OLD | NEW |
---|---|
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "extensions/common/csp_validator.h" | 5 #include "extensions/common/csp_validator.h" |
6 | 6 |
7 #include <stddef.h> | 7 #include <stddef.h> |
8 | 8 |
9 #include <initializer_list> | |
9 #include <vector> | 10 #include <vector> |
10 | 11 |
12 #include "base/bind.h" | |
13 #include "base/callback.h" | |
11 #include "base/macros.h" | 14 #include "base/macros.h" |
12 #include "base/strings/string_split.h" | 15 #include "base/strings/string_split.h" |
13 #include "base/strings/string_tokenizer.h" | 16 #include "base/strings/string_tokenizer.h" |
14 #include "base/strings/string_util.h" | 17 #include "base/strings/string_util.h" |
18 #include "base/strings/stringprintf.h" | |
15 #include "content/public/common/url_constants.h" | 19 #include "content/public/common/url_constants.h" |
16 #include "extensions/common/constants.h" | 20 #include "extensions/common/constants.h" |
17 #include "extensions/common/error_utils.h" | 21 #include "extensions/common/error_utils.h" |
18 #include "extensions/common/install_warning.h" | 22 #include "extensions/common/install_warning.h" |
19 #include "extensions/common/manifest_constants.h" | 23 #include "extensions/common/manifest_constants.h" |
20 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" | 24 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
21 | 25 |
22 namespace extensions { | 26 namespace extensions { |
23 | 27 |
24 namespace csp_validator { | 28 namespace csp_validator { |
25 | 29 |
26 namespace { | 30 namespace { |
27 | 31 |
28 const char kDefaultSrc[] = "default-src"; | 32 const char kDefaultSrc[] = "default-src"; |
29 const char kScriptSrc[] = "script-src"; | 33 const char kScriptSrc[] = "script-src"; |
30 const char kObjectSrc[] = "object-src"; | 34 const char kObjectSrc[] = "object-src"; |
35 const char kFrameSrc[] = "frame-src"; | |
36 const char kChildSrc[] = "child-src"; | |
37 | |
38 const char kDirectiveSeparator = ';'; | |
39 | |
31 const char kPluginTypes[] = "plugin-types"; | 40 const char kPluginTypes[] = "plugin-types"; |
32 | 41 |
33 const char kObjectSrcDefaultDirective[] = "object-src 'self';"; | 42 const char kObjectSrcDefaultDirective[] = "object-src 'self';"; |
34 const char kScriptSrcDefaultDirective[] = "script-src 'self';"; | 43 const char kScriptSrcDefaultDirective[] = "script-src 'self';"; |
35 | 44 |
45 const char kAppSandboxSubframeSrcDefaultDirective[] = "child-src 'self';"; | |
46 const char kAppSandboxScriptSrcDefaultDirective[] = | |
47 "script-src 'self' 'unsafe-inline' 'unsafe-eval';"; | |
48 | |
36 const char kSandboxDirectiveName[] = "sandbox"; | 49 const char kSandboxDirectiveName[] = "sandbox"; |
37 const char kAllowSameOriginToken[] = "allow-same-origin"; | 50 const char kAllowSameOriginToken[] = "allow-same-origin"; |
38 const char kAllowTopNavigation[] = "allow-top-navigation"; | 51 const char kAllowTopNavigation[] = "allow-top-navigation"; |
39 | 52 |
40 // This is the list of plugin types which are fully sandboxed and are safe to | 53 // This is the list of plugin types which are fully sandboxed and are safe to |
41 // load up in an extension, regardless of the URL they are navigated to. | 54 // load up in an extension, regardless of the URL they are navigated to. |
42 const char* const kSandboxedPluginTypes[] = { | 55 const char* const kSandboxedPluginTypes[] = { |
43 "application/pdf", | 56 "application/pdf", |
44 "application/x-google-chrome-pdf", | 57 "application/x-google-chrome-pdf", |
45 "application/x-pnacl" | 58 "application/x-pnacl" |
46 }; | 59 }; |
47 | 60 |
48 // List of CSP hash-source prefixes that are accepted. Blink is a bit more | 61 // List of CSP hash-source prefixes that are accepted. Blink is a bit more |
49 // lenient, but we only accept standard hashes to be forward-compatible. | 62 // lenient, but we only accept standard hashes to be forward-compatible. |
