1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
340 CSPDirectiveList::Create(this, begin, position, type, source); | 340 CSPDirectiveList::Create(this, begin, position, type, source); |
341 | 341 |
342 if (!policy->AllowEval( | 342 if (!policy->AllowEval( |
343 0, SecurityViolationReportingPolicy::kSuppressReporting) && | 343 0, SecurityViolationReportingPolicy::kSuppressReporting) && |
344 disable_eval_error_message_.IsNull()) | 344 disable_eval_error_message_.IsNull()) |
345 disable_eval_error_message_ = policy->EvalDisabledErrorMessage(); | 345 disable_eval_error_message_ = policy->EvalDisabledErrorMessage(); |
346 | 346 |
347 policies_.push_back(policy.Release()); | 347 policies_.push_back(policy.Release()); |
348 | 348 |
349 // Skip the comma, and begin the next header from the current position. | 349 // Skip the comma, and begin the next header from the current position. |
350 ASSERT(position == end || *position == ','); | 350 DCHECK(position == end || *position == ','); |
351 skipExactly<UChar>(position, end, ','); | 351 skipExactly<UChar>(position, end, ','); |
352 begin = position; | 352 begin = position; |
353 } | 353 } |
354 } | 354 } |
355 | 355 |
356 void ContentSecurityPolicy::ReportAccumulatedHeaders( | 356 void ContentSecurityPolicy::ReportAccumulatedHeaders( |
357 LocalFrameClient* client) const { | 357 LocalFrameClient* client) const { |
358 // Notify the embedder about headers that have accumulated before the | 358 // Notify the embedder about headers that have accumulated before the |
359 // navigation got committed. See comments in | 359 // navigation got committed. See comments in |
360 // addAndReportPolicyFromHeaderValue for more details and context. | 360 // addAndReportPolicyFromHeaderValue for more details and context. |
1167 const KURL& blocked_url, | 1167 const KURL& blocked_url, |
1168 const Vector<String>& report_endpoints, | 1168 const Vector<String>& report_endpoints, |
1169 const String& header, | 1169 const String& header, |
1170 ContentSecurityPolicyHeaderType header_type, | 1170 ContentSecurityPolicyHeaderType header_type, |
1171 ViolationType violation_type, | 1171 ViolationType violation_type, |
1172 std::unique_ptr<SourceLocation> source_location, | 1172 std::unique_ptr<SourceLocation> source_location, |
1173 LocalFrame* context_frame, | 1173 LocalFrame* context_frame, |
1174 RedirectStatus redirect_status, | 1174 RedirectStatus redirect_status, |
1175 Element* element, | 1175 Element* element, |
1176 const String& source) { | 1176 const String& source) { |
1177 ASSERT(violation_type == kURLViolation || blocked_url.IsEmpty()); | 1177 DCHECK(violation_type == kURLViolation || blocked_url.IsEmpty()); |
1178 | 1178 |
1179 // TODO(lukasza): Support sending reports from OOPIFs - | 1179 // TODO(lukasza): Support sending reports from OOPIFs - |
1180 // https://crbug.com/611232 (or move CSP child-src and frame-src checks to the | 1180 // https://crbug.com/611232 (or move CSP child-src and frame-src checks to the |
1181 // browser process - see https://crbug.com/376522). | 1181 // browser process - see https://crbug.com/376522). |
1182 if (!execution_context_ && !context_frame) { | 1182 if (!execution_context_ && !context_frame) { |
1183 DCHECK(effective_type == DirectiveType::kChildSrc || | 1183 DCHECK(effective_type == DirectiveType::kChildSrc || |
1184 effective_type == DirectiveType::kFrameSrc || | 1184 effective_type == DirectiveType::kFrameSrc || |
1185 effective_type == DirectiveType::kPluginTypes); | 1185 effective_type == DirectiveType::kPluginTypes); |
1186 return; | 1186 return; |
1187 } | 1187 } |
1466 "'. Non-whitespace characters outside ASCII 0x21-0x7E must " | 1466 "'. Non-whitespace characters outside ASCII 0x21-0x7E must " |
1467 "be percent-encoded, as described in RFC 3986, section 2.1: " | 1467 "be percent-encoded, as described in RFC 3986, section 2.1: " |
1468 "http://tools.ietf.org/html/rfc3986#section-2.1."; | 1468 "http://tools.ietf.org/html/rfc3986#section-2.1."; |
1469 LogToConsole(message); | 1469 LogToConsole(message); |
1470 } | 1470 } |
1471 | 1471 |
1472 void ContentSecurityPolicy::ReportInvalidPathCharacter( | 1472 void ContentSecurityPolicy::ReportInvalidPathCharacter( |
1473 const String& directive_name, | 1473 const String& directive_name, |
1474 const String& value, | 1474 const String& value, |
1475 const char invalid_char) { | 1475 const char invalid_char) { |
1476 ASSERT(invalid_char == '#' || invalid_char == '?'); | 1476 DCHECK(invalid_char == '#' || invalid_char == '?'); |
1477 | 1477 |
1478 String ignoring = | 1478 String ignoring = |
1479 "The fragment identifier, including the '#', will be ignored."; | 1479 "The fragment identifier, including the '#', will be ignored."; |
1480 if (invalid_char == '?') | 1480 if (invalid_char == '?') |
1481 ignoring = "The query component, including the '?', will be ignored."; | 1481 ignoring = "The query component, including the '?', will be ignored."; |
1482 String message = "The source list for Content Security Policy directive '" + | 1482 String message = "The source list for Content Security Policy directive '" + |
1483 directive_name + | 1483 directive_name + |
1484 "' contains a source with an invalid path: '" + value + | 1484 "' contains a source with an invalid path: '" + value + |
1485 "'. " + ignoring; | 1485 "'. " + ignoring; |
1486 LogToConsole(message); | 1486 LogToConsole(message); |
1703 if (SecurityOrigin::ShouldUseInnerURL(url)) { | 1703 if (SecurityOrigin::ShouldUseInnerURL(url)) { |
1704 return SchemeRegistry::SchemeShouldBypassContentSecurityPolicy( | 1704 return SchemeRegistry::SchemeShouldBypassContentSecurityPolicy( |
1705 SecurityOrigin::ExtractInnerURL(url).Protocol(), area); | 1705 SecurityOrigin::ExtractInnerURL(url).Protocol(), area); |
1706 } else { | 1706 } else { |
1707 return SchemeRegistry::SchemeShouldBypassContentSecurityPolicy( | 1707 return SchemeRegistry::SchemeShouldBypassContentSecurityPolicy( |
1708 url.Protocol(), area); | 1708 url.Protocol(), area); |
1709 } | 1709 } |
1710 } | 1710 } |
1711 | 1711 |
1712 } // namespace blink | 1712 } // namespace blink |