Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(50)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/frame/csp/ContentSecurityPolicy.h

Issue 550223002: CSP: Separate side-effects of parsing from the parsing code. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Feedback. Created 6 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | Source/core/frame/csp/ContentSecurityPolicy.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 2011 Google, Inc. All rights reserved. 2 * Copyright (C) 2011 Google, Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after
77 77
78 // CSP 1.1 Directives 78 // CSP 1.1 Directives
79 static const char BaseURI[]; 79 static const char BaseURI[];
80 static const char ChildSrc[]; 80 static const char ChildSrc[];
81 static const char FormAction[]; 81 static const char FormAction[];
82 static const char FrameAncestors[]; 82 static const char FrameAncestors[];
83 static const char PluginTypes[]; 83 static const char PluginTypes[];
84 static const char ReflectedXSS[]; 84 static const char ReflectedXSS[];
85 static const char Referrer[]; 85 static const char Referrer[];
86 86
87 enum ReportingStatus {
88 SendReport,
89 SuppressReport
90 };
91
92 enum SideEffectDisposition {
93 ApplySideEffectsToExecutionContext,
94 DoNotApplySideEffectsToExecutionContext
95 };
96
87 static PassRefPtr<ContentSecurityPolicy> create(ExecutionContext* executionC ontext) 97 static PassRefPtr<ContentSecurityPolicy> create(ExecutionContext* executionC ontext)
88 { 98 {
89 return adoptRef(new ContentSecurityPolicy(executionContext)); 99 return adoptRef(new ContentSecurityPolicy(executionContext));
90 } 100 }
91 ~ContentSecurityPolicy(); 101 ~ContentSecurityPolicy();
92 102
93 void copyStateFrom(const ContentSecurityPolicy*); 103 void copyStateFrom(const ContentSecurityPolicy*);
94 104
95 enum ReportingStatus {
96 SendReport,
97 SuppressReport
98 };
99
100 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); 105 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
101 void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, Conten tSecurityPolicyHeaderSource); 106 void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, Conten tSecurityPolicyHeaderSource, SideEffectDisposition = ApplySideEffectsToExecution Context);
102 107
103 // These functions are wrong because they assume that there is only one head er. 108 // These functions are wrong because they assume that there is only one head er.
104 // FIXME: Replace them with functions that return vectors. 109 // FIXME: Replace them with functions that return vectors.
105 const String& deprecatedHeader() const; 110 const String& deprecatedHeader() const;
106 ContentSecurityPolicyHeaderType deprecatedHeaderType() const; 111 ContentSecurityPolicyHeaderType deprecatedHeaderType() const;
107 112
108 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; 113 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
109 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu mber& contextLine, ReportingStatus = SendReport) const; 114 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu mber& contextLine, ReportingStatus = SendReport) const;
110 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c ontextLine, ReportingStatus = SendReport) const; 115 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c ontextLine, ReportingStatus = SendReport) const;
111 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co ntextLine, ReportingStatus = SendReport) const; 116 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co ntextLine, ReportingStatus = SendReport) const;
(...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after
162 void reportInvalidInReportOnly(const String&) const; 167 void reportInvalidInReportOnly(const String&) const;
163 void reportInvalidReferrer(const String&) const; 168 void reportInvalidReferrer(const String&) const;
164 void reportReportOnlyInMeta(const String&) const; 169 void reportReportOnlyInMeta(const String&) const;
165 void reportMetaOutsideHead(const String&) const; 170 void reportMetaOutsideHead(const String&) const;
166 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL> & reportURIs, const String& header); 171 void reportViolation(const String& directiveText, const String& effectiveDir ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL> & reportURIs, const String& header);
167 172
168 void reportBlockedScriptExecutionToInspector(const String& directiveText) co nst; 173 void reportBlockedScriptExecutionToInspector(const String& directiveText) co nst;
169 174
170 const KURL url() const; 175 const KURL url() const;
171 KURL completeURL(const String&) const; 176 KURL completeURL(const String&) const;
172 void enforceSandboxFlags(SandboxFlags) const; 177 void enforceSandboxFlags(SandboxFlags);
173 String evalDisabledErrorMessage() const; 178 String evalDisabledErrorMessage() const;
174 179
175 bool urlMatchesSelf(const KURL&) const; 180 bool urlMatchesSelf(const KURL&) const;
176 bool protocolMatchesSelf(const KURL&) const; 181 bool protocolMatchesSelf(const KURL&) const;
177 182
178 bool experimentalFeaturesEnabled() const; 183 bool experimentalFeaturesEnabled() const;
179 184
180 static bool shouldBypassMainWorld(ExecutionContext*); 185 static bool shouldBypassMainWorld(ExecutionContext*);
181 186
182 static bool isDirectiveName(const String&); 187 static bool isDirectiveName(const String&);
183 188
184 ExecutionContext* executionContext() const { return m_executionContext; } 189 ExecutionContext* executionContext() const { return m_executionContext; }
185 190
186 private: 191 private:
187 explicit ContentSecurityPolicy(ExecutionContext*); 192 explicit ContentSecurityPolicy(ExecutionContext*);
188 193
194 void applyPolicySideEffectsToExecutionContext();
195
189 Document* document() const; 196 Document* document() const;
190 SecurityOrigin* securityOrigin() const; 197 SecurityOrigin* securityOrigin() const;
191 198
192 void logToConsole(const String& message, MessageLevel = ErrorMessageLevel) c onst; 199 void logToConsole(const String& message, MessageLevel = ErrorMessageLevel) c onst;
193 void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType , ContentSecurityPolicyHeaderSource); 200 void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType , ContentSecurityPolicyHeaderSource);
194 201
195 bool shouldSendViolationReport(const String&) const; 202 bool shouldSendViolationReport(const String&) const;
196 void didSendViolationReport(const String&); 203 void didSendViolationReport(const String&);
197 204
198 ExecutionContext* m_executionContext; 205 ExecutionContext* m_executionContext;
199 bool m_overrideInlineStyleAllowed; 206 bool m_overrideInlineStyleAllowed;
200 CSPDirectiveListVector m_policies; 207 CSPDirectiveListVector m_policies;
201 208
202 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; 209 HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
203 210
204 // We put the hash functions used on the policy object so that we only need 211 // We put the hash functions used on the policy object so that we only need
205 // to calculate a hash once and then distribute it to all of the directives 212 // to calculate a hash once and then distribute it to all of the directives
206 // for validation. 213 // for validation.
207 uint8_t m_scriptHashAlgorithmsUsed; 214 uint8_t m_scriptHashAlgorithmsUsed;
208 uint8_t m_styleHashAlgorithmsUsed; 215 uint8_t m_styleHashAlgorithmsUsed;
209 216
217 // State flags used to configure the environment after parsing a policy.
218 SandboxFlags m_sandboxMask;
219 ReferrerPolicy m_referrerPolicy;
220 String m_disableEvalErrorMessage;
221
210 OwnPtr<CSPSource> m_selfSource; 222 OwnPtr<CSPSource> m_selfSource;
211 }; 223 };
212 224
213 } 225 }
214 226
215 #endif 227 #endif
OLDNEW
« no previous file with comments | « no previous file | Source/core/frame/csp/ContentSecurityPolicy.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698