Index: Source/core/frame/csp/ContentSecurityPolicy.cpp |
diff --git a/Source/core/frame/csp/ContentSecurityPolicy.cpp b/Source/core/frame/csp/ContentSecurityPolicy.cpp |
index cf1c94cf846f772b625a9bfa429f4db05b5a3846..35b96b303ac186e8cb3213cb7f2fbb82c698217f 100644 |
--- a/Source/core/frame/csp/ContentSecurityPolicy.cpp |
+++ b/Source/core/frame/csp/ContentSecurityPolicy.cpp |
@@ -421,6 +421,78 @@ void ContentSecurityPolicy::usesStyleHashAlgorithms(uint8_t algorithms) |
m_styleHashAlgorithmsUsed |= algorithms; |
} |
+bool ContentSecurityPolicy::allowFromSource(const KURL& url, blink::WebURLRequest::RequestContext requestContext, ContentSecurityPolicy::ReportingStatus reportingStatus) const |
+{ |
+ switch (requestContext) { |
+ case blink::WebURLRequest::RequestContextFrame: |
+ case blink::WebURLRequest::RequestContextIframe: |
+ return allowChildFrameFromSource(url, reportingStatus); |
+ |
+ case blink::WebURLRequest::RequestContextEmbed: |
+ case blink::WebURLRequest::RequestContextObject: |
+ return allowObjectFromSource(url, reportingStatus); |
+ |
+ case blink::WebURLRequest::RequestContextFont: |
+ return allowFontFromSource(url, reportingStatus); |
+ |
+ case blink::WebURLRequest::RequestContextStyle: |
+ return allowStyleFromSource(url, reportingStatus); |
+ |
+ case blink::WebURLRequest::RequestContextBeacon: |
+ case blink::WebURLRequest::RequestContextForm: |
+ case blink::WebURLRequest::RequestContextPing: |
+ return allowFormAction(url, reportingStatus); |
+ |
+ case blink::WebURLRequest::RequestContextFavicon: |
+ case blink::WebURLRequest::RequestContextImage: |
+ return allowImageFromSource(url, reportingStatus); |
+ |
+ case blink::WebURLRequest::RequestContextAudio: |
+ case blink::WebURLRequest::RequestContextVideo: |
+ case blink::WebURLRequest::RequestContextTrack: |
+ return allowMediaFromSource(url, reportingStatus); |
+ |
+ case blink::WebURLRequest::RequestContextXSLT: |
+ ASSERT(RuntimeEnabledFeatures::xsltEnabled()); |
+ case blink::WebURLRequest::RequestContextScript: |
+ return allowScriptFromSource(url, reportingStatus); |
+ |
+ case blink::WebURLRequest::RequestContextServiceWorker: |
+ case blink::WebURLRequest::RequestContextSharedWorker: |
+ case blink::WebURLRequest::RequestContextWorker: |
+ return allowWorkerContextFromSource(url, reportingStatus); |
+ |
+ case blink::WebURLRequest::RequestContextEventSource: |
+ case blink::WebURLRequest::RequestContextFetch: |
+ case blink::WebURLRequest::RequestContextXMLHttpRequest: |
+ return allowConnectToSource(url, reportingStatus); |
+ |
+ // FIXME: Evaluate whether or not we can start applying 'object-src' restrictions to PPAPI requests, now that we can distinguish them. |
+ case blink::WebURLRequest::RequestContextPlugin: |
+ if (Document* document = this->document()) { |
+ UseCounter::count(*document, allowObjectFromSource(url, SuppressReport) ? UseCounter::PPAPIRequestAllowedByObjectSrc : UseCounter::PPAPIRequestBypassedObjectSrc); |
+ } |
+ return true; |
+ |
+ // FIXME: We should implement 'manifest-src' or something similar: http://w3c.github.io/manifest/#content-security-policy |
+ case blink::WebURLRequest::RequestContextManifest: |
+ return true; |
+ |
+ // These resource types aren't directly affected by CSP: |
+ case blink::WebURLRequest::RequestContextCSPReport: |
+ case blink::WebURLRequest::RequestContextDownload: |
+ case blink::WebURLRequest::RequestContextHyperlink: |
+ case blink::WebURLRequest::RequestContextInternal: |
+ case blink::WebURLRequest::RequestContextLocation: |
+ case blink::WebURLRequest::RequestContextPrefetch: |
+ case blink::WebURLRequest::RequestContextSubresource: |
+ case blink::WebURLRequest::RequestContextUnspecified: |
+ return true; |
+ } |
+ ASSERT_NOT_REACHED(); |
+ return false; |
+} |
+ |
bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const |
{ |
return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_policies, url, reportingStatus); |