50 // http://www.w3.org/TR/2015/CR-CSP2-20150721/#hash_algo | 63 // http://www.w3.org/TR/2015/CR-CSP2-20150721/#hash_algo |
51 const char* const kHashSourcePrefixes[] = { | 64 const char* const kHashSourcePrefixes[] = { |
52 "'sha256-", | 65 "'sha256-", |
53 "'sha384-", | 66 "'sha384-", |
54 "'sha512-" | 67 "'sha512-" |
55 }; | 68 }; |
56 | 69 |
57 struct DirectiveStatus { | 70 // Represents the status of a directive in a CSP string. |
58 explicit DirectiveStatus(const char* name) | 71 // |
59 : directive_name(name), seen_in_policy(false) {} | 72 // Examples of directive: |
73 // script source related: scrict-src | |
74 // subframe source related: child-src/frame-src. | |
75 class DirectiveStatus { | |
76 public: | |
77 // Subframe related directives can have multiple directive names: "child-src" | |
78 // or "frame-src". | |
79 DirectiveStatus(std::initializer_list<const char*> directives) | |
80 : directive_names_(directives.begin(), directives.end()) {} | |
60 | 81 |
61 const char* directive_name; | 82 // Returns true if |directive_name| matches this DirectiveStatus. |
62 bool seen_in_policy; | 83 bool Matches(const std::string& directive_name) const { |
84 for (const auto& directive : directive_names_) { | |
85 if (!base::CompareCaseInsensitiveASCII(directive_name, directive)) | |
86 return true; | |
87 } | |
88 return false; | |
89 } | |
90 | |
91 bool seen_in_policy() const { return seen_in_policy_; } | |
92 void set_seen_in_policy() { seen_in_policy_ = true; } | |
93 | |
94 std::string name() const { | |
Devlin
2016/12/22 17:04:32
const &?
lazyboy
2016/12/22 22:57:06
Done.
| |
95 DCHECK(!directive_names_.empty()); | |
96 return directive_names_[0]; | |
97 } | |
98 | |
99 private: | |
100 // The CSP directive names this DirectiveStatus cares about. | |
101 std::vector<std::string> directive_names_; | |
102 // Whether or not we've seen any directive name that matches |this|. | |
103 bool seen_in_policy_ = false; | |
63 }; | 104 }; |
Devlin
2016/12/22 17:04:32
Still missing disallow copy and assign from
https:
lazyboy
2016/12/22 22:57:06
Ah, my response to this didn't go thru:
we do copy
| |
64 | 105 |
65 // Returns whether |url| starts with |scheme_and_separator| and does not have a | 106 // Returns whether |url| starts with |scheme_and_separator| and does not have a |
66 // too permissive wildcard host name. If |should_check_rcd| is true, then the | 107 // too permissive wildcard host name. If |should_check_rcd| is true, then the |
67 // Public suffix list is used to exclude wildcard TLDs such as "https://*.org". | 108 // Public suffix list is used to exclude wildcard TLDs such as "https://*.org". |
68 bool isNonWildcardTLD(const std::string& url, | 109 bool isNonWildcardTLD(const std::string& url, |
69 const std::string& scheme_and_separator, | 110 const std::string& scheme_and_separator, |
70 bool should_check_rcd) { | 111 bool should_check_rcd) { |
71 if (!base::StartsWith(url, scheme_and_separator, | 112 if (!base::StartsWith(url, scheme_and_separator, |
72 base::CompareCase::SENSITIVE)) | 113 base::CompareCase::SENSITIVE)) |
73 return false; | 114 return false; |
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
116 if (host == "googleapis.com") | 157 if (host == "googleapis.com") |
117 return true; | 158 return true; |
118 | 159 |
119 // Wildcards on subdomains of a TLD are not allowed. | 160 // Wildcards on subdomains of a TLD are not allowed. |
120 return net::registry_controlled_domains::HostHasRegistryControlledDomain( | 161 return net::registry_controlled_domains::HostHasRegistryControlledDomain( |
121 host, net::registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES, | 162 host, net::registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES, |
122 net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES); | 163 net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES); |
123 } | 164 } |
