Chromium Code Reviews Chromium Code Reviews
Issue 2761153003:
PlzNavigate & CSP. Use the SourceLocation in violation reports. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
| 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
| 7 | 7 |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "content/common/content_export.h" | 10 #include "content/common/content_export.h" |
| 11 #include "content/common/content_security_policy/content_security_policy.h" | 11 #include "content/common/content_security_policy/content_security_policy.h" |
| 12 #include "content/common/content_security_policy_header.h" | 12 #include "content/common/content_security_policy_header.h" |
| 13 #include "content/common/navigation_params.h" | |
| 13 #include "url/gurl.h" | 14 #include "url/gurl.h" |
| 14 #include "url/origin.h" | 15 #include "url/origin.h" |
| 15 | 16 |
| 16 namespace content { | 17 namespace content { |
| 17 | 18 |
| 18 struct CSPViolationParams; | 19 struct CSPViolationParams; |
| 19 | 20 |
| 20 // A CSPContext represents the system on which the Content-Security-Policy are | 21 // A CSPContext represents the system on which the Content-Security-Policy are |
| 21 // enforced. One must define via its virtual methods how to report violations, | 22 // enforced. One must define via its virtual methods how to report violations |
| 22 // how to log messages on the console and what is the set of scheme that bypass | 23 // and what is the set of scheme that bypasses the CSP. Its main implementation |
|
alexmos
2017/03/29 23:27:32
nit: "set of schemes that bypass the CSP"
arthursonzogni
2017/03/30 11:36:27
Done.
| |
| 23 // the CSP. Its main implementation is in | 24 // is in content/browser/frame_host/render_frame_host_impl.h |
| 24 // content/browser/frame_host/render_frame_host_impl.h | |
| 25 class CONTENT_EXPORT CSPContext { | 25 class CONTENT_EXPORT CSPContext { |
| 26 public: | 26 public: |
| 27 CSPContext(); | 27 CSPContext(); |
| 28 virtual ~CSPContext(); | 28 virtual ~CSPContext(); |
| 29 | 29 |
| 30 // Check if an |url| is allowed by the set of Content-Security-Policy. It will | |
| 31 // report any violation by: | |
| 32 // * displaying a console message. | |
| 33 // * triggering the "SecurityPolicyViolation" javascript event. | |
| 34 // * sending a JSON report to any uri defined with the "report-uri" directive. | |
| 35 // Returns true when the request can proceed, false otherwise. | |
| 30 bool IsAllowedByCsp(CSPDirective::Name directive_name, | 36 bool IsAllowedByCsp(CSPDirective::Name directive_name, |
| 31 const GURL& url, | 37 const GURL& url, |
| 32 bool is_redirect = false); | 38 bool is_redirect, |
| 39 const SourceLocation& source_location); | |
| 33 | 40 |
| 34 void SetSelf(const url::Origin origin); | 41 void SetSelf(const url::Origin origin); |
| 35 bool AllowSelf(const GURL& url); | 42 bool AllowSelf(const GURL& url); |
| 36 bool ProtocolMatchesSelf(const GURL& url); | 43 bool ProtocolMatchesSelf(const GURL& url); |
| 37 | 44 |
| 38 virtual void LogToConsole(const std::string& message); | |
| 39 virtual void ReportContentSecurityPolicyViolation( | 45 virtual void ReportContentSecurityPolicyViolation( |
| 40 const CSPViolationParams& violation_params); | 46 const CSPViolationParams& violation_params); |
| 41 | 47 |
| 42 bool SelfSchemeShouldBypassCsp(); | 48 bool SelfSchemeShouldBypassCsp(); |
| 43 | 49 |
| 44 void ResetContentSecurityPolicies() { policies_.clear(); } | 50 void ResetContentSecurityPolicies() { policies_.clear(); } |
| 45 void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) { | 51 void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) { |
| 46 policies_.push_back(policy); | 52 policies_.push_back(policy); |
| 47 } | 53 } |
| 48 | 54 |
| (...skipping 12 matching lines...) Expand all Loading... | |
| 61 // Used in CSPContext::ReportViolation() | 67 // Used in CSPContext::ReportViolation() |
| 62 struct CONTENT_EXPORT CSPViolationParams { | 68 struct CONTENT_EXPORT CSPViolationParams { |
| 63 CSPViolationParams(); | 69 CSPViolationParams(); |
| 64 CSPViolationParams(const std::string& directive, | 70 CSPViolationParams(const std::string& directive, |
| 65 const std::string& effective_directive, | 71 const std::string& effective_directive, |
| 66 const std::string& console_message, | 72 const std::string& console_message, |
| 67 const GURL& blocked_url, | 73 const GURL& blocked_url, |
| 68 const std::vector<std::string>& report_endpoints, | 74 const std::vector<std::string>& report_endpoints, |
| 69 const std::string& header, | 75 const std::string& header, |
| 70 const blink::WebContentSecurityPolicyType& disposition, | 76 const blink::WebContentSecurityPolicyType& disposition, |
| 71 bool after_redirect); | 77 bool after_redirect, |
| 78 const SourceLocation& source_location); | |
| 72 CSPViolationParams(const CSPViolationParams& other); | 79 CSPViolationParams(const CSPViolationParams& other); |
| 73 ~CSPViolationParams(); | 80 ~CSPViolationParams(); |
| 74 | 81 |
| 75 // The name of the directive that violates the policy. |directive| might be a | 82 // The name of the directive that violates the policy. |directive| might be a |
| 76 // directive that serves as a fallback to the |effective_directive|. | 83 // directive that serves as a fallback to the |effective_directive|. |
| 77 std::string directive; | 84 std::string directive; |
| 78 | 85 |
| 79 // The name the effective directive that was checked against. | 86 // The name the effective directive that was checked against. |
| 80 std::string effective_directive; | 87 std::string effective_directive; |
| 81 | 88 |
| 82 // The console message to be displayed to the user. | 89 // The console message to be displayed to the user. |
| 83 std::string console_message; | 90 std::string console_message; |
| 84 | 91 |
| 85 // The URL that was blocked by the policy. | 92 // The URL that was blocked by the policy. |
| 86 GURL blocked_url; | 93 GURL blocked_url; |
| 87 | 94 |
| 88 // The set of URI where a JSON-formatted report of the violation should be | 95 // The set of URI where a JSON-formatted report of the violation should be |
| 89 // sent. | 96 // sent. |
| 90 std::vector<std::string> report_endpoints; | 97 std::vector<std::string> report_endpoints; |
| 91 | 98 |
| 92 // The raw content security policy header that was violated. | 99 // The raw content security policy header that was violated. |
| 93 std::string header; | 100 std::string header; |
| 94 | 101 |
| 95 // Each policy has an associated disposition, which is either "enforce" or | 102 // Each policy has an associated disposition, which is either "enforce" or |
| 96 // "report". | 103 // "report". |
| 97 blink::WebContentSecurityPolicyType disposition; | 104 blink::WebContentSecurityPolicyType disposition; |
| 98 | 105 |
| 99 // Whether or not the violation happens after a redirect. | 106 // Whether or not the violation happens after a redirect. |
| 100 bool after_redirect; | 107 bool after_redirect; |
| 108 | |
| 109 // The source code location that triggered the blocked navigation. | |
| 110 SourceLocation source_location; | |
| 101 }; | 111 }; |
| 102 | 112 |
| 103 } // namespace content | 113 } // namespace content |
| 104 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 114 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
| OLD | NEW |
