1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
325 } | 325 } |
326 } | 326 } |
327 | 327 |
328 void ContentSecurityPolicy::reportAccumulatedHeaders( | 328 void ContentSecurityPolicy::reportAccumulatedHeaders( |
329 FrameLoaderClient* client) const { | 329 FrameLoaderClient* client) const { |
330 // Notify the embedder about headers that have accumulated before the | 330 // Notify the embedder about headers that have accumulated before the |
331 // navigation got committed. See comments in | 331 // navigation got committed. See comments in |
332 // addAndReportPolicyFromHeaderValue for more details and context. | 332 // addAndReportPolicyFromHeaderValue for more details and context. |
333 DCHECK(client); | 333 DCHECK(client); |
334 for (const auto& policy : m_policies) { | 334 for (const auto& policy : m_policies) { |
335 client->didAddContentSecurityPolicy(policy->header(), policy->headerType(), | 335 client->didAddContentSecurityPolicy( |
336 policy->headerSource()); | 336 policy->header(), policy->headerType(), policy->headerSource(), |
| 337 {policy->exposeForNavigationalChecks()}); |
337 } | 338 } |
338 } | 339 } |
339 | 340 |
340 void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue( | 341 void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue( |
341 const String& header, | 342 const String& header, |
342 ContentSecurityPolicyHeaderType type, | 343 ContentSecurityPolicyHeaderType type, |
343 ContentSecurityPolicyHeaderSource source) { | 344 ContentSecurityPolicyHeaderSource source) { |
344 // Notify about the new header, so that it can be reported back to the | 345 size_t previousPolicyCount = m_policies.size(); |
345 // browser process. This is needed in order to: | 346 addPolicyFromHeaderValue(header, type, source); |
346 // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now / | 347 if (document() && document()->frame()) { |
347 // short-term). | 348 // Notify about the new header, so that it can be reported back to the |
348 // 2) enforce CSP in the browser process (not yet / long-term - see | 349 // browser process. This is needed in order to: |
349 // https://crbug.com/376522). | 350 // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now / |
350 if (document() && document()->frame()) | 351 // short-term). |
351 document()->frame()->client()->didAddContentSecurityPolicy(header, type, | 352 // 2) enforce CSP in the browser process (long-term - see |
352 source); | 353 // https://crbug.com/376522). |
| 354 // TODO(arthursonzogni): policies are actually replicated (1) and some of |
| 355 // them are (or will) be enforced on the browser process (2). Stop doing (1) |
| 356 // when (2) is finished. |
353 | 357 |
354 addPolicyFromHeaderValue(header, type, source); | 358 // Zero, one or several policies could be produced by only one header. |
| 359 std::vector<blink::WebContentSecurityPolicyPolicy> policies; |
| 360 for (size_t i = previousPolicyCount; i < m_policies.size(); ++i) |
| 361 policies.push_back(m_policies[i]->exposeForNavigationalChecks()); |
| 362 document()->frame()->client()->didAddContentSecurityPolicy( |
| 363 header, type, source, policies); |
| 364 } |
355 } | 365 } |
356 | 366 |
357 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) { | 367 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) { |
358 m_overrideInlineStyleAllowed = value; | 368 m_overrideInlineStyleAllowed = value; |
359 } | 369 } |
360 | 370 |
361 void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url) { | 371 void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url) { |
362 // Create a temporary CSPSource so that 'self' expressions can be resolved | 372 // Create a temporary CSPSource so that 'self' expressions can be resolved |
363 // before we bind to an execution context (for 'frame-ancestor' resolution, | 373 // before we bind to an execution context (for 'frame-ancestor' resolution, |
364 // for example). This CSPSource will be overwritten when we bind this object | 374 // for example). This CSPSource will be overwritten when we bind this object |
1618 CSPDirectiveListVector otherVector; | 1628 CSPDirectiveListVector otherVector; |
1619 for (const auto& policy : other.m_policies) { | 1629 for (const auto& policy : other.m_policies) { |
1620 if (!policy->isReportOnly()) | 1630 if (!policy->isReportOnly()) |
1621 otherVector.push_back(policy); | 1631 otherVector.push_back(policy); |
1622 } | 1632 } |
1623 | 1633 |
1624 return m_policies[0]->subsumes(otherVector); | 1634 return m_policies[0]->subsumes(otherVector); |
1625 } | 1635 } |
1626 | 1636 |
1627 } // namespace blink | 1637 } // namespace blink |
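Review bot: The two notification paths now hand the embedder differently shaped data for the same header: addAndReportPolicyFromHeaderValue (new lines 358-363) reports the header once with every policy it produced, while reportAccumulatedHeaders (new line 335) iterates m_policies and re-reports each policy on its own with a single-element vector and that policy's stored header(), so a header that parsed into several policies presumably reaches the embedder as several one-policy notifications on the accumulated path but as one multi-policy notification on the direct path. If the browser-side consumer keys on the header value or counts notifications, the two paths will disagree; either group the accumulated policies by header or record the asymmetry, e.g. `// Unlike addAndReportPolicyFromHeaderValue, this reports each policy separately with its own header; a header that produced several policies is re-sent once per policy.` The loop at new line 360 also silently relies on addPolicyFromHeaderValue only ever appending to m_policies; a `DCHECK_GE(m_policies.size(), previousPolicyCount);` before the loop makes that invariant explicit, and `policies.reserve(m_policies.size() - previousPolicyCount);` avoids regrowth. Dropping the redundant `blink::` qualifier on new line 359 would match the unqualified types used elsewhere in this namespace.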