| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| (...skipping 55 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 66 enum HeaderType { | 66 enum HeaderType { |
| 67 Report, | 67 Report, |
| 68 Enforce, | 68 Enforce, |
| 69 }; | 69 }; |
| 70 | 70 |
| 71 enum ReportingStatus { | 71 enum ReportingStatus { |
| 72 SendReport, | 72 SendReport, |
| 73 SuppressReport | 73 SuppressReport |
| 74 }; | 74 }; |
| 75 | 75 |
| 76 enum HashAlgorithms { |
| 77 HashAlgorithmsNone = 0, |
| 78 HashAlgorithmsSha1 = 1 << 1, |
| 79 HashAlgorithmsSha256 = 1 << 2 |
| 80 }; |
| 81 |
| 76 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); | 82 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); |
| 77 void didReceiveHeader(const String&, HeaderType); | 83 void didReceiveHeader(const String&, HeaderType); |
| 78 | 84 |
| 79 // These functions are wrong because they assume that there is only one head
er. | 85 // These functions are wrong because they assume that there is only one head
er. |
| 80 // FIXME: Replace them with functions that return vectors. | 86 // FIXME: Replace them with functions that return vectors. |
| 81 const String& deprecatedHeader() const; | 87 const String& deprecatedHeader() const; |
| 82 HeaderType deprecatedHeaderType() const; | 88 HeaderType deprecatedHeaderType() const; |
| 83 | 89 |
| 84 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber&
contextLine, ReportingStatus = SendReport) const; | 90 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber&
contextLine, ReportingStatus = SendReport) const; |
| 85 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu
mber& contextLine, ReportingStatus = SendReport) const; | 91 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu
mber& contextLine, ReportingStatus = SendReport) const; |
| 86 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c
ontextLine, ReportingStatus = SendReport) const; | 92 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c
ontextLine, ReportingStatus = SendReport) const; |
| 87 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co
ntextLine, ReportingStatus = SendReport) const; | 93 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co
ntextLine, ReportingStatus = SendReport) const; |
| 88 bool allowEval(ScriptState* = 0, ReportingStatus = SendReport) const; | 94 bool allowEval(ScriptState* = 0, ReportingStatus = SendReport) const; |
| 89 bool allowPluginType(const String& type, const String& typeAttribute, const
KURL&, ReportingStatus = SendReport) const; | 95 bool allowPluginType(const String& type, const String& typeAttribute, const
KURL&, ReportingStatus = SendReport) const; |
| 90 | 96 |
| 91 bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const; | 97 bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 92 bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const; | 98 bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 93 bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) co
nst; | 99 bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) co
nst; |
| 94 bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const; | 100 bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 95 bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const; | 101 bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 96 bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const; | 102 bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 97 bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const; | 103 bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const; |
| 98 bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const; | 104 bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const; |
| 99 bool allowFormAction(const KURL&, ReportingStatus = SendReport) const; | 105 bool allowFormAction(const KURL&, ReportingStatus = SendReport) const; |
| 100 bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const; | 106 bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const; |
| 107 // The nonce and hash allow functions are guaranteed to not have any side |
| 108 // effects, including reporting. |
| 101 bool allowScriptNonce(const String& nonce) const; | 109 bool allowScriptNonce(const String& nonce) const; |
| 102 bool allowStyleNonce(const String& nonce) const; | 110 bool allowStyleNonce(const String& nonce) const; |
| 111 bool allowScriptHash(const String& source) const; |
| 112 |
| 113 void usesScriptHashAlgorithms(uint8_t HashAlgorithms); |
| 103 | 114 |
| 104 ReflectedXSSDisposition reflectedXSSDisposition() const; | 115 ReflectedXSSDisposition reflectedXSSDisposition() const; |
| 105 | 116 |
| 106 void setOverrideAllowInlineStyle(bool); | 117 void setOverrideAllowInlineStyle(bool); |
| 107 | 118 |
| 108 bool isActive() const; | 119 bool isActive() const; |
| 109 void gatherReportURIs(DOMStringList&) const; | 120 void gatherReportURIs(DOMStringList&) const; |
| 110 | 121 |
| 111 void reportDirectiveAsSourceExpression(const String& directiveName, const St
ring& sourceExpression) const; | 122 void reportDirectiveAsSourceExpression(const String& directiveName, const St
ring& sourceExpression) const; |
| 112 void reportDuplicateDirective(const String&) const; | 123 void reportDuplicateDirective(const String&) const; |
| 113 void reportInvalidDirectiveValueCharacter(const String& directiveName, const
String& value) const; | 124 void reportInvalidDirectiveValueCharacter(const String& directiveName, const
String& value) const; |
| 114 void reportInvalidPathCharacter(const String& directiveName, const String& v
alue, const char) const; | 125 void reportInvalidPathCharacter(const String& directiveName, const String& v
alue, const char) const; |
| 115 void reportInvalidNonce(const String&) const; | |
| 116 void reportInvalidPluginTypes(const String&) const; | 126 void reportInvalidPluginTypes(const String&) const; |
| 117 void reportInvalidSandboxFlags(const String&) const; | 127 void reportInvalidSandboxFlags(const String&) const; |
| 118 void reportInvalidSourceExpression(const String& directiveName, const String
& source) const; | 128 void reportInvalidSourceExpression(const String& directiveName, const String
& source) const; |
| 119 void reportInvalidReflectedXSS(const String&) const; | 129 void reportInvalidReflectedXSS(const String&) const; |
| 120 void reportMissingReportURI(const String&) const; | 130 void reportMissingReportURI(const String&) const; |
| 121 void reportUnsupportedDirective(const String&) const; | 131 void reportUnsupportedDirective(const String&) const; |
| 122 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>
& reportURIs, const String& header); | 132 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>
& reportURIs, const String& header); |
| 123 | 133 |
| 124 void reportBlockedScriptExecutionToInspector(const String& directiveText) co
nst; | 134 void reportBlockedScriptExecutionToInspector(const String& directiveText) co
nst; |
| 125 | 135 |
| (...skipping 16 matching lines...) Expand all Loading... |
| 142 void addPolicyFromHeaderValue(const String&, HeaderType); | 152 void addPolicyFromHeaderValue(const String&, HeaderType); |
| 143 | 153 |
| 144 bool shouldSendViolationReport(const String&) const; | 154 bool shouldSendViolationReport(const String&) const; |
| 145 void didSendViolationReport(const String&); | 155 void didSendViolationReport(const String&); |
| 146 | 156 |
| 147 ExecutionContextClient* m_client; | 157 ExecutionContextClient* m_client; |
| 148 bool m_overrideInlineStyleAllowed; | 158 bool m_overrideInlineStyleAllowed; |
| 149 CSPDirectiveListVector m_policies; | 159 CSPDirectiveListVector m_policies; |
| 150 | 160 |
| 151 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; | 161 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; |
| 162 |
| 163 // We put the hash functions used on the policy object so that we only need |
| 164 // to calculate a script hash once and then distribute it to all of the |
| 165 // directives for validation. |
| 166 uint8_t m_sourceHashAlgorithmsUsed; |
| 152 }; | 167 }; |
| 153 | 168 |
| 154 } | 169 } |
| 155 | 170 |
| 156 #endif | 171 #endif |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 26481005:
Implementation of script hashes for CSP. (Closed)
Base URL: https://chromium.googlesource.com/chromium/blink.git@master