OLD | NEW |
---|---|
1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
7 | 7 |
8 #include <vector> | 8 #include <vector> |
9 | 9 |
10 #include "content/common/content_export.h" | 10 #include "content/common/content_export.h" |
11 #include "content/common/content_security_policy/csp_policy.h" | 11 #include "content/common/content_security_policy/csp_policy.h" |
12 #include "content/common/content_security_policy_header.h" | 12 #include "content/common/content_security_policy_header.h" |
13 #include "url/gurl.h" | 13 #include "url/gurl.h" |
14 #include "url/origin.h" | 14 #include "url/origin.h" |
15 | 15 |
16 namespace content { | 16 namespace content { |
17 | 17 |
18 struct CSPViolationParams; | |
19 | |
18 // A CSPContext define every dependencies that have to be implemented to be | 20 // A CSPContext define every dependencies that have to be implemented to be |
19 // able to check the Content-Security-Policy and report violations to the users. | 21 // able to check the Content-Security-Policy and report violations to the users. |
20 class CONTENT_EXPORT CSPContext { | 22 class CONTENT_EXPORT CSPContext { |
21 public: | 23 public: |
22 CSPContext(); | 24 CSPContext(); |
23 virtual ~CSPContext(); | 25 virtual ~CSPContext(); |
24 | 26 |
25 bool Allow(const std::vector<CSPPolicy>& policies, | 27 bool Allow(const std::vector<CSPPolicy>& policies, |
26 CSPDirective::Name directive_name, | 28 CSPDirective::Name directive_name, |
27 const GURL& url, | 29 const GURL& url, |
28 bool is_redirect = false); | 30 bool is_redirect = false); |
29 | 31 |
30 void SetSelf(const url::Origin origin); | 32 void SetSelf(const url::Origin origin); |
31 bool AllowSelf(const GURL& url); | 33 bool AllowSelf(const GURL& url); |
32 bool ProtocolMatchesSelf(const GURL& url); | 34 bool ProtocolMatchesSelf(const GURL& url); |
33 | 35 |
34 virtual void LogToConsole(const std::string& message); | 36 virtual void LogToConsole(const std::string& message); |
35 virtual void ReportViolation( | 37 virtual void ReportViolation(const CSPViolationParams& violation_params); |
36 const std::string& directive_text, | |
37 const std::string& effective_directive, | |
38 const std::string& message, | |
39 const GURL& blocked_url, | |
40 const std::vector<std::string>& report_end_points, | |
41 const std::string& header, | |
42 blink::WebContentSecurityPolicyType disposition); | |
43 | 38 |
44 bool SelfSchemeShouldBypassCSP(); | 39 bool SelfSchemeShouldBypassCSP(); |
45 | 40 |
46 private: | 41 private: |
47 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme); | 42 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme); |
48 | 43 |
49 bool has_self_ = false; | 44 bool has_self_ = false; |
50 std::string self_scheme_; | 45 std::string self_scheme_; |
51 CSPSource self_source_; | 46 CSPSource self_source_; |
52 | 47 |
53 DISALLOW_COPY_AND_ASSIGN(CSPContext); | 48 DISALLOW_COPY_AND_ASSIGN(CSPContext); |
54 }; | 49 }; |
55 | 50 |
51 // Used in CSPContext::ReportViolation() | |
52 struct CONTENT_EXPORT CSPViolationParams { | |
53 CSPViolationParams(); | |
54 CSPViolationParams(const std::string& directive, | |
55 const std::string& effective_directive, | |
56 const std::string& console_message, | |
57 const GURL& blocked_url, | |
58 const std::vector<std::string>& report_endpoints, | |
59 const std::string& header, | |
60 const blink::WebContentSecurityPolicyType& disposition, | |
61 bool followed_redirect); | |
62 CSPViolationParams(const CSPViolationParams& other); | |
63 ~CSPViolationParams(); | |
64 | |
65 // The name of the directive that infringe the policy. |directive| might be a | |
66 // directive that serves as a fallback to the |effective_directive|. | |
67 std::string directive; | |
68 | |
69 // The name the effective directive that was checked against. | |
70 std::string effective_directive; | |
71 | |
72 // The console message that was displayed to the user. | |
nasko
2017/02/15 21:28:44
"to be displayed"? This will be sent to the render
| |
73 std::string console_message; | |
74 | |
75 // The URL that was blocked by the policy. | |
76 GURL blocked_url; | |
77 | |
78 // The set of URI where a JSON-formatted report of the violation should be | |
79 // sent. | |
80 std::vector<std::string> report_endpoints; | |
81 | |
82 // The raw content security policy header that was infringed. | |
nasko
2017/02/15 21:28:44
nit: s/infringed/violated/
| |
83 std::string header; | |
84 | |
85 // Each policy has an associated disposition, which is either "enforce" or | |
86 // "report". | |
87 blink::WebContentSecurityPolicyType disposition; | |
88 | |
89 // Whether or not the violation happens after a redirect. | |
90 bool followed_redirect; | |
nasko
2017/02/15 21:28:44
nit: after_redirect?
arthursonzogni
2017/02/16 17:32:41
I followed the naming I've found in:
https://coder
| |
91 }; | |
92 | |
56 } // namespace content | 93 } // namespace content |
57 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 94 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
OLD | NEW |