OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "extensions/common/csp_validator.h" | 5 #include "extensions/common/csp_validator.h" |
6 | 6 |
7 #include <stddef.h> | 7 #include <stddef.h> |
8 | 8 |
| 9 #include <initializer_list> |
9 #include <vector> | 10 #include <vector> |
10 | 11 |
| 12 #include "base/bind.h" |
| 13 #include "base/callback.h" |
11 #include "base/macros.h" | 14 #include "base/macros.h" |
12 #include "base/strings/string_split.h" | 15 #include "base/strings/string_split.h" |
13 #include "base/strings/string_tokenizer.h" | 16 #include "base/strings/string_tokenizer.h" |
14 #include "base/strings/string_util.h" | 17 #include "base/strings/string_util.h" |
| 18 #include "base/strings/stringprintf.h" |
15 #include "content/public/common/url_constants.h" | 19 #include "content/public/common/url_constants.h" |
16 #include "extensions/common/constants.h" | 20 #include "extensions/common/constants.h" |
17 #include "extensions/common/error_utils.h" | 21 #include "extensions/common/error_utils.h" |
18 #include "extensions/common/install_warning.h" | 22 #include "extensions/common/install_warning.h" |
19 #include "extensions/common/manifest_constants.h" | 23 #include "extensions/common/manifest_constants.h" |
20 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" | 24 #include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
21 | 25 |
22 namespace extensions { | 26 namespace extensions { |
23 | 27 |
24 namespace csp_validator { | 28 namespace csp_validator { |
25 | 29 |
26 namespace { | 30 namespace { |
27 | 31 |
28 const char kDefaultSrc[] = "default-src"; | 32 const char kDefaultSrc[] = "default-src"; |
29 const char kScriptSrc[] = "script-src"; | 33 const char kScriptSrc[] = "script-src"; |
30 const char kObjectSrc[] = "object-src"; | 34 const char kObjectSrc[] = "object-src"; |
| 35 const char kFrameSrc[] = "frame-src"; |
| 36 const char kChildSrc[] = "child-src"; |
| 37 |
| 38 const char kDirectiveSeparator = ';'; |
| 39 |
31 const char kPluginTypes[] = "plugin-types"; | 40 const char kPluginTypes[] = "plugin-types"; |
32 | 41 |
33 const char kObjectSrcDefaultDirective[] = "object-src 'self';"; | 42 const char kObjectSrcDefaultDirective[] = "object-src 'self';"; |
34 const char kScriptSrcDefaultDirective[] = "script-src 'self';"; | 43 const char kScriptSrcDefaultDirective[] = "script-src 'self';"; |
35 | 44 |
| 45 const char kAppSandboxSubframeSrcDefaultDirective[] = "child-src 'self';"; |
| 46 const char kAppSandboxScriptSrcDefaultDirective[] = |
| 47 "script-src 'self' 'unsafe-inline' 'unsafe-eval';"; |
| 48 |
36 const char kSandboxDirectiveName[] = "sandbox"; | 49 const char kSandboxDirectiveName[] = "sandbox"; |
37 const char kAllowSameOriginToken[] = "allow-same-origin"; | 50 const char kAllowSameOriginToken[] = "allow-same-origin"; |
38 const char kAllowTopNavigation[] = "allow-top-navigation"; | 51 const char kAllowTopNavigation[] = "allow-top-navigation"; |
39 | 52 |
40 // This is the list of plugin types which are fully sandboxed and are safe to | 53 // This is the list of plugin types which are fully sandboxed and are safe to |
41 // load up in an extension, regardless of the URL they are navigated to. | 54 // load up in an extension, regardless of the URL they are navigated to. |
42 const char* const kSandboxedPluginTypes[] = { | 55 const char* const kSandboxedPluginTypes[] = { |
43 "application/pdf", | 56 "application/pdf", |
44 "application/x-google-chrome-pdf", | 57 "application/x-google-chrome-pdf", |
45 "application/x-pnacl" | 58 "application/x-pnacl" |
46 }; | 59 }; |
47 | 60 |
48 // List of CSP hash-source prefixes that are accepted. Blink is a bit more | 61 // List of CSP hash-source prefixes that are accepted. Blink is a bit more |
49 // lenient, but we only accept standard hashes to be forward-compatible. | 62 // lenient, but we only accept standard hashes to be forward-compatible. |
