Chromium Code Reviews Chromium Code Reviews
Issue 2869423002:
PlzNavigate: Do not disclose urls between cross-origin renderers. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
| 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
| 7 | 7 |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "content/common/content_export.h" | 10 #include "content/common/content_export.h" |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 48 | 48 |
| 49 bool SelfSchemeShouldBypassCsp(); | 49 bool SelfSchemeShouldBypassCsp(); |
| 50 | 50 |
| 51 void ResetContentSecurityPolicies() { policies_.clear(); } | 51 void ResetContentSecurityPolicies() { policies_.clear(); } |
| 52 void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) { | 52 void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) { |
| 53 policies_.push_back(policy); | 53 policies_.push_back(policy); |
| 54 } | 54 } |
| 55 | 55 |
| 56 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme); | 56 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme); |
| 57 | 57 |
| 58 // For security reasons, some urls must not be disclosed cross-origin in | |
| 59 // violation reports. It includes the blocked url and the url of the initiator | |
| 60 // of the navigation. This information is potentially transmitted between | |
| 61 // different renderer processes. | |
| 62 // TODO(arthursonzogni): Stop hiding sensitive parts of URLs in console error | |
| 63 // messages as soon as there is a way to send it to the devtools process | |
|
alexmos
2017/05/16 05:56:49
nit: s/it/them/
arthursonzogni
2017/05/16 12:48:44
Done.
| |
| 64 // without the round trip in the renderer process. | |
| 65 // See https://crbug.com/721329 | |
| 66 virtual void SanitizeDataForUseInCspViolation( | |
| 67 GURL* blocked_url, | |
| 68 SourceLocation* source_location, | |
| 69 bool is_redirect, | |
| 70 CSPDirective::Name directive) const; | |
| 71 | |
| 58 private: | 72 private: |
| 59 bool has_self_ = false; | 73 bool has_self_ = false; |
| 60 std::string self_scheme_; | 74 std::string self_scheme_; |
| 61 CSPSource self_source_; | 75 CSPSource self_source_; |
| 62 | 76 |
| 63 std::vector<ContentSecurityPolicy> policies_; | 77 std::vector<ContentSecurityPolicy> policies_; |
| 64 | 78 |
| 65 DISALLOW_COPY_AND_ASSIGN(CSPContext); | 79 DISALLOW_COPY_AND_ASSIGN(CSPContext); |
| 66 }; | 80 }; |
| 67 | 81 |
| (...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 106 | 120 |
| 107 // Whether or not the violation happens after a redirect. | 121 // Whether or not the violation happens after a redirect. |
| 108 bool after_redirect; | 122 bool after_redirect; |
| 109 | 123 |
| 110 // The source code location that triggered the blocked navigation. | 124 // The source code location that triggered the blocked navigation. |
| 111 SourceLocation source_location; | 125 SourceLocation source_location; |
| 112 }; | 126 }; |
| 113 | 127 |
| 114 } // namespace content | 128 } // namespace content |
| 115 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 129 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
| OLD | NEW |
