Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(975)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 398313002: Teach ContentSecurityPolicy about WebURLRequest::RequestContext. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: UseCounter Created 6 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « Source/core/frame/csp/ContentSecurityPolicy.h ('k') | Source/core/html/parser/HTMLResourcePreloader.cpp » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/Source/core/frame/csp/ContentSecurityPolicy.cpp b/Source/core/frame/csp/ContentSecurityPolicy.cpp
index cf1c94cf846f772b625a9bfa429f4db05b5a3846..35b96b303ac186e8cb3213cb7f2fbb82c698217f 100644
--- a/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -421,6 +421,78 @@ void ContentSecurityPolicy::usesStyleHashAlgorithms(uint8_t algorithms)
m_styleHashAlgorithmsUsed |= algorithms;
}
+bool ContentSecurityPolicy::allowFromSource(const KURL& url, blink::WebURLRequest::RequestContext requestContext, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+ switch (requestContext) {
+ case blink::WebURLRequest::RequestContextFrame:
+ case blink::WebURLRequest::RequestContextIframe:
+ return allowChildFrameFromSource(url, reportingStatus);
+
+ case blink::WebURLRequest::RequestContextEmbed:
+ case blink::WebURLRequest::RequestContextObject:
+ return allowObjectFromSource(url, reportingStatus);
+
+ case blink::WebURLRequest::RequestContextFont:
+ return allowFontFromSource(url, reportingStatus);
+
+ case blink::WebURLRequest::RequestContextStyle:
+ return allowStyleFromSource(url, reportingStatus);
+
+ case blink::WebURLRequest::RequestContextBeacon:
+ case blink::WebURLRequest::RequestContextForm:
+ case blink::WebURLRequest::RequestContextPing:
+ return allowFormAction(url, reportingStatus);
+
+ case blink::WebURLRequest::RequestContextFavicon:
+ case blink::WebURLRequest::RequestContextImage:
+ return allowImageFromSource(url, reportingStatus);
+
+ case blink::WebURLRequest::RequestContextAudio:
+ case blink::WebURLRequest::RequestContextVideo:
+ case blink::WebURLRequest::RequestContextTrack:
+ return allowMediaFromSource(url, reportingStatus);
+
+ case blink::WebURLRequest::RequestContextXSLT:
+ ASSERT(RuntimeEnabledFeatures::xsltEnabled());
+ case blink::WebURLRequest::RequestContextScript:
+ return allowScriptFromSource(url, reportingStatus);
+
+ case blink::WebURLRequest::RequestContextServiceWorker:
+ case blink::WebURLRequest::RequestContextSharedWorker:
+ case blink::WebURLRequest::RequestContextWorker:
+ return allowWorkerContextFromSource(url, reportingStatus);
+
+ case blink::WebURLRequest::RequestContextEventSource:
+ case blink::WebURLRequest::RequestContextFetch:
+ case blink::WebURLRequest::RequestContextXMLHttpRequest:
+ return allowConnectToSource(url, reportingStatus);
+
+ // FIXME: Evaluate whether or not we can start applying 'object-src' restrictions to PPAPI requests, now that we can distinguish them.
+ case blink::WebURLRequest::RequestContextPlugin:
+ if (Document* document = this->document()) {
+ UseCounter::count(*document, allowObjectFromSource(url, SuppressReport) ? UseCounter::PPAPIRequestAllowedByObjectSrc : UseCounter::PPAPIRequestBypassedObjectSrc);
+ }
+ return true;
+
+ // FIXME: We should implement 'manifest-src' or something similar: http://w3c.github.io/manifest/#content-security-policy
+ case blink::WebURLRequest::RequestContextManifest:
+ return true;
+
+ // These resource types aren't directly affected by CSP:
+ case blink::WebURLRequest::RequestContextCSPReport:
+ case blink::WebURLRequest::RequestContextDownload:
+ case blink::WebURLRequest::RequestContextHyperlink:
+ case blink::WebURLRequest::RequestContextInternal:
+ case blink::WebURLRequest::RequestContextLocation:
+ case blink::WebURLRequest::RequestContextPrefetch:
+ case blink::WebURLRequest::RequestContextSubresource:
+ case blink::WebURLRequest::RequestContextUnspecified:
+ return true;
+ }
+ ASSERT_NOT_REACHED();
+ return false;
+}
+
bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_policies, url, reportingStatus);
« no previous file with comments | « Source/core/frame/csp/ContentSecurityPolicy.h ('k') | Source/core/html/parser/HTMLResourcePreloader.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698