Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1266)

Unified Diff: Source/core/page/ContentSecurityPolicy.cpp

Issue 27073003: CSP Suborigins Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 7 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: Source/core/page/ContentSecurityPolicy.cpp
diff --git a/Source/core/page/ContentSecurityPolicy.cpp b/Source/core/page/ContentSecurityPolicy.cpp
index 99adda29a425018da59e43481d048c5d0d9288e0..6a06d4351a0eb308b1615e53fd852fc888056e76 100644
--- a/Source/core/page/ContentSecurityPolicy.cpp
+++ b/Source/core/page/ContentSecurityPolicy.cpp
@@ -128,6 +128,9 @@ static const char formAction[] = "form-action";
static const char pluginTypes[] = "plugin-types";
static const char reflectedXSS[] = "reflected-xss";
+// Experimental Directives (post CSP 1.1)
+static const char suborigin[] = "suborigin";
+
bool isDirectiveName(const String& name)
{
return (equalIgnoringCase(name, connectSrc)
@@ -140,6 +143,7 @@ bool isDirectiveName(const String& name)
|| equalIgnoringCase(name, reportURI)
|| equalIgnoringCase(name, sandbox)
|| equalIgnoringCase(name, scriptSrc)
+ || equalIgnoringCase(name, suborigin)
|| equalIgnoringCase(name, styleSrc)
|| equalIgnoringCase(name, baseURI)
|| equalIgnoringCase(name, formAction)
@@ -816,6 +820,7 @@ private:
void parseReflectedXSS(const String& name, const String& value);
void addDirective(const String& name, const String& value);
void applySandboxPolicy(const String& name, const String& sandboxPolicy);
+ void applySuboriginPolicy(const String& name, const String& suboriginPolicy);
template <class CSPDirectiveType>
void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>&);
@@ -848,6 +853,7 @@ private:
bool m_reportOnly;
bool m_haveSandboxPolicy;
+ bool m_haveSuboriginPolicy;
ReflectedXSSDisposition m_reflectedXSSDisposition;
OwnPtr<MediaListDirective> m_pluginTypes;
@@ -873,6 +879,7 @@ CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
, m_headerType(type)
, m_reportOnly(false)
, m_haveSandboxPolicy(false)
+ , m_haveSuboriginPolicy(false)
, m_reflectedXSSDisposition(ReflectedXSSUnset)
{
m_reportOnly = (type == ContentSecurityPolicy::Report || type == ContentSecurityPolicy::PrefixedReport);
@@ -1306,6 +1313,19 @@ void CSPDirectiveList::applySandboxPolicy(const String& name, const String& sand
m_policy->reportInvalidSandboxFlags(invalidTokens);
}
+void CSPDirectiveList::applySuboriginPolicy(const String& name, const String& suboriginPolicy)
+{
+ if (m_haveSuboriginPolicy) {
+ m_policy->reportDuplicateDirective(name);
+ return;
+ }
+ m_haveSuboriginPolicy = true;
+ String invalidTokens;
+ m_policy->enforceSuboriginFlags(SecurityContext::parseSuboriginPolicy(suboriginPolicy, invalidTokens));
+ if (!invalidTokens.isNull())
+ m_policy->reportInvalidSuboriginFlags(invalidTokens);
+}
+
void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value)
{
if (m_reflectedXSSDisposition != ReflectedXSSUnset) {
@@ -1378,6 +1398,8 @@ void CSPDirectiveList::addDirective(const String& name, const String& value)
setCSPDirective<SourceListDirective>(name, value, m_connectSrc);
else if (equalIgnoringCase(name, sandbox))
applySandboxPolicy(name, value);
+ else if (equalIgnoringCase(name, suborigin))
+ applySuboriginPolicy(name, value);
else if (equalIgnoringCase(name, reportURI))
parseReportURI(name, value);
else if (m_policy->experimentalFeaturesEnabled()) {
@@ -1683,6 +1705,12 @@ void ContentSecurityPolicy::enforceSandboxFlags(SandboxFlags mask) const
m_scriptExecutionContext->enforceSandboxFlags(mask);
}
+void ContentSecurityPolicy::enforceSuboriginFlags(SuboriginFlags mask) const
+{
+ m_scriptExecutionContext->enforceSuboriginFlags(mask);
+ logToConsole("enforcing suborigin flags.");
+}
+
static String stripURLForUseInReport(Document* document, const KURL& url)
{
if (!url.isValid())
@@ -1829,6 +1857,11 @@ void ContentSecurityPolicy::reportInvalidSandboxFlags(const String& invalidFlags
logToConsole("Error while parsing the 'sandbox' Content Security Policy directive: " + invalidFlags);
}
+void ContentSecurityPolicy::reportInvalidSuboriginFlags(const String& invalidFlags) const
+{
+ logToConsole("Error while parsing the 'suborigin' Content Security Policy directive: " + invalidFlags);
+}
+
void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue) const
{
logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Valid values are \"allow\", \"filter\", and \"block\".");
« Source/core/dom/SecurityContext.h ('K') | « Source/core/page/ContentSecurityPolicy.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698