1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
611 | 611 |
612 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; | 612 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; |
613 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) | 613 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) |
614 normalizedB.append(other[0]->m_policy->getSelfSource()); | 614 normalizedB.append(other[0]->m_policy->getSelfSource()); |
615 | 615 |
616 bool allowInlineOther = other[0]->m_allowInline; | 616 bool allowInlineOther = other[0]->m_allowInline; |
617 bool allowEvalOther = other[0]->m_allowEval; | 617 bool allowEvalOther = other[0]->m_allowEval; |
618 bool allowDynamicOther = other[0]->m_allowDynamic; | 618 bool allowDynamicOther = other[0]->m_allowDynamic; |
619 bool allowHashedAttributesOther = other[0]->m_allowHashedAttributes; | 619 bool allowHashedAttributesOther = other[0]->m_allowHashedAttributes; |
620 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); | 620 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); |
621 HashSet<String> noncesB = other[0]->m_nonces; | |
622 HashSet<CSPHashValue> hashesB = other[0]->m_hashes; | |
621 | 623 |
622 for (size_t i = 1; i < other.size(); i++) { | 624 for (size_t i = 1; i < other.size(); i++) { |
623 allowInlineOther = allowInlineOther && other[i]->m_allowInline; | 625 allowInlineOther = allowInlineOther && other[i]->m_allowInline; |
624 allowEvalOther = allowEvalOther && other[i]->m_allowEval; | 626 allowEvalOther = allowEvalOther && other[i]->m_allowEval; |
625 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; | 627 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; |
626 allowHashedAttributesOther = | 628 allowHashedAttributesOther = |
627 allowHashedAttributesOther && other[i]->m_allowHashedAttributes; | 629 allowHashedAttributesOther && other[i]->m_allowHashedAttributes; |
628 isHashOrNoncePresentOther = | 630 isHashOrNoncePresentOther = |
629 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); | 631 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); |
632 noncesB = other[i]->getIntersectNonces(noncesB); | |
633 hashesB = other[i]->getIntersectHashes(hashesB); | |
630 normalizedB = other[i]->getIntersectCSPSources(normalizedB); | 634 normalizedB = other[i]->getIntersectCSPSources(normalizedB); |
631 } | 635 } |
632 | 636 |
637 if (!subsumesNoncesAndHashes(noncesB, hashesB)) | |
638 return false; | |
639 | |
633 const ContentSecurityPolicy::DirectiveType type = | 640 const ContentSecurityPolicy::DirectiveType type = |
634 ContentSecurityPolicy::getDirectiveType(m_directiveName); | 641 ContentSecurityPolicy::getDirectiveType(m_directiveName); |
635 if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc || | 642 if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc || |
636 type == ContentSecurityPolicy::DirectiveType::StyleSrc) { | 643 type == ContentSecurityPolicy::DirectiveType::StyleSrc) { |
637 if (!m_allowEval && allowEvalOther) | 644 if (!m_allowEval && allowEvalOther) |
638 return false; | 645 return false; |
639 if (!m_allowHashedAttributes && allowHashedAttributesOther) | 646 if (!m_allowHashedAttributes && allowHashedAttributesOther) |
640 return false; | 647 return false; |
641 bool allowAllInlineOther = | 648 bool allowAllInlineOther = |
642 allowInlineOther && !isHashOrNoncePresentOther && | 649 allowInlineOther && !isHashOrNoncePresentOther && |
643 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | 650 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || |
644 !allowDynamicOther); | 651 !allowDynamicOther); |
645 if (!allowAllInline() && allowAllInlineOther) | 652 if (!allowAllInline() && allowAllInlineOther) |
646 return false; | 653 return false; |
647 } | 654 } |
648 | 655 |
649 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); | 656 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); |
650 } | 657 } |
651 | 658 |
659 bool SourceListDirective::subsumesNoncesAndHashes( | |
660 const HashSet<String>& nonces, | |
661 const HashSet<CSPHashValue> hashes) const { | |
662 for (const auto& nonce : nonces) { | |
663 if (!m_nonces.contains(nonce)) | |
664 return false; | |
665 } | |
666 for (const auto& hash : hashes) { | |
667 if (!m_hashes.contains(hash)) | |
668 return false; | |
669 } | |
670 | |
671 return true; | |
672 } | |
673 | |
674 HashSet<String> SourceListDirective::getIntersectNonces( | |
675 const HashSet<String>& other) const { | |
676 if (!m_nonces.size() || !other.size()) | |
677 return !m_nonces.size() ? m_nonces : other; | |
678 | |
679 HashSet<String> normalized; | |
680 for (const auto& nonce : m_nonces) { | |
681 if (other.contains(nonce)) | |
682 normalized.add(nonce); | |
683 } | |
684 | |
685 return normalized; | |
686 } | |
687 | |
688 HashSet<CSPHashValue> SourceListDirective::getIntersectHashes( | |
689 const HashSet<CSPHashValue>& other) const { | |
690 if (!m_hashes.size() || !other.size()) | |
691 return !m_hashes.size() ? m_hashes : other; | |
692 | |
693 HashSet<CSPHashValue> normalized; | |
694 for (const auto& hash : m_hashes) { | |
695 if (other.contains(hash)) | |
696 normalized.add(hash); | |
697 } | |
698 | |
699 return normalized; | |
700 } | |
Mike West
2016/12/07 13:32:46
Since these two are ~exactly the same code, you co
amalika
2016/12/07 15:11:51
Discussed! The other way around did not work eithe
701 | |
652 HeapHashMap<String, Member<CSPSource>> | 702 HeapHashMap<String, Member<CSPSource>> |
653 SourceListDirective::getIntersectSchemesOnly( | 703 SourceListDirective::getIntersectSchemesOnly( |
654 const HeapVector<Member<CSPSource>>& other) const { | 704 const HeapVector<Member<CSPSource>>& other) const { |
655 HeapHashMap<String, Member<CSPSource>> schemesA; | 705 HeapHashMap<String, Member<CSPSource>> schemesA; |
656 for (const auto& sourceA : m_list) { | 706 for (const auto& sourceA : m_list) { |
657 if (sourceA->isSchemeOnly()) | 707 if (sourceA->isSchemeOnly()) |
658 addSourceToMap(schemesA, sourceA); | 708 addSourceToMap(schemesA, sourceA); |
659 } | 709 } |
660 // Add schemes only sources if they are present in both `this` and `other`, | 710 // Add schemes only sources if they are present in both `this` and `other`, |
661 // allowing upgrading `http` to `https` and `ws` to `wss`. | 711 // allowing upgrading `http` to `https` and `ws` to `wss`. |
720 return normalized; | 770 return normalized; |
721 } | 771 } |
722 | 772 |
723 DEFINE_TRACE(SourceListDirective) { | 773 DEFINE_TRACE(SourceListDirective) { |
724 visitor->trace(m_policy); | 774 visitor->trace(m_policy); |
725 visitor->trace(m_list); | 775 visitor->trace(m_list); |
726 CSPDirective::trace(visitor); | 776 CSPDirective::trace(visitor); |
727 } | 777 } |
728 | 778 |
729 } // namespace blink | 779 } // namespace blink |
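Review bot: In the new `subsumesNoncesAndHashes` (new lines 659-661) the second parameter `const HashSet<CSPHashValue> hashes` is taken by value while `nonces` on the line above is a const reference, so every call copies the hash set; make it `const HashSet<CSPHashValue>& hashes` (the declaration in SourceListDirective.h is outside this view and needs the same change). The three new helpers also carry no comment explaining their role in subsumption; a one-line comment above `subsumesNoncesAndHashes` such as `// True when every nonce and hash in the given sets (the intersection across the other policies) is also listed by this directive, i.e. `this` permits at least what the other list permits.` would tell a reader why an empty intersection passes trivially. Relatedly, in `getIntersectNonces`/`getIntersectHashes` the early-return ternary `!m_nonces.size() ? m_nonces : other` always yields an empty set, so `return HashSet<String>();` (respectively `HashSet<CSPHashValue>()`) states the intent more plainly than choosing which empty set to copy. The enclosing `subsumes` function begins above the first visible hunk line.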