Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(425)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp

Issue 2896833002: Added validation of the policy specified in the 'csp' attribute (Closed)
Patch Set: Fixed incomplete validation. Added more tests inspired by existing source parsing tests. Created 3 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h ('k') | third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp » ('j') | third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
index 772b48e6dbface86415d6e636a7f3efa6acd07db..e46f5e9eca75501c9ca1cfa29d77b3c8af13a1db 100644
--- a/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -967,6 +967,38 @@ void CSPDirectiveList::Parse(const UChar* begin, const UChar* end) {
}
}
+// static
+bool CSPDirectiveList::IsValid(
+ const String& directive_list,
+ ContentSecurityPolicyHeaderType header_type,
+ ContentSecurityPolicyHeaderSource header_source) {
+ Vector<UChar> characters;
+ directive_list.AppendTo(characters);
+ const UChar* begin = characters.data();
+ const UChar* end = begin + characters.size();
+
+ return IsValid(begin, end, header_type, header_source);
+}
+
+// static
+bool CSPDirectiveList::IsValid(
+ const UChar* begin,
+ const UChar* end,
+ ContentSecurityPolicyHeaderType header_type,
+ ContentSecurityPolicyHeaderSource header_source) {
+ if (begin == end)
+ return false;
+
+ ContentSecurityPolicy* policy = ContentSecurityPolicy::Create(
+ SecurityViolationReportingPolicy::kSuppressReporting);
+
+ CSPDirectiveList::Create(policy, begin, end, header_type, header_source);
Mike West 2017/05/29 07:46:21 I think this will accept something like `script-sr
+
+ bool is_valid = policy->IsValid();
+
+ return is_valid;
+}
+
// directive = *WSP [ directive-name [ WSP directive-value ] ]
// directive-name = 1*( ALPHA / DIGIT / "-" )
// directive-value = *( WSP / <VCHAR except ";"> )
@@ -1225,9 +1257,7 @@ void CSPDirectiveList::AddDirective(const String& name, const String& value) {
policy_->UsesScriptHashAlgorithms(script_src_->HashAlgorithmsUsed());
} else if (type == ContentSecurityPolicy::DirectiveType::kObjectSrc) {
SetCSPDirective<SourceListDirective>(name, value, object_src_);
- } else if (type ==
-
- ContentSecurityPolicy::DirectiveType::kFrameAncestors) {
+ } else if (type == ContentSecurityPolicy::DirectiveType::kFrameAncestors) {
SetCSPDirective<SourceListDirective>(name, value, frame_ancestors_);
} else if (type == ContentSecurityPolicy::DirectiveType::kFrameSrc) {
SetCSPDirective<SourceListDirective>(name, value, frame_src_);
« no previous file with comments | « third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.h ('k') | third_party/WebKit/Source/core/frame/csp/CSPDirectiveListTest.cpp » ('j') | third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h » ('J')

Powered by Google App Engine
This is Rietveld 408576698