| OLD | NEW |
|---|
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <sstream> | 5 #include <sstream> |
| 6 #include "base/strings/string_split.h" | 6 #include "base/strings/string_split.h" |
| 7 #include "base/strings/string_util.h" | 7 #include "base/strings/string_util.h" |
| 8 #include "content/common/content_security_policy/csp_context.h" | 8 #include "content/common/content_security_policy/csp_context.h" |
| 9 | 9 |
| 10 namespace content { | 10 namespace content { |
| (...skipping 23 matching lines...) Expand all Loading... |
| 34 std::string ElideURLForReportViolation(const GURL& url) { | 34 std::string ElideURLForReportViolation(const GURL& url) { |
| 35 // TODO(arthursonzogni): the url length should be limited to 1024 char. Find | 35 // TODO(arthursonzogni): the url length should be limited to 1024 char. Find |
| 36 // a function that will not break the utf8 encoding while eliding the string. | 36 // a function that will not break the utf8 encoding while eliding the string. |
| 37 return url.spec(); | 37 return url.spec(); |
| 38 } | 38 } |
| 39 | 39 |
| 40 void ReportViolation(CSPContext* context, | 40 void ReportViolation(CSPContext* context, |
| 41 const ContentSecurityPolicy& policy, | 41 const ContentSecurityPolicy& policy, |
| 42 const CSPDirective& directive, | 42 const CSPDirective& directive, |
| 43 const CSPDirective::Name directive_name, | 43 const CSPDirective::Name directive_name, |
| 44 const GURL& url, | 44 const GURL& url) { |
| 45 bool is_redirect) { | |
| 46 // We should never have a violation against `child-src` or `default-src` | 45 // We should never have a violation against `child-src` or `default-src` |
| 47 // directly; the effective directive should always be one of the explicit | 46 // directly; the effective directive should always be one of the explicit |
| 48 // fetch directives. | 47 // fetch directives. |
| 49 DCHECK_NE(directive_name, CSPDirective::DefaultSrc); | 48 DCHECK_NE(directive_name, CSPDirective::DefaultSrc); |
| 50 DCHECK_NE(directive_name, CSPDirective::ChildSrc); | 49 DCHECK_NE(directive_name, CSPDirective::ChildSrc); |
| 51 | 50 |
| 52 std::stringstream message; | 51 std::stringstream message; |
| 53 | 52 |
| 54 if (policy.disposition == blink::WebContentSecurityPolicyTypeReport) | 53 if (policy.disposition == blink::WebContentSecurityPolicyTypeReport) |
| 55 message << "[Report Only] "; | 54 message << "[Report Only] "; |
| (...skipping 10 matching lines...) Expand all Loading... |
| 66 | 65 |
| 67 if (directive.name != directive_name) | 66 if (directive.name != directive_name) |
| 68 message << " Note that '" << CSPDirective::NameToString(directive_name) | 67 message << " Note that '" << CSPDirective::NameToString(directive_name) |
| 69 << "' was not explicitly set, so '" | 68 << "' was not explicitly set, so '" |
| 70 << CSPDirective::NameToString(directive.name) | 69 << CSPDirective::NameToString(directive.name) |
| 71 << "' is used as a fallback."; | 70 << "' is used as a fallback."; |
| 72 | 71 |
| 73 message << "\n"; | 72 message << "\n"; |
| 74 | 73 |
| 75 context->LogToConsole(message.str()); | 74 context->LogToConsole(message.str()); |
| 76 | 75 context->ReportViolation(CSPDirective::NameToString(directive.name), |
| 77 context->ReportContentSecurityPolicyViolation(CSPViolationParams( | 76 CSPDirective::NameToString(directive_name), |
| 78 CSPDirective::NameToString(directive.name), | 77 message.str(), url, policy.report_endpoints, |
| 79 CSPDirective::NameToString(directive_name), message.str(), url, | 78 policy.header, policy.disposition); |
| 80 policy.report_endpoints, policy.header, policy.disposition, is_redirect)); | |
| 81 } | 79 } |
| 82 | 80 |
| 83 bool AllowDirective(CSPContext* context, | 81 bool AllowDirective(CSPContext* context, |
| 84 const ContentSecurityPolicy& policy, | 82 const ContentSecurityPolicy& policy, |
| 85 const CSPDirective& directive, | 83 const CSPDirective& directive, |
| 86 CSPDirective::Name directive_name, | 84 CSPDirective::Name directive_name, |
| 87 const GURL& url, | 85 const GURL& url, |
| 88 bool is_redirect) { | 86 bool is_redirect) { |
| 89 if (CSPSourceList::Allow(directive.source_list, url, context, is_redirect)) | 87 if (CSPSourceList::Allow(directive.source_list, url, context, is_redirect)) |
| 90 return true; | 88 return true; |
| 91 | 89 |
| 92 ReportViolation(context, policy, directive, directive_name, url, is_redirect); | 90 ReportViolation(context, policy, directive, directive_name, url); |
| 93 return false; | 91 return false; |
| 94 } | 92 } |
| 95 | 93 |
| 96 } // namespace | 94 } // namespace |
| 97 | 95 |
| 98 ContentSecurityPolicy::ContentSecurityPolicy() | 96 ContentSecurityPolicy::ContentSecurityPolicy() |
| 99 : disposition(blink::WebContentSecurityPolicyTypeEnforce), | 97 : disposition(blink::WebContentSecurityPolicyTypeEnforce), |
| 100 source(blink::WebContentSecurityPolicySourceHTTP) {} | 98 source(blink::WebContentSecurityPolicySourceHTTP) {} |
| 101 | 99 |
| 102 ContentSecurityPolicy::ContentSecurityPolicy( | 100 ContentSecurityPolicy::ContentSecurityPolicy( |
| (...skipping 49 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 152 is_first_policy = false; | 150 is_first_policy = false; |
| 153 text << "report-uri"; | 151 text << "report-uri"; |
| 154 for (const std::string& endpoint : report_endpoints) | 152 for (const std::string& endpoint : report_endpoints) |
| 155 text << " " << endpoint; | 153 text << " " << endpoint; |
| 156 } | 154 } |
| 157 | 155 |
| 158 return text.str(); | 156 return text.str(); |
| 159 } | 157 } |
| 160 | 158 |
| 161 } // namespace content | 159 } // namespace content |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2756913002:
Revert of PlzNavigate: Enforce 'frame-src' CSP on the browser. (Closed)
