OLD | NEW |
1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
7 | 7 |
8 #include <vector> | 8 #include <vector> |
9 | 9 |
10 #include "content/common/content_export.h" | 10 #include "content/common/content_export.h" |
11 #include "content/common/content_security_policy/content_security_policy.h" | 11 #include "content/common/content_security_policy/content_security_policy.h" |
12 #include "content/common/content_security_policy_header.h" | 12 #include "content/common/content_security_policy_header.h" |
13 #include "url/gurl.h" | 13 #include "url/gurl.h" |
14 #include "url/origin.h" | 14 #include "url/origin.h" |
15 | 15 |
16 namespace content { | 16 namespace content { |
17 | 17 |
| 18 struct CSPViolationParams; |
| 19 |
18 // A CSPContext represents the system on which the Content-Security-Policy are | 20 // A CSPContext represents the system on which the Content-Security-Policy are |
19 // enforced. One must define via its virtual methods how to report violations, | 21 // enforced. One must define via its virtual methods how to report violations, |
20 // how to log messages on the console and what is the set of scheme that bypass | 22 // how to log messages on the console and what is the set of scheme that bypass |
21 // the CSP. | 23 // the CSP. Its main implementation is in |
22 // Its main implementation is in content/browser/frame_host/csp_context_impl.h | 24 // content/browser/frame_host/render_frame_host_impl.h |
23 class CONTENT_EXPORT CSPContext { | 25 class CONTENT_EXPORT CSPContext { |
24 public: | 26 public: |
25 CSPContext(); | 27 CSPContext(); |
26 virtual ~CSPContext(); | 28 virtual ~CSPContext(); |
27 | 29 |
28 bool Allow(const std::vector<ContentSecurityPolicy>& policies, | 30 bool AllowContentSecurityPolicy(CSPDirective::Name directive_name, |
29 CSPDirective::Name directive_name, | 31 const GURL& url, |
30 const GURL& url, | 32 bool is_redirect = false); |
31 bool is_redirect = false); | |
32 | 33 |
33 void SetSelf(const url::Origin origin); | 34 void SetSelf(const url::Origin origin); |
34 bool AllowSelf(const GURL& url); | 35 bool AllowSelf(const GURL& url); |
35 bool ProtocolMatchesSelf(const GURL& url); | 36 bool ProtocolMatchesSelf(const GURL& url); |
36 | 37 |
37 virtual void LogToConsole(const std::string& message); | 38 virtual void LogToConsole(const std::string& message); |
38 virtual void ReportViolation( | 39 virtual void ReportContentSecurityPolicyViolation( |
39 const std::string& directive_text, | 40 const CSPViolationParams& violation_params); |
40 const std::string& effective_directive, | |
41 const std::string& message, | |
42 const GURL& blocked_url, | |
43 const std::vector<std::string>& report_end_points, | |
44 const std::string& header, | |
45 blink::WebContentSecurityPolicyType disposition); | |
46 | 41 |
47 bool SelfSchemeShouldBypassCSP(); | 42 bool SelfSchemeShouldBypassCSP(); |
48 | 43 |
| 44 void ResetContentSecurityPolicies() { policies_.clear(); } |
| 45 void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) { |
| 46 policies_.push_back(policy); |
| 47 } |
| 48 |
49 private: | 49 private: |
50 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme); | 50 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme); |
51 | 51 |
52 bool has_self_ = false; | 52 bool has_self_ = false; |
53 std::string self_scheme_; | 53 std::string self_scheme_; |
54 CSPSource self_source_; | 54 CSPSource self_source_; |
55 | 55 |
| 56 std::vector<ContentSecurityPolicy> policies_; |
| 57 |
56 DISALLOW_COPY_AND_ASSIGN(CSPContext); | 58 DISALLOW_COPY_AND_ASSIGN(CSPContext); |
57 }; | 59 }; |
58 | 60 |
| 61 // Used in CSPContext::ReportViolation() |
| 62 struct CONTENT_EXPORT CSPViolationParams { |
| 63 CSPViolationParams(); |
| 64 CSPViolationParams(const std::string& directive, |
| 65 const std::string& effective_directive, |
| 66 const std::string& console_message, |
| 67 const GURL& blocked_url, |
| 68 const std::vector<std::string>& report_endpoints, |
| 69 const std::string& header, |
| 70 const blink::WebContentSecurityPolicyType& disposition, |
| 71 bool after_redirect); |
| 72 CSPViolationParams(const CSPViolationParams& other); |
| 73 ~CSPViolationParams(); |
| 74 |
| 75 // The name of the directive that infringe the policy. |directive| might be a |
| 76 // directive that serves as a fallback to the |effective_directive|. |
| 77 std::string directive; |
| 78 |
| 79 // The name the effective directive that was checked against. |
| 80 std::string effective_directive; |
| 81 |
| 82 // The console message to be displayed to the user. |
| 83 std::string console_message; |
| 84 |
| 85 // The URL that was blocked by the policy. |
| 86 GURL blocked_url; |
| 87 |
| 88 // The set of URI where a JSON-formatted report of the violation should be |
| 89 // sent. |
| 90 std::vector<std::string> report_endpoints; |
| 91 |
| 92 // The raw content security policy header that was violated. |
| 93 std::string header; |
| 94 |
| 95 // Each policy has an associated disposition, which is either "enforce" or |
| 96 // "report". |
| 97 blink::WebContentSecurityPolicyType disposition; |
| 98 |
| 99 // Whether or not the violation happens after a redirect. |
| 100 bool after_redirect; |
| 101 }; |
| 102 |
59 } // namespace content | 103 } // namespace content |
60 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 104 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
OLD | NEW |