Chromium Code Reviews Chromium Code Reviews
Issue 2727633005:
PlzNavigate: Enforce frame-src CSP on the browser. (Closed)
| Index: content/common/content_security_policy/csp_context.h |
| diff --git a/content/common/content_security_policy/csp_context.h b/content/common/content_security_policy/csp_context.h |
| index bbc03017f23fb03b558f902263bf1b71a2f0c592..390c60ff4e447fbc750fb9bc0f01235b1fc18616 100644 |
| --- a/content/common/content_security_policy/csp_context.h |
| +++ b/content/common/content_security_policy/csp_context.h |
| @@ -15,37 +15,37 @@ |
| namespace content { |
| +struct CSPViolationParams; |
| + |
| // A CSPContext represents the system on which the Content-Security-Policy are |
| // enforced. One must define via its virtual methods how to report violations, |
| // how to log messages on the console and what is the set of scheme that bypass |
| -// the CSP. |
| -// Its main implementation is in content/browser/frame_host/csp_context_impl.h |
| +// the CSP. Its main implementation is in |
| +// content/browser/frame_host/render_frame_host_impl.h |
| class CONTENT_EXPORT CSPContext { |
| public: |
| CSPContext(); |
| virtual ~CSPContext(); |
| - bool Allow(const std::vector<ContentSecurityPolicy>& policies, |
| - CSPDirective::Name directive_name, |
| - const GURL& url, |
| - bool is_redirect = false); |
| + bool AllowContentSecurityPolicy(CSPDirective::Name directive_name, |
|
nasko
2017/03/03 23:04:23
nit: IsAllowedByCsp?
arthursonzogni
2017/03/06 15:10:13
Done.
|
| + const GURL& url, |
| + bool is_redirect = false); |
| void SetSelf(const url::Origin origin); |
| bool AllowSelf(const GURL& url); |
| bool ProtocolMatchesSelf(const GURL& url); |
| virtual void LogToConsole(const std::string& message); |
| - virtual void ReportViolation( |
| - const std::string& directive_text, |
| - const std::string& effective_directive, |
| - const std::string& message, |
| - const GURL& blocked_url, |
| - const std::vector<std::string>& report_end_points, |
| - const std::string& header, |
| - blink::WebContentSecurityPolicyType disposition); |
| + virtual void ReportContentSecurityPolicyViolation( |
| + const CSPViolationParams& violation_params); |
| bool SelfSchemeShouldBypassCSP(); |
| + void ResetContentSecurityPolicies() { policies_.clear(); } |
| + void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) { |
| + policies_.push_back(policy); |
| + } |
| + |
| private: |
| virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme); |
| @@ -53,8 +53,52 @@ class CONTENT_EXPORT CSPContext { |
| std::string self_scheme_; |
| CSPSource self_source_; |
| + std::vector<ContentSecurityPolicy> policies_; |
| + |
| DISALLOW_COPY_AND_ASSIGN(CSPContext); |
| }; |
| +// Used in CSPContext::ReportViolation() |
| +struct CONTENT_EXPORT CSPViolationParams { |
| + CSPViolationParams(); |
| + CSPViolationParams(const std::string& directive, |
| + const std::string& effective_directive, |
| + const std::string& console_message, |
| + const GURL& blocked_url, |
| + const std::vector<std::string>& report_endpoints, |
| + const std::string& header, |
| + const blink::WebContentSecurityPolicyType& disposition, |
| + bool after_redirect); |
| + CSPViolationParams(const CSPViolationParams& other); |
| + ~CSPViolationParams(); |
| + |
| + // The name of the directive that infringe the policy. |directive| might be a |
| + // directive that serves as a fallback to the |effective_directive|. |
| + std::string directive; |
| + |
| + // The name the effective directive that was checked against. |
| + std::string effective_directive; |
| + |
| + // The console message to be displayed to the user. |
| + std::string console_message; |
| + |
| + // The URL that was blocked by the policy. |
| + GURL blocked_url; |
| + |
| + // The set of URI where a JSON-formatted report of the violation should be |
| + // sent. |
| + std::vector<std::string> report_endpoints; |
| + |
| + // The raw content security policy header that was violated. |
| + std::string header; |
| + |
| + // Each policy has an associated disposition, which is either "enforce" or |
| + // "report". |
| + blink::WebContentSecurityPolicyType disposition; |
| + |
| + // Whether or not the violation happens after a redirect. |
| + bool after_redirect; |
| +}; |
| + |
| } // namespace content |
| #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
