| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <sstream> | 5 #include <sstream> |
| 6 #include "base/strings/string_split.h" | 6 #include "base/strings/string_split.h" |
| 7 #include "base/strings/string_util.h" | 7 #include "base/strings/string_util.h" |
| 8 #include "content/common/content_security_policy/csp_context.h" | 8 #include "content/common/content_security_policy/csp_context.h" |
| 9 | 9 |
| 10 namespace content { | 10 namespace content { |
| 88 bool is_redirect, | 88 bool is_redirect, |
| 89 const SourceLocation& source_location) { | 89 const SourceLocation& source_location) { |
| 90 if (CSPSourceList::Allow(directive.source_list, url, context, is_redirect)) | 90 if (CSPSourceList::Allow(directive.source_list, url, context, is_redirect)) |
| 91 return true; | 91 return true; |
| 92 | 92 |
| 93 ReportViolation(context, policy, directive, directive_name, url, is_redirect, | 93 ReportViolation(context, policy, directive, directive_name, url, is_redirect, |
| 94 source_location); | 94 source_location); |
| 95 return false; | 95 return false; |
| 96 } | 96 } |
| 97 | 97 |
| 98 const GURL ExtractInnerURL(const GURL& url) { | |
| 99 if (const GURL* inner_url = url.inner_url()) | |
| 100 return *inner_url; | |
| 101 else | |
| 102 // TODO(arthursonzogni): revisit this once GURL::inner_url support blob-URL. | |
| 103 return GURL(url.path()); | |
| 104 } | |
| 105 | |
| 106 bool ShouldBypassContentSecurityPolicy(CSPContext* context, const GURL& url) { | |
| 107 if (url.SchemeIsFileSystem() || url.SchemeIsBlob()) { | |
| 108 return context->SchemeShouldBypassCSP(ExtractInnerURL(url).scheme()); | |
| 109 } else { | |
| 110 return context->SchemeShouldBypassCSP(url.scheme()); | |
| 111 } | |
| 112 } | |
| 113 | |
| 98 } // namespace | 114 } // namespace |
| 99 | 115 |
| 100 ContentSecurityPolicy::ContentSecurityPolicy() | 116 ContentSecurityPolicy::ContentSecurityPolicy() |
| 101 : header(std::string(), | 117 : header(std::string(), |
| 102 blink::WebContentSecurityPolicyTypeEnforce, | 118 blink::WebContentSecurityPolicyTypeEnforce, |
| 103 blink::WebContentSecurityPolicySourceHTTP) {} | 119 blink::WebContentSecurityPolicySourceHTTP) {} |
| 104 | 120 |
| 105 ContentSecurityPolicy::ContentSecurityPolicy( | 121 ContentSecurityPolicy::ContentSecurityPolicy( |
| 106 const ContentSecurityPolicyHeader& header, | 122 const ContentSecurityPolicyHeader& header, |
| 107 const std::vector<CSPDirective>& directives, | 123 const std::vector<CSPDirective>& directives, |
| 108 const std::vector<std::string>& report_endpoints) | 124 const std::vector<std::string>& report_endpoints) |
| 109 : header(header), | 125 : header(header), |
| 110 directives(directives), | 126 directives(directives), |
| 111 report_endpoints(report_endpoints) {} | 127 report_endpoints(report_endpoints) {} |
| 112 | 128 |
| 113 ContentSecurityPolicy::ContentSecurityPolicy(const ContentSecurityPolicy&) = | 129 ContentSecurityPolicy::ContentSecurityPolicy(const ContentSecurityPolicy&) = |
| 114 default; | 130 default; |
| 115 ContentSecurityPolicy::~ContentSecurityPolicy() = default; | 131 ContentSecurityPolicy::~ContentSecurityPolicy() = default; |
| 116 | 132 |
| 117 // static | 133 // static |
| 118 bool ContentSecurityPolicy::Allow(const ContentSecurityPolicy& policy, | 134 bool ContentSecurityPolicy::Allow(const ContentSecurityPolicy& policy, |
| 119 CSPDirective::Name directive_name, | 135 CSPDirective::Name directive_name, |
| 120 const GURL& url, | 136 const GURL& url, |
| 121 bool is_redirect, | 137 bool is_redirect, |
| 122 CSPContext* context, | 138 CSPContext* context, |
| 123 const SourceLocation& source_location) { | 139 const SourceLocation& source_location) { |
| 140 if (ShouldBypassContentSecurityPolicy(context, url)) return true; | |
|
arthursonzogni
2017/04/05 08:27:13
Nit: please use two lines.
| |
| 141 | |
| 124 CSPDirective::Name current_directive_name = directive_name; | 142 CSPDirective::Name current_directive_name = directive_name; |
| 125 do { | 143 do { |
| 126 for (const CSPDirective& directive : policy.directives) { | 144 for (const CSPDirective& directive : policy.directives) { |
| 127 if (directive.name == current_directive_name) { | 145 if (directive.name == current_directive_name) { |
| 128 bool allowed = | 146 bool allowed = |
| 129 AllowDirective(context, policy, directive, directive_name, url, | 147 AllowDirective(context, policy, directive, directive_name, url, |
| 130 is_redirect, source_location); | 148 is_redirect, source_location); |
| 131 return allowed || | 149 return allowed || |
| 132 policy.header.type == blink::WebContentSecurityPolicyTypeReport; | 150 policy.header.type == blink::WebContentSecurityPolicyTypeReport; |
| 133 } | 151 } |
| 153 is_first_policy = false; | 171 is_first_policy = false; |
| 154 text << "report-uri"; | 172 text << "report-uri"; |
| 155 for (const std::string& endpoint : report_endpoints) | 173 for (const std::string& endpoint : report_endpoints) |
| 156 text << " " << endpoint; | 174 text << " " << endpoint; |
| 157 } | 175 } |
| 158 | 176 |
| 159 return text.str(); | 177 return text.str(); |
| 160 } | 178 } |
| 161 | 179 |
| 162 } // namespace content | 180 } // namespace content |
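Review bot: In `ShouldBypassContentSecurityPolicy` (new lines 106-112) the blob: fallback `GURL(url.path())` can produce an invalid GURL — for example a blob URL minted from an opaque origin (`blob:null/<uuid>`) or any path that does not re-parse as a URL — and `scheme()` on an invalid GURL is the empty string, so the bypass decision would be taken on `SchemeShouldBypassCSP("")`. Whether `CSPContext::SchemeShouldBypassCSP` already rejects an empty scheme cannot be confirmed from this file, so it is safer to make the guard explicit here: `const GURL inner = ExtractInnerURL(url);` followed by `return inner.is_valid() && context->SchemeShouldBypassCSP(inner.scheme());`, which keeps an unparseable inner URL from ever reaching the bypass list. The helper would also benefit from a why-comment above line 106, e.g. `// filesystem: and blob: URLs are judged by the scheme of the URL they wrap, so that a bypassing scheme (and only that) carries over to the wrapping URL.`, since the scheme-based bypass is applied before any directive is consulted (line 140) and a reader otherwise has to infer why the inner URL matters. As a style point, `ExtractInnerURL` returns `const GURL` by value; dropping the `const` on the return type lets callers move the result and matches the rest of the file.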