OLD | NEW |
1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
7 | 7 |
8 #include <vector> | 8 #include <vector> |
9 | 9 |
10 #include "content/common/content_export.h" | 10 #include "content/common/content_export.h" |
11 #include "content/common/content_security_policy/content_security_policy.h" | 11 #include "content/common/content_security_policy/content_security_policy.h" |
12 #include "content/common/content_security_policy_header.h" | 12 #include "content/common/content_security_policy_header.h" |
| 13 #include "content/common/navigation_params.h" |
13 #include "url/gurl.h" | 14 #include "url/gurl.h" |
14 #include "url/origin.h" | 15 #include "url/origin.h" |
15 | 16 |
16 namespace content { | 17 namespace content { |
17 | 18 |
18 struct CSPViolationParams; | 19 struct CSPViolationParams; |
19 | 20 |
20 // A CSPContext represents the system on which the Content-Security-Policy are | 21 // A CSPContext represents the system on which the Content-Security-Policy are |
21 // enforced. One must define via its virtual methods how to report violations, | 22 // enforced. One must define via its virtual methods how to report violations |
22 // how to log messages on the console and what is the set of scheme that bypass | 23 // and what is the set of scheme that bypasses the CSP. Its main implementation |
23 // the CSP. Its main implementation is in | 24 // is in content/browser/frame_host/render_frame_host_impl.h |
24 // content/browser/frame_host/render_frame_host_impl.h | |
25 class CONTENT_EXPORT CSPContext { | 25 class CONTENT_EXPORT CSPContext { |
26 public: | 26 public: |
27 CSPContext(); | 27 CSPContext(); |
28 virtual ~CSPContext(); | 28 virtual ~CSPContext(); |
29 | 29 |
30 bool IsAllowedByCsp(CSPDirective::Name directive_name, | 30 // Check if an |url| is allowed by the set of Content-Security-Policy. It will |
31 const GURL& url, | 31 // report any violation by: |
32 bool is_redirect = false); | 32 // * displaying a console message. |
| 33 // * triggering the "SecurityPolicyViolation" javascript event. |
| 34 // * sending a JSON report to any uri defined with the "report-uri" directive. |
| 35 // Returns true when the request can proceed, false otherwise. |
| 36 bool EnforceCsp(CSPDirective::Name directive_name, |
| 37 const GURL& url, |
| 38 bool is_redirect, |
| 39 const SourceLocation& source_location); |
33 | 40 |
34 void SetSelf(const url::Origin origin); | 41 void SetSelf(const url::Origin origin); |
35 bool AllowSelf(const GURL& url); | 42 bool AllowSelf(const GURL& url); |
36 bool ProtocolMatchesSelf(const GURL& url); | 43 bool ProtocolMatchesSelf(const GURL& url); |
37 | 44 |
38 virtual void LogToConsole(const std::string& message); | |
39 virtual void ReportContentSecurityPolicyViolation( | 45 virtual void ReportContentSecurityPolicyViolation( |
40 const CSPViolationParams& violation_params); | 46 const CSPViolationParams& violation_params); |
41 | 47 |
42 bool SelfSchemeShouldBypassCsp(); | 48 bool SelfSchemeShouldBypassCsp(); |
43 | 49 |
44 void ResetContentSecurityPolicies() { policies_.clear(); } | 50 void ResetContentSecurityPolicies() { policies_.clear(); } |
45 void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) { | 51 void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) { |
46 policies_.push_back(policy); | 52 policies_.push_back(policy); |
47 } | 53 } |
48 | 54 |
(...skipping 12 matching lines...) Expand all Loading... |
61 // Used in CSPContext::ReportViolation() | 67 // Used in CSPContext::ReportViolation() |
62 struct CONTENT_EXPORT CSPViolationParams { | 68 struct CONTENT_EXPORT CSPViolationParams { |
63 CSPViolationParams(); | 69 CSPViolationParams(); |
64 CSPViolationParams(const std::string& directive, | 70 CSPViolationParams(const std::string& directive, |
65 const std::string& effective_directive, | 71 const std::string& effective_directive, |
66 const std::string& console_message, | 72 const std::string& console_message, |
67 const GURL& blocked_url, | 73 const GURL& blocked_url, |
68 const std::vector<std::string>& report_endpoints, | 74 const std::vector<std::string>& report_endpoints, |
69 const std::string& header, | 75 const std::string& header, |
70 const blink::WebContentSecurityPolicyType& disposition, | 76 const blink::WebContentSecurityPolicyType& disposition, |
71 bool after_redirect); | 77 bool after_redirect, |
| 78 const SourceLocation& source_location); |
72 CSPViolationParams(const CSPViolationParams& other); | 79 CSPViolationParams(const CSPViolationParams& other); |
73 ~CSPViolationParams(); | 80 ~CSPViolationParams(); |
74 | 81 |
75 // The name of the directive that violates the policy. |directive| might be a | 82 // The name of the directive that violates the policy. |directive| might be a |
76 // directive that serves as a fallback to the |effective_directive|. | 83 // directive that serves as a fallback to the |effective_directive|. |
77 std::string directive; | 84 std::string directive; |
78 | 85 |
79 // The name the effective directive that was checked against. | 86 // The name the effective directive that was checked against. |
80 std::string effective_directive; | 87 std::string effective_directive; |
81 | 88 |
82 // The console message to be displayed to the user. | 89 // The console message to be displayed to the user. |
83 std::string console_message; | 90 std::string console_message; |
84 | 91 |
85 // The URL that was blocked by the policy. | 92 // The URL that was blocked by the policy. |
86 GURL blocked_url; | 93 GURL blocked_url; |
87 | 94 |
88 // The set of URI where a JSON-formatted report of the violation should be | 95 // The set of URI where a JSON-formatted report of the violation should be |
89 // sent. | 96 // sent. |
90 std::vector<std::string> report_endpoints; | 97 std::vector<std::string> report_endpoints; |
91 | 98 |
92 // The raw content security policy header that was violated. | 99 // The raw content security policy header that was violated. |
93 std::string header; | 100 std::string header; |
94 | 101 |
95 // Each policy has an associated disposition, which is either "enforce" or | 102 // Each policy has an associated disposition, which is either "enforce" or |
96 // "report". | 103 // "report". |
97 blink::WebContentSecurityPolicyType disposition; | 104 blink::WebContentSecurityPolicyType disposition; |
98 | 105 |
99 // Whether or not the violation happens after a redirect. | 106 // Whether or not the violation happens after a redirect. |
100 bool after_redirect; | 107 bool after_redirect; |
| 108 |
| 109 // The source code location that triggered the blocked navigation. |
| 110 SourceLocation source_location; |
101 }; | 111 }; |
102 | 112 |
103 } // namespace content | 113 } // namespace content |
104 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 114 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
OLD | NEW |