124 | 165 |
125 // Checks whether the source is a syntactically valid hash. | 166 // Checks whether the source is a syntactically valid hash. |
126 bool IsHashSource(const std::string& source) { | 167 bool IsHashSource(base::StringPiece source) { |
168 if (source.empty() || source.back() != '\'') | |
169 return false; | |
170 | |
127 size_t hash_end = source.length() - 1; | 171 size_t hash_end = source.length() - 1; |
128 if (source.empty() || source[hash_end] != '\'') { | |
129 return false; | |
130 } | |
131 | |
132 for (const char* prefix : kHashSourcePrefixes) { | 172 for (const char* prefix : kHashSourcePrefixes) { |
133 if (base::StartsWith(source, prefix, | 173 if (base::StartsWith(source, prefix, |
134 base::CompareCase::INSENSITIVE_ASCII)) { | 174 base::CompareCase::INSENSITIVE_ASCII)) { |
135 for (size_t i = strlen(prefix); i < hash_end; ++i) { | 175 for (size_t i = strlen(prefix); i < hash_end; ++i) { |
136 const char c = source[i]; | 176 const char c = source[i]; |
137 // The hash must be base64-encoded. Do not allow any other characters. | 177 // The hash must be base64-encoded. Do not allow any other characters. |
138 if (!base::IsAsciiAlpha(c) && !base::IsAsciiDigit(c) && c != '+' && | 178 if (!base::IsAsciiAlpha(c) && !base::IsAsciiDigit(c) && c != '+' && |
139 c != '/' && c != '=') { | 179 c != '/' && c != '=') { |
140 return false; | 180 return false; |
141 } | 181 } |
142 } | 182 } |
143 return true; | 183 return true; |
144 } | 184 } |
145 } | 185 } |
146 return false; | 186 return false; |
147 } | 187 } |
148 | 188 |
149 InstallWarning CSPInstallWarning(const std::string& csp_warning) { | 189 InstallWarning CSPInstallWarning(const std::string& csp_warning) { |
150 return InstallWarning(csp_warning, manifest_keys::kContentSecurityPolicy); | 190 return InstallWarning(csp_warning, manifest_keys::kContentSecurityPolicy); |
151 } | 191 } |
152 | 192 |
153 void GetSecureDirectiveValues(const std::string& directive_name, | 193 std::string GetSecureDirectiveValues( |
154 base::StringTokenizer* tokenizer, | 194 int options, |
155 int options, | 195 const std::string& directive_name, |
156 std::vector<std::string>* sane_csp_parts, | 196 const std::vector<base::StringPiece>& directive_values, |
157 std::vector<InstallWarning>* warnings) { | 197 std::vector<InstallWarning>* warnings) { |
158 sane_csp_parts->push_back(directive_name); | 198 std::vector<std::string> sane_csp_parts(1, directive_name); |
159 while (tokenizer->GetNext()) { | 199 for (base::StringPiece source_literal : directive_values) { |
160 std::string source_literal = tokenizer->token(); | |
161 std::string source_lower = base::ToLowerASCII(source_literal); | 200 std::string source_lower = base::ToLowerASCII(source_literal); |
162 bool is_secure_csp_token = false; | 201 bool is_secure_csp_token = false; |
163 | 202 |
164 // We might need to relax this whitelist over time. | 203 // We might need to relax this whitelist over time. |
165 if (source_lower == "'self'" || source_lower == "'none'" || | 204 if (source_lower == "'self'" || source_lower == "'none'" || |
166 source_lower == "http://127.0.0.1" || source_lower == "blob:" || | 205 source_lower == "http://127.0.0.1" || source_lower == "blob:" || |
167 source_lower == "filesystem:" || source_lower == "http://localhost" || | 206 source_lower == "filesystem:" || source_lower == "http://localhost" || |
168 base::StartsWith(source_lower, "http://127.0.0.1:", | 207 base::StartsWith(source_lower, "http://127.0.0.1:", |
169 base::CompareCase::SENSITIVE) || | 208 base::CompareCase::SENSITIVE) || |
170 base::StartsWith(source_lower, "http://localhost:", | 209 base::StartsWith(source_lower, "http://localhost:", |
(...skipping 12 matching lines...) Expand all Loading... | |
183 } else if (base::StartsWith(source_lower, "chrome-extension-resource:", | 222 } else if (base::StartsWith(source_lower, "chrome-extension-resource:", |
