Chromium Code Reviews| Index: Source/core/frame/csp/ContentSecurityPolicy.cpp |
| diff --git a/Source/core/frame/csp/ContentSecurityPolicy.cpp b/Source/core/frame/csp/ContentSecurityPolicy.cpp |
| index c561c3bbe00734e23f06b58c2594f3a2d6b7f17c..8887729774ab5232cae130a2f8d5d7a73f98754e 100644 |
| --- a/Source/core/frame/csp/ContentSecurityPolicy.cpp |
| +++ b/Source/core/frame/csp/ContentSecurityPolicy.cpp |
| @@ -92,6 +92,9 @@ const char ContentSecurityPolicy::Referrer[] = "referrer"; |
| // https://w3c.github.io/manifest/#content-security-policy |
| const char ContentSecurityPolicy::ManifestSrc[] = "manifest-src"; |
| +// Experimental Directives (post CSP 1.1) |
|
Mike West
2014/10/23 12:59:20
Nit: Since we changed the name, can you change bot
jww
2015/03/20 22:50:03
I ended up putting a "Suborigin" comment above it
|
| +const char ContentSecurityPolicy::Suborigin[] = "suborigin"; |
| + |
| bool ContentSecurityPolicy::isDirectiveName(const String& name) |
| { |
| return (equalIgnoringCase(name, ConnectSrc) |
| @@ -103,6 +106,7 @@ bool ContentSecurityPolicy::isDirectiveName(const String& name) |
| || equalIgnoringCase(name, ObjectSrc) |
| || equalIgnoringCase(name, ReportURI) |
| || equalIgnoringCase(name, Sandbox) |
| + || equalIgnoringCase(name, Suborigin) |
| || equalIgnoringCase(name, ScriptSrc) |
| || equalIgnoringCase(name, StyleSrc) |
| || equalIgnoringCase(name, BaseURI) |
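Review bot: `Suborigin` is added to isDirectiveName() unconditionally, while the enforcement added in applyPolicySideEffectsToExecutionContext() sits behind `experimentalFeaturesEnabled()`. The directive parser is not part of this file section, so it is worth confirming that with experimental features off a 'suborigin' directive is still reported as unrecognised. If it were instead accepted and then silently not enforced, a page author relying on it for isolation would get no signal. isDirectiveName() begins in the previous hunk and continues past the end of this one.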
| @@ -141,6 +145,7 @@ ContentSecurityPolicy::ContentSecurityPolicy() |
| , m_scriptHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone) |
| , m_styleHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone) |
| , m_sandboxMask(0) |
| + , m_suboriginName(String()) |
| , m_referrerPolicy(ReferrerPolicyDefault) |
| { |
| } |
| @@ -162,6 +167,8 @@ void ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext() |
| // parsing error messages, then poke at histograms. |
| if (Document* document = this->document()) { |
| document->enforceSandboxFlags(m_sandboxMask); |
| + if (experimentalFeaturesEnabled()) |
|
Mike West
2014/10/23 12:59:20
`&& hasSuborigin`?
jww
2015/03/20 22:50:03
Enforce only "turns on" Suborigins if the Suborigi
|
| + document->enforceSuborigin(m_suboriginName); |
| if (didSetReferrerPolicy()) |
| document->setReferrerPolicy(m_referrerPolicy); |
| @@ -601,6 +608,11 @@ void ContentSecurityPolicy::enforceSandboxFlags(SandboxFlags mask) |
| m_sandboxMask |= mask; |
| } |
| +void ContentSecurityPolicy::enforceSuborigin(const String& name) |
| +{ |
| + m_suboriginName = name; |
| +} |
| + |
| static String stripURLForUseInReport(Document* document, const KURL& url) |
| { |
| if (!url.isValid()) |
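Review bot: enforceSuborigin() overwrites `m_suboriginName` on every call, whereas enforceSandboxFlags() just above accumulates with `|=`, so extra policies can only tighten the sandbox. The callers are not visible in this hunk, but if a document can carry more than one policy with a suborigin directive, the last one parsed would silently decide which suborigin the document lands in. Consider keeping the first name and refusing a conflicting one, e.g. `if (!m_suboriginName.isNull() && m_suboriginName != name) return;` before the assignment, together with a console message. If last-wins is intended, a comment on the function should say so.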
| @@ -787,6 +799,11 @@ void ContentSecurityPolicy::reportInvalidSandboxFlags(const String& invalidFlags |
| logToConsole("Error while parsing the 'sandbox' Content Security Policy directive: " + invalidFlags); |
| } |
| +void ContentSecurityPolicy::reportInvalidSuboriginFlags(const String& invalidFlags) |
| +{ |
| + logToConsole("Error while parsing the 'suborigin' Content Security Policy directive: " + invalidFlags); |
| +} |
| + |
| void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue) |
| { |
| logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Valid values are \"allow\", \"filter\", and \"block\"."); |
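Review bot: reportInvalidSuboriginFlags() and its `invalidFlags` parameter carry the sandbox wording over, but enforceSuborigin(const String& name) stores a single name rather than a flag set. Renaming the parameter to `invalidName` (and, if the header can change with it, the method to `reportInvalidSuboriginName`) would stop the reporting path from suggesting that suborigin takes sandbox-style tokens. The neighbouring reflected-xss message quotes the rejected value and states what is accepted; the same shape here would help authors correct their policy.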