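--- a/core/frame/csp/SourceListDirective.cpp
+++ b/core/frame/csp/SourceListDirective.cpp
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "core/frame/csp/SourceListDirective.h"
 
 #include "core/frame/csp/CSPSource.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/network/ContentSecurityPolicyParsers.h"
 #include "platform/weborigin/KURL.h"
@@ -610,51 +610,101 @@
 
 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list;
 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource())
 normalizedB.append(other[0]->m_policy->getSelfSource());
 
 bool allowInlineOther = other[0]->m_allowInline;
 bool allowEvalOther = other[0]->m_allowEval;
 bool allowDynamicOther = other[0]->m_allowDynamic;
 bool allowHashedAttributesOther = other[0]->m_allowHashedAttributes;
 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent();
+HashSet<String> noncesB = other[0]->m_nonces;
+HashSet<CSPHashValue> hashesB = other[0]->m_hashes;
 
 for (size_t i = 1; i < other.size(); i++) {
 allowInlineOther = allowInlineOther && other[i]->m_allowInline;
 allowEvalOther = allowEvalOther && other[i]->m_allowEval;
 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic;
 allowHashedAttributesOther =
 allowHashedAttributesOther && other[i]->m_allowHashedAttributes;
 isHashOrNoncePresentOther =
 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent();
+noncesB = other[i]->getIntersectNonces(noncesB);
+hashesB = other[i]->getIntersectHashes(hashesB);
 normalizedB = other[i]->getIntersectCSPSources(normalizedB);
 }
 
+if (!subsumesNoncesAndHashes(noncesB, hashesB))
+return false;
+
 const ContentSecurityPolicy::DirectiveType type =
 ContentSecurityPolicy::getDirectiveType(m_directiveName);
 if (type == ContentSecurityPolicy::DirectiveType::ScriptSrc ||
 type == ContentSecurityPolicy::DirectiveType::StyleSrc) {
 if (!m_allowEval && allowEvalOther)
 return false;
 if (!m_allowHashedAttributes && allowHashedAttributesOther)
 return false;
 bool allowAllInlineOther =
 allowInlineOther && !isHashOrNoncePresentOther &&
 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc ||
 !allowDynamicOther);
 if (!allowAllInline() && allowAllInlineOther)
 return false;
 }
 
 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB);
 }
 
+bool SourceListDirective::subsumesNoncesAndHashes(
+const HashSet<String>& nonces,
+const HashSet<CSPHashValue> hashes) {
+for (const auto& nonce : nonces) {
+if (!m_nonces.contains(nonce))
+return false;
+}
+for (const auto& hash : hashes) {
+if (!m_hashes.contains(hash))
+return false;
+}
+
+return true;
+}
+
+HashSet<String> SourceListDirective::getIntersectNonces(
+const HashSet<String>& other) {
+if (!m_nonces.size() || !other.size())
+return !m_nonces.size() ? m_nonces : other;
+
+HashSet<String> normalized;
+for (const auto& nonce : m_nonces) {
+if (other.contains(nonce))
+normalized.add(nonce);
+}
+
+return normalized;
+}
+
+HashSet<CSPHashValue> SourceListDirective::getIntersectHashes(
+const HashSet<CSPHashValue>& other) {
+if (!m_hashes.size() || !other.size())
+return !m_hashes.size() ? m_hashes : other;
+
+HashSet<CSPHashValue> normalized;
+for (const auto& hash : m_hashes) {
+if (other.contains(hash))
+normalized.add(hash);
+}
+
+return normalized;
+}
+
 HashMap<String, CSPSource*> SourceListDirective::getIntersectSchemesOnly(
 HeapVector<Member<CSPSource>> other) {
 HashMap<String, CSPSource*> schemesA;
 for (const auto& sourceA : m_list) {
 if (sourceA->isSchemeOnly())
 addSourceToMap(schemesA, sourceA);
 }
 // Add schemes only sources if they are present in both `this` and `other`,
 // allowing upgrading `http` to `https` and `ws` to `wss`.
 HashMap<String, CSPSource*> intersect;
@@ -718,10 +768,10 @@
 return normalized;
 }
 
 DEFINE_TRACE(SourceListDirective) {
 visitor->trace(m_policy);
 visitor->trace(m_list);
 CSPDirective::trace(visitor);
 }
 
 } // namespace blink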
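Review bot: `subsumesNoncesAndHashes` declares `nonces` as `const HashSet<String>&` but `hashes` as `const HashSet<CSPHashValue>` by value, so every call from subsumes() copies the whole hash set for no reason; make the second parameter `const HashSet<CSPHashValue>& hashes` (and mirror that in the header, which is outside this page). The three new helpers only read `m_nonces`/`m_hashes`, so marking them `const` member functions would document that. The nonce/hash check is a strict set-inclusion run before the ScriptSrc/StyleSrc branch, so a `this` that allows all inline content via `allowAllInline()` but lists no nonces still answers false for an `other` that relies only on nonces; that is the fail-closed direction, but if it is intended a short comment above `if (!subsumesNoncesAndHashes(noncesB, hashesB))` saying so would save the next reader a question. subsumes() begins outside this hunk, so whether an empty `other` is guarded before `other[0]` is dereferenced cannot be checked here.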