| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPDirectiveList.h" | 5 #include "core/frame/csp/CSPDirectiveList.h" |
| 6 | 6 |
| 7 #include "bindings/core/v8/SourceLocation.h" | 7 #include "bindings/core/v8/SourceLocation.h" |
| 8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
| 10 #include "core/dom/SpaceSplitString.h" | 10 #include "core/dom/SpaceSplitString.h" |
| (...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 92 const ContentSecurityPolicy::DirectiveType& effectiveType, | 92 const ContentSecurityPolicy::DirectiveType& effectiveType, |
| 93 const String& consoleMessage, | 93 const String& consoleMessage, |
| 94 const KURL& blockedURL, | 94 const KURL& blockedURL, |
| 95 ResourceRequest::RedirectStatus redirectStatus) const { | 95 ResourceRequest::RedirectStatus redirectStatus) const { |
| 96 String message = | 96 String message = |
| 97 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 97 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
| 98 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, | 98 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, |
| 99 ErrorMessageLevel, message)); | 99 ErrorMessageLevel, message)); |
| 100 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 100 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
| 101 m_reportEndpoints, m_header, m_headerType, | 101 m_reportEndpoints, m_header, m_headerType, |
| 102 ContentSecurityPolicy::URLViolation, nullptr, | 102 ContentSecurityPolicy::URLViolation, |
| 103 std::unique_ptr<SourceLocation>(), |
| 104 nullptr, // localFrame |
| 103 redirectStatus); | 105 redirectStatus); |
| 104 } | 106 } |
| 105 | 107 |
| 106 void CSPDirectiveList::reportViolationWithFrame( | 108 void CSPDirectiveList::reportViolationWithFrame( |
| 107 const String& directiveText, | 109 const String& directiveText, |
| 108 const ContentSecurityPolicy::DirectiveType& effectiveType, | 110 const ContentSecurityPolicy::DirectiveType& effectiveType, |
| 109 const String& consoleMessage, | 111 const String& consoleMessage, |
| 110 const KURL& blockedURL, | 112 const KURL& blockedURL, |
| 111 LocalFrame* frame) const { | 113 LocalFrame* frame) const { |
| 112 String message = | 114 String message = |
| 113 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 115 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
| 114 m_policy->logToConsole( | 116 m_policy->logToConsole( |
| 115 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), | 117 ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), |
| 116 frame); | 118 frame); |
| 117 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 119 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
| 118 m_reportEndpoints, m_header, m_headerType, | 120 m_reportEndpoints, m_header, m_headerType, |
| 119 ContentSecurityPolicy::URLViolation, frame); | 121 ContentSecurityPolicy::URLViolation, |
| 122 std::unique_ptr<SourceLocation>(), frame); |
| 120 } | 123 } |
| 121 | 124 |
| 122 void CSPDirectiveList::reportViolationWithLocation( | 125 void CSPDirectiveList::reportViolationWithLocation( |
| 123 const String& directiveText, | 126 const String& directiveText, |
| 124 const ContentSecurityPolicy::DirectiveType& effectiveType, | 127 const ContentSecurityPolicy::DirectiveType& effectiveType, |
| 125 const String& consoleMessage, | 128 const String& consoleMessage, |
| 126 const KURL& blockedURL, | 129 const KURL& blockedURL, |
| 127 const String& contextURL, | 130 const String& contextURL, |
| 128 const WTF::OrdinalNumber& contextLine, | 131 const WTF::OrdinalNumber& contextLine, |
| 129 Element* element, | 132 Element* element, |
| 130 const String& source) const { | 133 const String& source) const { |
| 131 String message = | 134 String message = |
| 132 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; | 135 isReportOnly() ? "[Report Only] " + consoleMessage : consoleMessage; |
| 133 m_policy->logToConsole(ConsoleMessage::create( | 136 std::unique_ptr<SourceLocation> sourceLocation = |
| 134 SecurityMessageSource, ErrorMessageLevel, message, | 137 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0); |
| 135 SourceLocation::capture(contextURL, contextLine.oneBasedInt(), 0))); | 138 m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, |
| 136 m_policy->reportViolation( | 139 ErrorMessageLevel, message, |
| 137 directiveText, effectiveType, message, blockedURL, m_reportEndpoints, | 140 sourceLocation->clone())); |
| 138 m_header, m_headerType, ContentSecurityPolicy::InlineViolation, nullptr, | 141 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
| 139 RedirectStatus::NoRedirect, contextLine.oneBasedInt(), element, source); | 142 m_reportEndpoints, m_header, m_headerType, |
| 143 ContentSecurityPolicy::InlineViolation, |
| 144 std::move(sourceLocation), nullptr, // localFrame |
| 145 RedirectStatus::NoRedirect, element, source); |
| 140 } | 146 } |
| 141 | 147 |
| 142 void CSPDirectiveList::reportViolationWithState( | 148 void CSPDirectiveList::reportViolationWithState( |
| 143 const String& directiveText, | 149 const String& directiveText, |
| 144 const ContentSecurityPolicy::DirectiveType& effectiveType, | 150 const ContentSecurityPolicy::DirectiveType& effectiveType, |
| 145 const String& message, | 151 const String& message, |
| 146 const KURL& blockedURL, | 152 const KURL& blockedURL, |