50 // http://www.w3.org/TR/2015/CR-CSP2-20150721/#hash_algo | 63 // http://www.w3.org/TR/2015/CR-CSP2-20150721/#hash_algo |
51 const char* const kHashSourcePrefixes[] = { | 64 const char* const kHashSourcePrefixes[] = { |
52 "'sha256-", | 65 "'sha256-", |
53 "'sha384-", | 66 "'sha384-", |
54 "'sha512-" | 67 "'sha512-" |
55 }; | 68 }; |
56 | 69 |
57 struct DirectiveStatus { | 70 // Represents the status of a directive in a CSP string. |
58 explicit DirectiveStatus(const char* name) | 71 // |
59 : directive_name(name), seen_in_policy(false) {} | 72 // Examples of directive: |
| 73 // script source related: scrict-src |
| 74 // subframe source related: child-src/frame-src. |
| 75 class DirectiveStatus { |
| 76 public: |
| 77 // Subframe related directives can have multiple directive names: "child-src" |
| 78 // or "frame-src". |
| 79 DirectiveStatus(std::initializer_list<const char*> directives) |
| 80 : directive_names_(directives.begin(), directives.end()) {} |
60 | 81 |
61 const char* directive_name; | 82 // Returns true if |directive_name| matches this DirectiveStatus. |
62 bool seen_in_policy; | 83 bool Matches(const std::string& directive_name) const { |
| 84 for (const auto& directive : directive_names_) { |
| 85 if (!base::CompareCaseInsensitiveASCII(directive_name, directive)) |
| 86 return true; |
| 87 } |
| 88 return false; |
| 89 } |
| 90 |
| 91 bool seen_in_policy() const { return seen_in_policy_; } |
| 92 void set_seen_in_policy() { seen_in_policy_ = true; } |
| 93 |
| 94 const std::string& name() const { |
| 95 DCHECK(!directive_names_.empty()); |
| 96 return directive_names_[0]; |
| 97 } |
| 98 |
| 99 private: |
| 100 // The CSP directive names this DirectiveStatus cares about. |
| 101 std::vector<std::string> directive_names_; |
| 102 // Whether or not we've seen any directive name that matches |this|. |
| 103 bool seen_in_policy_ = false; |
| 104 |
| 105 DISALLOW_COPY_AND_ASSIGN(DirectiveStatus); |
63 }; | 106 }; |
64 | 107 |
65 // Returns whether |url| starts with |scheme_and_separator| and does not have a | 108 // Returns whether |url| starts with |scheme_and_separator| and does not have a |
66 // too permissive wildcard host name. If |should_check_rcd| is true, then the | 109 // too permissive wildcard host name. If |should_check_rcd| is true, then the |
67 // Public suffix list is used to exclude wildcard TLDs such as "https://*.org". | 110 // Public suffix list is used to exclude wildcard TLDs such as "https://*.org". |
68 bool isNonWildcardTLD(const std::string& url, | 111 bool isNonWildcardTLD(const std::string& url, |
69 const std::string& scheme_and_separator, | 112 const std::string& scheme_and_separator, |
70 bool should_check_rcd) { | 113 bool should_check_rcd) { |
71 if (!base::StartsWith(url, scheme_and_separator, | 114 if (!base::StartsWith(url, scheme_and_separator, |
72 base::CompareCase::SENSITIVE)) | 115 base::CompareCase::SENSITIVE)) |
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
116 if (host == "googleapis.com") | 159 if (host == "googleapis.com") |
117 return true; | 160 return true; |
118 | 161 |
119 // Wildcards on subdomains of a TLD are not allowed. | 162 // Wildcards on subdomains of a TLD are not allowed. |
120 return net::registry_controlled_domains::HostHasRegistryControlledDomain( | 163 return net::registry_controlled_domains::HostHasRegistryControlledDomain( |
121 host, net::registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES, | 164 host, net::registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES, |
122 net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES); | 165 net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES); |
123 } | 166 } |
124 | 167 |
125 // Checks whether the source is a syntactically valid hash. | 168 // Checks whether the source is a syntactically valid hash. |
