Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(430)

Side by Side Diff: third_party/WebKit/Source/core/html/HTMLIFrameElement.cpp

Issue 2896833002: Added validation of the policy specified in the 'csp' attribute (Closed)
Patch Set: Code Review suggestions Created 3 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2000 Simon Hausmann (hausmann@kde.org) 4 * (C) 2000 Simon Hausmann (hausmann@kde.org)
5 * (C) 2001 Dirk Mueller (mueller@kde.org) 5 * (C) 2001 Dirk Mueller (mueller@kde.org)
6 * Copyright (C) 2004, 2006, 2008, 2009 Apple Inc. All rights reserved. 6 * Copyright (C) 2004, 2006, 2008, 2009 Apple Inc. All rights reserved.
7 * Copyright (C) 2009 Ericsson AB. All rights reserved. 7 * Copyright (C) 2009 Ericsson AB. All rights reserved.
8 * 8 *
9 * This library is free software; you can redistribute it and/or 9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Library General Public 10 * modify it under the terms of the GNU Library General Public
11 * License as published by the Free Software Foundation; either 11 * License as published by the Free Software Foundation; either
12 * version 2 of the License, or (at your option) any later version. 12 * version 2 of the License, or (at your option) any later version.
13 * 13 *
14 * This library is distributed in the hope that it will be useful, 14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Library General Public License for more details. 17 * Library General Public License for more details.
18 * 18 *
19 * You should have received a copy of the GNU Library General Public License 19 * You should have received a copy of the GNU Library General Public License
20 * along with this library; see the file COPYING.LIB. If not, write to 20 * along with this library; see the file COPYING.LIB. If not, write to
21 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, 21 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
22 * Boston, MA 02110-1301, USA. 22 * Boston, MA 02110-1301, USA.
23 */ 23 */
24 24
25 #include "core/html/HTMLIFrameElement.h" 25 #include "core/html/HTMLIFrameElement.h"
26 26
27 #include "core/CSSPropertyNames.h" 27 #include "core/CSSPropertyNames.h"
28 #include "core/HTMLNames.h" 28 #include "core/HTMLNames.h"
29 #include "core/frame/UseCounter.h" 29 #include "core/frame/UseCounter.h"
30 #include "core/frame/csp/ContentSecurityPolicy.h"
30 #include "core/html/HTMLDocument.h" 31 #include "core/html/HTMLDocument.h"
31 #include "core/inspector/ConsoleMessage.h" 32 #include "core/inspector/ConsoleMessage.h"
32 #include "core/layout/LayoutIFrame.h" 33 #include "core/layout/LayoutIFrame.h"
33 #include "platform/RuntimeEnabledFeatures.h" 34 #include "platform/RuntimeEnabledFeatures.h"
34 35
35 namespace blink { 36 namespace blink {
36 37
37 using namespace HTMLNames; 38 using namespace HTMLNames;
38 39
39 inline HTMLIFrameElement::HTMLIFrameElement(Document& document) 40 inline HTMLIFrameElement::HTMLIFrameElement(Document& document)
(...skipping 120 matching lines...) Expand 10 before | Expand all | Expand 10 after
160 } 161 }
161 } else if (name == allowpaymentrequestAttr) { 162 } else if (name == allowpaymentrequestAttr) {
162 bool old_allow_payment_request = allow_payment_request_; 163 bool old_allow_payment_request = allow_payment_request_;
163 allow_payment_request_ = !value.IsNull(); 164 allow_payment_request_ = !value.IsNull();
164 if (allow_payment_request_ != old_allow_payment_request) { 165 if (allow_payment_request_ != old_allow_payment_request) {
165 FrameOwnerPropertiesChanged(); 166 FrameOwnerPropertiesChanged();
166 UpdateContainerPolicy(); 167 UpdateContainerPolicy();
167 } 168 }
168 } else if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() && 169 } else if (RuntimeEnabledFeatures::embedderCSPEnforcementEnabled() &&
169 name == cspAttr) { 170 name == cspAttr) {
170 // TODO(amalika): add more robust validation of the value 171 if (!ContentSecurityPolicy::IsValidCSPAttr(value.GetString())) {
171 if (!value.GetString().ContainsOnlyASCII()) {
172 csp_ = g_null_atom; 172 csp_ = g_null_atom;
173 GetDocument().AddConsoleMessage(ConsoleMessage::Create( 173 GetDocument().AddConsoleMessage(ConsoleMessage::Create(
174 kOtherMessageSource, kErrorMessageLevel, 174 kOtherMessageSource, kErrorMessageLevel,
175 "'csp' attribute contains non-ASCII characters: " + value)); 175 "'csp' attribute is not a valid policy: " + value));
176 return; 176 return;
177 } 177 }
178 AtomicString old_csp = csp_; 178 AtomicString old_csp = csp_;
179 csp_ = value; 179 csp_ = value;
180 if (csp_ != old_csp) 180 if (csp_ != old_csp)
181 FrameOwnerPropertiesChanged(); 181 FrameOwnerPropertiesChanged();
182 } else if (RuntimeEnabledFeatures::featurePolicyEnabled() && 182 } else if (RuntimeEnabledFeatures::featurePolicyEnabled() &&
183 name == allowAttr) { 183 name == allowAttr) {
184 allow_->DidUpdateAttributeValue(params.old_value, value); 184 allow_->DidUpdateAttributeValue(params.old_value, value);
185 String invalid_tokens; 185 String invalid_tokens;
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after
225 225
226 bool HTMLIFrameElement::IsInteractiveContent() const { 226 bool HTMLIFrameElement::IsInteractiveContent() const {
227 return true; 227 return true;
228 } 228 }
229 229
230 ReferrerPolicy HTMLIFrameElement::ReferrerPolicyAttribute() { 230 ReferrerPolicy HTMLIFrameElement::ReferrerPolicyAttribute() {
231 return referrer_policy_; 231 return referrer_policy_;
232 } 232 }
233 233
234 } // namespace blink 234 } // namespace blink
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698