1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 5 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 6 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
7 | 7 |
8 #include <vector> | 8 #include <vector> |
9 | 9 |
10 #include "content/common/content_export.h" | 10 #include "content/common/content_export.h" |
11 #include "content/common/content_security_policy/content_security_policy.h" | 11 #include "content/common/content_security_policy/content_security_policy.h" |
12 #include "content/common/content_security_policy_header.h" | 12 #include "content/common/content_security_policy_header.h" |
13 #include "content/common/navigation_params.h" | 13 #include "content/common/navigation_params.h" |
14 #include "url/gurl.h" | 14 #include "url/gurl.h" |
15 #include "url/origin.h" | 15 #include "url/origin.h" |
16 | 16 |
17 namespace content { | 17 namespace content { |
18 | 18 |
19 struct CSPViolationParams; | 19 struct CSPViolationParams; |
20 | 20 |
21 // A CSPContext represents the system on which the Content-Security-Policy are | 21 // A CSPContext represents the system on which the Content-Security-Policy are |
22 // enforced. One must define via its virtual methods how to report violations | 22 // enforced. One must define via its virtual methods how to report violations |
23 // and what is the set of scheme that bypass the CSP. Its main implementation | 23 // and what is the set of scheme that bypass the CSP. Its main implementation |
24 // is in content/browser/frame_host/render_frame_host_impl.h | 24 // is in content/browser/frame_host/render_frame_host_impl.h |
25 class CONTENT_EXPORT CSPContext { | 25 class CONTENT_EXPORT CSPContext { |
26 public: | 26 public: |
| 27 // This enum represents what set of policies should be checked by |
| 28 // IsAllowedByCsp(). |
| 29 enum CheckCSPDisposition { |
| 30 // Only check report-only policies. |
| 31 CHECK_REPORT_ONLY_CSP, |
| 32 // Only check enforced policies. (Note that enforced policies can still |
| 33 // trigger reports.) |
| 34 CHECK_ENFORCED_CSP, |
| 35 // Check all policies. |
| 36 CHECK_ALL_CSP, |
| 37 }; |
| 38 |
27 CSPContext(); | 39 CSPContext(); |
28 virtual ~CSPContext(); | 40 virtual ~CSPContext(); |
29 | 41 |
30 // Check if an |url| is allowed by the set of Content-Security-Policy. It will | 42 // Check if an |url| is allowed by the set of Content-Security-Policy. It will |
31 // report any violation by: | 43 // report any violation by: |
32 // * displaying a console message. | 44 // * displaying a console message. |
33 // * triggering the "SecurityPolicyViolation" javascript event. | 45 // * triggering the "SecurityPolicyViolation" javascript event. |
34 // * sending a JSON report to any uri defined with the "report-uri" directive. | 46 // * sending a JSON report to any uri defined with the "report-uri" directive. |
35 // Returns true when the request can proceed, false otherwise. | 47 // Returns true when the request can proceed, false otherwise. |
36 bool IsAllowedByCsp(CSPDirective::Name directive_name, | 48 bool IsAllowedByCsp(CSPDirective::Name directive_name, |
37 const GURL& url, | 49 const GURL& url, |
38 bool is_redirect, | 50 bool is_redirect, |
39 const SourceLocation& source_location); | 51 const SourceLocation& source_location, |
| 52 CheckCSPDisposition check_csp_disposition); |
| 53 |
| 54 // Returns true if the request URL needs to be modified (e.g. upgraded to |
| 55 // HTTPS) according to the CSP. If true, |new_url| will contain the new URL |
| 56 // that should be used instead of |url|. |
| 57 bool ShouldModifyRequestUrlForCsp(const GURL& url, |
| 58 bool is_suresource_or_form_submssion, |
| 59 GURL* new_url); |
40 | 60 |
41 void SetSelf(const url::Origin origin); | 61 void SetSelf(const url::Origin origin); |
42 bool AllowSelf(const GURL& url); | 62 bool AllowSelf(const GURL& url); |
43 bool ProtocolIsSelf(const GURL& url); | 63 bool ProtocolIsSelf(const GURL& url); |
44 const std::string& GetSelfScheme(); | 64 const std::string& GetSelfScheme(); |
45 | 65 |
46 virtual void ReportContentSecurityPolicyViolation( | 66 virtual void ReportContentSecurityPolicyViolation( |
47 const CSPViolationParams& violation_params); | 67 const CSPViolationParams& violation_params); |
48 | 68 |
49 bool SelfSchemeShouldBypassCsp(); | 69 bool SelfSchemeShouldBypassCsp(); |
120 | 140 |
121 // Whether or not the violation happens after a redirect. | 141 // Whether or not the violation happens after a redirect. |
122 bool after_redirect; | 142 bool after_redirect; |
123 | 143 |
124 // The source code location that triggered the blocked navigation. | 144 // The source code location that triggered the blocked navigation. |
125 SourceLocation source_location; | 145 SourceLocation source_location; |
126 }; | 146 }; |
127 | 147 |
128 } // namespace content | 148 } // namespace content |
129 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ | 149 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_ |
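Review bot: The parameter name in the new `ShouldModifyRequestUrlForCsp` declaration (new line 58) is misspelled twice and, being in the header, will propagate to the definition and every caller; it should read `bool is_subresource_or_form_submission,`. The comment above it says only "e.g. upgraded to HTTPS" and does not state the out-parameter contract — I would add `// |new_url| is only written when this returns true; callers must keep using |url| otherwise.` and name the directive that drives the rewrite (presumably upgrade-insecure-requests, which is the only CSP directive that upgrades to HTTPS — confirm against the .cc), since which requests qualify for upgrade is the security-relevant decision the bool encodes. The `IsAllowedByCsp` comment (new lines 42-47) was not updated for the new `check_csp_disposition` parameter; it should say which policies each value consults and that with `CHECK_REPORT_ONLY_CSP` the result can only report, never block, so the return value is then always true — if that is indeed the implemented behavior, this is worth stating explicitly because callers gate the request on it.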