| 1 /* | 1 /* |
| 2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| 68 Enforce, | 68 Enforce, |
| 69 PrefixedReport, | 69 PrefixedReport, |
| 70 PrefixedEnforce | 70 PrefixedEnforce |
| 71 }; | 71 }; |
| 72 | 72 |
| 73 enum ReportingStatus { | 73 enum ReportingStatus { |
| 74 SendReport, | 74 SendReport, |
| 75 SuppressReport | 75 SuppressReport |
| 76 }; | 76 }; |
| 77 | 77 |
| 78 enum HashFunctions { | |
| 79 HashFunctionsNone = 0x0, | |
| 80 HashFunctionsSha1 = 0x1, | |
| 81 HashFunctionsSha256 = 0x2 | |
| 82 }; | |
| 83 | |
| 78 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); | 84 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); |
| 79 void didReceiveHeader(const String&, HeaderType); | 85 void didReceiveHeader(const String&, HeaderType); |
| 80 | 86 |
| 81 // These functions are wrong because they assume that there is only one head er. | 87 // These functions are wrong because they assume that there is only one head er. |
| 82 // FIXME: Replace them with functions that return vectors. | 88 // FIXME: Replace them with functions that return vectors. |
| 83 const String& deprecatedHeader() const; | 89 const String& deprecatedHeader() const; |
| 84 HeaderType deprecatedHeaderType() const; | 90 HeaderType deprecatedHeaderType() const; |
| 85 | 91 |
| 86 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; | 92 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; |
| 87 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu mber& contextLine, ReportingStatus = SendReport) const; | 93 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu mber& contextLine, ReportingStatus = SendReport) const; |
| 88 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c ontextLine, ReportingStatus = SendReport) const; | 94 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c ontextLine, ReportingStatus = SendReport) const; |
| 89 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co ntextLine, ReportingStatus = SendReport) const; | 95 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co ntextLine, ReportingStatus = SendReport) const; |
| 90 bool allowEval(ScriptState* = 0, ReportingStatus = SendReport) const; | 96 bool allowEval(ScriptState* = 0, ReportingStatus = SendReport) const; |
| 91 bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ReportingStatus = SendReport) const; | 97 bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ReportingStatus = SendReport) const; |
| 92 | 98 |
| 93 bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const; | 99 bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 94 bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const; | 100 bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 95 bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) co nst; | 101 bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) co nst; |
| 96 bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const; | 102 bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 97 bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const; | 103 bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 98 bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const; | 104 bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 99 bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const; | 105 bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 100 bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const; | 106 bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const; |
| 101 bool allowFormAction(const KURL&, ReportingStatus = SendReport) const; | 107 bool allowFormAction(const KURL&, ReportingStatus = SendReport) const; |
| 102 bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const; | 108 bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const; |
| 103 bool allowScriptNonce(const String& nonce) const; | 109 bool allowScriptNonce(const String& nonce) const; |
| 104 bool allowStyleNonce(const String& nonce) const; | 110 bool allowStyleNonce(const String& nonce) const; |
| 111 bool allowScriptHash(const String& source) const; | |
| 112 | |
| 113 void usesScriptHashFunction(HashFunctions); | |
|
Mike West
2013/10/21 07:11:55
This can probably be private.
jww
2013/10/21 19:18:04
See responses below.
| |
| 105 | 114 |
| 106 ReflectedXSSDisposition reflectedXSSDisposition() const; | 115 ReflectedXSSDisposition reflectedXSSDisposition() const; |
| 107 | 116 |
| 108 void setOverrideAllowInlineStyle(bool); | 117 void setOverrideAllowInlineStyle(bool); |
| 109 | 118 |
| 110 bool isActive() const; | 119 bool isActive() const; |
| 111 void gatherReportURIs(DOMStringList&) const; | 120 void gatherReportURIs(DOMStringList&) const; |
| 112 | 121 |
| 113 void reportDirectiveAsSourceExpression(const String& directiveName, const St ring& sourceExpression) const; | 122 void reportDirectiveAsSourceExpression(const String& directiveName, const St ring& sourceExpression) const; |
| 114 void reportDuplicateDirective(const String&) const; | 123 void reportDuplicateDirective(const String&) const; |
| 115 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const; | 124 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const; |
| 116 void reportInvalidPathCharacter(const String& directiveName, const String& v alue, const char) const; | 125 void reportInvalidPathCharacter(const String& directiveName, const String& v alue, const char) const; |
| 117 void reportInvalidNonce(const String&) const; | |
| 118 void reportInvalidPluginTypes(const String&) const; | 126 void reportInvalidPluginTypes(const String&) const; |
| 119 void reportInvalidSandboxFlags(const String&) const; | 127 void reportInvalidSandboxFlags(const String&) const; |
| 120 void reportInvalidSourceExpression(const String& directiveName, const String & source) const; | 128 void reportInvalidSourceExpression(const String& directiveName, const String & source) const; |
| 121 void reportInvalidReflectedXSS(const String&) const; | 129 void reportInvalidReflectedXSS(const String&) const; |
| 122 void reportMissingReportURI(const String&) const; | 130 void reportMissingReportURI(const String&) const; |
| 123 void reportUnsupportedDirective(const String&) const; | 131 void reportUnsupportedDirective(const String&) const; |
| 124 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL> & reportURIs, const String& header); | 132 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL> & reportURIs, const String& header); |
| 125 | 133 |
| 126 void reportBlockedScriptExecutionToInspector(const String& directiveText) co nst; | 134 void reportBlockedScriptExecutionToInspector(const String& directiveText) co nst; |
| 127 | 135 |
| 144 void addPolicyFromHeaderValue(const String&, HeaderType); | 152 void addPolicyFromHeaderValue(const String&, HeaderType); |
| 145 | 153 |
| 146 bool shouldSendViolationReport(const String&) const; | 154 bool shouldSendViolationReport(const String&) const; |
| 147 void didSendViolationReport(const String&); | 155 void didSendViolationReport(const String&); |
| 148 | 156 |
| 149 ExecutionContext* m_executionContext; | 157 ExecutionContext* m_executionContext; |
| 150 bool m_overrideInlineStyleAllowed; | 158 bool m_overrideInlineStyleAllowed; |
| 151 CSPDirectiveListVector m_policies; | 159 CSPDirectiveListVector m_policies; |
| 152 | 160 |
| 153 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; | 161 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; |
| 162 | |
| 163 uint8_t m_sourceHashFunctionsUsed; | |
|
Mike West
2013/10/21 07:11:55
It surprises me that this is on the policy object,
jww
2013/10/21 19:18:04
I believe you answered this in your later comments
| |
| 154 }; | 164 }; |
| 155 | 165 |
| 156 } | 166 } |
| 157 | 167 |
| 158 #endif | 168 #endif |
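Review bot: The new `HashFunctions` values are flag bits (0x1, 0x2) and the new `uint8_t m_sourceHashFunctionsUsed` is evidently meant to hold them OR'd together, but nothing in the header says so and the field has no in-class initializer, so a reader cannot tell from this file that it must start at `HashFunctionsNone`; the constructor that would set it is outside the hunk. A short comment on the member would fix that: `// Bitmask of HashFunctions seen in script-src; must be initialised to HashFunctionsNone by the constructor.` The mutator `usesScriptHashFunction(HashFunctions)` reads like a query, so it deserves a one-line comment such as `// Records that a policy uses the given hash function so the matching digest is computed for inline scripts.` (this is inferred from the name and the member it presumably updates; confirm against the .cpp). The enum also only lists sha1 and sha256; if the CSP 1.1 draft's full hash-algo list (sha384/sha512) is intended later, a comment noting the bitmask has room for it, and that SHA-1 is retained only for spec compatibility, would help future readers.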