1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
318 } | 318 } |
319 } | 319 } |
320 | 320 |
321 void ContentSecurityPolicy::reportAccumulatedHeaders( | 321 void ContentSecurityPolicy::reportAccumulatedHeaders( |
322 LocalFrameClient* client) const { | 322 LocalFrameClient* client) const { |
323 // Notify the embedder about headers that have accumulated before the | 323 // Notify the embedder about headers that have accumulated before the |
324 // navigation got committed. See comments in | 324 // navigation got committed. See comments in |
325 // addAndReportPolicyFromHeaderValue for more details and context. | 325 // addAndReportPolicyFromHeaderValue for more details and context. |
326 DCHECK(client); | 326 DCHECK(client); |
327 for (const auto& policy : m_policies) { | 327 for (const auto& policy : m_policies) { |
328 client->didAddContentSecurityPolicy( | 328 client->didAddContentSecurityPolicy(policy->header(), policy->headerType(), |
329 policy->header(), policy->headerType(), policy->headerSource(), | 329 policy->headerSource(), |
330 {policy->exposeForNavigationalChecks()}); | 330 policy->exposeForNavigationalChecks()); |
Mike West
2017/03/22 09:45:53
It seems like doing the opposite might be more per
arthursonzogni
2017/03/22 10:27:09
I agree, I did this CL in order to improve the sim
331 } | 331 } |
332 } | 332 } |
333 | 333 |
334 void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue( | 334 void ContentSecurityPolicy::addAndReportPolicyFromHeaderValue( |
335 const String& header, | 335 const String& header, |
336 ContentSecurityPolicyHeaderType type, | 336 ContentSecurityPolicyHeaderType type, |
337 ContentSecurityPolicyHeaderSource source) { | 337 ContentSecurityPolicyHeaderSource source) { |
338 size_t previousPolicyCount = m_policies.size(); | 338 size_t previousPolicyCount = m_policies.size(); |
339 addPolicyFromHeaderValue(header, type, source); | 339 addPolicyFromHeaderValue(header, type, source); |
340 if (document() && document()->frame()) { | 340 if (document() && document()->frame()) { |
341 // Notify about the new header, so that it can be reported back to the | 341 // Notify about the new header, so that it can be reported back to the |
342 // browser process. This is needed in order to: | 342 // browser process. This is needed in order to: |
343 // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now / | 343 // 1) replicate CSP directives (i.e. frame-src) to OOPIFs (only for now / |
344 // short-term). | 344 // short-term). |
345 // 2) enforce CSP in the browser process (long-term - see | 345 // 2) enforce CSP in the browser process (long-term - see |
346 // https://crbug.com/376522). | 346 // https://crbug.com/376522). |
347 // TODO(arthursonzogni): policies are actually replicated (1) and some of | 347 // TODO(arthursonzogni): policies are actually replicated (1) and some of |
348 // them are (or will) be enforced on the browser process (2). Stop doing (1) | 348 // them are enforced on the browser process (2). Stop doing (1) when (2) is |
349 // when (2) is finished. | 349 // finished. |
350 | 350 |
351 // Zero, one or several policies could be produced by only one header. | 351 // RFC2616, section 4.2 specifies that headers appearing multiple times can |
352 std::vector<blink::WebContentSecurityPolicyPolicy> policies; | 352 // be combined with a comma. That's why a single header could causes several |
353 for (size_t i = previousPolicyCount; i < m_policies.size(); ++i) | 353 // policies to be added. |
Mike West
2017/03/22 09:45:53
I don't think this is necessary; we say something
arthursonzogni
2017/03/22 10:27:09
Okay, I will remove this comment.
354 policies.push_back(m_policies[i]->exposeForNavigationalChecks()); | 354 for (size_t i = previousPolicyCount; i < m_policies.size(); ++i) { |
355 document()->frame()->client()->didAddContentSecurityPolicy( | 355 document()->frame()->client()->didAddContentSecurityPolicy( |
356 header, type, source, policies); | 356 m_policies[i]->header(), m_policies[i]->headerType(), |
357 m_policies[i]->headerSource(), | |
358 m_policies[i]->exposeForNavigationalChecks()); | |
359 } | |
357 } | 360 } |
358 } | 361 } |
359 | 362 |
360 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) { | 363 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value) { |
361 m_overrideInlineStyleAllowed = value; | 364 m_overrideInlineStyleAllowed = value; |
362 } | 365 } |
363 | 366 |
364 void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url) { | 367 void ContentSecurityPolicy::setOverrideURLForSelf(const KURL& url) { |
365 // Create a temporary CSPSource so that 'self' expressions can be resolved | 368 // Create a temporary CSPSource so that 'self' expressions can be resolved |
366 // before we bind to an execution context (for 'frame-ancestor' resolution, | 369 // before we bind to an execution context (for 'frame-ancestor' resolution, |
1644 if (SecurityOrigin::shouldUseInnerURL(url)) { | 1647 if (SecurityOrigin::shouldUseInnerURL(url)) { |
1645 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy( | 1648 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy( |
1646 SecurityOrigin::extractInnerURL(url).protocol(), area); | 1649 SecurityOrigin::extractInnerURL(url).protocol(), area); |
1647 } else { | 1650 } else { |
1648 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy( | 1651 return SchemeRegistry::schemeShouldBypassContentSecurityPolicy( |
1649 url.protocol(), area); | 1652 url.protocol(), area); |
1650 } | 1653 } |
1651 } | 1654 } |
1652 | 1655 |
1653 } // namespace blink | 1656 } // namespace blink |
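Review bot: In addAndReportPolicyFromHeaderValue the new per-policy loop indexes `m_policies[i]` four times and re-fetches `document()->frame()->client()` on every iteration, while reportAccumulatedHeaders directly above walks the same container with a range-for; hoisting `LocalFrameClient* client = document()->frame()->client();` before the loop and starting the body with `const auto& policy = m_policies[i];` would make the two functions read alike. There is also a behavioural difference the CL description does not call out: when a header yields no policies (previousPolicyCount == m_policies.size()) the old code still issued one didAddContentSecurityPolicy call with an empty vector, whereas the new loop issues none — if the browser side relied on that notification, a test pinning the zero-policy case seems worth adding. Whether addPolicyFromHeaderValue can in fact produce zero policies is not visible in this view.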