content/common/content_security_policy/csp_context.h - Issue 2869423002: PlzNavigate: Do not disclose urls between cross-origin renderers.

Side by Side Diff: content/common/content_security_policy/csp_context.h

Issue 2869423002: PlzNavigate: Do not disclose urls between cross-origin renderers. (Closed)

Patch Set: Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« content/common/content_security_policy/content_security_policy.cc ('K') | « content/common/content_security_policy/content_security_policy.cc ('k') | content/common/content_security_policy/csp_context.cc » ('j') | content/common/content_security_policy/csp_context_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2017 The Chromium Authors. All rights reserved.	1 // Copyright 2017 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_	5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_

6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_	6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_

7	7

8 #include <vector>	8 #include <vector>

9	9

10 #include "content/common/content_export.h"	10 #include "content/common/content_export.h"

(...skipping 37 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
48	48

49 bool SelfSchemeShouldBypassCsp();	49 bool SelfSchemeShouldBypassCsp();

50	50

51 void ResetContentSecurityPolicies() { policies_.clear(); }	51 void ResetContentSecurityPolicies() { policies_.clear(); }

52 void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) {	52 void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) {

53 policies_.push_back(policy);	53 policies_.push_back(policy);

54 }	54 }

55	55

56 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme);	56 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme);

57	57

	58 // For security reasons, some urls must not be disclosed in console error

	59 // messages, source location and reports. When this function returns false,
	alexmos 2017/05/10 22:33:08 Note: using those URLs in console error messages i Note: using those URLs in console error messages is fine/fixable, as long as only the devtools process knows them, and we don't pass them through the renderer process (see by comment on the disabled tests below). arthursonzogni 2017/05/11 13:06:23 Yes, using those URLs will be fine as soon as we w Show quoted text On 2017/05/10 22:33:08, alexmos wrote: > Note: using those URLs in console error messages is fine/fixable, as long as > only the devtools process knows them, and we don't pass them through the > renderer process (see by comment on the disabled tests below). Yes, using those URLs will be fine as soon as we will be able to send console error message directly to the devtool process without using the renderer process in between. I don't know how hard it is.
	60 // only the url's origin is displayed instead.
	alexmos 2017/05/10 22:33:08 This latter part doesn't apply to SourceLocation, This latter part doesn't apply to SourceLocation, which you clear out entirely, so perhaps the wording can account for that? (I.e., it can clarify that it's the blocked_url in violation events that is converted to origins.) arthursonzogni 2017/05/11 13:06:23 source_location is used in console message and in Show quoted text On 2017/05/10 22:33:08, alexmos wrote: > This latter part doesn't apply to SourceLocation, which you clear out entirely, > so perhaps the wording can account for that? (I.e., it can clarify that it's > the blocked_url in violation events that is converted to origins.) source_location is used in console message and in reports. I need to fix this comment. It looks weird.
	61 virtual bool IsOriginSafeToUseInCspViolation(const url::Origin& origin) const;

	62

58 private:	63 private:

59 bool has_self_ = false;	64 bool has_self_ = false;

60 std::string self_scheme_;	65 std::string self_scheme_;

61 CSPSource self_source_;	66 CSPSource self_source_;

62	67

63 std::vector<ContentSecurityPolicy> policies_;	68 std::vector<ContentSecurityPolicy> policies_;

64	69

65 DISALLOW_COPY_AND_ASSIGN(CSPContext);	70 DISALLOW_COPY_AND_ASSIGN(CSPContext);

66 };	71 };

67	72

(...skipping 38 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
106	111

107 // Whether or not the violation happens after a redirect.	112 // Whether or not the violation happens after a redirect.

108 bool after_redirect;	113 bool after_redirect;

109	114

110 // The source code location that triggered the blocked navigation.	115 // The source code location that triggered the blocked navigation.

111 SourceLocation source_location;	116 SourceLocation source_location;

112 };	117 };

113	118

114 } // namespace content	119 } // namespace content

115 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_	120 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_

OLD	NEW