184 base::CompareCase::SENSITIVE)) { | 223 base::CompareCase::SENSITIVE)) { |
185 // The "chrome-extension-resource" scheme has been removed from the | 224 // The "chrome-extension-resource" scheme has been removed from the |
186 // codebase, but it may still appear in existing CSPs. We continue to | 225 // codebase, but it may still appear in existing CSPs. We continue to |
187 // allow it here for compatibility. Requests on this scheme will not | 226 // allow it here for compatibility. Requests on this scheme will not |
188 // return any kind of network response. | 227 // return any kind of network response. |
189 is_secure_csp_token = true; | 228 is_secure_csp_token = true; |
190 } | 229 } |
191 | 230 |
192 if (is_secure_csp_token) { | 231 if (is_secure_csp_token) { |
193 sane_csp_parts->push_back(source_literal); | 232 sane_csp_parts.push_back(source_literal.as_string()); |
194 } else if (warnings) { | 233 } else if (warnings) { |
195 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( | 234 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( |
196 manifest_errors::kInvalidCSPInsecureValue, source_literal, | 235 manifest_errors::kInvalidCSPInsecureValue, source_literal.as_string(), |
197 directive_name))); | 236 directive_name))); |
198 } | 237 } |
199 } | 238 } |
200 // End of CSP directive that was started at the beginning of this method. If | 239 // End of CSP directive that was started at the beginning of this method. If |
201 // none of the values are secure, the policy will be empty and default to | 240 // none of the values are secure, the policy will be empty and default to |
202 // 'none', which is secure. | 241 // 'none', which is secure. |
203 sane_csp_parts->back().push_back(';'); | 242 sane_csp_parts.back().push_back(kDirectiveSeparator); |
243 return base::JoinString(sane_csp_parts, " "); | |
204 } | 244 } |
205 | 245 |
206 // Returns true if |directive_name| matches |status.directive_name|. | 246 // Given a CSP directive-token for app sandbox, returns a secure value of that |
207 bool UpdateStatus(const std::string& directive_name, | 247 // directive. |
208 base::StringTokenizer* tokenizer, | 248 // The directive-token's name is |directive_name| and its values are splitted |
209 DirectiveStatus* status, | 249 // into |directive_values|. |
210 int options, | 250 std::string GetAppSandboxSecureDirectiveValues( |
211 std::vector<std::string>* sane_csp_parts, | 251 const std::string& directive_name, |
212 std::vector<InstallWarning>* warnings) { | 252 const std::vector<base::StringPiece>& directive_values, |
213 if (directive_name != status->directive_name) | 253 std::vector<InstallWarning>* warnings) { |
214 return false; | 254 std::vector<std::string> sane_csp_parts(1, directive_name); |
255 bool seen_self_or_none = false; | |
256 for (base::StringPiece source_literal : directive_values) { | |
257 std::string source_lower = base::ToLowerASCII(source_literal); | |
215 | 258 |
216 if (!status->seen_in_policy) { | 259 // Keyword directive sources are surrounded with quotes, e.g. 'self', |
217 status->seen_in_policy = true; | 260 // 'sha256-...', 'unsafe-eval', 'nonce-...'. These do not specify a remote |
218 GetSecureDirectiveValues(directive_name, tokenizer, options, sane_csp_parts, | 261 // host or '*', so keep them and restrict the rest. |
219 warnings); | 262 if (source_lower.size() > 1u && source_lower[0] == '\'' && |
220 } else { | 263 source_lower.back() == '\'') { |
221 // Don't show any errors for duplicate CSP directives, because it will be | 264 seen_self_or_none |= source_lower == "'none'" || source_lower == "'self'"; |
222 // ignored by the CSP parser (http://www.w3.org/TR/CSP2/#policy-parsing). | 265 sane_csp_parts.push_back(source_lower); |
223 GetSecureDirectiveValues(directive_name, tokenizer, options, sane_csp_parts, | 266 } else if (warnings) { |
224 NULL); | 267 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( |
