OLD | NEW |
1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
7 | 7 |
8 #include <vector> | 8 #include <vector> |
9 | 9 |
10 #include "content/common/content_export.h" | 10 #include "content/common/content_export.h" |
11 #include "content/common/content_security_policy/content_security_policy.h" | 11 #include "content/common/content_security_policy/content_security_policy.h" |
12 #include "content/common/content_security_policy_header.h" | 12 #include "content/common/content_security_policy_header.h" |
13 #include "url/gurl.h" | 13 #include "url/gurl.h" |
14 #include "url/origin.h" | 14 #include "url/origin.h" |
15 | 15 |
16 namespace content { | 16 namespace content { |
17 | 17 |
18 struct CSPViolationParams; | |
19 | |
20 // A CSPContext represents the system on which the Content-Security-Policy are | 18 // A CSPContext represents the system on which the Content-Security-Policy are |
21 // enforced. One must define via its virtual methods how to report violations, | 19 // enforced. One must define via its virtual methods how to report violations, |
22 // how to log messages on the console and what is the set of scheme that bypass | 20 // how to log messages on the console and what is the set of scheme that bypass |
23 // the CSP. Its main implementation is in | 21 // the CSP. |
24 // content/browser/frame_host/render_frame_host_impl.h | 22 // Its main implementation is in content/browser/frame_host/csp_context_impl.h |
25 class CONTENT_EXPORT CSPContext { | 23 class CONTENT_EXPORT CSPContext { |
26 public: | 24 public: |
27 CSPContext(); | 25 CSPContext(); |
28 virtual ~CSPContext(); | 26 virtual ~CSPContext(); |
29 | 27 |
30 bool IsAllowedByCsp(CSPDirective::Name directive_name, | 28 bool Allow(const std::vector<ContentSecurityPolicy>& policies, |
31 const GURL& url, | 29 CSPDirective::Name directive_name, |
32 bool is_redirect = false); | 30 const GURL& url, |
| 31 bool is_redirect = false); |
33 | 32 |
34 void SetSelf(const url::Origin origin); | 33 void SetSelf(const url::Origin origin); |
35 bool AllowSelf(const GURL& url); | 34 bool AllowSelf(const GURL& url); |
36 bool ProtocolMatchesSelf(const GURL& url); | 35 bool ProtocolMatchesSelf(const GURL& url); |
37 | 36 |
38 virtual void LogToConsole(const std::string& message); | 37 virtual void LogToConsole(const std::string& message); |
39 virtual void ReportContentSecurityPolicyViolation( | 38 virtual void ReportViolation( |
40 const CSPViolationParams& violation_params); | 39 const std::string& directive_text, |
| 40 const std::string& effective_directive, |
| 41 const std::string& message, |
| 42 const GURL& blocked_url, |
| 43 const std::vector<std::string>& report_end_points, |
| 44 const std::string& header, |
| 45 blink::WebContentSecurityPolicyType disposition); |
41 | 46 |
42 bool SelfSchemeShouldBypassCsp(); | 47 bool SelfSchemeShouldBypassCSP(); |
43 | |
44 void ResetContentSecurityPolicies() { policies_.clear(); } | |
45 void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) { | |
46 policies_.push_back(policy); | |
47 } | |
48 | 48 |
49 private: | 49 private: |
50 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme); | 50 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme); |
51 | 51 |
52 bool has_self_ = false; | 52 bool has_self_ = false; |
53 std::string self_scheme_; | 53 std::string self_scheme_; |
54 CSPSource self_source_; | 54 CSPSource self_source_; |
55 | 55 |
56 std::vector<ContentSecurityPolicy> policies_; | |
57 | |
58 DISALLOW_COPY_AND_ASSIGN(CSPContext); | 56 DISALLOW_COPY_AND_ASSIGN(CSPContext); |
59 }; | 57 }; |
60 | 58 |
61 // Used in CSPContext::ReportViolation() | |
62 struct CONTENT_EXPORT CSPViolationParams { | |
63 CSPViolationParams(); | |
64 CSPViolationParams(const std::string& directive, | |
65 const std::string& effective_directive, | |
66 const std::string& console_message, | |
67 const GURL& blocked_url, | |
68 const std::vector<std::string>& report_endpoints, | |
69 const std::string& header, | |
70 const blink::WebContentSecurityPolicyType& disposition, | |
71 bool after_redirect); | |
72 CSPViolationParams(const CSPViolationParams& other); | |
73 ~CSPViolationParams(); | |
74 | |
75 // The name of the directive that violates the policy. |directive| might be a | |
76 // directive that serves as a fallback to the |effective_directive|. | |
77 std::string directive; | |
78 | |
79 // The name the effective directive that was checked against. | |
80 std::string effective_directive; | |
81 | |
82 // The console message to be displayed to the user. | |
83 std::string console_message; | |
84 | |
85 // The URL that was blocked by the policy. | |
86 GURL blocked_url; | |
87 | |
88 // The set of URI where a JSON-formatted report of the violation should be | |
89 // sent. | |
90 std::vector<std::string> report_endpoints; | |
91 | |
92 // The raw content security policy header that was violated. | |
93 std::string header; | |
94 | |
95 // Each policy has an associated disposition, which is either "enforce" or | |
96 // "report". | |
97 blink::WebContentSecurityPolicyType disposition; | |
98 | |
99 // Whether or not the violation happens after a redirect. | |
100 bool after_redirect; | |
101 }; | |
102 | |
103 } // namespace content | 59 } // namespace content |
104 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 60 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
OLD | NEW |