OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
6 | 6 |
7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
(...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
92 const ContentSecurityPolicy::DirectiveType& effectiveType, | 92 const ContentSecurityPolicy::DirectiveType& effectiveType, |
93 const String& consoleMessage, | 93 const String& consoleMessage, |
94 const KURL& blockedURL, | 94 const KURL& blockedURL, |
95 ResourceRequest::RedirectStatus redirectStatus) const { | 95 ResourceRequest::RedirectStatus redirectStatus) const { |
96 String message = | 96 String message = |
97 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 97 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
98 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, | 98 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, |
99 ErrorMessageLevel, message)); | 99 ErrorMessageLevel, message)); |
100 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 100 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
101 m_reportEndpoints, m_header, m_headerType, | 101 m_reportEndpoints, m_header, m_headerType, |
102 ContentSecurityPolicy::URLViolation, nullptr, | 102 ContentSecurityPolicy::URLViolation, |
| 103 std::unique_ptr<SourceLocation>(), |
| 104 nullptr, // localFrame |
103 redirectStatus); | 105 redirectStatus); |
104 } | 106 } |
105 | 107 |
106 void CSPDirectiveList::reportViolationWithFrame( | 108 void CSPDirectiveList::reportViolationWithFrame( |
107 const String& directiveText, | 109 const String& directiveText, |
108 const ContentSecurityPolicy::DirectiveType& effectiveType, | 110 const ContentSecurityPolicy::DirectiveType& effectiveType, |
109 const String& consoleMessage, | 111 const String& consoleMessage, |
110 const KURL& blockedURL, | 112 const KURL& blockedURL, |
111 LocalFrame* frame) const { | 113 LocalFrame* frame) const { |
112 String message = | 114 String message = |
113 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 115 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
114 m_policy->logToConsole( | 116 m_policy->logToConsole( |
115 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), | 117 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), |
116 frame); | 118 frame); |
117 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 119 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
118 m_reportEndpoints, m_header, m_headerType, | 120 m_reportEndpoints, m_header, m_headerType, |
119 ContentSecurityPolicy::URLViolation, frame); | 121 ContentSecurityPolicy::URLViolation, |
| 122 std::unique_ptr<SourceLocation>(), frame); |
120 } | 123 } |
121 | 124 |
122 void CSPDirectiveList::reportViolationWithLocation( | 125 void CSPDirectiveList::reportViolationWithLocation( |
123 const String& directiveText, | 126 const String& directiveText, |
124 const ContentSecurityPolicy::DirectiveType& effectiveType, | 127 const ContentSecurityPolicy::DirectiveType& effectiveType, |
125 const String& consoleMessage, | 128 const String& consoleMessage, |
126 const KURL& blockedURL, | 129 const KURL& blockedURL, |
127 const String& contextURL, | 130 const String& contextURL, |
128 const WTF::OrdinalNumber& contextLine, | 131 const WTF::OrdinalNumber& contextLine, |
129 Element* element, | 132 Element* element, |
130 const String& source) const { | 133 const String& source) const { |
131 String message = | 134 String message = |
132 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 135 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
133 m_policy->logToConsole(ConsoleMessage::create( | 136 std::unique_ptr<SourceLocation> sourceLocation = |
134 SecurityMessageSource, ErrorMessageLevel, message, | 137 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0); |
135 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0))); | 138 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, |
136 m_policy->reportViolation( | 139 ErrorMessageLevel, message, |
137 directiveText, effectiveType, message, blockedURL, m_reportEndpoints, | 140 sourceLocation->clone())); |
138 m_header, m_headerType, ContentSecurityPolicy::InlineViolation, nullptr, | 141 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
139 RedirectStatus::NoRedirect, contextLine.oneBasedInt(), element, source); | 142 m_reportEndpoints, m_header, m_headerType, |
| 143 ContentSecurityPolicy::InlineViolation, |
| 144 std::move(sourceLocation), nullptr, // localFrame |
| 145 RedirectStatus::NoRedirect, element, source); |
140 } | 146 } |
141 | 147 |
142 void CSPDirectiveList::reportViolationWithState( | 148 void CSPDirectiveList::reportViolationWithState( |
143 const String& directiveText, | 149 const String& directiveText, |
144 const ContentSecurityPolicy::DirectiveType& effectiveType, | 150 const ContentSecurityPolicy::DirectiveType& effectiveType, |
145 const String& message, | 151 const String& message, |
146 const KURL& blockedURL, | 152 const KURL& blockedURL, |