268 manifest_errors::kInvalidCSPInsecureValue, source_literal.as_string(), | |
269 directive_name))); | |
270 } | |
225 } | 271 } |
226 return true; | 272 |
273 // If we haven't seen any of 'self' or 'none', that means this directive | |
274 // value isn't secure. Specify 'self' to secure it. | |
275 if (!seen_self_or_none) | |
276 sane_csp_parts.push_back("'self'"); | |
277 | |
278 sane_csp_parts.back().push_back(kDirectiveSeparator); | |
279 return base::JoinString(sane_csp_parts, " "); | |
227 } | 280 } |
228 | 281 |
229 // Returns true if the |plugin_type| is one of the fully sandboxed plugin types. | 282 // Returns true if the |plugin_type| is one of the fully sandboxed plugin types. |
230 bool PluginTypeAllowed(const std::string& plugin_type) { | 283 bool PluginTypeAllowed(const std::string& plugin_type) { |
231 for (size_t i = 0; i < arraysize(kSandboxedPluginTypes); ++i) { | 284 for (size_t i = 0; i < arraysize(kSandboxedPluginTypes); ++i) { |
232 if (plugin_type == kSandboxedPluginTypes[i]) | 285 if (plugin_type == kSandboxedPluginTypes[i]) |
233 return true; | 286 return true; |
234 } | 287 } |
235 return false; | 288 return false; |
236 } | 289 } |
(...skipping 19 matching lines...) Expand all Loading... | |
256 if (!PluginTypeAllowed(tokenizer.token())) | 309 if (!PluginTypeAllowed(tokenizer.token())) |
257 return false; | 310 return false; |
258 } | 311 } |
259 // All listed plugin types are whitelisted. | 312 // All listed plugin types are whitelisted. |
260 return true; | 313 return true; |
261 } | 314 } |
262 // plugin-types not specified. | 315 // plugin-types not specified. |
263 return false; | 316 return false; |
264 } | 317 } |
265 | 318 |
319 using SecureDirectiveValueFunction = base::Callback<std::string( | |
320 const std::string& directive_name, | |
321 const std::vector<base::StringPiece>& directive_values, | |
322 std::vector<InstallWarning>* warnings)>; | |
323 | |
324 // Represents a token in CSP string. | |
325 // Tokens are delimited by ";" CSP string. | |
326 class CSPDirectiveToken { | |
327 public: | |
328 explicit CSPDirectiveToken(base::StringPiece directive_token) | |
329 : directive_token_(directive_token), | |
330 parsed_(false), | |
331 tokenizer_(directive_token.begin(), directive_token.end(), " \t\r\n") { | |
332 is_empty_ = !tokenizer_.GetNext(); | |
333 if (!is_empty_) | |
334 directive_name_ = tokenizer_.token(); | |
335 } | |
336 | |
337 // Returns true if this token affects |status|. In that case, the token's | |
338 // directive values are secured by |secure_function|. | |
339 bool MatchAndUpdateStatus(DirectiveStatus* status, | |
340 const SecureDirectiveValueFunction& secure_function, | |
341 std::vector<InstallWarning>* warnings) { | |
342 if (is_empty_ || !status->Matches(directive_name_)) | |
343 return false; | |
344 | |
345 EnsureTokenPartsParsed(); | |
346 | |
347 bool is_duplicate_directive = status->seen_in_policy(); | |
348 status->set_seen_in_policy(); | |
349 | |
350 secure_value_ = secure_function.Run( | |
351 directive_name_, directive_values_, | |
352 // Don't show any errors for duplicate CSP directives, because it will | |
353 // be ignored by the CSP parser | |
354 // (http://www.w3.org/TR/CSP2/#policy-parsing). Therefore, set warnings | |
355 // param to nullptr. | |
356 is_duplicate_directive ? nullptr : warnings); | |
357 return true; | |
358 } | |
359 | |
360 std::string ToString() { | |
361 if (secure_value_) | |
362 return secure_value_.value(); | |
363 // This token didn't require modification. | |
364 return base::StringPrintf("%s%c", directive_token_.as_string().c_str(), | |
365 kDirectiveSeparator); | |
366 } | |
367 | |
368 private: | |
369 void EnsureTokenPartsParsed() { | |
370 if (!parsed_) { | |
371 while (tokenizer_.GetNext()) | |
372 directive_values_.push_back(tokenizer_.token_piece()); | |
373 parsed_ = true; | |
