Chromium Code Reviews Chromium Code Reviews
Issue 2612793002:
Implement ContentSecurityPolicy on the browser-side. (Closed)
| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "content/common/content_security_policy/csp_context.h" | |
| 6 | |
| 7 namespace content { | |
| 8 | |
| 9 CSPContext::CSPContext() | |
| 10 : has_self_(false), | |
| 11 self_scheme_(""), | |
|
nasko
2017/02/17 01:03:15
nit: No need to initialize it to empty string expl
arthursonzogni
2017/02/17 09:30:22
Done.
| |
| 12 self_source_("", "", false, -1, false, "") {} | |
|
nasko
2017/02/17 01:03:16
s/""/std::string()/, use url::PORT_UNSPECIFIED as
arthursonzogni
2017/02/17 09:30:22
I have a default constructor that already does the
| |
| 13 CSPContext::~CSPContext() {} | |
| 14 | |
| 15 bool CSPContext::Allow(const std::vector<ContentSecurityPolicy>& policies, | |
| 16 CSPDirective::Name directive_name, | |
| 17 const GURL& url, | |
| 18 bool is_redirect) { | |
| 19 if (this->SchemeShouldBypassCSP(url.scheme_piece())) | |
|
nasko
2017/02/17 01:03:16
nit: Chromium code avoids using "this->".
arthursonzogni
2017/02/17 09:30:22
Done.
| |
| 20 return true; | |
| 21 | |
| 22 for (const auto& policy : policies) { | |
| 23 if (!ContentSecurityPolicy::Allow(policy, directive_name, url, this, | |
| 24 is_redirect)) | |
| 25 return false; | |
| 26 } | |
| 27 return true; | |
| 28 } | |
| 29 | |
| 30 void CSPContext::SetSelf(const url::Origin origin) { | |
| 31 if (origin.unique()) { | |
| 32 // TODO(arthursonzogni): Decide what to do with unique origins. | |
| 33 has_self_ = false; | |
| 34 return; | |
| 35 } | |
| 36 | |
| 37 if (origin.scheme() == "file") { | |
|
nasko
2017/02/17 01:03:17
nit: Please use symbolic constants, kFileScheme in
arthursonzogni
2017/02/17 09:30:22
Done.
| |
| 38 has_self_ = true; | |
| 39 self_scheme_ = "file"; | |
| 40 self_source_ = | |
| 41 CSPSource("file", "", false, url::PORT_UNSPECIFIED, false, ""); | |
| 42 return; | |
| 43 } | |
| 44 | |
| 45 has_self_ = true; | |
| 46 self_scheme_ = origin.scheme(); | |
| 47 self_source_ = CSPSource( | |
| 48 origin.scheme(), origin.host(), false, | |
| 49 origin.port() == 0 ? url::PORT_UNSPECIFIED : origin.port(), // port | |
| 50 false, ""); | |
| 51 } | |
| 52 | |
| 53 bool CSPContext::AllowSelf(const GURL& url) { | |
| 54 return has_self_ && CSPSource::Allow(self_source_, url, this); | |
| 55 } | |
| 56 | |
| 57 bool CSPContext::ProtocolMatchesSelf(const GURL& url) { | |
| 58 if (!has_self_) | |
| 59 return false; | |
| 60 if (self_scheme_ == url::kHttpScheme) | |
|
nasko
2017/02/17 01:03:17
What about httpS?
arthursonzogni
2017/02/17 09:30:22
I don't know what is the correct behavior, but at
| |
| 61 return url.SchemeIsHTTPOrHTTPS() || url.SchemeIsSuborigin(); | |
| 62 return url.SchemeIs(self_scheme_); | |
| 63 } | |
| 64 | |
| 65 void CSPContext::LogToConsole(const std::string& message) { | |
| 66 return; | |
| 67 } | |
| 68 | |
| 69 bool CSPContext::SchemeShouldBypassCSP(const base::StringPiece& scheme) { | |
| 70 return false; | |
| 71 } | |
| 72 | |
| 73 bool CSPContext::SelfSchemeShouldBypassCSP() { | |
| 74 if (!has_self_) | |
| 75 return false; | |
| 76 return SchemeShouldBypassCSP(self_scheme_); | |
|
nasko
2017/02/17 01:03:16
This method isn't virtual, so it cannot be overrid
arthursonzogni
2017/02/17 09:30:22
SchemeShouldBypassCSP is virtual :)
| |
| 77 } | |
| 78 | |
| 79 void CSPContext::ReportViolation( | |
| 80 const std::string& directive_text, | |
| 81 const std::string& effective_directive, | |
| 82 const std::string& message, | |
| 83 const GURL& blocked_url, | |
| 84 const std::vector<std::string>& report_end_points, | |
| 85 const std::string& header, | |
| 86 blink::WebContentSecurityPolicyType disposition) { | |
| 87 return; | |
| 88 } | |
| 89 | |
| 90 } // namespace content | |
| OLD | NEW |
