OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
(...skipping 561 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
572 const KURL& url, | 572 const KURL& url, |
573 ResourceRequest::RedirectStatus redirectStatus) const { | 573 ResourceRequest::RedirectStatus redirectStatus) const { |
574 for (size_t i = 0; i < m_list.size(); ++i) { | 574 for (size_t i = 0; i < m_list.size(); ++i) { |
575 if (m_list[i]->matches(url, redirectStatus)) | 575 if (m_list[i]->matches(url, redirectStatus)) |
576 return true; | 576 return true; |
577 } | 577 } |
578 | 578 |
579 return false; | 579 return false; |
580 } | 580 } |
581 | 581 |
582 bool SourceListDirective::allowAllInline() { | |
583 const ContentSecurityPolicy::DirectiveType& type = | |
584 ContentSecurityPolicy::getDirectiveType(m_directiveName); | |
585 if (type != ContentSecurityPolicy::DirectiveType::DefaultSrc && | |
amalika
2016/11/29 09:42:29
Added default-src since otherwise unspecified scri
| |
586 type != ContentSecurityPolicy::DirectiveType::StyleSrc && | |
587 type != ContentSecurityPolicy::DirectiveType::ScriptSrc) { | |
588 return false; | |
589 } | |
590 return m_allowInline && !isHashOrNoncePresent() && | |
591 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | |
592 !m_allowDynamic); | |
593 } | |
594 | |
582 bool SourceListDirective::subsumes( | 595 bool SourceListDirective::subsumes( |
583 HeapVector<Member<SourceListDirective>> other) { | 596 HeapVector<Member<SourceListDirective>> other) { |
584 // TODO(amalika): Handle here special keywords. | 597 // TODO(amalika): Handle here special keywords. |
585 if (!m_list.size() || !other.size()) | 598 if (!m_list.size() || !other.size()) |
586 return !m_list.size(); | 599 return !m_list.size(); |
587 | 600 |
588 HeapVector<Member<CSPSource>> normalizedA = m_list; | 601 HeapVector<Member<CSPSource>> normalizedA = m_list; |
589 if (m_allowSelf) | 602 if (m_allowSelf) |
590 normalizedA.append(m_policy->getSelfSource()); | 603 normalizedA.append(m_policy->getSelfSource()); |
591 | 604 |
592 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; | 605 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; |
593 if (other[0]->m_allowSelf) | 606 if (other[0]->m_allowSelf) |
594 normalizedB.append(other[0]->m_policy->getSelfSource()); | 607 normalizedB.append(other[0]->m_policy->getSelfSource()); |
595 for (size_t i = 1; i < other.size(); i++) | 608 |
609 bool allowInlineOther = other[0]->m_allowInline; | |
Mike West
2016/11/29 12:00:50
Why do you need these three variables? Don't they
amalika
2016/11/29 12:27:33
To call `allowAllInline()` is a method on SourceLi
Mike West
2016/11/30 09:57:19
Hrm. Ok. But you only need them to check `allowAll
amalika
2016/11/30 10:06:06
I dont think this would give an expected behavior
| |
610 bool allowDynamicOther = other[0]->m_allowDynamic; | |
611 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); | |
612 | |
613 for (size_t i = 1; i < other.size(); i++) { | |
614 allowInlineOther = allowInlineOther && other[i]->m_allowInline; | |
615 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; | |
616 isHashOrNoncePresentOther = | |
617 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); | |
596 normalizedB = other[i]->getIntersectCSPSources(normalizedB); | 618 normalizedB = other[i]->getIntersectCSPSources(normalizedB); |
619 } | |
620 | |
621 const ContentSecurityPolicy::DirectiveType type = | |
622 ContentSecurityPolicy::getDirectiveType(m_directiveName); | |
623 bool allowAllInlineOther = | |
624 allowInlineOther && !isHashOrNoncePresentOther && | |
625 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | |
626 !allowDynamicOther); | |
627 if (!allowAllInline() && allowAllInlineOther) | |
628 return false; | |
597 | 629 |
598 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); | 630 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); |
599 } | 631 } |
600 | 632 |
601 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly( | 633 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly( |
602 HeapVector<Member<CSPSource>> other) { | 634 HeapVector<Member<CSPSource>> other) { |
603 HashMap<String, CSPSource*> schemesA; | 635 HashMap<String, CSPSource*> schemesA; |
604 for (const auto& sourceA : m_list) { | 636 for (const auto& sourceA : m_list) { |
605 if (sourceA->isSchemeOnly()) | 637 if (sourceA->isSchemeOnly()) |
606 addSourceToMap(schemesA, sourceA); | 638 addSourceToMap(schemesA, sourceA); |
(...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
668 return normalized; | 700 return normalized; |
669 } | 701 } |
670 | 702 |
671 DEFINE_TRACE(SourceListDirective) { | 703 DEFINE_TRACE(SourceListDirective) { |
672 visitor->trace(m_policy); | 704 visitor->trace(m_policy); |
673 visitor->trace(m_list); | 705 visitor->trace(m_list); |
674 CSPDirective::trace(visitor); | 706 CSPDirective::trace(visitor); |
675 } | 707 } |
676 | 708 |
677 } // namespace blink | 709 } // namespace blink |
OLD | NEW |