
Side by Side Diff: Source/core/frame/csp/ContentSecurityPolicy.h

Issue 27073003: CSP Suborigins Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Address many of mkwst's comments Created 5 years, 8 months ago
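--- a/Source/core/frame/csp/ContentSecurityPolicy.h
+++ b/Source/core/frame/csp/ContentSecurityPolicy.h
@@ -1,10 +1,10 @@
 /*
 * Copyright (C) 2011 Google, Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
@@ -89,20 +89,24 @@
 // https://w3c.github.io/manifest/#content-security-policy
 static const char ManifestSrc[];
 
 // Mixed Content Directive
 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode
 static const char BlockAllMixedContent[];
 
 // https://w3c.github.io/webappsec/specs/upgrade/
 static const char UpgradeInsecureRequests[];
 
+// Suborigin Directive
+// https://metromoxie.github.io/webappsec/specs/suborigins/index.html
+static const char Suborigin[];
+
 enum ReportingStatus {
 SendReport,
 SuppressReport
 };
 
 // When a resource is loaded after a redirect, source paths are
 // ignored in the matching algorithm.
 enum RedirectStatus {
 DidRedirect,
 DidNotRedirect
@@ -185,39 +189,42 @@
 // If a frame is passed in, the message will be logged to its active documen t's console.
 // Otherwise, the message will be logged to this object's |m_executionContex t|.
 void logToConsole(PassRefPtrWillBeRawPtr<ConsoleMessage>, LocalFrame* = null ptr);
 
 void reportDirectiveAsSourceExpression(const String& directiveName, const St ring& sourceExpression);
 void reportDuplicateDirective(const String&);
 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value);
 void reportInvalidPathCharacter(const String& directiveName, const String& v alue, const char);
 void reportInvalidPluginTypes(const String&);
 void reportInvalidSandboxFlags(const String&);
+void reportInvalidSuboriginFlags(const String&);
 void reportInvalidSourceExpression(const String& directiveName, const String & source);
 void reportInvalidReflectedXSS(const String&);
 void reportMissingReportURI(const String&);
 void reportUnsupportedDirective(const String&);
 void reportInvalidInReportOnly(const String&);
 void reportInvalidReferrer(const String&);
 void reportReportOnlyInMeta(const String&);
 void reportMetaOutsideHead(const String&);
+void reportSuboriginInMeta(const String&);
 void reportValueForEmptyDirective(const String& directiveName, const String& value);
 
 // If a frame is passed in, the report will be sent using it as a context. I f no frame is
 // passed in, the report will be sent via this object's |m_executionContext| (or dropped
 // on the floor if no such context is available).
 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, const Vector<Strin g>& reportEndpoints, const String& header, LocalFrame* = nullptr);
 
 void reportBlockedScriptExecutionToInspector(const String& directiveText) co nst;
 
 const KURL url() const;
 void enforceSandboxFlags(SandboxFlags);
+void enforceSuborigin(const String&);
 void enforceStrictMixedContentChecking();
 String evalDisabledErrorMessage() const;
 
 void setInsecureRequestsPolicy(SecurityContext::InsecureRequestsPolicy);
 SecurityContext::InsecureRequestsPolicy insecureRequestsPolicy() const { ret urn m_insecureRequestsPolicy; };
 
 bool urlMatchesSelf(const KURL&) const;
 bool protocolMatchesSelf(const KURL&) const;
 
 bool experimentalFeaturesEnabled() const;
@@ -249,22 +256,23 @@
 HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
 
 // We put the hash functions used on the policy object so that we only need
 // to calculate a hash once and then distribute it to all of the directives
 // for validation.
 uint8_t m_scriptHashAlgorithmsUsed;
 uint8_t m_styleHashAlgorithmsUsed;
 
 // State flags used to configure the environment after parsing a policy.
 SandboxFlags m_sandboxMask;
+String m_suboriginName;
 bool m_enforceStrictMixedContentChecking;
 ReferrerPolicy m_referrerPolicy;
 String m_disableEvalErrorMessage;
 SecurityContext::InsecureRequestsPolicy m_insecureRequestsPolicy;
 
 OwnPtr<CSPSource> m_selfSource;
 String m_selfProtocol;
 };
 
 }
 
 #endif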
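Review bot: `m_suboriginName` is added under the "State flags used to configure the environment after parsing a policy" comment next to `m_sandboxMask`, but unlike a flag mask a name cannot be merged when more than one policy is delivered, and neither the member nor `enforceSuborigin(const String&)` says which value wins. Because the suborigin name presumably determines which security principal the document is treated as, that rule belongs in the header; the definitions are outside this file, so the behaviour itself cannot be checked from here. I would add above `enforceSuborigin` a comment such as `// Records the suborigin name for this context. TODO: state whether a second, different name is rejected or replaces the first, and whether report-only policies may call this.` Separately, `reportInvalidSuboriginFlags` appears to carry the sandbox naming over to a directive whose value is stored as a name; `reportInvalidSuboriginName` would read more accurately if that matches what the parser validates.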
