
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/CSPSource.cpp

Issue 2550093005: Embedding-CSP: Fixing path matching (Closed)
Patch Set: Adding CSPSourceTest Created 4 years ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "core/frame/csp/CSPSource.h" 5 #include "core/frame/csp/CSPSource.h"
6 6
7 #include "core/frame/UseCounter.h" 7 #include "core/frame/UseCounter.h"
8 #include "core/frame/csp/ContentSecurityPolicy.h" 8 #include "core/frame/csp/ContentSecurityPolicy.h"
9 #include "platform/weborigin/KURL.h" 9 #include "platform/weborigin/KURL.h"
10 #include "platform/weborigin/KnownPorts.h" 10 #include "platform/weborigin/KnownPorts.h"
(...skipping 56 matching lines...) Expand 10 before | Expand all | Expand 10 after
67 UseCounter::count(*document, 67 UseCounter::count(*document,
68 UseCounter::CSPSourceWildcardWouldMatchExactHost); 68 UseCounter::CSPSourceWildcardWouldMatchExactHost);
69 } else { 69 } else {
70 match = equalHosts; 70 match = equalHosts;
71 } 71 }
72 72
73 return match; 73 return match;
74 } 74 }
75 75
76 bool CSPSource::pathMatches(const String& urlPath) const { 76 bool CSPSource::pathMatches(const String& urlPath) const {
77 if (m_path.isEmpty()) 77 if (m_path.isEmpty() || (m_path == "/" && urlPath.isEmpty()))
78 return true; 78 return true;
79 79
80 String path = decodeURLEscapeSequences(urlPath); 80 String path = decodeURLEscapeSequences(urlPath);
81 81
82 if (m_path.endsWith("/")) 82 if (m_path.endsWith("/"))
83 return path.startsWith(m_path); 83 return path.startsWith(m_path);
84 84
85 return path == m_path; 85 return path == m_path;
86 } 86 }
87 87
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after
147 147
148 String scheme = other->schemeMatches(m_scheme) ? m_scheme : other->m_scheme; 148 String scheme = other->schemeMatches(m_scheme) ? m_scheme : other->m_scheme;
149 if (isSchemeOnly() || other->isSchemeOnly()) { 149 if (isSchemeOnly() || other->isSchemeOnly()) {
150 const CSPSource* stricter = isSchemeOnly() ? other : this; 150 const CSPSource* stricter = isSchemeOnly() ? other : this;
151 return new CSPSource(m_policy, scheme, stricter->m_host, stricter->m_port, 151 return new CSPSource(m_policy, scheme, stricter->m_host, stricter->m_port,
152 stricter->m_path, stricter->m_hostWildcard, 152 stricter->m_path, stricter->m_hostWildcard,
153 stricter->m_portWildcard); 153 stricter->m_portWildcard);
154 } 154 }
155 155
156 String host = m_hostWildcard == NoWildcard ? m_host : other->m_host; 156 String host = m_hostWildcard == NoWildcard ? m_host : other->m_host;
157 String path = other->pathMatches(m_path) ? m_path : other->m_path; 157 // Since sources are similar and paths match, pick the longer one.
158 String path =
159 m_path.length() > other->m_path.length() ? m_path : other->m_path;
amalika 2016/12/08 19:30:59 Simplified the logic instead of adding another che
158 // Choose this port if the other port is empty, has wildcard or is a port for 160 // Choose this port if the other port is empty, has wildcard or is a port for
159 // a less secure scheme such as "http" whereas scheme of this is "https", in 161 // a less secure scheme such as "http" whereas scheme of this is "https", in
160 // which case the lengths would differ. 162 // which case the lengths would differ.
161 int port = (other->m_portWildcard == HasWildcard || !other->m_port || 163 int port = (other->m_portWildcard == HasWildcard || !other->m_port ||
162 m_scheme.length() > other->m_scheme.length()) 164 m_scheme.length() > other->m_scheme.length())
163 ? m_port 165 ? m_port
164 : other->m_port; 166 : other->m_port;
165 WildcardDisposition hostWildcard = 167 WildcardDisposition hostWildcard =
166 (m_hostWildcard == HasWildcard) ? other->m_hostWildcard : m_hostWildcard; 168 (m_hostWildcard == HasWildcard) ? other->m_hostWildcard : m_hostWildcard;
167 WildcardDisposition portWildcard = 169 WildcardDisposition portWildcard =
(...skipping 26 matching lines...) Expand all
194 return false; 196 return false;
195 } 197 }
196 return true; 198 return true;
197 } 199 }
198 200
199 DEFINE_TRACE(CSPSource) { 201 DEFINE_TRACE(CSPSource) {
200 visitor->trace(m_policy); 202 visitor->trace(m_policy);
201 } 203 }
202 204
203 } // namespace blink 205 } // namespace blink
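Review bot: The new path selection in intersect() (new lines 157–159) uses string length as a stand-in for "more restrictive", which is only valid when one path already matches the other. That precondition is enforced outside the visible lines, presumably by the similarity check earlier in the function. If this point is ever reached with two unrelated paths, the longer one (or `other->m_path` on a tie) is returned silently, and the intersected source would no longer be bounded by both inputs, which for Embedding-CSP presumably means a looser result than intended. Make the assumption explicit next to the comment with `DCHECK(pathMatches(other->m_path) || other->pathMatches(m_path));`, and extend the comment to say that an empty path, which pathMatches() treats as matching everything, always loses to a non-empty one. The body of intersect() starts and ends outside the displayed lines.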