| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
| 6 | 6 |
| 7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
| 8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
| 10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
| (...skipping 589 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 600 | 600 |
| 601 HeapVector<Member<CSPSource>> normalizedA = m_list; | 601 HeapVector<Member<CSPSource>> normalizedA = m_list; |
| 602 if (m_allowSelf && other[0]->m_policy->getSelfSource()) | 602 if (m_allowSelf && other[0]->m_policy->getSelfSource()) |
| 603 normalizedA.append(other[0]->m_policy->getSelfSource()); | 603 normalizedA.append(other[0]->m_policy->getSelfSource()); |
| 604 | 604 |
| 605 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; | 605 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; |
| 606 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) | 606 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) |
| 607 normalizedB.append(other[0]->m_policy->getSelfSource()); | 607 normalizedB.append(other[0]->m_policy->getSelfSource()); |
| 608 | 608 |
| 609 bool allowInlineOther = other[0]->m_allowInline; | 609 bool allowInlineOther = other[0]->m_allowInline; |
| 610 bool allowEvalOther = other[0]->m_allowEval; |
| 610 bool allowDynamicOther = other[0]->m_allowDynamic; | 611 bool allowDynamicOther = other[0]->m_allowDynamic; |
| 612 bool allowHashedAttributesOther = other[0]->m_allowHashedAttributes; |
| 611 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); | 613 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); |
| 612 | 614 |
| 613 for (size_t i = 1; i < other.size(); i++) { | 615 for (size_t i = 1; i < other.size(); i++) { |
| 614 allowInlineOther = allowInlineOther && other[i]->m_allowInline; | 616 allowInlineOther = allowInlineOther && other[i]->m_allowInline; |
| 617 allowEvalOther = allowEvalOther && other[i]->m_allowEval; |
| 615 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; | 618 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; |
| 619 allowHashedAttributesOther = |
| 620 allowHashedAttributesOther && other[i]->m_allowHashedAttributes; |
| 616 isHashOrNoncePresentOther = | 621 isHashOrNoncePresentOther = |
| 617 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); | 622 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); |
| 618 normalizedB = other[i]->getIntersectCSPSources(normalizedB); | 623 normalizedB = other[i]->getIntersectCSPSources(normalizedB); |
| 619 } | 624 } |
| 620 | 625 |
| 621 const ContentSecurityPolicy::DirectiveType type = | 626 const ContentSecurityPolicy::DirectiveType type = |
| 622 ContentSecurityPolicy::getDirectiveType(m_directiveName); | 627 ContentSecurityPolicy::getDirectiveType(m_directiveName); |
| 623 bool allowAllInlineOther = | 628 if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc || |
| 624 allowInlineOther && !isHashOrNoncePresentOther && | 629 type == ContentSecurityPolicy::DirectiveType::StyleSrc) { |
| 625 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | 630 if (!m_allowEval && allowEvalOther) |
| 626 !allowDynamicOther); | 631 return false; |
| 627 if (!allowAllInline() && allowAllInlineOther) | 632 if (!m_allowHashedAttributes && allowHashedAttributesOther) |
| 628 return false; | 633 return false; |
| 634 bool allowAllInlineOther = |
| 635 allowInlineOther && !isHashOrNoncePresentOther && |
| 636 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || |
| 637 !allowDynamicOther); |
| 638 if (!allowAllInline() && allowAllInlineOther) |
| 639 return false; |
| 640 } |
| 629 | 641 |
| 630 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); | 642 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); |
| 631 } | 643 } |
| 632 | 644 |
| 633 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly( | 645 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly( |
| 634 HeapVector<Member<CSPSource>> other) { | 646 HeapVector<Member<CSPSource>> other) { |
| 635 HashMap<String, CSPSource*> schemesA; | 647 HashMap<String, CSPSource*> schemesA; |
| 636 for (const auto& sourceA : m_list) { | 648 for (const auto& sourceA : m_list) { |
| 637 if (sourceA->isSchemeOnly()) | 649 if (sourceA->isSchemeOnly()) |
| 638 addSourceToMap(schemesA, sourceA); | 650 addSourceToMap(schemesA, sourceA); |
| (...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 700 return normalized; | 712 return normalized; |
| 701 } | 713 } |
| 702 | 714 |
| 703 DEFINE_TRACE(SourceListDirective) { | 715 DEFINE_TRACE(SourceListDirective) { |
| 704 visitor->trace(m_policy); | 716 visitor->trace(m_policy); |
| 705 visitor->trace(m_list); | 717 visitor->trace(m_list); |
| 706 CSPDirective::trace(visitor); | 718 CSPDirective::trace(visitor); |
| 707 } | 719 } |
| 708 | 720 |
| 709 } // namespace blink | 721 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2538623003:
Part 3.4: Is policy list subsumed under subsuming policy? (Closed)
