1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
600 | 600 |
601 HeapVector<Member<CSPSource>> normalizedA = m_list; | 601 HeapVector<Member<CSPSource>> normalizedA = m_list; |
602 if (m_allowSelf && other[0]->m_policy->getSelfSource()) | 602 if (m_allowSelf && other[0]->m_policy->getSelfSource()) |
603 normalizedA.append(other[0]->m_policy->getSelfSource()); | 603 normalizedA.append(other[0]->m_policy->getSelfSource()); |
604 | 604 |
605 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; | 605 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; |
606 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) | 606 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) |
607 normalizedB.append(other[0]->m_policy->getSelfSource()); | 607 normalizedB.append(other[0]->m_policy->getSelfSource()); |
608 | 608 |
609 bool allowInlineOther = other[0]->m_allowInline; | 609 bool allowInlineOther = other[0]->m_allowInline; |
| 610 bool allowEvalOther = other[0]->m_allowEval; |
610 bool allowDynamicOther = other[0]->m_allowDynamic; | 611 bool allowDynamicOther = other[0]->m_allowDynamic; |
| 612 bool allowHashedAttributesOther = other[0]->m_allowHashedAttributes; |
611 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); | 613 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); |
612 | 614 |
613 for (size_t i = 1; i < other.size(); i++) { | 615 for (size_t i = 1; i < other.size(); i++) { |
614 allowInlineOther = allowInlineOther && other[i]->m_allowInline; | 616 allowInlineOther = allowInlineOther && other[i]->m_allowInline; |
| 617 allowEvalOther = allowEvalOther && other[i]->m_allowEval; |
615 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; | 618 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; |
| 619 allowHashedAttributesOther = |
| 620 allowHashedAttributesOther && other[i]->m_allowHashedAttributes; |
616 isHashOrNoncePresentOther = | 621 isHashOrNoncePresentOther = |
617 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); | 622 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); |
618 normalizedB = other[i]->getIntersectCSPSources(normalizedB); | 623 normalizedB = other[i]->getIntersectCSPSources(normalizedB); |
619 } | 624 } |
620 | 625 |
621 const ContentSecurityPolicy::DirectiveType type = | 626 const ContentSecurityPolicy::DirectiveType type = |
622 ContentSecurityPolicy::getDirectiveType(m_directiveName); | 627 ContentSecurityPolicy::getDirectiveType(m_directiveName); |
623 bool allowAllInlineOther = | 628 if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc || |
624 allowInlineOther && !isHashOrNoncePresentOther && | 629 type == ContentSecurityPolicy::DirectiveType::StyleSrc) { |
625 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | 630 if (!m_allowEval && allowEvalOther) |
626 !allowDynamicOther); | 631 return false; |
627 if (!allowAllInline() && allowAllInlineOther) | 632 if (!m_allowHashedAttributes && allowHashedAttributesOther) |
628 return false; | 633 return false; |
| 634 bool allowAllInlineOther = |
| 635 allowInlineOther && !isHashOrNoncePresentOther && |
| 636 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || |
| 637 !allowDynamicOther); |
| 638 if (!allowAllInline() && allowAllInlineOther) |
| 639 return false; |
| 640 } |
629 | 641 |
630 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); | 642 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); |
631 } | 643 } |
632 | 644 |
633 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly( | 645 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly( |
634 HeapVector<Member<CSPSource>> other) { | 646 HeapVector<Member<CSPSource>> other) { |
635 HashMap<String, CSPSource*> schemesA; | 647 HashMap<String, CSPSource*> schemesA; |
636 for (const auto& sourceA : m_list) { | 648 for (const auto& sourceA : m_list) { |
637 if (sourceA->isSchemeOnly()) | 649 if (sourceA->isSchemeOnly()) |
638 addSourceToMap(schemesA, sourceA); | 650 addSourceToMap(schemesA, sourceA); |
700 return normalized; | 712 return normalized; |
701 } | 713 } |
702 | 714 |
703 DEFINE_TRACE(SourceListDirective) { | 715 DEFINE_TRACE(SourceListDirective) { |
704 visitor->trace(m_policy); | 716 visitor->trace(m_policy); |
705 visitor->trace(m_list); | 717 visitor->trace(m_list); |
706 CSPDirective::trace(visitor); | 718 CSPDirective::trace(visitor); |
707 } | 719 } |
708 | 720 |
709 } // namespace blink | 721 } // namespace blink |
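Review bot: The `allowAllInline()` comparison that previously ran for every directive (old lines 623-628) now only runs when `type` is ScriptSrc or StyleSrc (new lines 628-640), so for any other directive name a list that allows all inline content is no longer a reason to return false. If this function can be reached with `m_directiveName` set to default-src, which may carry 'unsafe-inline' and 'unsafe-eval' as the fallback for script-src and style-src, the new eval, hashed-attributes and inline checks are all skipped for it; worth confirming the caller resolves the effective directive before calling, or extending the guard to cover the default-src type. A short comment above the guard would also make the scoping intentional, e.g. `// 'unsafe-inline', 'unsafe-eval' and 'unsafe-hashed-attributes' only affect script-src and style-src, so only compare them there.` The enclosing function starts before this hunk.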