1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/SourceListDirective.h" | 5 #include "core/frame/csp/SourceListDirective.h" |
6 | 6 |
7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
9 #include "platform/network/ContentSecurityPolicyParsers.h" | 9 #include "platform/network/ContentSecurityPolicyParsers.h" |
10 #include "platform/weborigin/KURL.h" | 10 #include "platform/weborigin/KURL.h" |
592 if (type != ContentSecurityPolicy::DirectiveType::DefaultSrc && | 592 if (type != ContentSecurityPolicy::DirectiveType::DefaultSrc && |
593 type != ContentSecurityPolicy::DirectiveType::StyleSrc && | 593 type != ContentSecurityPolicy::DirectiveType::StyleSrc && |
594 type != ContentSecurityPolicy::DirectiveType::ScriptSrc) { | 594 type != ContentSecurityPolicy::DirectiveType::ScriptSrc) { |
595 return false; | 595 return false; |
596 } | 596 } |
597 return m_allowInline && !isHashOrNoncePresent() && | 597 return m_allowInline && !isHashOrNoncePresent() && |
598 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || | 598 (type != ContentSecurityPolicy::DirectiveType::ScriptSrc || |
599 !m_allowDynamic); | 599 !m_allowDynamic); |
600 } | 600 } |
601 | 601 |
602 HeapVector<Member<CSPSource>> SourceListDirective::getSources( | |
603 Member<CSPSource> self) const { | |
604 HeapVector<Member<CSPSource>> sources = m_list; | |
605 if (m_allowStar) { | |
606 sources.append(new CSPSource(m_policy, "ftp", String(), 0, String(), | |
607 CSPSource::NoWildcard, CSPSource::NoWildcard)); | |
608 sources.append(new CSPSource(m_policy, "ws", String(), 0, String(), | |
609 CSPSource::NoWildcard, CSPSource::NoWildcard)); | |
610 sources.append(new CSPSource(m_policy, "http", String(), 0, String(), | |
611 CSPSource::NoWildcard, CSPSource::NoWildcard)); | |
612 if (self) { | |
613 sources.append(new CSPSource(m_policy, self->getScheme(), String(), 0, | |
614 String(), CSPSource::NoWildcard, | |
615 CSPSource::NoWildcard)); | |
616 } | |
617 } else if (m_allowSelf && self) { | |
618 sources.append(self); | |
619 } | |
620 | |
621 return sources; | |
622 } | |
623 | |
602 bool SourceListDirective::subsumes( | 624 bool SourceListDirective::subsumes( |
603 const HeapVector<Member<SourceListDirective>>& other) const { | 625 const HeapVector<Member<SourceListDirective>>& other) const { |
604 // TODO(amalika): Handle here special keywords. | |
amalika
2016/12/07 13:20:53
Time to remove this :)
Mike West
2016/12/07 15:16:22
Yay \o/
| |
605 if (!other.size() || other[0]->isNone()) | 626 if (!other.size() || other[0]->isNone()) |
606 return other.size(); | 627 return other.size(); |
607 | 628 |
608 HeapVector<Member<CSPSource>> normalizedA = m_list; | |
609 if (m_allowSelf && other[0]->m_policy->getSelfSource()) | |
610 normalizedA.append(other[0]->m_policy->getSelfSource()); | |
611 | |
612 HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; | |
613 if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) | |
614 normalizedB.append(other[0]->m_policy->getSelfSource()); | |
615 | |
616 bool allowInlineOther = other[0]->m_allowInline; | 629 bool allowInlineOther = other[0]->m_allowInline; |
617 bool allowEvalOther = other[0]->m_allowEval; | 630 bool allowEvalOther = other[0]->m_allowEval; |
618 bool allowDynamicOther = other[0]->m_allowDynamic; | 631 bool allowDynamicOther = other[0]->m_allowDynamic; |
619 bool allowHashedAttributesOther = other[0]->m_allowHashedAttributes; | 632 bool allowHashedAttributesOther = other[0]->m_allowHashedAttributes; |
620 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); | 633 bool isHashOrNoncePresentOther = other[0]->isHashOrNoncePresent(); |
621 HashSet<String> noncesB = other[0]->m_nonces; | 634 HashSet<String> noncesB = other[0]->m_nonces; |
622 HashSet<CSPHashValue> hashesB = other[0]->m_hashes; | 635 HashSet<CSPHashValue> hashesB = other[0]->m_hashes; |
623 | 636 |
637 HeapVector<Member<CSPSource>> normalizedB = | |
638 other[0]->getSources(other[0]->m_policy->getSelfSource()); | |
624 for (size_t i = 1; i < other.size(); i++) { | 639 for (size_t i = 1; i < other.size(); i++) { |
625 allowInlineOther = allowInlineOther && other[i]->m_allowInline; | 640 allowInlineOther = allowInlineOther && other[i]->m_allowInline; |
626 allowEvalOther = allowEvalOther && other[i]->m_allowEval; | 641 allowEvalOther = allowEvalOther && other[i]->m_allowEval; |
627 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; | 642 allowDynamicOther = allowDynamicOther && other[i]->m_allowDynamic; |
628 allowHashedAttributesOther = | 643 allowHashedAttributesOther = |
629 allowHashedAttributesOther && other[i]->m_allowHashedAttributes; | 644 allowHashedAttributesOther && other[i]->m_allowHashedAttributes; |
630 isHashOrNoncePresentOther = | 645 isHashOrNoncePresentOther = |
631 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); | 646 isHashOrNoncePresentOther && other[i]->isHashOrNoncePresent(); |
632 noncesB = other[i]->getIntersectNonces(noncesB); | 647 noncesB = other[i]->getIntersectNonces(noncesB); |
633 hashesB = other[i]->getIntersectHashes(hashesB); | 648 hashesB = other[i]->getIntersectHashes(hashesB); |
659 // does allow, so the result is `false`. | 674 // does allow, so the result is `false`. |
660 if (!m_allowDynamic) | 675 if (!m_allowDynamic) |
661 return false; | 676 return false; |
662 // All keyword source expressions have been considered so only CSPSource | 677 // All keyword source expressions have been considered so only CSPSource |
663 // subsumption is left. However, `strict-dynamic` ignores all CSPSources so | 678 // subsumption is left. However, `strict-dynamic` ignores all CSPSources so |
664 // for subsumption to be true either `other` must allow `strict-dynamic` or | 679 // for subsumption to be true either `other` must allow `strict-dynamic` or |
665 // have no allowed CSPSources. | 680 // have no allowed CSPSources. |
666 return allowDynamicOther || !normalizedB.size(); | 681 return allowDynamicOther || !normalizedB.size(); |
667 } | 682 } |
668 | 683 |
684 HeapVector<Member<CSPSource>> normalizedA = | |
685 getSources(other[0]->m_policy->getSelfSource()); | |
Mike West
2016/12/07 15:16:22
Can you add a note explaining why you're using `ot
| |
669 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); | 686 return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); |
670 } | 687 } |
671 | 688 |
672 bool SourceListDirective::subsumesNoncesAndHashes( | 689 bool SourceListDirective::subsumesNoncesAndHashes( |
673 const HashSet<String>& nonces, | 690 const HashSet<String>& nonces, |
674 const HashSet<CSPHashValue> hashes) const { | 691 const HashSet<CSPHashValue> hashes) const { |
675 for (const auto& nonce : nonces) { | 692 for (const auto& nonce : nonces) { |
676 if (!m_nonces.contains(nonce)) | 693 if (!m_nonces.contains(nonce)) |
677 return false; | 694 return false; |
678 } | 695 } |
743 HeapVector<Member<CSPSource>> normalized; | 760 HeapVector<Member<CSPSource>> normalized; |
744 // Add all normalized scheme source expressions. | 761 // Add all normalized scheme source expressions. |
745 for (const auto& it : schemesMap) { | 762 for (const auto& it : schemesMap) { |
746 // We do not add secure versions if insecure schemes are present. | 763 // We do not add secure versions if insecure schemes are present. |
747 if ((it.key != "https" || !schemesMap.contains("http")) && | 764 if ((it.key != "https" || !schemesMap.contains("http")) && |
748 (it.key != "wss" || !schemesMap.contains("ws"))) { | 765 (it.key != "wss" || !schemesMap.contains("ws"))) { |
749 normalized.append(it.value); | 766 normalized.append(it.value); |
750 } | 767 } |
751 } | 768 } |
752 | 769 |
753 HeapVector<Member<CSPSource>> thisVector = m_list; | 770 HeapVector<Member<CSPSource>> thisVector = |
754 if (m_allowSelf && m_policy->getSelfSource()) | 771 getSources(m_policy->getSelfSource()); |
755 thisVector.append(m_policy->getSelfSource()); | |
756 for (const auto& sourceA : thisVector) { | 772 for (const auto& sourceA : thisVector) { |
757 if (schemesMap.contains(sourceA->getScheme())) | 773 if (schemesMap.contains(sourceA->getScheme())) |
758 continue; | 774 continue; |
759 | 775 |
760 CSPSource* match(nullptr); | 776 CSPSource* match(nullptr); |
761 for (const auto& sourceB : other) { | 777 for (const auto& sourceB : other) { |
762 // No need to add a host source expression if it is subsumed by the | 778 // No need to add a host source expression if it is subsumed by the |
763 // matching scheme source expression. | 779 // matching scheme source expression. |
764 if (schemesMap.contains(sourceB->getScheme())) | 780 if (schemesMap.contains(sourceB->getScheme())) |
765 continue; | 781 continue; |
783 return normalized; | 799 return normalized; |
784 } | 800 } |
785 | 801 |
786 DEFINE_TRACE(SourceListDirective) { | 802 DEFINE_TRACE(SourceListDirective) { |
787 visitor->trace(m_policy); | 803 visitor->trace(m_policy); |
788 visitor->trace(m_list); | 804 visitor->trace(m_list); |
789 CSPDirective::trace(visitor); | 805 CSPDirective::trace(visitor); |
790 } | 806 } |
791 | 807 |
792 } // namespace blink | 808 } // namespace blink |
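Review bot: The new `SourceListDirective::getSources` (new lines 602-622) has no header comment, and its silent edge case deserves one: when `self` is null both the self-scheme entry of the `*` expansion and the `'self'` expansion are skipped, so a directive that allows only `'self'` returns nothing beyond `m_list`. In `subsumes` that is fail-open for the embedded side — if `other[0]->m_policy->getSelfSource()` is null, `other`'s `'self'` contributes nothing to `normalizedB` and `firstSubsumesSecond` becomes easier to satisfy, whereas on the `this` side it only makes the check stricter; whether a null self source can actually reach this call site is not visible here and is worth confirming. I would add a header stating the contract (`*` expands to the scheme sources `ftp:`, `ws:`, `http:` plus `self`'s scheme, with the secure variants presumably left to CSPSource's scheme matching as the `schemesMap` normalization below also assumes; `'self'` expands to `self`; either expansion is dropped when `self` is null) and one line above the null checks: `// A null |self| drops the 'self' expansion entirely, so the result is not a complete allow-list in that case.` It is also worth noting in that header that the `m_allowStar` and `m_allowSelf` branches are intentionally exclusive — `*` with a non-null `self` appends only `self`'s scheme, never `self` itself — so a later reader does not "fix" it into a duplicate entry.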