374 } | |
375 } | |
376 | |
377 base::StringPiece directive_token_; | |
378 std::string directive_name_; | |
379 std::vector<base::StringPiece> directive_values_; | |
380 | |
381 base::Optional<std::string> secure_value_; | |
382 | |
383 bool is_empty_; | |
384 bool parsed_; | |
385 base::CStringTokenizer tokenizer_; | |
386 | |
387 DISALLOW_COPY_AND_ASSIGN(CSPDirectiveToken); | |
388 }; | |
389 | |
390 // Class responsible for parsing a given CSP string |policy|, and enforcing | |
391 // secure directive-tokens within the policy. | |
392 // | |
393 // If a CSP directive's value is not secure, this class will use secure | |
394 // values (via |secure_function|). If a CSP directive-token is not present and | |
395 // as a result will fallback to default (possibly non-secure), this class | |
396 // will use default secure values (via GetDefaultCSPValue). | |
397 class CSPEnforcer { | |
398 public: | |
399 CSPEnforcer(bool show_missing_csp_warnings, | |
400 const SecureDirectiveValueFunction& secure_function) | |
401 : show_missing_csp_warnings_(show_missing_csp_warnings), | |
402 secure_function_(secure_function) {} | |
403 virtual ~CSPEnforcer() {} | |
404 | |
405 // Returns the enforced CSP. | |
406 // Emits warnings in |warnings| for insecure directive values. If | |
407 // |show_missing_csp_warnings_| is true, these will also include missing CSP | |
408 // directive warnings. | |
409 std::string Enforce(const std::string& policy, | |
410 std::vector<InstallWarning>* warnings); | |
411 | |
412 protected: | |
413 virtual std::string GetDefaultCSPValue(const DirectiveStatus& status) = 0; | |
414 | |
415 // List of directives we care about. | |
416 std::vector<DirectiveStatus> directives_; | |
Devlin
2016/12/22 17:04:32
could we make these members private and pass in th
lazyboy
2016/12/22 22:57:06
Moved others except |directives_| as directives_ i
| |
417 | |
418 std::vector<std::string> enforced_csp_parts_; | |
Devlin
2016/12/22 17:04:32
Is this used?
lazyboy
2016/12/22 22:57:06
Good catch, removed.
| |
419 const bool show_missing_csp_warnings_; | |
420 const SecureDirectiveValueFunction secure_function_; | |
421 | |
422 DISALLOW_COPY_AND_ASSIGN(CSPEnforcer); | |
423 }; | |
424 | |
425 std::string CSPEnforcer::Enforce(const std::string& policy, | |
426 std::vector<InstallWarning>* warnings) { | |
427 DCHECK(!directives_.empty()); | |
428 std::vector<std::string> enforced_csp_parts; | |
429 | |
430 // If any directive that we care about isn't explicitly listed in |policy|, | |
431 // "default-src" fallback is used. | |
432 DirectiveStatus default_src_status({kDefaultSrc}); | |
433 std::vector<InstallWarning> default_src_csp_warnings; | |
434 | |
435 for (const base::StringPiece& directive_token : base::SplitStringPiece( | |
436 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY)) { | |
437 CSPDirectiveToken csp_directive_token(directive_token); | |
438 bool matches_enforcing_directive = false; | |
439 for (auto& directive_status : directives_) { | |
440 if (csp_directive_token.MatchAndUpdateStatus( | |
441 &directive_status, secure_function_, warnings)) { | |
442 matches_enforcing_directive = true; | |
443 break; | |
444 } | |
445 } | |
446 if (!matches_enforcing_directive) { | |
447 csp_directive_token.MatchAndUpdateStatus( | |
448 &default_src_status, secure_function_, &default_src_csp_warnings); | |
449 } | |
450 | |
451 enforced_csp_parts.push_back(csp_directive_token.ToString()); | |
452 } | |
453 | |
454 if (default_src_status.seen_in_policy()) { | |
455 for (const DirectiveStatus& directive_status : directives_) { | |
456 if (!directive_status.seen_in_policy()) { | |
457 // This |directive_status| falls back to "default-src". So warnings from | |
458 // "default-src" will apply. | |
459 if (warnings) { | |
460 warnings->insert(warnings->end(), default_src_csp_warnings.begin(), | |
461 default_src_csp_warnings.end()); | |
