| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "content/common/content_security_policy/csp_context.h" |
| 6 |
| 7 namespace content { |
| 8 |
| 9 namespace { |
| 10 |
| 11 const GURL ExtractInnerURL(const GURL& url) { |
| 12 if (const GURL* inner_url = url.inner_url()) |
| 13 return *inner_url; |
| 14 else |
| 15 // TODO(arthursonzogni): revisit this once GURL::inner_url support blob-URL. |
| 16 return GURL(url.path()); |
| 17 } |
| 18 |
| 19 const GURL GetEffectiveURL(CSPContext* context, const GURL& url) { |
| 20 // Due to backwards-compatibility concerns, we allow 'self' to match blob and |
| 21 // filesystem inner URLs if we are in a context that bypasses |
| 22 // ContentSecurityPolicy in the main world. |
| 23 if (context->SelfSchemeShouldBypassCSP()) { |
| 24 if (url.SchemeIsFileSystem() || url.SchemeIsBlob()) |
| 25 return ExtractInnerURL(url); |
| 26 } |
| 27 return url; |
| 28 } |
| 29 |
| 30 }; // namespace |
| 31 |
| 32 CSPSourceList::CSPSourceList() |
| 33 : allow_self(false), allow_star(false), sources() {} |
| 34 |
| 35 CSPSourceList::CSPSourceList(bool allow_self, |
| 36 bool allow_star, |
| 37 std::vector<CSPSource> sources) |
| 38 : allow_self(allow_self), allow_star(allow_star), sources(sources) {} |
| 39 |
| 40 CSPSourceList::CSPSourceList(const CSPSourceList&) = default; |
| 41 CSPSourceList::~CSPSourceList() = default; |
| 42 |
| 43 bool CSPSourceList::Allow(CSPContext* context, |
| 44 const GURL& url, |
| 45 bool is_redirect) const { |
| 46 // Wildcards match network schemes ('http', 'https', 'ftp', 'ws', 'wss'), and |
| 47 // the scheme of the protected resource: |
| 48 // https://w3c.github.io/webappsec-csp/#match-url-to-source-expression. Other |
| 49 // schemes, including custom schemes, must be explicitly listed in a source |
| 50 // list. |
| 51 if (allow_star) { |
| 52 if (url.SchemeIsHTTPOrHTTPS() || url.SchemeIsSuborigin() || |
| 53 url.SchemeIsWSOrWSS() || url.SchemeIs("ftp") || |
| 54 context->ProtocolMatchesSelf(url)) |
| 55 return true; |
| 56 |
| 57 return AllowFromSources(context, url, is_redirect); |
| 58 } |
| 59 |
| 60 const GURL effective_url = GetEffectiveURL(context, url); |
| 61 |
| 62 if (allow_self && context->AllowSelf(effective_url)) |
| 63 return true; |
| 64 |
| 65 return AllowFromSources(context, effective_url, is_redirect); |
| 66 } |
| 67 |
| 68 bool CSPSourceList::AllowFromSources(CSPContext* context, |
| 69 const GURL& url, |
| 70 bool is_redirect) const { |
| 71 for (const CSPSource& source : sources) { |
| 72 if (source.Allow(context, url, is_redirect)) |
| 73 return true; |
| 74 } |
| 75 return false; |
| 76 } |
| 77 |
| 78 std::string CSPSourceList::ToString() const { |
| 79 if (IsNone()) |
| 80 return "'none'"; |
| 81 if (allow_star) |
| 82 return "*"; |
| 83 |
| 84 bool is_empty = true; |
| 85 std::stringstream text; |
| 86 if (allow_self) { |
| 87 text << "'self'"; |
| 88 is_empty = false; |
| 89 } |
| 90 |
| 91 for (const auto& source : sources) { |
| 92 if (!is_empty) |
| 93 text << " "; |
| 94 text << source.ToString(); |
| 95 is_empty = false; |
| 96 } |
| 97 |
| 98 return text.str(); |
| 99 } |
| 100 |
| 101 bool CSPSourceList::IsNone() const { |
| 102 return !allow_self && !allow_star && sources.empty(); |
| 103 } |
| 104 |
| 105 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2612793002:
Implement ContentSecurityPolicy on the browser-side. (Closed)