126 bool IsHashSource(const std::string& source) { | 169 bool IsHashSource(base::StringPiece source) { |
| 170 if (source.empty() || source.back() != '\'') |
| 171 return false; |
| 172 |
127 size_t hash_end = source.length() - 1; | 173 size_t hash_end = source.length() - 1; |
128 if (source.empty() || source[hash_end] != '\'') { | |
129 return false; | |
130 } | |
131 | |
132 for (const char* prefix : kHashSourcePrefixes) { | 174 for (const char* prefix : kHashSourcePrefixes) { |
133 if (base::StartsWith(source, prefix, | 175 if (base::StartsWith(source, prefix, |
134 base::CompareCase::INSENSITIVE_ASCII)) { | 176 base::CompareCase::INSENSITIVE_ASCII)) { |
135 for (size_t i = strlen(prefix); i < hash_end; ++i) { | 177 for (size_t i = strlen(prefix); i < hash_end; ++i) { |
136 const char c = source[i]; | 178 const char c = source[i]; |
137 // The hash must be base64-encoded. Do not allow any other characters. | 179 // The hash must be base64-encoded. Do not allow any other characters. |
138 if (!base::IsAsciiAlpha(c) && !base::IsAsciiDigit(c) && c != '+' && | 180 if (!base::IsAsciiAlpha(c) && !base::IsAsciiDigit(c) && c != '+' && |
139 c != '/' && c != '=') { | 181 c != '/' && c != '=') { |
140 return false; | 182 return false; |
141 } | 183 } |
142 } | 184 } |
143 return true; | 185 return true; |
144 } | 186 } |
145 } | 187 } |
146 return false; | 188 return false; |
147 } | 189 } |
148 | 190 |
149 InstallWarning CSPInstallWarning(const std::string& csp_warning) { | 191 InstallWarning CSPInstallWarning(const std::string& csp_warning) { |
150 return InstallWarning(csp_warning, manifest_keys::kContentSecurityPolicy); | 192 return InstallWarning(csp_warning, manifest_keys::kContentSecurityPolicy); |
151 } | 193 } |
152 | 194 |
153 void GetSecureDirectiveValues(const std::string& directive_name, | 195 std::string GetSecureDirectiveValues( |
154 base::StringTokenizer* tokenizer, | 196 int options, |
155 int options, | 197 const std::string& directive_name, |
156 std::vector<std::string>* sane_csp_parts, | 198 const std::vector<base::StringPiece>& directive_values, |
157 std::vector<InstallWarning>* warnings) { | 199 std::vector<InstallWarning>* warnings) { |
158 sane_csp_parts->push_back(directive_name); | 200 std::vector<std::string> sane_csp_parts(1, directive_name); |
159 while (tokenizer->GetNext()) { | 201 for (base::StringPiece source_literal : directive_values) { |
160 std::string source_literal = tokenizer->token(); | |
161 std::string source_lower = base::ToLowerASCII(source_literal); | 202 std::string source_lower = base::ToLowerASCII(source_literal); |
162 bool is_secure_csp_token = false; | 203 bool is_secure_csp_token = false; |
163 | 204 |
164 // We might need to relax this whitelist over time. | 205 // We might need to relax this whitelist over time. |
165 if (source_lower == "'self'" || source_lower == "'none'" || | 206 if (source_lower == "'self'" || source_lower == "'none'" || |
166 source_lower == "http://127.0.0.1" || source_lower == "blob:" || | 207 source_lower == "http://127.0.0.1" || source_lower == "blob:" || |
167 source_lower == "filesystem:" || source_lower == "http://localhost" || | 208 source_lower == "filesystem:" || source_lower == "http://localhost" || |
168 base::StartsWith(source_lower, "http://127.0.0.1:", | 209 base::StartsWith(source_lower, "http://127.0.0.1:", |
169 base::CompareCase::SENSITIVE) || | 210 base::CompareCase::SENSITIVE) || |
170 base::StartsWith(source_lower, "http://localhost:", | 211 base::StartsWith(source_lower, "http://localhost:", |
(...skipping 12 matching lines...) Expand all Loading... |
183 } else if (base::StartsWith(source_lower, "chrome-extension-resource:", | 224 } else if (base::StartsWith(source_lower, "chrome-extension-resource:", |