| 147 ScriptState* scriptState, | 153 ScriptState* scriptState, |
| 148 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { | 154 const ContentSecurityPolicy::ExceptionStatus exceptionStatus) const { |
| 149 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; | 155 String reportMessage = isReportOnly() ? "[Report Only] " + message : message; |
| 150 // Print a console message if it won't be redundant with a | 156 // Print a console message if it won't be redundant with a |
| 151 // JavaScript exception that the caller will throw. (Exceptions will | 157 // JavaScript exception that the caller will throw. (Exceptions will |
| 152 // never get thrown in report-only mode because the caller won't see | 158 // never get thrown in report-only mode because the caller won't see |
| 153 // a violation.) | 159 // a violation.) |
| 154 if (isReportOnly() || | 160 if (isReportOnly() || |
| 155 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { | 161 exceptionStatus == ContentSecurityPolicy::WillNotThrowException) { |
| 156 ConsoleMessage* consoleMessage = ConsoleMessage::create( | 162 ConsoleMessage* consoleMessage = ConsoleMessage::create( |
| 157 SecurityMessageSource, ErrorMessageLevel, reportMessage); | 163 SecurityMessageSource, ErrorMessageLevel, reportMessage); |
| 158 m_policy->logToConsole(consoleMessage); | 164 m_policy->logToConsole(consoleMessage); |
| 159 } | 165 } |
| 160 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, | 166 m_policy->reportViolation(directiveText, effectiveType, message, blockedURL, |
| 161 m_reportEndpoints, m_header, m_headerType, | 167 m_reportEndpoints, m_header, m_headerType, |
| 162 ContentSecurityPolicy::EvalViolation); | 168 ContentSecurityPolicy::EvalViolation, |
| 169 std::unique_ptr<SourceLocation>()); |
| 163 } | 170 } |
| 164 | 171 |
| 165 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { | 172 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const { |
| 166 return !directive || directive->allowEval(); | 173 return !directive || directive->allowEval(); |
| 167 } | 174 } |
| 168 | 175 |
| 169 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, | 176 bool CSPDirectiveList::isMatchingNoncePresent(SourceListDirective* directive, |
| 170 const String& nonce) const { | 177 const String& nonce) const { |
| 171 return directive && directive->allowNonce(nonce); | 178 return directive && directive->allowNonce(nonce); |
| 172 } | 179 } |
| (...skipping 14 matching lines...) Expand all Loading... |
| 187 | 194 |
| 188 void CSPDirectiveList::reportMixedContent( | 195 void CSPDirectiveList::reportMixedContent( |
| 189 const KURL& mixedURL, | 196 const KURL& mixedURL, |
| 190 ResourceRequest::RedirectStatus redirectStatus) const { | 197 ResourceRequest::RedirectStatus redirectStatus) const { |
| 191 if (strictMixedContentChecking()) { | 198 if (strictMixedContentChecking()) { |
| 192 m_policy->reportViolation( | 199 m_policy->reportViolation( |
| 193 ContentSecurityPolicy::getDirectiveName( | 200 ContentSecurityPolicy::getDirectiveName( |
| 194 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent), | 201 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent), |
| 195 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent, String(), | 202 ContentSecurityPolicy::DirectiveType::BlockAllMixedContent, String(), |
| 196 mixedURL, m_reportEndpoints, m_header, m_headerType, | 203 mixedURL, m_reportEndpoints, m_header, m_headerType, |
| 197 ContentSecurityPolicy::URLViolation, nullptr, redirectStatus); | 204 ContentSecurityPolicy::URLViolation, std::unique_ptr<SourceLocation>(), |
| 205 nullptr, // contextFrame, |
| 206 redirectStatus); |
| 198 } | 207 } |
| 199 } | 208 } |
| 200 | 209 |
| 201 bool CSPDirectiveList::checkSource( | 210 bool CSPDirectiveList::checkSource( |
| 202 SourceListDirective* directive, | 211 SourceListDirective* directive, |
| 203 const KURL& url, | 212 const KURL& url, |
| 204 ResourceRequest::RedirectStatus redirectStatus) const { | 213 ResourceRequest::RedirectStatus redirectStatus) const { |
| 205 // If |url| is empty, fall back to the policy URL to ensure that <object>'s | 214 // If |url| is empty, fall back to the policy URL to ensure that <object>'s |
| 206 // without a `src` can be blocked/allowed, as they can still load plugins | 215 // without a `src` can be blocked/allowed, as they can still load plugins |
| 207 // even though they don't actually have a URL. | 216 // even though they don't actually have a URL. |
| (...skipping 1146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1354 visitor->trace(m_imgSrc); | 1363 visitor->trace(m_imgSrc); |
| 1355 visitor->trace(m_mediaSrc); | 1364 visitor->trace(m_mediaSrc); |
| 1356 visitor->trace(m_manifestSrc); | 1365 visitor->trace(m_manifestSrc); |
| 1357 visitor->trace(m_objectSrc); | 1366 visitor->trace(m_objectSrc); |
| 1358 visitor->trace(m_scriptSrc); | 1367 visitor->trace(m_scriptSrc); |
| 1359 visitor->trace(m_styleSrc); | 1368 visitor->trace(m_styleSrc); |
| 1360 visitor->trace(m_workerSrc); | 1369 visitor->trace(m_workerSrc); |
| 1361 } | 1370 } |
| 1362 | 1371 |
| 1363 } // namespace blink | 1372 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2785463002:
CSP: Don't override the location set in reportViolationWithLocation. (Closed)
