| Index: Source/core/page/ContentSecurityPolicy.cpp
|
| diff --git a/Source/core/page/ContentSecurityPolicy.cpp b/Source/core/page/ContentSecurityPolicy.cpp
|
| index 99adda29a425018da59e43481d048c5d0d9288e0..6a06d4351a0eb308b1615e53fd852fc888056e76 100644
|
| --- a/Source/core/page/ContentSecurityPolicy.cpp
|
| +++ b/Source/core/page/ContentSecurityPolicy.cpp
|
| @@ -128,6 +128,9 @@ static const char formAction[] = "form-action";
|
| static const char pluginTypes[] = "plugin-types";
|
| static const char reflectedXSS[] = "reflected-xss";
|
|
|
| +// Experimental Directives (post CSP 1.1)
|
| +static const char suborigin[] = "suborigin";
|
| +
|
| bool isDirectiveName(const String& name)
|
| {
|
| return (equalIgnoringCase(name, connectSrc)
|
| @@ -140,6 +143,7 @@ bool isDirectiveName(const String& name)
|
| || equalIgnoringCase(name, reportURI)
|
| || equalIgnoringCase(name, sandbox)
|
| || equalIgnoringCase(name, scriptSrc)
|
| + || equalIgnoringCase(name, suborigin)
|
| || equalIgnoringCase(name, styleSrc)
|
| || equalIgnoringCase(name, baseURI)
|
| || equalIgnoringCase(name, formAction)
|
| @@ -816,6 +820,7 @@ private:
|
| void parseReflectedXSS(const String& name, const String& value);
|
| void addDirective(const String& name, const String& value);
|
| void applySandboxPolicy(const String& name, const String& sandboxPolicy);
|
| + void applySuboriginPolicy(const String& name, const String& suboriginPolicy);
|
|
|
| template <class CSPDirectiveType>
|
| void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>&);
|
| @@ -848,6 +853,7 @@ private:
|
|
|
| bool m_reportOnly;
|
| bool m_haveSandboxPolicy;
|
| + bool m_haveSuboriginPolicy;
|
| ReflectedXSSDisposition m_reflectedXSSDisposition;
|
|
|
| OwnPtr<MediaListDirective> m_pluginTypes;
|
| @@ -873,6 +879,7 @@ CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
|
| , m_headerType(type)
|
| , m_reportOnly(false)
|
| , m_haveSandboxPolicy(false)
|
| + , m_haveSuboriginPolicy(false)
|
| , m_reflectedXSSDisposition(ReflectedXSSUnset)
|
| {
|
| m_reportOnly = (type == ContentSecurityPolicy::Report || type == ContentSecurityPolicy::PrefixedReport);
|
| @@ -1306,6 +1313,19 @@ void CSPDirectiveList::applySandboxPolicy(const String& name, const String& sand
|
| m_policy->reportInvalidSandboxFlags(invalidTokens);
|
| }
|
|
|
| +void CSPDirectiveList::applySuboriginPolicy(const String& name, const String& suboriginPolicy)
|
| +{
|
| + if (m_haveSuboriginPolicy) {
|
| + m_policy->reportDuplicateDirective(name);
|
| + return;
|
| + }
|
| + m_haveSuboriginPolicy = true;
|
| + String invalidTokens;
|
| + m_policy->enforceSuboriginFlags(SecurityContext::parseSuboriginPolicy(suboriginPolicy, invalidTokens));
|
| + if (!invalidTokens.isNull())
|
| + m_policy->reportInvalidSuboriginFlags(invalidTokens);
|
| +}
|
| +
|
| void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value)
|
| {
|
| if (m_reflectedXSSDisposition != ReflectedXSSUnset) {
|
| @@ -1378,6 +1398,8 @@ void CSPDirectiveList::addDirective(const String& name, const String& value)
|
| setCSPDirective<SourceListDirective>(name, value, m_connectSrc);
|
| else if (equalIgnoringCase(name, sandbox))
|
| applySandboxPolicy(name, value);
|
| + else if (equalIgnoringCase(name, suborigin))
|
| + applySuboriginPolicy(name, value);
|
| else if (equalIgnoringCase(name, reportURI))
|
| parseReportURI(name, value);
|
| else if (m_policy->experimentalFeaturesEnabled()) {
|
| @@ -1683,6 +1705,12 @@ void ContentSecurityPolicy::enforceSandboxFlags(SandboxFlags mask) const
|
| m_scriptExecutionContext->enforceSandboxFlags(mask);
|
| }
|
|
|
| +void ContentSecurityPolicy::enforceSuboriginFlags(SuboriginFlags mask) const
|
| +{
|
| + m_scriptExecutionContext->enforceSuboriginFlags(mask);
|
| + logToConsole("enforcing suborigin flags.");
|
| +}
|
| +
|
| static String stripURLForUseInReport(Document* document, const KURL& url)
|
| {
|
| if (!url.isValid())
|
| @@ -1829,6 +1857,11 @@ void ContentSecurityPolicy::reportInvalidSandboxFlags(const String& invalidFlags
|
| logToConsole("Error while parsing the 'sandbox' Content Security Policy directive: " + invalidFlags);
|
| }
|
|
|
| +void ContentSecurityPolicy::reportInvalidSuboriginFlags(const String& invalidFlags) const
|
| +{
|
| + logToConsole("Error while parsing the 'suborigin' Content Security Policy directive: " + invalidFlags);
|
| +}
|
| +
|
| void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue) const
|
| {
|
| logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Valid values are \"allow\", \"filter\", and \"block\".");
|
|
|