1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
66 enum HeaderType { | 66 enum HeaderType { |
67 Report, | 67 Report, |
68 Enforce, | 68 Enforce, |
69 }; | 69 }; |
70 | 70 |
71 enum ReportingStatus { | 71 enum ReportingStatus { |
72 SendReport, | 72 SendReport, |
73 SuppressReport | 73 SuppressReport |
74 }; | 74 }; |
75 | 75 |
| 76 enum HashAlgorithms { |
| 77 HashAlgorithmsNone = 0, |
| 78 HashAlgorithmsSha1 = 1 << 1, |
| 79 HashAlgorithmsSha256 = 1 << 2 |
| 80 }; |
| 81 |
76 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); | 82 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); |
77 void didReceiveHeader(const String&, HeaderType); | 83 void didReceiveHeader(const String&, HeaderType); |
78 | 84 |
79 // These functions are wrong because they assume that there is only one head
er. | 85 // These functions are wrong because they assume that there is only one head
er. |
80 // FIXME: Replace them with functions that return vectors. | 86 // FIXME: Replace them with functions that return vectors. |
81 const String& deprecatedHeader() const; | 87 const String& deprecatedHeader() const; |
82 HeaderType deprecatedHeaderType() const; | 88 HeaderType deprecatedHeaderType() const; |
83 | 89 |
84 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber&
contextLine, ReportingStatus = SendReport) const; | 90 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber&
contextLine, ReportingStatus = SendReport) const; |
85 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu
mber& contextLine, ReportingStatus = SendReport) const; | 91 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu
mber& contextLine, ReportingStatus = SendReport) const; |
86 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c
ontextLine, ReportingStatus = SendReport) const; | 92 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c
ontextLine, ReportingStatus = SendReport) const; |
87 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co
ntextLine, ReportingStatus = SendReport) const; | 93 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co
ntextLine, ReportingStatus = SendReport) const; |
88 bool allowEval(ScriptState* = 0, ReportingStatus = SendReport) const; | 94 bool allowEval(ScriptState* = 0, ReportingStatus = SendReport) const; |
89 bool allowPluginType(const String& type, const String& typeAttribute, const
KURL&, ReportingStatus = SendReport) const; | 95 bool allowPluginType(const String& type, const String& typeAttribute, const
KURL&, ReportingStatus = SendReport) const; |
90 | 96 |
91 bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const; | 97 bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const; |
92 bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const; | 98 bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const; |
93 bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) co
nst; | 99 bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) co
nst; |
94 bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const; | 100 bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const; |
95 bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const; | 101 bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const; |
96 bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const; | 102 bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const; |
97 bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const; | 103 bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const; |
98 bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const; | 104 bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const; |
99 bool allowFormAction(const KURL&, ReportingStatus = SendReport) const; | 105 bool allowFormAction(const KURL&, ReportingStatus = SendReport) const; |
100 bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const; | 106 bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const; |
| 107 // The nonce and hash allow functions are guaranteed to not have any side |
| 108 // effects, including reporting. |
101 bool allowScriptNonce(const String& nonce) const; | 109 bool allowScriptNonce(const String& nonce) const; |
102 bool allowStyleNonce(const String& nonce) const; | 110 bool allowStyleNonce(const String& nonce) const; |
| 111 bool allowScriptHash(const String& source) const; |
| 112 |
| 113 void usesScriptHashAlgorithms(uint8_t HashAlgorithms); |
103 | 114 |
104 ReflectedXSSDisposition reflectedXSSDisposition() const; | 115 ReflectedXSSDisposition reflectedXSSDisposition() const; |
105 | 116 |
106 void setOverrideAllowInlineStyle(bool); | 117 void setOverrideAllowInlineStyle(bool); |
107 | 118 |
108 bool isActive() const; | 119 bool isActive() const; |
109 void gatherReportURIs(DOMStringList&) const; | 120 void gatherReportURIs(DOMStringList&) const; |
110 | 121 |
111 void reportDirectiveAsSourceExpression(const String& directiveName, const St
ring& sourceExpression) const; | 122 void reportDirectiveAsSourceExpression(const String& directiveName, const St
ring& sourceExpression) const; |
112 void reportDuplicateDirective(const String&) const; | 123 void reportDuplicateDirective(const String&) const; |
113 void reportInvalidDirectiveValueCharacter(const String& directiveName, const
String& value) const; | 124 void reportInvalidDirectiveValueCharacter(const String& directiveName, const
String& value) const; |
114 void reportInvalidPathCharacter(const String& directiveName, const String& v
alue, const char) const; | 125 void reportInvalidPathCharacter(const String& directiveName, const String& v
alue, const char) const; |
115 void reportInvalidNonce(const String&) const; | |
116 void reportInvalidPluginTypes(const String&) const; | 126 void reportInvalidPluginTypes(const String&) const; |
117 void reportInvalidSandboxFlags(const String&) const; | 127 void reportInvalidSandboxFlags(const String&) const; |
118 void reportInvalidSourceExpression(const String& directiveName, const String
& source) const; | 128 void reportInvalidSourceExpression(const String& directiveName, const String
& source) const; |
119 void reportInvalidReflectedXSS(const String&) const; | 129 void reportInvalidReflectedXSS(const String&) const; |
120 void reportMissingReportURI(const String&) const; | 130 void reportMissingReportURI(const String&) const; |
121 void reportUnsupportedDirective(const String&) const; | 131 void reportUnsupportedDirective(const String&) const; |
122 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>
& reportURIs, const String& header); | 132 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>
& reportURIs, const String& header); |
123 | 133 |
124 void reportBlockedScriptExecutionToInspector(const String& directiveText) co
nst; | 134 void reportBlockedScriptExecutionToInspector(const String& directiveText) co
nst; |
125 | 135 |
142 void addPolicyFromHeaderValue(const String&, HeaderType); | 152 void addPolicyFromHeaderValue(const String&, HeaderType); |
143 | 153 |
144 bool shouldSendViolationReport(const String&) const; | 154 bool shouldSendViolationReport(const String&) const; |
145 void didSendViolationReport(const String&); | 155 void didSendViolationReport(const String&); |
146 | 156 |
147 ExecutionContextClient* m_client; | 157 ExecutionContextClient* m_client; |
148 bool m_overrideInlineStyleAllowed; | 158 bool m_overrideInlineStyleAllowed; |
149 CSPDirectiveListVector m_policies; | 159 CSPDirectiveListVector m_policies; |
150 | 160 |
151 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; | 161 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; |
| 162 |
| 163 // We put the hash functions used on the policy object so that we only need |
| 164 // to calculate a script hash once and then distribute it to all of the |
| 165 // directives for validation. |
| 166 uint8_t m_sourceHashAlgorithmsUsed; |
152 }; | 167 }; |
153 | 168 |
154 } | 169 } |
155 | 170 |
156 #endif | 171 #endif |
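Review bot: The new declaration `void usesScriptHashAlgorithms(uint8_t HashAlgorithms);` names its parameter after the `HashAlgorithms` enum type, which shadows the type inside that declaration and reads as if the type were the parameter; `void usesScriptHashAlgorithms(uint8_t algorithms); // bitwise-or of HashAlgorithms values` would be clearer. The flag values start at `1 << 1`, leaving bit 0 unused with nothing on the enum saying why; if that is deliberate, a one-line comment on `HashAlgorithmsSha1` would keep a later maintainer from "fixing" it, otherwise `1 << 0` is the expected first flag. `m_sourceHashAlgorithmsUsed` is a plain `uint8_t` member with no in-class initializer, so its initialization to `HashAlgorithmsNone` has to happen in the constructor, which is outside this section; please confirm it is set there rather than read before any `usesScriptHashAlgorithms` call. The member says "source" while the setter says "script" (`m_sourceHashAlgorithmsUsed` vs `usesScriptHashAlgorithms`); using one term for both would make the pairing obvious. The enclosing class declaration begins outside the visible lines.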