147 ScriptState* scriptState, | 153 ScriptState* scriptState, |
148 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { | 154 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { |
149 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; | 155 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; |
150 // Print a console message if it won't be redundant with a | 156 // Print a console message if it won't be redundant with a |
151 // JavaScript exception that the caller will throw. (Exceptions will | 157 // JavaScript exception that the caller will throw. (Exceptions will |
152 // never get thrown in report-only mode because the caller won't see | 158 // never get thrown in report-only mode because the caller won't see |
153 // a violation.) | 159 // a violation.) |
154 if (isReportOnly() || | 160 if (isReportOnly() || |
155 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { | 161 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { |
156 ConsoleMessage* consoleMessage = ConsoleMessage::create( | 162 ConsoleMessage* consoleMessage = ConsoleMessage::create( |
157 SecurityMessageSource, ErrorMessageLevel, reportMessage); | 163 SecurityMessageSource, ErrorMessageLevel, reportMessage); |
158 m_policy->logToConsole(consoleMessage); | 164 m_policy->logToConsole(consoleMessage); |
159 } | 165 } |
160 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 166 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
161 m_reportEndpoints, m_header, m_headerType, | 167 m_reportEndpoints, m_header, m_headerType, |
162 ContentSecurityPolicy::EvalViolation); | 168 ContentSecurityPolicy::EvalViolation, |
| 169 std::unique_ptr<SourceLocation>()); |
163 } | 170 } |
164 | 171 |
165 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { | 172 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { |
166 return !directive || directive->allowEval(); | 173 return !directive || directive->allowEval(); |
167 } | 174 } |
168 | 175 |
169 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, | 176 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, |
170 const String& nonce) const { | 177 const String& nonce) const { |
171 return directive && directive->allowNonce(nonce); | 178 return directive && directive->allowNonce(nonce); |
172 } | 179 } |
(...skipping 14 matching lines...) Expand all Loading... |
187 | 194 |
188 void CSPDirectiveList::reportMixedContent( | 195 void CSPDirectiveList::reportMixedContent( |
189 const KURL& mixedURL, | 196 const KURL& mixedURL, |
190 ResourceRequest::RedirectStatus redirectStatus) const { | 197 ResourceRequest::RedirectStatus redirectStatus) const { |
191 if (strictMixedContentChecking()) { | 198 if (strictMixedContentChecking()) { |
192 m_policy->reportViolation( | 199 m_policy->reportViolation( |
193 ContentSecurityPolicy::getDirectiveName( | 200 ContentSecurityPolicy::getDirectiveName( |
194 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent), | 201 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent), |
195 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent, String(), | 202 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent, String(), |
196 mixedURL, m_reportEndpoints, m_header, m_headerType, | 203 mixedURL, m_reportEndpoints, m_header, m_headerType, |
197 ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); | 204 ContentSecurityPolicy::URLViolation, std::unique_ptr<SourceLocation>(), |
| 205 nullptr, // contextFrame, |
| 206 redirectStatus); |
198 } | 207 } |
199 } | 208 } |
200 | 209 |
201 bool CSPDirectiveList::checkSource( | 210 bool CSPDirectiveList::checkSource( |
202 SourceListDirective* directive, | 211 SourceListDirective* directive, |
203 const KURL& url, | 212 const KURL& url, |
204 ResourceRequest::RedirectStatus redirectStatus) const { | 213 ResourceRequest::RedirectStatus redirectStatus) const { |
205 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 214 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
206 // without a `src` can be blocked/allowed, as they can still load plugins | 215 // without a `src` can be blocked/allowed, as they can still load plugins |
207 // even though they don't actually have a URL. | 216 // even though they don't actually have a URL. |
(...skipping 1146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1354 visitor->trace(m_imgSrc); | 1363 visitor->trace(m_imgSrc); |
1355 visitor->trace(m_mediaSrc); | 1364 visitor->trace(m_mediaSrc); |
1356 visitor->trace(m_manifestSrc); | 1365 visitor->trace(m_manifestSrc); |
1357 visitor->trace(m_objectSrc); | 1366 visitor->trace(m_objectSrc); |
1358 visitor->trace(m_scriptSrc); | 1367 visitor->trace(m_scriptSrc); |
1359 visitor->trace(m_styleSrc); | 1368 visitor->trace(m_styleSrc); |
1360 visitor->trace(m_workerSrc); | 1369 visitor->trace(m_workerSrc); |
1361 } | 1370 } |
1362 | 1371 |
1363 } // namespace blink | 1372 } // namespace blink |
OLD | NEW |