OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 403 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
414 void ContentSecurityPolicy::usesScriptHashAlgorithms(uint8_t algorithms) | 414 void ContentSecurityPolicy::usesScriptHashAlgorithms(uint8_t algorithms) |
415 { | 415 { |
416 m_scriptHashAlgorithmsUsed |= algorithms; | 416 m_scriptHashAlgorithmsUsed |= algorithms; |
417 } | 417 } |
418 | 418 |
419 void ContentSecurityPolicy::usesStyleHashAlgorithms(uint8_t algorithms) | 419 void ContentSecurityPolicy::usesStyleHashAlgorithms(uint8_t algorithms) |
420 { | 420 { |
421 m_styleHashAlgorithmsUsed |= algorithms; | 421 m_styleHashAlgorithmsUsed |= algorithms; |
422 } | 422 } |
423 | 423 |
| 424 bool ContentSecurityPolicy::allowFromSource(const KURL& url, blink::WebURLReques
t::RequestContext requestContext, ContentSecurityPolicy::ReportingStatus reporti
ngStatus) const |
| 425 { |
| 426 switch (requestContext) { |
| 427 case blink::WebURLRequest::RequestContextFrame: |
| 428 case blink::WebURLRequest::RequestContextIframe: |
| 429 return allowChildFrameFromSource(url, reportingStatus); |
| 430 |
| 431 case blink::WebURLRequest::RequestContextEmbed: |
| 432 case blink::WebURLRequest::RequestContextObject: |
| 433 return allowObjectFromSource(url, reportingStatus); |
| 434 |
| 435 case blink::WebURLRequest::RequestContextFont: |
| 436 return allowFontFromSource(url, reportingStatus); |
| 437 |
| 438 case blink::WebURLRequest::RequestContextStyle: |
| 439 return allowStyleFromSource(url, reportingStatus); |
| 440 |
| 441 case blink::WebURLRequest::RequestContextBeacon: |
| 442 case blink::WebURLRequest::RequestContextForm: |
| 443 case blink::WebURLRequest::RequestContextPing: |
| 444 return allowFormAction(url, reportingStatus); |
| 445 |
| 446 case blink::WebURLRequest::RequestContextFavicon: |
| 447 case blink::WebURLRequest::RequestContextImage: |
| 448 return allowImageFromSource(url, reportingStatus); |
| 449 |
| 450 case blink::WebURLRequest::RequestContextAudio: |
| 451 case blink::WebURLRequest::RequestContextVideo: |
| 452 case blink::WebURLRequest::RequestContextTrack: |
| 453 return allowMediaFromSource(url, reportingStatus); |
| 454 |
| 455 case blink::WebURLRequest::RequestContextXSLT: |
| 456 ASSERT(RuntimeEnabledFeatures::xsltEnabled()); |
| 457 case blink::WebURLRequest::RequestContextScript: |
| 458 return allowScriptFromSource(url, reportingStatus); |
| 459 |
| 460 case blink::WebURLRequest::RequestContextServiceWorker: |
| 461 case blink::WebURLRequest::RequestContextSharedWorker: |
| 462 case blink::WebURLRequest::RequestContextWorker: |
| 463 return allowWorkerContextFromSource(url, reportingStatus); |
| 464 |
| 465 case blink::WebURLRequest::RequestContextEventSource: |
| 466 case blink::WebURLRequest::RequestContextFetch: |
| 467 case blink::WebURLRequest::RequestContextXMLHttpRequest: |
| 468 return allowConnectToSource(url, reportingStatus); |
| 469 |
| 470 // FIXME: Evaluate whether or not we can start applying 'object-src' restric
tions to PPAPI requests, now that we can distinguish them. |
| 471 case blink::WebURLRequest::RequestContextPlugin: |
| 472 if (Document* document = this->document()) { |
| 473 UseCounter::count(*document, allowObjectFromSource(url, SuppressRepo
rt) ? UseCounter::PPAPIRequestAllowedByObjectSrc : UseCounter::PPAPIRequestBypas
sedObjectSrc); |
| 474 } |
| 475 return true; |
| 476 |
| 477 // FIXME: We should implement 'manifest-src' or something similar: http://w3
c.github.io/manifest/#content-security-policy |
| 478 case blink::WebURLRequest::RequestContextManifest: |
| 479 return true; |
| 480 |
| 481 // These resource types aren't directly affected by CSP: |
| 482 case blink::WebURLRequest::RequestContextCSPReport: |
| 483 case blink::WebURLRequest::RequestContextDownload: |
| 484 case blink::WebURLRequest::RequestContextHyperlink: |
| 485 case blink::WebURLRequest::RequestContextInternal: |
| 486 case blink::WebURLRequest::RequestContextLocation: |
| 487 case blink::WebURLRequest::RequestContextPrefetch: |
| 488 case blink::WebURLRequest::RequestContextSubresource: |
| 489 case blink::WebURLRequest::RequestContextUnspecified: |
| 490 return true; |
| 491 } |
| 492 ASSERT_NOT_REACHED(); |
| 493 return false; |
| 494 } |
| 495 |
424 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecuri
tyPolicy::ReportingStatus reportingStatus) const | 496 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecuri
tyPolicy::ReportingStatus reportingStatus) const |
425 { | 497 { |
426 return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_pol
icies, url, reportingStatus); | 498 return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_pol
icies, url, reportingStatus); |
427 } | 499 } |
428 | 500 |
429 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url, ContentSe
curityPolicy::ReportingStatus reportingStatus) const | 501 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url, ContentSe
curityPolicy::ReportingStatus reportingStatus) const |
430 { | 502 { |
431 return isAllowedByAllWithURL<&CSPDirectiveList::allowChildFrameFromSource>(m
_policies, url, reportingStatus); | 503 return isAllowedByAllWithURL<&CSPDirectiveList::allowChildFrameFromSource>(m
_policies, url, reportingStatus); |
432 } | 504 } |
433 | 505 |
(...skipping 347 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
781 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. | 853 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. |
782 return !m_violationReportsSent.contains(report.impl()->hash()); | 854 return !m_violationReportsSent.contains(report.impl()->hash()); |
783 } | 855 } |
784 | 856 |
785 void ContentSecurityPolicy::didSendViolationReport(const String& report) | 857 void ContentSecurityPolicy::didSendViolationReport(const String& report) |
786 { | 858 { |
787 m_violationReportsSent.add(report.impl()->hash()); | 859 m_violationReportsSent.add(report.impl()->hash()); |
788 } | 860 } |
789 | 861 |
790 } // namespace blink | 862 } // namespace blink |
OLD | NEW |