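--- a/<PATH-UNKNOWN>
+++ b/<PATH-UNKNOWN>
@@ -1,10 +1,10 @@
 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  * notice, this list of conditions and the following disclaimer in the
@@ -319,39 +319,49 @@
 }
 
 void ContentSecurityPolicy::reportAccumulatedHeaders(
     FrameLoaderClient* client) const {
   // Notify the embedder about headers that have accumulated before the
   // navigation got committed. See comments in
   // addAndReportPolicyFromHeaderValue for more details and context.
   DCHECK(client);
   for (const auto& policy : m_policies) {
     client->didAddContentSecurityPolicy(policy->header(), policy->headerType(),
-                                        policy->headerSource());
+                                        policy->headerSource(),
+                                        {policy->expose()});
   }
 }
 
 void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue(
     const String& header,
     ContentSecurityPolicyHeaderType type,
     ContentSecurityPolicyHeaderSource source) {
-  // Notify about the new header, so that it can be reported back to the
-  // browser process. This is needed in order to:
-  // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now /
-  // short-term).
-  // 2) enforce CSP in the browser process (not yet / long-term - see
-  // https://crbug.com/376522).
-  if (document() && document()->frame())
-    document()->frame()->client()->didAddContentSecurityPolicy(header, type,
-                                                               source);
+  size_t previousPolicyCount = m_policies.size();
+  addPolicyFromHeaderValue(header, type, source);
+  if (document() && document()->frame()) {
+    // Notify about the new header, so that it can be reported back to the
+    // browser process. This is needed in order to:
+    // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now /
+    // short-term).
+    // 2) enforce CSP in the browser process (long-term - see
+    // https://crbug.com/376522).
+    // TODO(arthursonzogni): policies are actually replicated (1) and some of
+    // them are (or will) be enforced on the browser process (2). Stop doing (1)
+    // when (2) is finished.
 
-  addPolicyFromHeaderValue(header, type, source);
+    // Zero, one or several policies could be produced by only one header.
+    std::vector<blink::WebContentSecurityPolicyPolicy> policies;
+    for (size_t i = previousPolicyCount; i < m_policies.size(); ++i)
+      policies.push_back(m_policies[i]->expose());
+    document()->frame()->client()->didAddContentSecurityPolicy(
+        header, type, source, policies);
+  }
 }
 
 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) {
   m_overrideInlineStyleAllowed = value;
 }
 
 void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url) {
   // Create a temporary CSPSource so that 'self' expressions can be resolved
   // before we bind to an execution context (for 'frame-ancestor' resolution,
   // for example). This CSPSource will be overwritten when we bind this object
@@ -1611,10 +1621,10 @@
   CSPDirectiveListVector otherVector;
   for (const auto& policy : other.m_policies) {
     if (!policy->isReportOnly())
       otherVector.push_back(policy);
   }
 
   return m_policies[0]->subsumes(otherVector);
 }
 
 } // namespace blink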
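Review bot: The two embedder notifications now disagree on how policies are batched: reportAccumulatedHeaders sends `{policy->expose()}`, exactly one policy per m_policies entry tagged with that entry's header()/headerType()/headerSource(), while addAndReportPolicyFromHeaderValue collects every policy produced by one header value into a single call. If one header value can yield several CSPDirectiveList entries (the new comment says "Zero, one or several policies could be produced by only one header"), the same header is reported once per entry on the accumulated path but once in total on the live path, so a browser-side consumer that keys on (header, type, source) may see a different count depending on whether the policy arrived before or after commit; this should be confirmed against the consumer or documented in reportAccumulatedHeaders with a comment such as `// Unlike addAndReportPolicyFromHeaderValue, this reports one policy per entry, so the same header may be reported more than once.`. Minor: the `std::vector` in addAndReportPolicyFromHeaderValue could `policies.reserve(m_policies.size() - previousPolicyCount);` before the loop, and the `blink::` qualifier on WebContentSecurityPolicyPolicy is redundant inside namespace blink.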