184 base::CompareCase::SENSITIVE)) { | 225 base::CompareCase::SENSITIVE)) { |
185 // The "chrome-extension-resource" scheme has been removed from the | 226 // The "chrome-extension-resource" scheme has been removed from the |
186 // codebase, but it may still appear in existing CSPs. We continue to | 227 // codebase, but it may still appear in existing CSPs. We continue to |
187 // allow it here for compatibility. Requests on this scheme will not | 228 // allow it here for compatibility. Requests on this scheme will not |
188 // return any kind of network response. | 229 // return any kind of network response. |
189 is_secure_csp_token = true; | 230 is_secure_csp_token = true; |
190 } | 231 } |
191 | 232 |
192 if (is_secure_csp_token) { | 233 if (is_secure_csp_token) { |
193 sane_csp_parts->push_back(source_literal); | 234 sane_csp_parts.push_back(source_literal.as_string()); |
194 } else if (warnings) { | 235 } else if (warnings) { |
195 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( | 236 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( |
196 manifest_errors::kInvalidCSPInsecureValue, source_literal, | 237 manifest_errors::kInvalidCSPInsecureValue, source_literal.as_string(), |
197 directive_name))); | 238 directive_name))); |
198 } | 239 } |
199 } | 240 } |
200 // End of CSP directive that was started at the beginning of this method. If | 241 // End of CSP directive that was started at the beginning of this method. If |
201 // none of the values are secure, the policy will be empty and default to | 242 // none of the values are secure, the policy will be empty and default to |
202 // 'none', which is secure. | 243 // 'none', which is secure. |
203 sane_csp_parts->back().push_back(';'); | 244 sane_csp_parts.back().push_back(kDirectiveSeparator); |
| 245 return base::JoinString(sane_csp_parts, " "); |
204 } | 246 } |
205 | 247 |
206 // Returns true if |directive_name| matches |status.directive_name|. | 248 // Given a CSP directive-token for app sandbox, returns a secure value of that |
207 bool UpdateStatus(const std::string& directive_name, | 249 // directive. |
208 base::StringTokenizer* tokenizer, | 250 // The directive-token's name is |directive_name| and its values are splitted |
209 DirectiveStatus* status, | 251 // into |directive_values|. |
210 int options, | 252 std::string GetAppSandboxSecureDirectiveValues( |
211 std::vector<std::string>* sane_csp_parts, | 253 const std::string& directive_name, |
212 std::vector<InstallWarning>* warnings) { | 254 const std::vector<base::StringPiece>& directive_values, |
213 if (directive_name != status->directive_name) | 255 std::vector<InstallWarning>* warnings) { |
214 return false; | 256 std::vector<std::string> sane_csp_parts(1, directive_name); |
| 257 bool seen_self_or_none = false; |
| 258 for (base::StringPiece source_literal : directive_values) { |
| 259 std::string source_lower = base::ToLowerASCII(source_literal); |
215 | 260 |
216 if (!status->seen_in_policy) { | 261 // Keyword directive sources are surrounded with quotes, e.g. 'self', |
217 status->seen_in_policy = true; | 262 // 'sha256-...', 'unsafe-eval', 'nonce-...'. These do not specify a remote |
218 GetSecureDirectiveValues(directive_name, tokenizer, options, sane_csp_parts, | 263 // host or '*', so keep them and restrict the rest. |
219 warnings); | 264 if (source_lower.size() > 1u && source_lower[0] == '\'' && |
220 } else { | 265 source_lower.back() == '\'') { |
221 // Don't show any errors for duplicate CSP directives, because it will be | 266 seen_self_or_none |= source_lower == "'none'" || source_lower == "'self'"; |
222 // ignored by the CSP parser (http://www.w3.org/TR/CSP2/#policy-parsing). | 267 sane_csp_parts.push_back(source_lower); |
223 GetSecureDirectiveValues(directive_name, tokenizer, options, sane_csp_parts, | 268 } else if (warnings) { |
