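--- a/core/frame/csp/SourceListDirective.cpp
+++ b/core/frame/csp/SourceListDirective.cpp
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/SourceListDirective.h"
 
 #include "core/frame/csp/CSPSource.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/network/ContentSecurityPolicyParsers.h"
 #include "platform/weborigin/KURL.h"
@@ -600,39 +600,55 @@
 
 HeapVector<Member<CSPSource>> normalizedA = m_list;
 if (m_allowSelf)
 normalizedA.append(m_policy->getSelfSource());
 
 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list;
 if (other[0]->m_allowSelf)
 normalizedB.append(other[0]->m_policy->getSelfSource());
 
 bool allowInlineOther = other[0]->m_allowInline;
+bool allowEvalOther = other[0]->m_allowEval;
 bool allowDynamicOther = other[0]->m_allowDynamic;
+bool allowHashedAttributesOther = other[0]->m_allowHashedAttributes;
 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent();
 
 for (size_t i = 1; i < other.size(); i++) {
 allowInlineOther = allowInlineOther && other[i]->m_allowInline;
+allowEvalOther = allowEvalOther && other[i]->m_allowEval;
 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic;
+allowHashedAttributesOther =
+allowHashedAttributesOther && other[i]->m_allowHashedAttributes;
 isHashOrNoncePresentOther =
 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent();
 normalizedB = other[i]->getIntersectCSPSources(normalizedB);
 }
 
 const ContentSecurityPolicy::DirectiveType type =
 ContentSecurityPolicy::getDirectiveType(m_directiveName);
-bool allowAllInlineOther =
-allowInlineOther && !isHashOrNoncePresentOther &&
-(type != ContentSecurityPolicy::DirectiveType::ScriptSrc ||
-!allowDynamicOther);
-if (!allowAllInline() && allowAllInlineOther)
-return false;
+if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc ||
+type == ContentSecurityPolicy::DirectiveType::StyleSrc) {
+if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc &&
+!m_allowDynamic && !allowAllInline() && allowDynamicOther) {
+return false;
+}
+if (!m_allowEval && allowEvalOther)
+return false;
+if (!m_allowHashedAttributes && allowHashedAttributesOther)
+return false;
+bool allowAllInlineOther =
+allowInlineOther && !isHashOrNoncePresentOther &&
+(type != ContentSecurityPolicy::DirectiveType::ScriptSrc ||
+!allowDynamicOther);
+if (!allowAllInline() && allowAllInlineOther)
+return false;
+}
 
 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB);
 }
 
 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly(
 HeapVector<Member<CSPSource>> other) {
 HashMap<String, CSPSource*> schemesA;
 for (const auto& sourceA : m_list) {
 if (sourceA->isSchemeOnly())
 addSourceToMap(schemesA, sourceA);
@@ -700,10 +716,10 @@
 return normalized;
 }
 
 DEFINE_TRACE(SourceListDirective) {
 visitor->trace(m_policy);
 visitor->trace(m_list);
 CSPDirective::trace(visitor);
 }
 
 } // namespace blink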
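Review bot: The new keyword comparison at new lines 628-644 is keyed on `getDirectiveType(m_directiveName)` being ScriptSrc or StyleSrc, so a source list whose own name is default-src skips the 'unsafe-eval', hashed-attributes, 'strict-dynamic' and 'unsafe-inline' checks entirely; if the caller resolves script-src or style-src to the default-src directive by fallback and passes it under that name, the embedee's eval/inline permissions would go unchecked and subsumption would be answered by the host list alone. Whether callers pass the operative directive under the specific name or under default-src is not visible in this hunk and should be confirmed; if the fallback is reachable, the guard should also accept the default-src type (or the effective type should be passed in by the caller rather than derived from `m_directiveName`). The block also carries no comment saying why the comparison is restricted to these two directive types, which the old code did not do; I would add above new line 628: `// 'unsafe-inline', 'unsafe-eval', 'strict-dynamic' and hashed attributes only affect script-src and style-src; other directives are compared on their source lists alone.` The enclosing function begins before this hunk.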