| OLD | NEW |
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| (...skipping 66 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 77 | 77 |
| 78 // CSP 1.1 Directives | 78 // CSP 1.1 Directives |
| 79 static const char BaseURI[]; | 79 static const char BaseURI[]; |
| 80 static const char ChildSrc[]; | 80 static const char ChildSrc[]; |
| 81 static const char FormAction[]; | 81 static const char FormAction[]; |
| 82 static const char FrameAncestors[]; | 82 static const char FrameAncestors[]; |
| 83 static const char PluginTypes[]; | 83 static const char PluginTypes[]; |
| 84 static const char ReflectedXSS[]; | 84 static const char ReflectedXSS[]; |
| 85 static const char Referrer[]; | 85 static const char Referrer[]; |
| 86 | 86 |
| 87 enum ReportingStatus { |
| 88 SendReport, |
| 89 SuppressReport |
| 90 }; |
| 91 |
| 92 enum SideEffectDisposition { |
| 93 ApplySideEffectsToExecutionContext, |
| 94 DoNotApplySideEffectsToExecutionContext |
| 95 }; |
| 96 |
| 87 static PassRefPtr<ContentSecurityPolicy> create(ExecutionContext* executionC
ontext) | 97 static PassRefPtr<ContentSecurityPolicy> create(ExecutionContext* executionC
ontext) |
| 88 { | 98 { |
| 89 return adoptRef(new ContentSecurityPolicy(executionContext)); | 99 return adoptRef(new ContentSecurityPolicy(executionContext)); |
| 90 } | 100 } |
| 91 ~ContentSecurityPolicy(); | 101 ~ContentSecurityPolicy(); |
| 92 | 102 |
| 93 void copyStateFrom(const ContentSecurityPolicy*); | 103 void copyStateFrom(const ContentSecurityPolicy*); |
| 94 | 104 |
| 95 enum ReportingStatus { | |
| 96 SendReport, | |
| 97 SuppressReport | |
| 98 }; | |
| 99 | |
| 100 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); | 105 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); |
| 101 void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, Conten
tSecurityPolicyHeaderSource); | 106 void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, Conten
tSecurityPolicyHeaderSource, SideEffectDisposition = ApplySideEffectsToExecution
Context); |
| 102 | 107 |
| 103 // These functions are wrong because they assume that there is only one head
er. | 108 // These functions are wrong because they assume that there is only one head
er. |
| 104 // FIXME: Replace them with functions that return vectors. | 109 // FIXME: Replace them with functions that return vectors. |
| 105 const String& deprecatedHeader() const; | 110 const String& deprecatedHeader() const; |
| 106 ContentSecurityPolicyHeaderType deprecatedHeaderType() const; | 111 ContentSecurityPolicyHeaderType deprecatedHeaderType() const; |
| 107 | 112 |
| 108 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber&
contextLine, ReportingStatus = SendReport) const; | 113 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber&
contextLine, ReportingStatus = SendReport) const; |
| 109 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu
mber& contextLine, ReportingStatus = SendReport) const; | 114 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu
mber& contextLine, ReportingStatus = SendReport) const; |
| 110 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c
ontextLine, ReportingStatus = SendReport) const; | 115 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c
ontextLine, ReportingStatus = SendReport) const; |
| 111 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co
ntextLine, ReportingStatus = SendReport) const; | 116 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co
ntextLine, ReportingStatus = SendReport) const; |
| (...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 162 void reportInvalidInReportOnly(const String&) const; | 167 void reportInvalidInReportOnly(const String&) const; |
| 163 void reportInvalidReferrer(const String&) const; | 168 void reportInvalidReferrer(const String&) const; |
| 164 void reportReportOnlyInMeta(const String&) const; | 169 void reportReportOnlyInMeta(const String&) const; |
| 165 void reportMetaOutsideHead(const String&) const; | 170 void reportMetaOutsideHead(const String&) const; |