224 NULL); | 269 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( |
| 270 manifest_errors::kInvalidCSPInsecureValue, source_literal.as_string(), |
| 271 directive_name))); |
| 272 } |
225 } | 273 } |
226 return true; | 274 |
| 275 // If we haven't seen any of 'self' or 'none', that means this directive |
| 276 // value isn't secure. Specify 'self' to secure it. |
| 277 if (!seen_self_or_none) |
| 278 sane_csp_parts.push_back("'self'"); |
| 279 |
| 280 sane_csp_parts.back().push_back(kDirectiveSeparator); |
| 281 return base::JoinString(sane_csp_parts, " "); |
227 } | 282 } |
228 | 283 |
229 // Returns true if the |plugin_type| is one of the fully sandboxed plugin types. | 284 // Returns true if the |plugin_type| is one of the fully sandboxed plugin types. |
230 bool PluginTypeAllowed(const std::string& plugin_type) { | 285 bool PluginTypeAllowed(const std::string& plugin_type) { |
231 for (size_t i = 0; i < arraysize(kSandboxedPluginTypes); ++i) { | 286 for (size_t i = 0; i < arraysize(kSandboxedPluginTypes); ++i) { |
232 if (plugin_type == kSandboxedPluginTypes[i]) | 287 if (plugin_type == kSandboxedPluginTypes[i]) |
233 return true; | 288 return true; |
234 } | 289 } |
235 return false; | 290 return false; |
236 } | 291 } |
(...skipping 19 matching lines...) Expand all Loading... |
256 if (!PluginTypeAllowed(tokenizer.token())) | 311 if (!PluginTypeAllowed(tokenizer.token())) |
257 return false; | 312 return false; |
258 } | 313 } |
259 // All listed plugin types are whitelisted. | 314 // All listed plugin types are whitelisted. |
260 return true; | 315 return true; |
261 } | 316 } |
262 // plugin-types not specified. | 317 // plugin-types not specified. |
263 return false; | 318 return false; |
264 } | 319 } |
265 | 320 |
| 321 using SecureDirectiveValueFunction = base::Callback<std::string( |
| 322 const std::string& directive_name, |
| 323 const std::vector<base::StringPiece>& directive_values, |
| 324 std::vector<InstallWarning>* warnings)>; |
| 325 |
| 326 // Represents a token in CSP string. |
| 327 // Tokens are delimited by ";" CSP string. |
| 328 class CSPDirectiveToken { |
| 329 public: |
| 330 explicit CSPDirectiveToken(base::StringPiece directive_token) |
| 331 : directive_token_(directive_token), |
| 332 parsed_(false), |
| 333 tokenizer_(directive_token.begin(), directive_token.end(), " \t\r\n") { |
| 334 is_empty_ = !tokenizer_.GetNext(); |
| 335 if (!is_empty_) |
| 336 directive_name_ = tokenizer_.token(); |
| 337 } |
| 338 |
| 339 // Returns true if this token affects |status|. In that case, the token's |
| 340 // directive values are secured by |secure_function|. |
| 341 bool MatchAndUpdateStatus(DirectiveStatus* status, |
| 342 const SecureDirectiveValueFunction& secure_function, |
| 343 std::vector<InstallWarning>* warnings) { |
| 344 if (is_empty_ || !status->Matches(directive_name_)) |
| 345 return false; |
| 346 |
| 347 EnsureTokenPartsParsed(); |
| 348 |
| 349 bool is_duplicate_directive = status->seen_in_policy(); |
| 350 status->set_seen_in_policy(); |
| 351 |
| 352 secure_value_ = secure_function.Run( |
| 353 directive_name_, directive_values_, |
| 354 // Don't show any errors for duplicate CSP directives, because it will |
| 355 // be ignored by the CSP parser |
| 356 // (http://www.w3.org/TR/CSP2/#policy-parsing). Therefore, set warnings |
| 357 // param to nullptr. |
| 358 is_duplicate_directive ? nullptr : warnings); |
| 359 return true; |
| 360 } |
| 361 |
| 362 std::string ToString() { |
| 363 if (secure_value_) |
| 364 return secure_value_.value(); |
| 365 // This token didn't require modification. |
| 366 return base::StringPrintf("%s%c", directive_token_.as_string().c_str(), |
| 367 kDirectiveSeparator); |
| 368 } |
| 369 |
| 370 private: |
| 371 void EnsureTokenPartsParsed() { |
| 372 if (!parsed_) { |
| 373 while (tokenizer_.GetNext()) |
