Index: third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp |
diff --git a/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp b/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp |
index 669c0ccc7d0b5e5c16abc696bccfbda857fc83ea..6d57492a6afca2a9ba460de89119dec20bfc3e50 100644 |
--- a/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp |
+++ b/third_party/WebKit/Source/core/frame/csp/SourceListDirective.cpp |
@@ -599,20 +599,33 @@ bool SourceListDirective::allowAllInline() const { |
!m_allowDynamic); |
} |
+HeapVector<Member<CSPSource>> SourceListDirective::getSources( |
+ Member<CSPSource> self) const { |
+ HeapVector<Member<CSPSource>> sources = m_list; |
+ if (m_allowStar) { |
+ sources.append(new CSPSource(m_policy, "ftp", String(), 0, String(), |
+ CSPSource::NoWildcard, CSPSource::NoWildcard)); |
+ sources.append(new CSPSource(m_policy, "ws", String(), 0, String(), |
+ CSPSource::NoWildcard, CSPSource::NoWildcard)); |
+ sources.append(new CSPSource(m_policy, "http", String(), 0, String(), |
+ CSPSource::NoWildcard, CSPSource::NoWildcard)); |
+ if (self) { |
+ sources.append(new CSPSource(m_policy, self->getScheme(), String(), 0, |
+ String(), CSPSource::NoWildcard, |
+ CSPSource::NoWildcard)); |
+ } |
+ } else if (m_allowSelf && self) { |
+ sources.append(self); |
+ } |
+ |
+ return sources; |
+} |
+ |
bool SourceListDirective::subsumes( |
const HeapVector<Member<SourceListDirective>>& other) const { |
- // TODO(amalika): Handle here special keywords. |
if (!other.size() || other[0]->isNone()) |
return other.size(); |
- HeapVector<Member<CSPSource>> normalizedA = m_list; |
- if (m_allowSelf && other[0]->m_policy->getSelfSource()) |
- normalizedA.append(other[0]->m_policy->getSelfSource()); |
- |
- HeapVector<Member<CSPSource>> normalizedB = other[0]->m_list; |
- if (other[0]->m_allowSelf && other[0]->m_policy->getSelfSource()) |
- normalizedB.append(other[0]->m_policy->getSelfSource()); |
- |
bool allowInlineOther = other[0]->m_allowInline; |
bool allowEvalOther = other[0]->m_allowEval; |
bool allowDynamicOther = other[0]->m_allowDynamic; |
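Review bot: The new `getSources` has no comment explaining why `*` is expanded to exactly `ftp`, `ws`, `http` plus the scheme of `self`, even though its result now feeds `subsumes`, which decides whether one policy is at least as strict as another. The list covers `https` and `wss` only if `CSPSource` scheme matching treats `http` and `ws` as also matching their secure variants, which is not visible in this hunk. If that assumption, or the set of schemes `*` matches at enforcement time, ever changes, subsumption would silently diverge from enforcement. I would add above the `if (m_allowStar)` branch something like `// '*' expands to the network schemes it matches; "http" and "ws" are expected to cover "https" and "wss" via CSPSource scheme matching. Keep in sync with the enforcement path.` The comment should also state that when `*` is present, `'self'` contributes only its scheme and not the full origin.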
@@ -621,6 +634,8 @@ bool SourceListDirective::subsumes( |
HashSet<String> noncesB = other[0]->m_nonces; |
HashSet<CSPHashValue> hashesB = other[0]->m_hashes; |
+ HeapVector<Member<CSPSource>> normalizedB = |
+ other[0]->getSources(other[0]->m_policy->getSelfSource()); |
for (size_t i = 1; i < other.size(); i++) { |
allowInlineOther = allowInlineOther && other[i]->m_allowInline; |
allowEvalOther = allowEvalOther && other[i]->m_allowEval; |
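Review bot: `other[0]->m_policy->getSelfSource()` can apparently be null, since `getSources` guards with `if (self)` and `m_allowSelf && self`, and in that case `'self'` is dropped from `normalizedB` without any signal. Dropping a source on the B side makes the embedded policy look narrower than what it declares, which pushes `subsumes` toward returning true. The same call builds `normalizedA` in the next hunk, where dropping a source is the conservative direction. If a null self source is reachable here, I would either document why omitting it is safe, for example `// No self source: 'self' matches nothing, so omitting it from B does not widen the result.` if that is indeed the case, or return false early when `other[0]->m_allowSelf` is set without a self source. The `for` loop body continues outside this hunk, so how `other[i]` resolves `'self'` is not visible.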
@@ -666,6 +681,9 @@ bool SourceListDirective::subsumes( |
return allowDynamicOther || !normalizedB.size(); |
} |
+ // If embedding CSP specifies `self`, `self` refers to the embedee's origin. |
+ HeapVector<Member<CSPSource>> normalizedA = |
+ getSources(other[0]->m_policy->getSelfSource()); |
return CSPSource::firstSubsumesSecond(normalizedA, normalizedB); |
} |
@@ -750,9 +768,8 @@ HeapVector<Member<CSPSource>> SourceListDirective::getIntersectCSPSources( |
} |
} |
- HeapVector<Member<CSPSource>> thisVector = m_list; |
- if (m_allowSelf && m_policy->getSelfSource()) |
- thisVector.append(m_policy->getSelfSource()); |
+ HeapVector<Member<CSPSource>> thisVector = |
+ getSources(m_policy->getSelfSource()); |
for (const auto& sourceA : thisVector) { |
if (schemesMap.contains(sourceA->getScheme())) |
continue; |
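Review bot: Switching `thisVector` to `getSources(m_policy->getSelfSource())` changes more than the removed lines suggest. When `m_allowStar` is set, the vector now also contains the scheme-only sources for `ftp`, `ws`, `http` and the scheme of self, and `'self'` is no longer appended as a full source. Nothing at this call site says that the intersection now starts from the expanded `*`; a short comment such as `// Includes the scheme expansion of '*'; 'self' is added as a source only when '*' is absent.` would help. A unit test that intersects a `*` policy with a host-source policy would pin the new result. The enclosing function starts before this hunk and continues after it.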