Chromium Code Reviews Chromium Code Reviews
Issue 549163003:
CSP: Change 'self' to ask the policy object whether a URL matches. (Closed)
Base URL: svn://svn.chromium.org/blink/trunk| OLD | NEW |
|---|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| (...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 130 return ReferrerPolicyNever; | 130 return ReferrerPolicyNever; |
| 131 return a; | 131 return a; |
| 132 } | 132 } |
| 133 | 133 |
| 134 ContentSecurityPolicy::ContentSecurityPolicy(ExecutionContext* executionContext) | 134 ContentSecurityPolicy::ContentSecurityPolicy(ExecutionContext* executionContext) |
| 135 : m_executionContext(executionContext) | 135 : m_executionContext(executionContext) |
| 136 , m_overrideInlineStyleAllowed(false) | 136 , m_overrideInlineStyleAllowed(false) |
| 137 , m_scriptHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone) | 137 , m_scriptHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone) |
| 138 , m_styleHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone) | 138 , m_styleHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone) |
| 139 { | 139 { |
| 140 m_selfSource = adoptPtr(new CSPSource(this, securityOrigin()->protocol(), se curityOrigin()->host(), securityOrigin()->port(), String(), false, false)); | |
| 140 } | 141 } |
| 141 | 142 |
| 142 ContentSecurityPolicy::~ContentSecurityPolicy() | 143 ContentSecurityPolicy::~ContentSecurityPolicy() |
| 143 { | 144 { |
| 144 } | 145 } |
| 145 | 146 |
| 146 Document* ContentSecurityPolicy::document() const | 147 Document* ContentSecurityPolicy::document() const |
| 147 { | 148 { |
| 148 return m_executionContext->isDocument() ? toDocument(m_executionContext) : 0 ; | 149 return m_executionContext->isDocument() ? toDocument(m_executionContext) : 0 ; |
| 149 } | 150 } |
| (...skipping 615 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 765 void ContentSecurityPolicy::reportBlockedScriptExecutionToInspector(const String & directiveText) const | 766 void ContentSecurityPolicy::reportBlockedScriptExecutionToInspector(const String & directiveText) const |
| 766 { | 767 { |
| 767 m_executionContext->reportBlockedScriptExecutionToInspector(directiveText); | 768 m_executionContext->reportBlockedScriptExecutionToInspector(directiveText); |
| 768 } | 769 } |
| 769 | 770 |
| 770 bool ContentSecurityPolicy::experimentalFeaturesEnabled() const | 771 bool ContentSecurityPolicy::experimentalFeaturesEnabled() const |
| 771 { | 772 { |
| 772 return RuntimeEnabledFeatures::experimentalContentSecurityPolicyFeaturesEnab led(); | 773 return RuntimeEnabledFeatures::experimentalContentSecurityPolicyFeaturesEnab led(); |
| 773 } | 774 } |
| 774 | 775 |
| 776 bool ContentSecurityPolicy::urlMatchesSelf(const KURL& url) const | |
| 777 { | |
| 778 return m_selfSource->matches(url); | |
| 779 } | |
| 780 | |
| 781 bool ContentSecurityPolicy::protocolMatchesSelf(const KURL& url) const | |
| 782 { | |
| 783 String protectedResourceScheme(securityOrigin()->protocol()); | |
| 784 if (equalIgnoringCase("http", protectedResourceScheme)) | |
| 785 return url.protocolIs("http") || url.protocolIs("https"); | |
|
jochen (gone - plz use gerrit)
2014/09/09 08:11:14
isn't there some protocolIsInHTTPFamily() method?
| |
| 786 return equalIgnoringCase(url.protocol(), protectedResourceScheme); | |
| 787 } | |
| 788 | |
| 775 bool ContentSecurityPolicy::shouldBypassMainWorld(ExecutionContext* context) | 789 bool ContentSecurityPolicy::shouldBypassMainWorld(ExecutionContext* context) |
| 776 { | 790 { |
| 777 if (context && context->isDocument()) { | 791 if (context && context->isDocument()) { |
| 778 Document* document = toDocument(context); | 792 Document* document = toDocument(context); |
| 779 if (document->frame()) | 793 if (document->frame()) |
| 780 return document->frame()->script().shouldBypassMainWorldCSP(); | 794 return document->frame()->script().shouldBypassMainWorldCSP(); |
| 781 } | 795 } |
| 782 return false; | 796 return false; |
| 783 } | 797 } |
| 784 | 798 |
| 785 bool ContentSecurityPolicy::shouldSendViolationReport(const String& report) cons t | 799 bool ContentSecurityPolicy::shouldSendViolationReport(const String& report) cons t |
| 786 { | 800 { |
| 787 // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report. | 801 // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report. |
| 788 return !m_violationReportsSent.contains(report.impl()->hash()); | 802 return !m_violationReportsSent.contains(report.impl()->hash()); |
| 789 } | 803 } |
| 790 | 804 |
| 791 void ContentSecurityPolicy::didSendViolationReport(const String& report) | 805 void ContentSecurityPolicy::didSendViolationReport(const String& report) |
| 792 { | 806 { |
| 793 m_violationReportsSent.add(report.impl()->hash()); | 807 m_violationReportsSent.add(report.impl()->hash()); |
| 794 } | 808 } |
| 795 | 809 |
| 796 } // namespace blink | 810 } // namespace blink |
| OLD | NEW |
