1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
611 | 611 |
612 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; | 612 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; |
613 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) | 613 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) |
614 normalizedB.append(other[0]->m_policy->getSelfSource()); | 614 normalizedB.append(other[0]->m_policy->getSelfSource()); |
615 | 615 |
616 bool allowInlineOther = other[0]->m_allowInline; | 616 bool allowInlineOther = other[0]->m_allowInline; |
617 bool allowEvalOther = other[0]->m_allowEval; | 617 bool allowEvalOther = other[0]->m_allowEval; |
618 bool allowDynamicOther = other[0]->m_allowDynamic; | 618 bool allowDynamicOther = other[0]->m_allowDynamic; |
619 bool allowHashedAttributesOther = other[0]->m_allowHashedAttributes; | 619 bool allowHashedAttributesOther = other[0]->m_allowHashedAttributes; |
620 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); | 620 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); |
| 621 HashSet<String> noncesB = other[0]->m_nonces; |
| 622 HashSet<CSPHashValue> hashesB = other[0]->m_hashes; |
621 | 623 |
622 for (size_t i = 1; i < other.size(); i++) { | 624 for (size_t i = 1; i < other.size(); i++) { |
623 allowInlineOther = allowInlineOther && other[i]->m_allowInline; | 625 allowInlineOther = allowInlineOther && other[i]->m_allowInline; |
624 allowEvalOther = allowEvalOther && other[i]->m_allowEval; | 626 allowEvalOther = allowEvalOther && other[i]->m_allowEval; |
625 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; | 627 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; |
626 allowHashedAttributesOther = | 628 allowHashedAttributesOther = |
627 allowHashedAttributesOther && other[i]->m_allowHashedAttributes; | 629 allowHashedAttributesOther && other[i]->m_allowHashedAttributes; |
628 isHashOrNoncePresentOther = | 630 isHashOrNoncePresentOther = |
629 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); | 631 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); |
| 632 noncesB = other[i]->getIntersectNonces(noncesB); |
| 633 hashesB = other[i]->getIntersectHashes(hashesB); |
630 normalizedB = other[i]->getIntersectCSPSources(normalizedB); | 634 normalizedB = other[i]->getIntersectCSPSources(normalizedB); |
631 } | 635 } |
632 | 636 |
| 637 if (!subsumesNoncesAndHashes(noncesB, hashesB)) |
| 638 return false; |
| 639 |
633 const ContentSecurityPolicy::DirectiveType type = | 640 const ContentSecurityPolicy::DirectiveType type = |
634 ContentSecurityPolicy::getDirectiveType(m_directiveName); | 641 ContentSecurityPolicy::getDirectiveType(m_directiveName); |
635 if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc || | 642 if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc || |
636 type == ContentSecurityPolicy::DirectiveType::StyleSrc) { | 643 type == ContentSecurityPolicy::DirectiveType::StyleSrc) { |
637 if (!m_allowEval && allowEvalOther) | 644 if (!m_allowEval && allowEvalOther) |
638 return false; | 645 return false; |
639 if (!m_allowHashedAttributes && allowHashedAttributesOther) | 646 if (!m_allowHashedAttributes && allowHashedAttributesOther) |
640 return false; | 647 return false; |
641 bool allowAllInlineOther = | 648 bool allowAllInlineOther = |
642 allowInlineOther && !isHashOrNoncePresentOther && | 649 allowInlineOther && !isHashOrNoncePresentOther && |
643 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | 650 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || |
644 !allowDynamicOther); | 651 !allowDynamicOther); |
645 if (!allowAllInline() && allowAllInlineOther) | 652 if (!allowAllInline() && allowAllInlineOther) |
646 return false; | 653 return false; |
647 } | 654 } |
648 | 655 |
649 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); | 656 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); |
650 } | 657 } |
651 | 658 |
| 659 bool SourceListDirective::subsumesNoncesAndHashes( |
| 660 const HashSet<String>& nonces, |
| 661 const HashSet<CSPHashValue> hashes) const { |
| 662 for (const auto& nonce : nonces) { |
| 663 if (!m_nonces.contains(nonce)) |
| 664 return false; |
| 665 } |
| 666 for (const auto& hash : hashes) { |
| 667 if (!m_hashes.contains(hash)) |
| 668 return false; |
| 669 } |
| 670 |
| 671 return true; |
| 672 } |
| 673 |
| 674 HashSet<String> SourceListDirective::getIntersectNonces( |
| 675 const HashSet<String>& other) const { |
| 676 if (!m_nonces.size() || !other.size()) |
| 677 return !m_nonces.size() ? m_nonces : other; |
| 678 |
| 679 HashSet<String> normalized; |
| 680 for (const auto& nonce : m_nonces) { |
| 681 if (other.contains(nonce)) |
| 682 normalized.add(nonce); |
| 683 } |
| 684 |
| 685 return normalized; |
| 686 } |
| 687 |
| 688 HashSet<CSPHashValue> SourceListDirective::getIntersectHashes( |
| 689 const HashSet<CSPHashValue>& other) const { |
| 690 if (!m_hashes.size() || !other.size()) |
| 691 return !m_hashes.size() ? m_hashes : other; |
| 692 |
| 693 HashSet<CSPHashValue> normalized; |
| 694 for (const auto& hash : m_hashes) { |
| 695 if (other.contains(hash)) |
| 696 normalized.add(hash); |
| 697 } |
| 698 |
| 699 return normalized; |
| 700 } |
| 701 |
652 HeapHashMap<String, Member<CSPSource>> | 702 HeapHashMap<String, Member<CSPSource>> |
653 SourceListDirective::getIntersectSchemesOnly( | 703 SourceListDirective::getIntersectSchemesOnly( |
654 const HeapVector<Member<CSPSource>>& other) const { | 704 const HeapVector<Member<CSPSource>>& other) const { |
655 HeapHashMap<String, Member<CSPSource>> schemesA; | 705 HeapHashMap<String, Member<CSPSource>> schemesA; |
656 for (const auto& sourceA : m_list) { | 706 for (const auto& sourceA : m_list) { |
657 if (sourceA->isSchemeOnly()) | 707 if (sourceA->isSchemeOnly()) |
658 addSourceToMap(schemesA, sourceA); | 708 addSourceToMap(schemesA, sourceA); |
659 } | 709 } |
660 // Add schemes only sources if they are present in both `this` and `other`, | 710 // Add schemes only sources if they are present in both `this` and `other`, |
661 // allowing upgrading `http` to `https` and `ws` to `wss`. | 711 // allowing upgrading `http` to `https` and `ws` to `wss`. |
720 return normalized; | 770 return normalized; |
721 } | 771 } |
722 | 772 |
723 DEFINE_TRACE(SourceListDirective) { | 773 DEFINE_TRACE(SourceListDirective) { |
724 visitor->trace(m_policy); | 774 visitor->trace(m_policy); |
725 visitor->trace(m_list); | 775 visitor->trace(m_list); |
726 CSPDirective::trace(visitor); | 776 CSPDirective::trace(visitor); |
727 } | 777 } |
728 | 778 |
729 } // namespace blink | 779 } // namespace blink |
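Review bot: In the new `subsumesNoncesAndHashes` (new line 661) the `hashes` parameter is taken by value while `nonces` on the line above is a `const&`, so every call from `subsumes` copies a HashSet for no reason; change the signature line to `const HashSet<CSPHashValue>& hashes) const {`. The subset check at new lines 637-638 runs before the script-src/style-src block, so it applies even when `this` has `'unsafe-inline'` with no nonces or hashes; that ordering looks intentional but deserves a comment, e.g. `// Every nonce/hash the other lists accept must also be accepted here; this is checked regardless of 'unsafe-inline'.`. In `getIntersectNonces` and `getIntersectHashes` (new lines 676-677 and 690-691) both branches of the ternary return an empty set, so `return HashSet<String>();` (and the CSPHashValue equivalent) would state the intent more plainly than the conditional copy. The enclosing `subsumes` function begins before this hunk.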