Side by Side Diff: content/common/content_security_policy/csp_source_list.cc

Issue 2797183002: CSP: Allow secure upgrade from an explicitly insecure expression. (Closed)
Patch Set: Created 3 years, 8 months ago
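--- a/content/common/content_security_policy/csp_source_list.cc
+++ b/content/common/content_security_policy/csp_source_list.cc
@@ -1,10 +1,10 @@
 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/content_security_policy/csp_context.h"
 
 namespace content {
 
 namespace {
 
@@ -57,21 +57,21 @@
 CSPContext* context,
 bool is_redirect) {
 // Wildcards match network schemes ('http', 'https', 'ftp', 'ws', 'wss'), and
 // the scheme of the protected resource:
 // https://w3c.github.io/webappsec-csp/#match-url-to-source-expression. Other
 // schemes, including custom schemes, must be explicitly listed in a source
 // list.
 if (source_list.allow_star) {
 if (url.SchemeIsHTTPOrHTTPS() || url.SchemeIsSuborigin() ||
 url.SchemeIsWSOrWSS() || url.SchemeIs("ftp") ||
-context->ProtocolMatchesSelf(url))
+context->ProtocolIsSelf(url))
 return true;
 
 return AllowFromSources(url, source_list.sources, context, is_redirect);
 }
 
 const GURL effective_url = GetEffectiveURL(context, url);
 
 if (source_list.allow_self && context->AllowSelf(effective_url))
 return true;
 
@@ -100,10 +100,10 @@
 }
 
 return text.str();
 }
 
 bool CSPSourceList::IsNone() const {
 return !allow_self && !allow_star && sources.empty();
 }
 
 } // namespace content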
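Review bot: The comment above the wildcard branch (lines 59-63) documents only the network schemes and the protected resource's scheme, but the condition directly beneath it also accepts `url.SchemeIsSuborigin()`, and the rename to `ProtocolIsSelf` leaves that gap in place; changing the first comment line to `// Wildcards match network schemes ('http', 'https', 'ftp', 'ws', 'wss'), suborigin schemes, and` keeps the documented allow-list in step with what the code actually permits. Note also that this branch tests the raw `url` and returns on line 68 or 70 before `effective_url = GetEffectiveURL(context, url)` is computed on line 73, so whatever GetEffectiveURL does never reaches `ProtocolIsSelf` or the `AllowFromSources` call in the wildcard path; whether that is intended depends on GetEffectiveURL, which is not visible here, and a one-line comment stating the intent would help the next reader either way. The enclosing function's signature begins before this hunk.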