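--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,109 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/content_security_policy/csp_context.h"
+
+namespace content {
+
+namespace {
+
+const GURL ExtractInnerURL(const GURL& url) {
+if (const GURL* inner_url = url.inner_url())
+return *inner_url;
+else
+// TODO(arthursonzogni): revisit this once GURL::inner_url support blob-URL.
+return GURL(url.path());
+}
+
+const GURL GetEffectiveURL(CSPContext* context, const GURL& url) {
+// Due to backwards-compatibility concerns, we allow 'self' to match blob and
+// filesystem inner URLs if we are in a context that bypasses
+// ContentSecurityPolicy in the main world.
+if (context->SelfSchemeShouldBypassCSP()) {
+if (url.SchemeIsFileSystem() || url.SchemeIsBlob())
+return ExtractInnerURL(url);
+}
+return url;
+}
+
+bool AllowFromSources(const GURL& url,
+const std::vector<CSPSource>& sources,
+CSPContext* context,
+bool is_redirect) {
+for (const CSPSource& source : sources) {
+if (CSPSource::Allow(source, url, context, is_redirect))
+return true;
+}
+return false;
+}
+
+}; // namespace
+
+CSPSourceList::CSPSourceList()
+: allow_self(false), allow_star(false), sources() {}
+
+CSPSourceList::CSPSourceList(bool allow_self,
+bool allow_star,
+std::vector<CSPSource> sources)
+: allow_self(allow_self), allow_star(allow_star), sources(sources) {}
+
+CSPSourceList::CSPSourceList(const CSPSourceList&) = default;
+CSPSourceList::~CSPSourceList() = default;
+
+// static
+bool CSPSourceList::Allow(const CSPSourceList& source_list,
+const GURL& url,
+CSPContext* context,
+bool is_redirect) {
+// Wildcards match network schemes ('http', 'https', 'ftp', 'ws', 'wss'), and
+// the scheme of the protected resource:
+// https://w3c.github.io/webappsec-csp/#match-url-to-source-expression. Other
+// schemes, including custom schemes, must be explicitly listed in a source
+// list.
+if (source_list.allow_star) {
+if (url.SchemeIsHTTPOrHTTPS() || url.SchemeIsSuborigin() ||
+url.SchemeIsWSOrWSS() || url.SchemeIs("ftp") ||
+context->ProtocolMatchesSelf(url))
+return true;
+
+return AllowFromSources(url, source_list.sources, context, is_redirect);
+}
+
+const GURL effective_url = GetEffectiveURL(context, url);
+
+if (source_list.allow_self && context->AllowSelf(effective_url))
+return true;
+
+return AllowFromSources(effective_url, source_list.sources, context,
+is_redirect);
+}
+
+std::string CSPSourceList::ToString() const {
+if (IsNone())
+return "'none'";
+if (allow_star)
+return "*";
+
+bool is_empty = true;
+std::stringstream text;
+if (allow_self) {
+text << "'self'";
+is_empty = false;
+}
+
+for (const auto& source : sources) {
+if (!is_empty)
+text << " ";
+text << source.ToString();
+is_empty = false;
+}
+
+return text.str();
+}
+
+bool CSPSourceList::IsNone() const {
+return !allow_self && !allow_star && sources.empty();
+}
+
+} // namespace content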
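Review bot: In `CSPSourceList::Allow`, once `allow_star` is true the function returns from inside the wildcard branch (`return AllowFromSources(url, source_list.sources, context, is_redirect);`) and never reaches the `allow_self` check, so `'self'` in a list such as `* 'self'` has no effect for a blob:/filesystem: URL in a context where `SelfSchemeShouldBypassCSP()` holds — the inner-URL substitution done by `GetEffectiveURL` is skipped and the raw URL is matched only against the explicitly listed sources. This fails closed, so it is an inconsistency between the two paths rather than a bypass, but it is not stated by the comment above the branch; if the intent is that `'self'` still applies there, a one-line guard before that return, `if (source_list.allow_self && context->AllowSelf(GetEffectiveURL(context, url))) return true;`, closes the gap, otherwise a comment saying that `*` supersedes `'self'` would document it. Two smaller points: the anonymous namespace is closed with a stray semicolon at `}; // namespace`, and the three-argument constructor copies its by-value parameter, `sources(sources)`, where `sources(std::move(sources))` is the conventional sink form.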