OLD | NEW |
(Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "content/common/content_security_policy/csp_context.h" |
| 6 |
| 7 namespace content { |
| 8 |
| 9 namespace { |
| 10 |
| 11 const GURL ExtractInnerURL(const GURL& url) { |
| 12 if (const GURL* inner_url = url.inner_url()) |
| 13 return *inner_url; |
| 14 else |
| 15 // TODO(arthursonzogni): revisit this once GURL::inner_url support blob-URL. |
| 16 return GURL(url.path()); |
| 17 } |
| 18 |
| 19 const GURL GetEffectiveURL(CSPContext* context, const GURL& url) { |
| 20 // Due to backwards-compatibility concerns, we allow 'self' to match blob and |
| 21 // filesystem inner URLs if we are in a context that bypasses |
| 22 // ContentSecurityPolicy in the main world. |
| 23 if (context->SelfSchemeShouldBypassCSP()) { |
| 24 if (url.SchemeIsFileSystem() || url.SchemeIsBlob()) |
| 25 return ExtractInnerURL(url); |
| 26 } |
| 27 return url; |
| 28 } |
| 29 |
| 30 }; // namespace |
| 31 |
| 32 CSPSourceList::CSPSourceList() |
| 33 : allow_self(false), allow_star(false), source_list() {} |
| 34 |
| 35 CSPSourceList::CSPSourceList(bool allow_self, |
| 36 bool allow_star, |
| 37 std::vector<CSPSource> source_list) |
| 38 : allow_self(allow_self), |
| 39 allow_star(allow_star), |
| 40 source_list(source_list) {} |
| 41 |
| 42 CSPSourceList::CSPSourceList(const CSPSourceList&) = default; |
| 43 CSPSourceList::~CSPSourceList() = default; |
| 44 |
| 45 bool CSPSourceList::Allow(CSPContext* context, |
| 46 const GURL& url, |
| 47 bool is_redirect) const { |
| 48 // Wildcards match network schemes ('http', 'https', 'ftp', 'ws', 'wss'), and |
| 49 // the scheme of the protected resource: |
| 50 // https://w3c.github.io/webappsec-csp/#match-url-to-source-expression. Other |
| 51 // schemes, including custom schemes, must be explicitly listed in a source |
| 52 // list. |
| 53 if (allow_star) { |
| 54 if (url.SchemeIsHTTPOrHTTPS() || url.SchemeIsSuborigin() || |
| 55 url.SchemeIsWSOrWSS() || url.SchemeIs("ftp") || |
| 56 context->ProtocolMatchesSelf(url)) |
| 57 return true; |
| 58 |
| 59 return AllowFromSources(context, url, is_redirect); |
| 60 } |
| 61 |
| 62 const GURL effective_url = GetEffectiveURL(context, url); |
| 63 |
| 64 if (allow_self && context->AllowSelf(effective_url)) |
| 65 return true; |
| 66 |
| 67 return AllowFromSources(context, effective_url, is_redirect); |
| 68 } |
| 69 |
| 70 bool CSPSourceList::AllowFromSources(CSPContext* context, |
| 71 const GURL& url, |
| 72 bool is_redirect) const { |
| 73 for (const CSPSource& source : source_list) { |
| 74 if (source.Allow(context, url, is_redirect)) |
| 75 return true; |
| 76 } |
| 77 return false; |
| 78 } |
| 79 |
| 80 std::string CSPSourceList::ToString() const { |
| 81 if (IsNone()) |
| 82 return "'none'"; |
| 83 if (allow_star) |
| 84 return "*"; |
| 85 |
| 86 bool is_empty = true; |
| 87 std::stringstream text; |
| 88 if (allow_self) { |
| 89 text << "'self'"; |
| 90 is_empty = false; |
| 91 } |
| 92 |
| 93 for (const auto& source : source_list) { |
| 94 if (!is_empty) |
| 95 text << " "; |
| 96 text << source.ToString(); |
| 97 is_empty = false; |
| 98 } |
| 99 |
| 100 return text.str(); |
| 101 } |
| 102 |
| 103 bool CSPSourceList::IsNone() const { |
| 104 return !allow_self && !allow_star && source_list.empty(); |
| 105 } |
| 106 |
| 107 } // namespace content |
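Review bot: In `CSPSourceList::Allow`, `effective_url` is passed to the final `AllowFromSources` call as well as to the `'self'` check, while the comment in `GetEffectiveURL` only says that 'self' may match blob and filesystem inner URLs. In a context where `SelfSchemeShouldBypassCSP()` is true, each explicit source expression is therefore matched against the inner URL too, so a `blob:` or `filesystem:` URL can presumably pass on a host source without those schemes being listed (this depends on `CSPSource::Allow`, which is not shown here). If that is intended, the comment should say so, e.g. `// The inner URL is also used when matching the explicit source list, not only 'self'.`; if not, the last line of `Allow` should be `return AllowFromSources(context, url, is_redirect);`. Separately, the blob fallback in `ExtractInnerURL` returns `GURL(url.path())` without checking the result, so a blob URL whose path does not parse yields an invalid GURL that is handed to `AllowSelf` and to every source. Checking `is_valid()` on that GURL and falling back to the original `url` would keep matching on a well-formed value.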