Chromium Code Reviews Chromium Code Reviews
Issue 2536713002:
Part 3.3: Is policy list subsumed under subsuming policy? (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
| 8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
| 10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
| (...skipping 145 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 156 } | 156 } |
| 157 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 157 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
| 158 m_reportEndpoints, m_header, m_headerType, | 158 m_reportEndpoints, m_header, m_headerType, |
| 159 ContentSecurityPolicy::EvalViolation); | 159 ContentSecurityPolicy::EvalViolation); |
| 160 } | 160 } |
| 161 | 161 |
| 162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { | 162 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { |
| 163 return !directive || directive->allowEval(); | 163 return !directive || directive->allowEval(); |
| 164 } | 164 } |
| 165 | 165 |
| 166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { | 166 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const { |
|
Mike West
2016/11/29 12:00:50
Can you just remove this method entirely, since it
| |
| 167 return !directive || | 167 return !directive || directive->allowAllInline(); |
| 168 (directive->allowInline() && !directive->isHashOrNoncePresent()); | |
| 169 } | 168 } |
| 170 | 169 |
| 171 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, | 170 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, |
| 172 const String& nonce) const { | 171 const String& nonce) const { |
| 173 return directive && directive->allowNonce(nonce); | 172 return directive && directive->allowNonce(nonce); |
| 174 } | 173 } |
| 175 | 174 |
| 176 bool CSPDirectiveList::checkHash(SourceListDirective* directive, | 175 bool CSPDirectiveList::checkHash(SourceListDirective* directive, |
| 177 const CSPHashValue& hashValue) const { | 176 const CSPHashValue& hashValue) const { |
| 178 return !directive || directive->allowHash(hashValue); | 177 return !directive || directive->allowHash(hashValue); |
| (...skipping 203 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 382 const String& consoleMessage, | 381 const String& consoleMessage, |
| 383 Element* element, | 382 Element* element, |
| 384 const String& contextURL, | 383 const String& contextURL, |
| 385 const WTF::OrdinalNumber& contextLine, | 384 const WTF::OrdinalNumber& contextLine, |
| 386 bool isScript, | 385 bool isScript, |
| 387 const String& hashValue) const { | 386 const String& hashValue) const { |
| 388 if (checkInline(directive)) | 387 if (checkInline(directive)) |
| 389 return true; | 388 return true; |
| 390 | 389 |
| 391 String suffix = String(); | 390 String suffix = String(); |
| 392 if (directive->allowInline() && directive->isHashOrNoncePresent()) { | 391 if (directive->allowInline() && directive->isHashOrNoncePresent()) { |
|
amalika
2016/11/29 09:42:29
Left this as it is so that we display an appropria
| |
| 393 // If inline is allowed, but a hash or nonce is present, we ignore | 392 // If inline is allowed, but a hash or nonce is present, we ignore |
| 394 // 'unsafe-inline'. Throw a reasonable error. | 393 // 'unsafe-inline'. Throw a reasonable error. |
| 395 suffix = | 394 suffix = |
| 396 " Note that 'unsafe-inline' is ignored if either a hash or nonce value " | 395 " Note that 'unsafe-inline' is ignored if either a hash or nonce value " |
| 397 "is present in the source list."; | 396 "is present in the source list."; |
| 398 } else { | 397 } else { |
| 399 suffix = | 398 suffix = |
| 400 " Either the 'unsafe-inline' keyword, a hash ('" + hashValue + | 399 " Either the 'unsafe-inline' keyword, a hash ('" + hashValue + |
| 401 "'), or a nonce ('nonce-...') is required to enable inline execution."; | 400 "'), or a nonce ('nonce-...') is required to enable inline execution."; |
| 402 if (directive == m_defaultSrc) | 401 if (directive == m_defaultSrc) |
| (...skipping 872 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1275 visitor->trace(m_imgSrc); | 1274 visitor->trace(m_imgSrc); |
| 1276 visitor->trace(m_mediaSrc); | 1275 visitor->trace(m_mediaSrc); |
| 1277 visitor->trace(m_manifestSrc); | 1276 visitor->trace(m_manifestSrc); |
| 1278 visitor->trace(m_objectSrc); | 1277 visitor->trace(m_objectSrc); |
| 1279 visitor->trace(m_scriptSrc); | 1278 visitor->trace(m_scriptSrc); |
| 1280 visitor->trace(m_styleSrc); | 1279 visitor->trace(m_styleSrc); |
| 1281 visitor->trace(m_workerSrc); | 1280 visitor->trace(m_workerSrc); |
| 1282 } | 1281 } |
| 1283 | 1282 |
| 1284 } // namespace blink | 1283 } // namespace blink |
| OLD | NEW |