| 166 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>
& reportURIs, const String& header); | 171 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>
& reportURIs, const String& header); |
| 167 | 172 |
| 168 void reportBlockedScriptExecutionToInspector(const String& directiveText) co
nst; | 173 void reportBlockedScriptExecutionToInspector(const String& directiveText) co
nst; |
| 169 | 174 |
| 170 const KURL url() const; | 175 const KURL url() const; |
| 171 KURL completeURL(const String&) const; | 176 KURL completeURL(const String&) const; |
| 172 void enforceSandboxFlags(SandboxFlags) const; | 177 void enforceSandboxFlags(SandboxFlags); |
| 173 String evalDisabledErrorMessage() const; | 178 String evalDisabledErrorMessage() const; |
| 174 | 179 |
| 175 bool urlMatchesSelf(const KURL&) const; | 180 bool urlMatchesSelf(const KURL&) const; |
| 176 bool protocolMatchesSelf(const KURL&) const; | 181 bool protocolMatchesSelf(const KURL&) const; |
| 177 | 182 |
| 178 bool experimentalFeaturesEnabled() const; | 183 bool experimentalFeaturesEnabled() const; |
| 179 | 184 |
| 180 static bool shouldBypassMainWorld(ExecutionContext*); | 185 static bool shouldBypassMainWorld(ExecutionContext*); |
| 181 | 186 |
| 182 static bool isDirectiveName(const String&); | 187 static bool isDirectiveName(const String&); |
| 183 | 188 |
| 184 ExecutionContext* executionContext() const { return m_executionContext; } | 189 ExecutionContext* executionContext() const { return m_executionContext; } |
| 185 | 190 |
| 186 private: | 191 private: |
| 187 explicit ContentSecurityPolicy(ExecutionContext*); | 192 explicit ContentSecurityPolicy(ExecutionContext*); |
| 188 | 193 |
| 194 void applyPolicySideEffectsToExecutionContext(); |
| 195 |
| 189 Document* document() const; | 196 Document* document() const; |
| 190 SecurityOrigin* securityOrigin() const; | 197 SecurityOrigin* securityOrigin() const; |
| 191 | 198 |
| 192 void logToConsole(const String& message, MessageLevel = ErrorMessageLevel) c
onst; | 199 void logToConsole(const String& message, MessageLevel = ErrorMessageLevel) c
onst; |
| 193 void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType
, ContentSecurityPolicyHeaderSource); | 200 void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType
, ContentSecurityPolicyHeaderSource); |
| 194 | 201 |
| 195 bool shouldSendViolationReport(const String&) const; | 202 bool shouldSendViolationReport(const String&) const; |
| 196 void didSendViolationReport(const String&); | 203 void didSendViolationReport(const String&); |
| 197 | 204 |
| 198 ExecutionContext* m_executionContext; | 205 ExecutionContext* m_executionContext; |
| 199 bool m_overrideInlineStyleAllowed; | 206 bool m_overrideInlineStyleAllowed; |
| 200 CSPDirectiveListVector m_policies; | 207 CSPDirectiveListVector m_policies; |
| 201 | 208 |
| 202 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; | 209 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; |
| 203 | 210 |
| 204 // We put the hash functions used on the policy object so that we only need | 211 // We put the hash functions used on the policy object so that we only need |
| 205 // to calculate a hash once and then distribute it to all of the directives | 212 // to calculate a hash once and then distribute it to all of the directives |
| 206 // for validation. | 213 // for validation. |
| 207 uint8_t m_scriptHashAlgorithmsUsed; | 214 uint8_t m_scriptHashAlgorithmsUsed; |
| 208 uint8_t m_styleHashAlgorithmsUsed; | 215 uint8_t m_styleHashAlgorithmsUsed; |
| 209 | 216 |
| 217 // State flags used to configure the environment after parsing a policy. |
| 218 SandboxFlags m_sandboxMask; |
| 219 ReferrerPolicy m_referrerPolicy; |
| 220 String m_disableEvalErrorMessage; |
| 221 |
| 210 OwnPtr<CSPSource> m_selfSource; | 222 OwnPtr<CSPSource> m_selfSource; |
| 211 }; | 223 }; |
| 212 | 224 |
| 213 } | 225 } |
| 214 | 226 |
| 215 #endif | 227 #endif |
| OLD | NEW |