462 } | |
463 break; | |
464 } | |
465 } | |
466 } else { | |
467 // Did not see "default-src". | |
468 // Make sure we cover all sources from |directives_|. | |
469 for (const DirectiveStatus& directive_status : directives_) { | |
470 if (directive_status.seen_in_policy()) // Already covered. | |
471 continue; | |
472 enforced_csp_parts.push_back(GetDefaultCSPValue(directive_status)); | |
473 | |
474 if (warnings && show_missing_csp_warnings_) { | |
475 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( | |
476 manifest_errors::kInvalidCSPMissingSecureSrc, | |
477 directive_status.name()))); | |
478 } | |
479 } | |
480 } | |
481 | |
482 return base::JoinString(enforced_csp_parts, " "); | |
483 } | |
484 | |
485 class ExtensionCSPEnforcer : public CSPEnforcer { | |
486 public: | |
487 ExtensionCSPEnforcer(bool allow_insecure_object_src, int options) | |
488 : CSPEnforcer(true, base::Bind(&GetSecureDirectiveValues, options)) { | |
489 directives_.push_back(DirectiveStatus({kScriptSrc})); | |
490 if (!allow_insecure_object_src) | |
491 directives_.push_back(DirectiveStatus({kObjectSrc})); | |
492 } | |
493 | |
494 protected: | |
495 std::string GetDefaultCSPValue(const DirectiveStatus& status) override { | |
496 if (status.Matches(kObjectSrc)) | |
497 return kObjectSrcDefaultDirective; | |
498 DCHECK(status.Matches(kScriptSrc)); | |
499 return kScriptSrcDefaultDirective; | |
500 } | |
501 | |
502 private: | |
503 DISALLOW_COPY_AND_ASSIGN(ExtensionCSPEnforcer); | |
504 }; | |
505 | |
506 class AppSandboxPageCSPEnforcer : public CSPEnforcer { | |
507 public: | |
508 AppSandboxPageCSPEnforcer() | |
509 : CSPEnforcer(false, base::Bind(&GetAppSandboxSecureDirectiveValues)) { | |
510 directives_.push_back(DirectiveStatus({kChildSrc, kFrameSrc})); | |
511 directives_.push_back(DirectiveStatus({kScriptSrc})); | |
512 } | |
513 | |
514 protected: | |
515 std::string GetDefaultCSPValue(const DirectiveStatus& status) override { | |
516 if (status.Matches(kChildSrc)) | |
517 return kAppSandboxSubframeSrcDefaultDirective; | |
518 DCHECK(status.Matches(kScriptSrc)); | |
519 return kAppSandboxScriptSrcDefaultDirective; | |
520 } | |
521 | |
522 private: | |
523 DISALLOW_COPY_AND_ASSIGN(AppSandboxPageCSPEnforcer); | |
524 }; | |
525 | |
266 } // namespace | 526 } // namespace |
267 | 527 |
268 bool ContentSecurityPolicyIsLegal(const std::string& policy) { | 528 bool ContentSecurityPolicyIsLegal(const std::string& policy) { |
269 // We block these characters to prevent HTTP header injection when | 529 // We block these characters to prevent HTTP header injection when |
270 // representing the content security policy as an HTTP header. | 530 // representing the content security policy as an HTTP header. |
271 const char kBadChars[] = {',', '\r', '\n', '\0'}; | 531 const char kBadChars[] = {',', '\r', '\n', '\0'}; |
272 | 532 |
273 return policy.find_first_of(kBadChars, 0, arraysize(kBadChars)) == | 533 return policy.find_first_of(kBadChars, 0, arraysize(kBadChars)) == |
274 std::string::npos; | 534 std::string::npos; |
275 } | 535 } |
276 | 536 |
277 std::string SanitizeContentSecurityPolicy( | 537 std::string SanitizeContentSecurityPolicy( |
278 const std::string& policy, | 538 const std::string& policy, |
279 int options, | 539 int options, |
280 std::vector<InstallWarning>* warnings) { | 540 std::vector<InstallWarning>* warnings) { |
281 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm. | 541 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm. |
282 std::vector<std::string> directives = base::SplitString( | 542 std::vector<std::string> directives = base::SplitString( |
283 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL); | 543 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL); |
284 | 544 |
285 DirectiveStatus default_src_status(kDefaultSrc); | |
286 DirectiveStatus script_src_status(kScriptSrc); | |