| 374 directive_values_.push_back(tokenizer_.token_piece()); |
| 375 parsed_ = true; |
| 376 } |
| 377 } |
| 378 |
| 379 base::StringPiece directive_token_; |
| 380 std::string directive_name_; |
| 381 std::vector<base::StringPiece> directive_values_; |
| 382 |
| 383 base::Optional<std::string> secure_value_; |
| 384 |
| 385 bool is_empty_; |
| 386 bool parsed_; |
| 387 base::CStringTokenizer tokenizer_; |
| 388 |
| 389 DISALLOW_COPY_AND_ASSIGN(CSPDirectiveToken); |
| 390 }; |
| 391 |
| 392 // Class responsible for parsing a given CSP string |policy|, and enforcing |
| 393 // secure directive-tokens within the policy. |
| 394 // |
| 395 // If a CSP directive's value is not secure, this class will use secure |
| 396 // values (via |secure_function|). If a CSP directive-token is not present and |
| 397 // as a result will fallback to default (possibly non-secure), this class |
| 398 // will use default secure values (via GetDefaultCSPValue). |
| 399 class CSPEnforcer { |
| 400 public: |
| 401 CSPEnforcer(bool show_missing_csp_warnings, |
| 402 const SecureDirectiveValueFunction& secure_function) |
| 403 : show_missing_csp_warnings_(show_missing_csp_warnings), |
| 404 secure_function_(secure_function) {} |
| 405 virtual ~CSPEnforcer() {} |
| 406 |
| 407 // Returns the enforced CSP. |
| 408 // Emits warnings in |warnings| for insecure directive values. If |
| 409 // |show_missing_csp_warnings_| is true, these will also include missing CSP |
| 410 // directive warnings. |
| 411 std::string Enforce(const std::string& policy, |
| 412 std::vector<InstallWarning>* warnings); |
| 413 |
| 414 protected: |
| 415 virtual std::string GetDefaultCSPValue(const DirectiveStatus& status) = 0; |
| 416 |
| 417 // List of directives we care about. |
| 418 std::vector<std::unique_ptr<DirectiveStatus>> directives_; |
| 419 |
| 420 private: |
| 421 const bool show_missing_csp_warnings_; |
| 422 const SecureDirectiveValueFunction secure_function_; |
| 423 |
| 424 DISALLOW_COPY_AND_ASSIGN(CSPEnforcer); |
| 425 }; |
| 426 |
| 427 std::string CSPEnforcer::Enforce(const std::string& policy, |
| 428 std::vector<InstallWarning>* warnings) { |
| 429 DCHECK(!directives_.empty()); |
| 430 std::vector<std::string> enforced_csp_parts; |
| 431 |
| 432 // If any directive that we care about isn't explicitly listed in |policy|, |
| 433 // "default-src" fallback is used. |
| 434 DirectiveStatus default_src_status({kDefaultSrc}); |
| 435 std::vector<InstallWarning> default_src_csp_warnings; |
| 436 |
| 437 for (const base::StringPiece& directive_token : base::SplitStringPiece( |
| 438 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY)) { |
| 439 CSPDirectiveToken csp_directive_token(directive_token); |
| 440 bool matches_enforcing_directive = false; |
| 441 for (const std::unique_ptr<DirectiveStatus>& status : directives_) { |
| 442 if (csp_directive_token.MatchAndUpdateStatus( |
| 443 status.get(), secure_function_, warnings)) { |
| 444 matches_enforcing_directive = true; |
| 445 break; |
| 446 } |
| 447 } |
| 448 if (!matches_enforcing_directive) { |
| 449 csp_directive_token.MatchAndUpdateStatus( |
| 450 &default_src_status, secure_function_, &default_src_csp_warnings); |
| 451 } |
| 452 |
| 453 enforced_csp_parts.push_back(csp_directive_token.ToString()); |
| 454 } |
| 455 |
| 456 if (default_src_status.seen_in_policy()) { |
| 457 for (const std::unique_ptr<DirectiveStatus>& status : directives_) { |
| 458 if (!status->seen_in_policy()) { |
| 459 // This |status| falls back to "default-src". So warnings from |
| 460 // "default-src" will apply. |
| 461 if (warnings) { |
| 462 warnings->insert(warnings->end(), default_src_csp_warnings.begin(), |
| 463 default_src_csp_warnings.end()); |
| 464 } |
| 465 break; |
| 466 } |
| 467 } |
| 468 } else { |
| 469 // Did not see "default-src". |
| 470 // Make sure we cover all sources from |directives_|. |
