1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
579 const KURL& url, | 579 const KURL& url, |
580 ResourceRequest::RedirectStatus redirectStatus) const { | 580 ResourceRequest::RedirectStatus redirectStatus) const { |
581 for (size_t i = 0; i < m_list.size(); ++i) { | 581 for (size_t i = 0; i < m_list.size(); ++i) { |
582 if (m_list[i]->matches(url, redirectStatus)) | 582 if (m_list[i]->matches(url, redirectStatus)) |
583 return true; | 583 return true; |
584 } | 584 } |
585 | 585 |
586 return false; | 586 return false; |
587 } | 587 } |
588 | 588 |
589 bool SourceListDirective::allowAllInline() { | 589 bool SourceListDirective::allowAllInline() const { |
590 const ContentSecurityPolicy::DirectiveType& type = | 590 const ContentSecurityPolicy::DirectiveType& type = |
591 ContentSecurityPolicy::getDirectiveType(m_directiveName); | 591 ContentSecurityPolicy::getDirectiveType(m_directiveName); |
592 if (type != ContentSecurityPolicy::DirectiveType::DefaultSrc && | 592 if (type != ContentSecurityPolicy::DirectiveType::DefaultSrc && |
593 type != ContentSecurityPolicy::DirectiveType::StyleSrc && | 593 type != ContentSecurityPolicy::DirectiveType::StyleSrc && |
594 type != ContentSecurityPolicy::DirectiveType::ScriptSrc) { | 594 type != ContentSecurityPolicy::DirectiveType::ScriptSrc) { |
595 return false; | 595 return false; |
596 } | 596 } |
597 return m_allowInline && !isHashOrNoncePresent() && | 597 return m_allowInline && !isHashOrNoncePresent() && |
598 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | 598 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || |
599 !m_allowDynamic); | 599 !m_allowDynamic); |
600 } | 600 } |
601 | 601 |
602 bool SourceListDirective::subsumes( | 602 bool SourceListDirective::subsumes( |
603 HeapVector<Member<SourceListDirective>> other) { | 603 const HeapVector<Member<SourceListDirective>>& other) const { |
604 // TODO(amalika): Handle here special keywords. | 604 // TODO(amalika): Handle here special keywords. |
605 if (!other.size() || other[0]->isNone()) | 605 if (!other.size() || other[0]->isNone()) |
606 return other.size(); | 606 return other.size(); |
607 | 607 |
608 HeapVector<Member<CSPSource>> normalizedA = m_list; | 608 HeapVector<Member<CSPSource>> normalizedA = m_list; |
609 if (m_allowSelf && other[0]->m_policy->getSelfSource()) | 609 if (m_allowSelf && other[0]->m_policy->getSelfSource()) |
610 normalizedA.append(other[0]->m_policy->getSelfSource()); | 610 normalizedA.append(other[0]->m_policy->getSelfSource()); |
611 | 611 |
612 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; | 612 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; |
613 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) | 613 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) |
644 !allowDynamicOther); | 644 !allowDynamicOther); |
645 if (!allowAllInline() && allowAllInlineOther) | 645 if (!allowAllInline() && allowAllInlineOther) |
646 return false; | 646 return false; |
647 } | 647 } |
648 | 648 |
649 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); | 649 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); |
650 } | 650 } |
651 | 651 |
652 HeapHashMap<String, Member<CSPSource>> | 652 HeapHashMap<String, Member<CSPSource>> |
653 SourceListDirective::getIntersectSchemesOnly( | 653 SourceListDirective::getIntersectSchemesOnly( |
654 HeapVector<Member<CSPSource>> other) { | 654 const HeapVector<Member<CSPSource>>& other) const { |
655 HeapHashMap<String, Member<CSPSource>> schemesA; | 655 HeapHashMap<String, Member<CSPSource>> schemesA; |
656 for (const auto& sourceA : m_list) { | 656 for (const auto& sourceA : m_list) { |
657 if (sourceA->isSchemeOnly()) | 657 if (sourceA->isSchemeOnly()) |
658 addSourceToMap(schemesA, sourceA); | 658 addSourceToMap(schemesA, sourceA); |
659 } | 659 } |
660 // Add schemes only sources if they are present in both `this` and `other`, | 660 // Add schemes only sources if they are present in both `this` and `other`, |
661 // allowing upgrading `http` to `https` and `ws` to `wss`. | 661 // allowing upgrading `http` to `https` and `ws` to `wss`. |
662 HeapHashMap<String, Member<CSPSource>> intersect; | 662 HeapHashMap<String, Member<CSPSource>> intersect; |
663 for (const auto& sourceB : other) { | 663 for (const auto& sourceB : other) { |
664 if (sourceB->isSchemeOnly()) { | 664 if (sourceB->isSchemeOnly()) { |
665 if (schemesA.contains(sourceB->getScheme())) | 665 if (schemesA.contains(sourceB->getScheme())) |
666 addSourceToMap(intersect, sourceB); | 666 addSourceToMap(intersect, sourceB); |
667 else if (sourceB->getScheme() == "http" && schemesA.contains("https")) | 667 else if (sourceB->getScheme() == "http" && schemesA.contains("https")) |
668 intersect.add("https", schemesA.get("https")); | 668 intersect.add("https", schemesA.get("https")); |
669 else if (sourceB->getScheme() == "ws" && schemesA.contains("wss")) | 669 else if (sourceB->getScheme() == "ws" && schemesA.contains("wss")) |
670 intersect.add("wss", schemesA.get("wss")); | 670 intersect.add("wss", schemesA.get("wss")); |
671 } | 671 } |
672 } | 672 } |
673 | 673 |
674 return intersect; | 674 return intersect; |
675 } | 675 } |
676 | 676 |
677 HeapVector<Member<CSPSource>> SourceListDirective::getIntersectCSPSources( | 677 HeapVector<Member<CSPSource>> SourceListDirective::getIntersectCSPSources( |
678 HeapVector<Member<CSPSource>> other) { | 678 const HeapVector<Member<CSPSource>>& other) const { |
679 auto schemesMap = getIntersectSchemesOnly(other); | 679 auto schemesMap = getIntersectSchemesOnly(other); |
680 HeapVector<Member<CSPSource>> normalized; | 680 HeapVector<Member<CSPSource>> normalized; |
681 // Add all normalized scheme source expressions. | 681 // Add all normalized scheme source expressions. |
682 for (const auto& it : schemesMap) { | 682 for (const auto& it : schemesMap) { |
683 // We do not add secure versions if insecure schemes are present. | 683 // We do not add secure versions if insecure schemes are present. |
684 if ((it.key != "https" || !schemesMap.contains("http")) && | 684 if ((it.key != "https" || !schemesMap.contains("http")) && |
685 (it.key != "wss" || !schemesMap.contains("ws"))) { | 685 (it.key != "wss" || !schemesMap.contains("ws"))) { |
686 normalized.append(it.value); | 686 normalized.append(it.value); |
687 } | 687 } |
688 } | 688 } |
720 return normalized; | 720 return normalized; |
721 } | 721 } |
722 | 722 |
723 DEFINE_TRACE(SourceListDirective) { | 723 DEFINE_TRACE(SourceListDirective) { |
724 visitor->trace(m_policy); | 724 visitor->trace(m_policy); |
725 visitor->trace(m_list); | 725 visitor->trace(m_list); |
726 CSPDirective::trace(visitor); | 726 CSPDirective::trace(visitor); |
727 } | 727 } |
728 | 728 |
729 } // namespace blink | 729 } // namespace blink |
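Review bot: In SourceListDirective::subsumes, the 'self' expansion of `this` into normalizedA uses `other[0]->m_policy->getSelfSource()` rather than `m_policy->getSelfSource()`, so `this`'s 'self' is resolved against the other directive's policy origin while the const-ness change in this hunk leaves that unexplained; if that is deliberate (embedded enforcement resolving 'self' against the document being checked) it deserves a comment such as `// 'self' on both sides is resolved against other's policy origin, not m_policy.` — I cannot confirm the intent from this diff. The early exit `return other.size();` also makes a size_t-to-bool conversion do double duty for two distinct outcomes; `if (other.isEmpty()) return false; if (other[0]->isNone()) return true;` states them explicitly. subsumes continues past the collapsed region, so its remaining logic is not visible here. Separately, the scheme intersection in getIntersectSchemesOnly only upgrades in one direction (an `https:` in `other` against an `http:`-only `this` yields no entry), which is worth checking against how CSPSource matches `http:` to https URLs.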