287 DirectiveStatus object_src_status(kObjectSrc); | |
288 | |
289 bool allow_insecure_object_src = | 545 bool allow_insecure_object_src = |
290 AllowedToHaveInsecureObjectSrc(options, directives); | 546 AllowedToHaveInsecureObjectSrc(options, directives); |
291 | 547 |
292 std::vector<std::string> sane_csp_parts; | 548 ExtensionCSPEnforcer csp_enforcer(allow_insecure_object_src, options); |
293 std::vector<InstallWarning> default_src_csp_warnings; | 549 return csp_enforcer.Enforce(policy, warnings); |
294 for (size_t i = 0; i < directives.size(); ++i) { | 550 } |
295 std::string& input = directives[i]; | |
296 base::StringTokenizer tokenizer(input, " \t\r\n"); | |
297 if (!tokenizer.GetNext()) | |
298 continue; | |
299 | 551 |
300 std::string directive_name = base::ToLowerASCII(tokenizer.token_piece()); | 552 std::string GetEffectiveSandoxedPageCSP(const std::string& policy, |
301 if (UpdateStatus(directive_name, &tokenizer, &default_src_status, options, | 553 std::vector<InstallWarning>* warnings) { |
302 &sane_csp_parts, &default_src_csp_warnings)) | 554 AppSandboxPageCSPEnforcer csp_enforcer; |
303 continue; | 555 return csp_enforcer.Enforce(policy, warnings); |
304 if (UpdateStatus(directive_name, &tokenizer, &script_src_status, options, | |
305 &sane_csp_parts, warnings)) | |
306 continue; | |
307 if (!allow_insecure_object_src && | |
308 UpdateStatus(directive_name, &tokenizer, &object_src_status, options, | |
309 &sane_csp_parts, warnings)) | |
310 continue; | |
311 | |
312 // Pass the other CSP directives as-is without further validation. | |
313 sane_csp_parts.push_back(input + ";"); | |
314 } | |
315 | |
316 if (default_src_status.seen_in_policy) { | |
317 if (!script_src_status.seen_in_policy || | |
318 !object_src_status.seen_in_policy) { | |
319 // Insecure values in default-src are only relevant if either script-src | |
320 // or object-src is omitted. | |
321 if (warnings) | |
322 warnings->insert(warnings->end(), | |
323 default_src_csp_warnings.begin(), | |
324 default_src_csp_warnings.end()); | |
325 } | |
326 } else { | |
327 if (!script_src_status.seen_in_policy) { | |
328 sane_csp_parts.push_back(kScriptSrcDefaultDirective); | |
329 if (warnings) | |
330 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( | |
331 manifest_errors::kInvalidCSPMissingSecureSrc, kScriptSrc))); | |
332 } | |
333 if (!object_src_status.seen_in_policy && !allow_insecure_object_src) { | |
334 sane_csp_parts.push_back(kObjectSrcDefaultDirective); | |
335 if (warnings) | |
336 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( | |
337 manifest_errors::kInvalidCSPMissingSecureSrc, kObjectSrc))); | |
338 } | |
339 } | |
340 | |
341 return base::JoinString(sane_csp_parts, " "); | |
342 } | 556 } |
343 | 557 |
344 bool ContentSecurityPolicyIsSandboxed( | 558 bool ContentSecurityPolicyIsSandboxed( |
345 const std::string& policy, Manifest::Type type) { | 559 const std::string& policy, Manifest::Type type) { |
346 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm. | 560 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm. |
347 bool seen_sandbox = false; | 561 bool seen_sandbox = false; |
348 for (const std::string& input : base::SplitString( | 562 for (const std::string& input : base::SplitString( |
349 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) { | 563 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) { |
350 base::StringTokenizer tokenizer(input, " \t\r\n"); | 564 base::StringTokenizer tokenizer(input, " \t\r\n"); |
351 if (!tokenizer.GetNext()) | 565 if (!tokenizer.GetNext()) |
(...skipping 19 matching lines...) Expand all Loading... | |
371 } | 585 } |
372 } | 586 } |
373 } | 587 } |
374 | 588 |
375 return seen_sandbox; | 589 return seen_sandbox; |
376 } | 590 } |
377 | 591 |
378 } // namespace csp_validator | 592 } // namespace csp_validator |
379 | 593 |
380 } // namespace extensions | 594 } // namespace extensions |
OLD | NEW |