| 471 for (const std::unique_ptr<DirectiveStatus>& status : directives_) { |
| 472 if (status->seen_in_policy()) // Already covered. |
| 473 continue; |
| 474 enforced_csp_parts.push_back(GetDefaultCSPValue(*status)); |
| 475 |
| 476 if (warnings && show_missing_csp_warnings_) { |
| 477 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( |
| 478 manifest_errors::kInvalidCSPMissingSecureSrc, status->name()))); |
| 479 } |
| 480 } |
| 481 } |
| 482 |
| 483 return base::JoinString(enforced_csp_parts, " "); |
| 484 } |
| 485 |
| 486 class ExtensionCSPEnforcer : public CSPEnforcer { |
| 487 public: |
| 488 ExtensionCSPEnforcer(bool allow_insecure_object_src, int options) |
| 489 : CSPEnforcer(true, base::Bind(&GetSecureDirectiveValues, options)) { |
| 490 directives_.emplace_back(new DirectiveStatus({kScriptSrc})); |
| 491 if (!allow_insecure_object_src) |
| 492 directives_.emplace_back(new DirectiveStatus({kObjectSrc})); |
| 493 } |
| 494 |
| 495 protected: |
| 496 std::string GetDefaultCSPValue(const DirectiveStatus& status) override { |
| 497 if (status.Matches(kObjectSrc)) |
| 498 return kObjectSrcDefaultDirective; |
| 499 DCHECK(status.Matches(kScriptSrc)); |
| 500 return kScriptSrcDefaultDirective; |
| 501 } |
| 502 |
| 503 private: |
| 504 DISALLOW_COPY_AND_ASSIGN(ExtensionCSPEnforcer); |
| 505 }; |
| 506 |
| 507 class AppSandboxPageCSPEnforcer : public CSPEnforcer { |
| 508 public: |
| 509 AppSandboxPageCSPEnforcer() |
| 510 : CSPEnforcer(false, base::Bind(&GetAppSandboxSecureDirectiveValues)) { |
| 511 directives_.emplace_back(new DirectiveStatus({kChildSrc, kFrameSrc})); |
| 512 directives_.emplace_back(new DirectiveStatus({kScriptSrc})); |
| 513 } |
| 514 |
| 515 protected: |
| 516 std::string GetDefaultCSPValue(const DirectiveStatus& status) override { |
| 517 if (status.Matches(kChildSrc)) |
| 518 return kAppSandboxSubframeSrcDefaultDirective; |
| 519 DCHECK(status.Matches(kScriptSrc)); |
| 520 return kAppSandboxScriptSrcDefaultDirective; |
| 521 } |
| 522 |
| 523 private: |
| 524 DISALLOW_COPY_AND_ASSIGN(AppSandboxPageCSPEnforcer); |
| 525 }; |
| 526 |
266 } // namespace | 527 } // namespace |
267 | 528 |
268 bool ContentSecurityPolicyIsLegal(const std::string& policy) { | 529 bool ContentSecurityPolicyIsLegal(const std::string& policy) { |
269 // We block these characters to prevent HTTP header injection when | 530 // We block these characters to prevent HTTP header injection when |
270 // representing the content security policy as an HTTP header. | 531 // representing the content security policy as an HTTP header. |
271 const char kBadChars[] = {',', '\r', '\n', '\0'}; | 532 const char kBadChars[] = {',', '\r', '\n', '\0'}; |
272 | 533 |
273 return policy.find_first_of(kBadChars, 0, arraysize(kBadChars)) == | 534 return policy.find_first_of(kBadChars, 0, arraysize(kBadChars)) == |
274 std::string::npos; | 535 std::string::npos; |
275 } | 536 } |
276 | 537 |
277 std::string SanitizeContentSecurityPolicy( | 538 std::string SanitizeContentSecurityPolicy( |
278 const std::string& policy, | 539 const std::string& policy, |
279 int options, | 540 int options, |
280 std::vector<InstallWarning>* warnings) { | 541 std::vector<InstallWarning>* warnings) { |
281 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm. | 542 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm. |
282 std::vector<std::string> directives = base::SplitString( | 543 std::vector<std::string> directives = base::SplitString( |
283 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL); | 544 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL); |
284 | 545 |
285 DirectiveStatus default_src_status(kDefaultSrc); | |
286 DirectiveStatus script_src_status(kScriptSrc); | |
287 DirectiveStatus object_src_status(kObjectSrc); | |
288 | |
289 bool allow_insecure_object_src = | 546 bool allow_insecure_object_src = |
