| OLD | NEW |
|---|
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
| 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
| 7 | 7 |
| 8 #include <vector> | 8 #include <vector> |
| 9 | 9 |
| 10 #include "content/common/content_export.h" | 10 #include "content/common/content_export.h" |
| 11 #include "content/common/content_security_policy/content_security_policy.h" | 11 #include "content/common/content_security_policy/content_security_policy.h" |
| 12 #include "content/common/content_security_policy_header.h" | 12 #include "content/common/content_security_policy_header.h" |
| 13 #include "content/common/navigation_params.h" | 13 #include "content/common/navigation_params.h" |
| 14 #include "url/gurl.h" | 14 #include "url/gurl.h" |
| 15 #include "url/origin.h" | 15 #include "url/origin.h" |
| 16 | 16 |
| 17 namespace content { | 17 namespace content { |
| 18 | 18 |
| 19 struct CSPViolationParams; | 19 struct CSPViolationParams; |
| 20 | 20 |
| 21 // A CSPContext represents the system on which the Content-Security-Policy are | 21 // A CSPContext represents the system on which the Content-Security-Policy are |
| 22 // enforced. One must define via its virtual methods how to report violations | 22 // enforced. One must define via its virtual methods how to report violations |
| 23 // and what is the set of scheme that bypass the CSP. Its main implementation | 23 // and what is the set of scheme that bypass the CSP. Its main implementation |
| 24 // is in content/browser/frame_host/render_frame_host_impl.h | 24 // is in content/browser/frame_host/render_frame_host_impl.h |
| 25 class CONTENT_EXPORT CSPContext { | 25 class CONTENT_EXPORT CSPContext { |
| 26 public: | 26 public: |
| 27 // This enum represents what set of policies should be checked by |
| 28 // IsAllowedByCsp(). |
| 29 enum CheckCSPDisposition { |
| 30 // Only check report-only policies. |
| 31 CHECK_REPORT_ONLY_CSP, |
| 32 // Only check enforced policies. (Note that enforced policies can still |
| 33 // trigger reports.) |
| 34 CHECK_ENFORCED_CSP, |
| 35 // Check all policies. |
| 36 CHECK_ALL_CSP, |
| 37 }; |
| 38 |
| 27 CSPContext(); | 39 CSPContext(); |
| 28 virtual ~CSPContext(); | 40 virtual ~CSPContext(); |
| 29 | 41 |
| 30 // Check if an |url| is allowed by the set of Content-Security-Policy. It will | 42 // Check if an |url| is allowed by the set of Content-Security-Policy. It will |
| 31 // report any violation by: | 43 // report any violation by: |
| 32 // * displaying a console message. | 44 // * displaying a console message. |
| 33 // * triggering the "SecurityPolicyViolation" javascript event. | 45 // * triggering the "SecurityPolicyViolation" javascript event. |
| 34 // * sending a JSON report to any uri defined with the "report-uri" directive. | 46 // * sending a JSON report to any uri defined with the "report-uri" directive. |
| 35 // Returns true when the request can proceed, false otherwise. | 47 // Returns true when the request can proceed, false otherwise. |
| 36 bool IsAllowedByCsp(CSPDirective::Name directive_name, | 48 bool IsAllowedByCsp(CSPDirective::Name directive_name, |
| 37 const GURL& url, | 49 const GURL& url, |
| 38 bool is_redirect, | 50 bool is_redirect, |
| 39 const SourceLocation& source_location); | 51 const SourceLocation& source_location, |
| 52 CheckCSPDisposition check_csp_disposition); |
| 53 |
| 54 // Returns true if the request URL needs to be modified (e.g. upgraded to |
| 55 // HTTPS) according to the CSP. If true, |new_url| will contain the new URL |
| 56 // that should be used instead of |url|. |
| 57 bool ShouldModifyRequestUrlForCsp(const GURL& url, |
| 58 bool is_suresource_or_form_submssion, |
| 59 GURL* new_url); |
| 40 | 60 |
| 41 void SetSelf(const url::Origin origin); | 61 void SetSelf(const url::Origin origin); |
| 42 bool AllowSelf(const GURL& url); | 62 bool AllowSelf(const GURL& url); |
| 43 bool ProtocolIsSelf(const GURL& url); | 63 bool ProtocolIsSelf(const GURL& url); |
| 44 const std::string& GetSelfScheme(); | 64 const std::string& GetSelfScheme(); |
| 45 | 65 |
| 46 virtual void ReportContentSecurityPolicyViolation( | 66 virtual void ReportContentSecurityPolicyViolation( |
| 47 const CSPViolationParams& violation_params); | 67 const CSPViolationParams& violation_params); |
| 48 | 68 |
| 49 bool SelfSchemeShouldBypassCsp(); | 69 bool SelfSchemeShouldBypassCsp(); |
| (...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 120 | 140 |
| 121 // Whether or not the violation happens after a redirect. | 141 // Whether or not the violation happens after a redirect. |
| 122 bool after_redirect; | 142 bool after_redirect; |
| 123 | 143 |
| 124 // The source code location that triggered the blocked navigation. | 144 // The source code location that triggered the blocked navigation. |
| 125 SourceLocation source_location; | 145 SourceLocation source_location; |
| 126 }; | 146 }; |
| 127 | 147 |
| 128 } // namespace content | 148 } // namespace content |
| 129 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 149 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2910573002:
Implement upgrade-insecure-requests in browser for frame requests (Closed)
