1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
753 m_formAction.get(), url, | 753 m_formAction.get(), url, |
754 ContentSecurityPolicy::DirectiveType::FormAction, | 754 ContentSecurityPolicy::DirectiveType::FormAction, |
755 redirectStatus) | 755 redirectStatus) |
756 : checkSource(m_formAction.get(), url, redirectStatus); | 756 : checkSource(m_formAction.get(), url, redirectStatus); |
757 } | 757 } |
758 | 758 |
759 bool CSPDirectiveList::allowBaseURI( | 759 bool CSPDirectiveList::allowBaseURI( |
760 const KURL& url, | 760 const KURL& url, |
761 ResourceRequest::RedirectStatus redirectStatus, | 761 ResourceRequest::RedirectStatus redirectStatus, |
762 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 762 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
763 return reportingStatus == ContentSecurityPolicy::SendReport | 763 bool result = |
764 ? checkSourceAndReportViolation( | 764 reportingStatus == ContentSecurityPolicy::SendReport |
765 m_baseURI.get(), url, | 765 ? checkSourceAndReportViolation( |
766 ContentSecurityPolicy::DirectiveType::BaseURI, | 766 m_baseURI.get(), url, |
767 redirectStatus) | 767 ContentSecurityPolicy::DirectiveType::BaseURI, redirectStatus) |
768 : checkSource(m_baseURI.get(), url, redirectStatus); | 768 : checkSource(m_baseURI.get(), url, redirectStatus); |
| 769 |
| 770 if (result && |
| 771 !checkSource(operativeDirective(m_baseURI.get()), url, redirectStatus)) { |
| 772 UseCounter::count(m_policy->document(), |
| 773 UseCounter::BaseWouldBeBlockedByDefaultSrc); |
| 774 } |
| 775 |
| 776 return result; |
769 } | 777 } |
770 | 778 |
771 bool CSPDirectiveList::allowWorkerFromSource( | 779 bool CSPDirectiveList::allowWorkerFromSource( |
772 const KURL& url, | 780 const KURL& url, |
773 ResourceRequest::RedirectStatus redirectStatus, | 781 ResourceRequest::RedirectStatus redirectStatus, |
774 ContentSecurityPolicy::ReportingStatus reportingStatus) const { | 782 ContentSecurityPolicy::ReportingStatus reportingStatus) const { |
775 // 'worker-src' overrides 'child-src', which overrides the default | 783 // 'worker-src' overrides 'child-src', which overrides the default |
776 // sources. So, we do this nested set of calls to 'operativeDirective()' to | 784 // sources. So, we do this nested set of calls to 'operativeDirective()' to |
777 // grab 'worker-src' if it exists, 'child-src' if it doesn't, and 'defaut-src' | 785 // grab 'worker-src' if it exists, 'child-src' if it doesn't, and 'defaut-src' |
778 // if neither are available. | 786 // if neither are available. |
1290 visitor->trace(m_imgSrc); | 1298 visitor->trace(m_imgSrc); |
1291 visitor->trace(m_mediaSrc); | 1299 visitor->trace(m_mediaSrc); |
1292 visitor->trace(m_manifestSrc); | 1300 visitor->trace(m_manifestSrc); |
1293 visitor->trace(m_objectSrc); | 1301 visitor->trace(m_objectSrc); |
1294 visitor->trace(m_scriptSrc); | 1302 visitor->trace(m_scriptSrc); |
1295 visitor->trace(m_styleSrc); | 1303 visitor->trace(m_styleSrc); |
1296 visitor->trace(m_workerSrc); | 1304 visitor->trace(m_workerSrc); |
1297 } | 1305 } |
1298 | 1306 |
1299 } // namespace blink | 1307 } // namespace blink |
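Review bot: The counter added at new lines 770–774 of allowBaseURI can fire for a case it is not meant to measure: when a 'base-uri' directive is present, operativeDirective(m_baseURI.get()) yields that same directive, so if checkSourceAndReportViolation() returns true under a report-only policy even though the source was rejected (its body is not in the hunk, so this is inferred), a URL rejected by 'base-uri' itself would be counted as BaseWouldBeBlockedByDefaultSrc. Since the fallback to 'default-src' only matters when m_baseURI is absent, gating the probe on that makes the measurement accurate and skips the redundant second check: `if (!m_baseURI && result && !checkSource(operativeDirective(m_baseURI.get()), url, redirectStatus)) {`. The block also deserves a one-line comment stating its intent, e.g. `// Metrics only: count base URIs allowed today that would be blocked if 'base-uri' fell back to 'default-src'.` Finally, m_policy->document() may be null outside a Document context (e.g. workers); confirm the UseCounter::count overload used here tolerates a null document.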