290 AllowedToHaveInsecureObjectSrc(options, directives); | 547 AllowedToHaveInsecureObjectSrc(options, directives); |
291 | 548 |
292 std::vector<std::string> sane_csp_parts; | 549 ExtensionCSPEnforcer csp_enforcer(allow_insecure_object_src, options); |
293 std::vector<InstallWarning> default_src_csp_warnings; | 550 return csp_enforcer.Enforce(policy, warnings); |
294 for (size_t i = 0; i < directives.size(); ++i) { | 551 } |
295 std::string& input = directives[i]; | |
296 base::StringTokenizer tokenizer(input, " \t\r\n"); | |
297 if (!tokenizer.GetNext()) | |
298 continue; | |
299 | 552 |
300 std::string directive_name = base::ToLowerASCII(tokenizer.token_piece()); | 553 std::string GetEffectiveSandoxedPageCSP(const std::string& policy, |
301 if (UpdateStatus(directive_name, &tokenizer, &default_src_status, options, | 554 std::vector<InstallWarning>* warnings) { |
302 &sane_csp_parts, &default_src_csp_warnings)) | 555 AppSandboxPageCSPEnforcer csp_enforcer; |
303 continue; | 556 return csp_enforcer.Enforce(policy, warnings); |
304 if (UpdateStatus(directive_name, &tokenizer, &script_src_status, options, | |
305 &sane_csp_parts, warnings)) | |
306 continue; | |
307 if (!allow_insecure_object_src && | |
308 UpdateStatus(directive_name, &tokenizer, &object_src_status, options, | |
309 &sane_csp_parts, warnings)) | |
310 continue; | |
311 | |
312 // Pass the other CSP directives as-is without further validation. | |
313 sane_csp_parts.push_back(input + ";"); | |
314 } | |
315 | |
316 if (default_src_status.seen_in_policy) { | |
317 if (!script_src_status.seen_in_policy || | |
318 !object_src_status.seen_in_policy) { | |
319 // Insecure values in default-src are only relevant if either script-src | |
320 // or object-src is omitted. | |
321 if (warnings) | |
322 warnings->insert(warnings->end(), | |
323 default_src_csp_warnings.begin(), | |
324 default_src_csp_warnings.end()); | |
325 } | |
326 } else { | |
327 if (!script_src_status.seen_in_policy) { | |
328 sane_csp_parts.push_back(kScriptSrcDefaultDirective); | |
329 if (warnings) | |
330 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( | |
331 manifest_errors::kInvalidCSPMissingSecureSrc, kScriptSrc))); | |
332 } | |
333 if (!object_src_status.seen_in_policy && !allow_insecure_object_src) { | |
334 sane_csp_parts.push_back(kObjectSrcDefaultDirective); | |
335 if (warnings) | |
336 warnings->push_back(CSPInstallWarning(ErrorUtils::FormatErrorMessage( | |
337 manifest_errors::kInvalidCSPMissingSecureSrc, kObjectSrc))); | |
338 } | |
339 } | |
340 | |
341 return base::JoinString(sane_csp_parts, " "); | |
342 } | 557 } |
343 | 558 |
344 bool ContentSecurityPolicyIsSandboxed( | 559 bool ContentSecurityPolicyIsSandboxed( |
345 const std::string& policy, Manifest::Type type) { | 560 const std::string& policy, Manifest::Type type) { |
346 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm. | 561 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm. |
347 bool seen_sandbox = false; | 562 bool seen_sandbox = false; |
348 for (const std::string& input : base::SplitString( | 563 for (const std::string& input : base::SplitString( |
349 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) { | 564 policy, ";", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) { |
350 base::StringTokenizer tokenizer(input, " \t\r\n"); | 565 base::StringTokenizer tokenizer(input, " \t\r\n"); |
351 if (!tokenizer.GetNext()) | 566 if (!tokenizer.GetNext()) |
(...skipping 19 matching lines...) Expand all Loading... |
371 } | 586 } |
372 } | 587 } |
373 } | 588 } |
374 | 589 |
375 return seen_sandbox; | 590 return seen_sandbox; |
376 } | 591 } |
377 | 592 |
378 } // namespace csp_validator | 593 } // namespace csp_validator |
379 | 594 |
380 } // namespace extensions | 595 } // namespace extensions |
OLD | NEW |