OLD | NEW |
---|---|
1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
7 | 7 |
8 #include <vector> | 8 #include <vector> |
9 | 9 |
10 #include "content/common/content_export.h" | 10 #include "content/common/content_export.h" |
11 #include "content/common/content_security_policy/content_security_policy.h" | 11 #include "content/common/content_security_policy/content_security_policy.h" |
12 #include "content/common/content_security_policy_header.h" | 12 #include "content/common/content_security_policy_header.h" |
13 #include "url/gurl.h" | 13 #include "url/gurl.h" |
14 #include "url/origin.h" | 14 #include "url/origin.h" |
15 | 15 |
16 namespace content { | 16 namespace content { |
17 | 17 |
18 struct CSPViolationParams; | |
19 | |
18 // A CSPContext represents the system on which the Content-Security-Policy are | 20 // A CSPContext represents the system on which the Content-Security-Policy are |
19 // enforced. One must define via its virtual methods how to report violations, | 21 // enforced. One must define via its virtual methods how to report violations, |
20 // how to log messages on the console and what is the set of scheme that bypass | 22 // how to log messages on the console and what is the set of scheme that bypass |
21 // the CSP. | 23 // the CSP. |
22 // Its main implementation is in content/browser/frame_host/csp_context_impl.h | 24 // Its main implementation is in content/browser/frame_host/csp_context_impl.h |
23 class CONTENT_EXPORT CSPContext { | 25 class CONTENT_EXPORT CSPContext { |
24 public: | 26 public: |
25 CSPContext(); | 27 CSPContext(); |
26 virtual ~CSPContext(); | 28 virtual ~CSPContext(); |
27 | 29 |
28 bool Allow(const std::vector<ContentSecurityPolicy>& policies, | 30 bool Allow(const std::vector<ContentSecurityPolicy>& policies, |
29 CSPDirective::Name directive_name, | 31 CSPDirective::Name directive_name, |
30 const GURL& url, | 32 const GURL& url, |
31 bool is_redirect = false); | 33 bool is_redirect = false); |
32 | 34 |
33 void SetSelf(const url::Origin origin); | 35 void SetSelf(const url::Origin origin); |
34 bool AllowSelf(const GURL& url); | 36 bool AllowSelf(const GURL& url); |
35 bool ProtocolMatchesSelf(const GURL& url); | 37 bool ProtocolMatchesSelf(const GURL& url); |
36 | 38 |
37 virtual void LogToConsole(const std::string& message); | 39 virtual void LogToConsole(const std::string& message); |
38 virtual void ReportViolation( | 40 virtual void ReportViolation(const CSPViolationParams& violation_params); |
39 const std::string& directive_text, | |
40 const std::string& effective_directive, | |
41 const std::string& message, | |
42 const GURL& blocked_url, | |
43 const std::vector<std::string>& report_end_points, | |
44 const std::string& header, | |
45 blink::WebContentSecurityPolicyType disposition); | |
46 | 41 |
47 bool SelfSchemeShouldBypassCSP(); | 42 bool SelfSchemeShouldBypassCSP(); |
48 | 43 |
49 private: | 44 private: |
50 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme); | 45 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme); |
51 | 46 |
52 bool has_self_ = false; | 47 bool has_self_ = false; |
53 std::string self_scheme_; | 48 std::string self_scheme_; |
54 CSPSource self_source_; | 49 CSPSource self_source_; |
55 | 50 |
56 DISALLOW_COPY_AND_ASSIGN(CSPContext); | 51 DISALLOW_COPY_AND_ASSIGN(CSPContext); |
57 }; | 52 }; |
58 | 53 |
54 // Used in CSPContext::ReportViolation() | |
55 struct CONTENT_EXPORT CSPViolationParams { | |
56 CSPViolationParams(); | |
57 CSPViolationParams(const std::string& directive, | |
58 const std::string& effective_directive, | |
59 const std::string& console_message, | |
60 const GURL& blocked_url, | |
61 const std::vector<std::string>& report_endpoints, | |
62 const std::string& header, | |
63 const blink::WebContentSecurityPolicyType& disposition, | |
64 bool followed_redirect); | |
alexmos
2017/02/24 06:40:27
after_redirect? (that's what it's named below now
arthursonzogni
2017/02/24 16:13:29
Done.
I tried to follow the naming of @lukasza in
| |
65 CSPViolationParams(const CSPViolationParams& other); | |
66 ~CSPViolationParams(); | |
67 | |
68 // The name of the directive that infringe the policy. |directive| might be a | |
69 // directive that serves as a fallback to the |effective_directive|. | |
70 std::string directive; | |
71 | |
72 // The name the effective directive that was checked against. | |
73 std::string effective_directive; | |
74 | |
75 // The console message to be displayed to the user. | |
76 std::string console_message; | |
77 | |
78 // The URL that was blocked by the policy. | |
79 GURL blocked_url; | |
80 | |
81 // The set of URI where a JSON-formatted report of the violation should be | |
82 // sent. | |
83 std::vector<std::string> report_endpoints; | |
84 | |
85 // The raw content security policy header that was violated. | |
86 std::string header; | |
87 | |
88 // Each policy has an associated disposition, which is either "enforce" or | |
89 // "report". | |
90 blink::WebContentSecurityPolicyType disposition; | |
91 | |
92 // Whether or not the violation happens after a redirect. | |
93 bool after_redirect; | |
94 }; | |
95 | |
59 } // namespace content | 96 } // namespace content |
60 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 97 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
OLD | NEW |