
Side by Side Diff: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 2764993002: CSP: group policies in didAddContentSecurityPolicy. (Closed)
Patch Set: Nit. Created 3 years, 9 months ago
1 /* 1 /*
2 * Copyright (C) 2011 Google, Inc. All rights reserved. 2 * Copyright (C) 2011 Google, Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 306 matching lines...) Expand 10 before | Expand all | Expand 10 after
317 begin = position; 317 begin = position;
318 } 318 }
319 } 319 }
320 320
321 void ContentSecurityPolicy::reportAccumulatedHeaders( 321 void ContentSecurityPolicy::reportAccumulatedHeaders(
322 LocalFrameClient* client) const { 322 LocalFrameClient* client) const {
323 // Notify the embedder about headers that have accumulated before the 323 // Notify the embedder about headers that have accumulated before the
324 // navigation got committed. See comments in 324 // navigation got committed. See comments in
325 // addAndReportPolicyFromHeaderValue for more details and context. 325 // addAndReportPolicyFromHeaderValue for more details and context.
326 DCHECK(client); 326 DCHECK(client);
327 for (const auto& policy : m_policies) { 327 WebVector<WebContentSecurityPolicyPolicy> policies(m_policies.size());
328 client->didAddContentSecurityPolicy( 328 for (size_t i = 0; i < m_policies.size(); ++i)
329 policy->header(), policy->headerType(), policy->headerSource(), 329 policies[i] = m_policies[i]->exposeForNavigationalChecks();
330 {policy->exposeForNavigationalChecks()}); 330 client->didAddContentSecurityPolicies(policies);
331 }
332 } 331 }
333 332
334 void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue( 333 void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue(
335 const String& header, 334 const String& header,
336 ContentSecurityPolicyHeaderType type, 335 ContentSecurityPolicyHeaderType type,
337 ContentSecurityPolicyHeaderSource source) { 336 ContentSecurityPolicyHeaderSource source) {
338 size_t previousPolicyCount = m_policies.size(); 337 size_t previousPolicyCount = m_policies.size();
339 addPolicyFromHeaderValue(header, type, source); 338 addPolicyFromHeaderValue(header, type, source);
340 if (document() && document()->frame()) { 339 if (document() && document()->frame()) {
341 // Notify about the new header, so that it can be reported back to the 340 // Notify about the new header, so that it can be reported back to the
342 // browser process. This is needed in order to: 341 // browser process. This is needed in order to:
343 // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now / 342 // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now /
344 // short-term). 343 // short-term).
345 // 2) enforce CSP in the browser process (long-term - see 344 // 2) enforce CSP in the browser process (long-term - see
346 // https://crbug.com/376522). 345 // https://crbug.com/376522).
347 // TODO(arthursonzogni): policies are actually replicated (1) and some of 346 // TODO(arthursonzogni): policies are actually replicated (1) and some of
348 // them are (or will) be enforced on the browser process (2). Stop doing (1) 347 // them are enforced on the browser process (2). Stop doing (1) when (2) is
349 // when (2) is finished. 348 // finished.
350 349
351 // Zero, one or several policies could be produced by only one header. 350 WebVector<WebContentSecurityPolicyPolicy> policies(m_policies.size());
352 std::vector<blink::WebContentSecurityPolicyPolicy> policies;
353 for (size_t i = previousPolicyCount; i < m_policies.size(); ++i) 351 for (size_t i = previousPolicyCount; i < m_policies.size(); ++i)
354 policies.push_back(m_policies[i]->exposeForNavigationalChecks()); 352 policies[i] = m_policies[i]->exposeForNavigationalChecks();
355 document()->frame()->client()->didAddContentSecurityPolicy( 353 document()->frame()->client()->didAddContentSecurityPolicies(policies);
alexmos 2017/03/25 01:46:27 Presumably, |policies| should only contain the new
arthursonzogni 2017/03/27 12:03:52 Yes, you are absolutely right. I made this mistake
356 header, type, source, policies);
357 } 354 }
358 } 355 }
359 356
360 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) { 357 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) {
361 m_overrideInlineStyleAllowed = value; 358 m_overrideInlineStyleAllowed = value;
362 } 359 }
363 360
364 void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url) { 361 void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url) {
365 // Create a temporary CSPSource so that 'self' expressions can be resolved 362 // Create a temporary CSPSource so that 'self' expressions can be resolved
366 // before we bind to an execution context (for 'frame-ancestor' resolution, 363 // before we bind to an execution context (for 'frame-ancestor' resolution,
(...skipping 1277 matching lines...) Expand 10 before | Expand all | Expand 10 after
1644 if (SecurityOrigin::shouldUseInnerURL(url)) { 1641 if (SecurityOrigin::shouldUseInnerURL(url)) {
1645 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy( 1642 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy(
1646 SecurityOrigin::extractInnerURL(url).protocol(), area); 1643 SecurityOrigin::extractInnerURL(url).protocol(), area);
1647 } else { 1644 } else {
1648 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy( 1645 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy(
1649 url.protocol(), area); 1646 url.protocol(), area);
1650 } 1647 }
1651 } 1648 }
1652 1649
1653 } // namespace blink 1650 } // namespace blink
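Review bot: reportAccumulatedHeaders now calls `didAddContentSecurityPolicies(policies)` even when `m_policies` is empty, whereas the old per-policy loop made no call at all in that case; an early `if (!m_policies.size()) return;` after `DCHECK(client)` would preserve the previous behaviour. In addAndReportPolicyFromHeaderValue the call was already made for a header that produced no policy, but the new signature no longer carries the header, type or source, so a call with `m_policies.size() == previousPolicyCount` now tells the embedder nothing and could be skipped the same way. The deleted comment `// Zero, one or several policies could be produced by only one header.` documented exactly this case and is worth keeping next to the loop. Whether an empty list is harmless depends on the receiver, which is not visible on this page; since these notifications feed CSP replication and browser-side enforcement, the intended handling of the empty case should be explicit.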