OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "config.h" | 5 #include "config.h" |
6 #include "core/frame/csp/CSPDirectiveList.h" | 6 #include "core/frame/csp/CSPDirectiveList.h" |
7 | 7 |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/frame/LocalFrame.h" | 9 #include "core/frame/LocalFrame.h" |
10 #include "core/inspector/ConsoleMessage.h" | 10 #include "core/inspector/ConsoleMessage.h" |
(...skipping 182 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
193 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) | 193 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) |
194 prefix = "Refused to load the font '"; | 194 prefix = "Refused to load the font '"; |
195 else if (ContentSecurityPolicy::FormAction == effectiveDirective) | 195 else if (ContentSecurityPolicy::FormAction == effectiveDirective) |
196 prefix = "Refused to send form data to '"; | 196 prefix = "Refused to send form data to '"; |
197 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) | 197 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) |
198 prefix = "Refused to frame '"; | 198 prefix = "Refused to frame '"; |
199 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) | 199 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) |
200 prefix = "Refused to load the image '"; | 200 prefix = "Refused to load the image '"; |
201 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) | 201 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) |
202 prefix = "Refused to load media from '"; | 202 prefix = "Refused to load media from '"; |
203 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective) | |
204 prefix = "Refused to load manifest from '"; | |
203 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) | 205 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) |
204 prefix = "Refused to load plugin data from '"; | 206 prefix = "Refused to load plugin data from '"; |
205 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) | 207 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) |
206 prefix = "Refused to load the script '"; | 208 prefix = "Refused to load the script '"; |
207 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) | 209 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) |
208 prefix = "Refused to load the stylesheet '"; | 210 prefix = "Refused to load the stylesheet '"; |
209 | 211 |
210 String suffix = String(); | 212 String suffix = String(); |
211 if (directive == m_defaultSrc) | 213 if (directive == m_defaultSrc) |
212 suffix = " Note that '" + effectiveDirective + "' was not explicitly set , so 'default-src' is used as a fallback."; | 214 suffix = " Note that '" + effectiveDirective + "' was not explicitly set , so 'default-src' is used as a fallback."; |
(...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
331 checkSource(operativeDirective(m_fontSrc.get()), url); | 333 checkSource(operativeDirective(m_fontSrc.get()), url); |
332 } | 334 } |
333 | 335 |
334 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const | 336 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const |
335 { | 337 { |
336 return reportingStatus == ContentSecurityPolicy::SendReport ? | 338 return reportingStatus == ContentSecurityPolicy::SendReport ? |
337 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, ContentSecurityPolicy::MediaSrc) : | 339 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, ContentSecurityPolicy::MediaSrc) : |
338 checkSource(operativeDirective(m_mediaSrc.get()), url); | 340 checkSource(operativeDirective(m_mediaSrc.get()), url); |
339 } | 341 } |
340 | 342 |
343 bool CSPDirectiveList::allowManifestFromSource(const KURL& url, ContentSecurityP olicy::ReportingStatus reportingStatus) const | |
344 { | |
345 return reportingStatus == ContentSecurityPolicy::SendReport ? | |
346 checkSourceAndReportViolation(operativeDirective(m_manifestSrc.get()), u rl, ContentSecurityPolicy::ManifestSrc) : | |
347 checkSource(operativeDirective(m_manifestSrc.get()), url); | |
348 } | |
349 | |
341 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const | 350 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const |
342 { | 351 { |
343 return reportingStatus == ContentSecurityPolicy::SendReport ? | 352 return reportingStatus == ContentSecurityPolicy::SendReport ? |
344 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur l, ContentSecurityPolicy::ConnectSrc) : | 353 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur l, ContentSecurityPolicy::ConnectSrc) : |
345 checkSource(operativeDirective(m_connectSrc.get()), url); | 354 checkSource(operativeDirective(m_connectSrc.get()), url); |
346 } | 355 } |
347 | 356 |
348 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R eportingStatus reportingStatus) const | 357 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R eportingStatus reportingStatus) const |
349 { | 358 { |
350 return reportingStatus == ContentSecurityPolicy::SendReport ? | 359 return reportingStatus == ContentSecurityPolicy::SendReport ? |
(...skipping 295 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
646 setCSPDirective<SourceListDirective>(name, value, m_frameSrc); | 655 setCSPDirective<SourceListDirective>(name, value, m_frameSrc); |
647 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ImgSrc)) { | 656 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ImgSrc)) { |
648 setCSPDirective<SourceListDirective>(name, value, m_imgSrc); | 657 setCSPDirective<SourceListDirective>(name, value, m_imgSrc); |
649 } else if (equalIgnoringCase(name, ContentSecurityPolicy::StyleSrc)) { | 658 } else if (equalIgnoringCase(name, ContentSecurityPolicy::StyleSrc)) { |
650 setCSPDirective<SourceListDirective>(name, value, m_styleSrc); | 659 setCSPDirective<SourceListDirective>(name, value, m_styleSrc); |
651 m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed()); | 660 m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed()); |
652 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FontSrc)) { | 661 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FontSrc)) { |
653 setCSPDirective<SourceListDirective>(name, value, m_fontSrc); | 662 setCSPDirective<SourceListDirective>(name, value, m_fontSrc); |
654 } else if (equalIgnoringCase(name, ContentSecurityPolicy::MediaSrc)) { | 663 } else if (equalIgnoringCase(name, ContentSecurityPolicy::MediaSrc)) { |
655 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); | 664 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); |
665 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) { | |
666 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); | |
Mike West
2014/09/16 11:46:20
This needs to be gated on a runtime flag. I think
| |
656 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ConnectSrc)) { | 667 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ConnectSrc)) { |
657 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); | 668 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); |
658 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Sandbox)) { | 669 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Sandbox)) { |
659 applySandboxPolicy(name, value); | 670 applySandboxPolicy(name, value); |
660 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReportURI)) { | 671 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReportURI)) { |
661 parseReportURI(name, value); | 672 parseReportURI(name, value); |
662 } else if (m_policy->experimentalFeaturesEnabled()) { | 673 } else if (m_policy->experimentalFeaturesEnabled()) { |
663 if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) | 674 if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) |
664 setCSPDirective<SourceListDirective>(name, value, m_baseURI); | 675 setCSPDirective<SourceListDirective>(name, value, m_baseURI); |
665 else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) | 676 else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) |
666 setCSPDirective<SourceListDirective>(name, value, m_childSrc); | 677 setCSPDirective<SourceListDirective>(name, value, m_childSrc); |
667 else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) | 678 else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) |
668 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 679 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
669 else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) | 680 else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) |
670 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 681 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
671 else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) | 682 else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) |
672 parseReflectedXSS(name, value); | 683 parseReflectedXSS(name, value); |
673 else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) | 684 else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) |
674 parseReferrer(name, value); | 685 parseReferrer(name, value); |
675 else | 686 else |
676 m_policy->reportUnsupportedDirective(name); | 687 m_policy->reportUnsupportedDirective(name); |
677 } else { | 688 } else { |
678 m_policy->reportUnsupportedDirective(name); | 689 m_policy->reportUnsupportedDirective(name); |
679 } | 690 } |
680 } | 691 } |
681 | 692 |
682 | 693 |
683 } // namespace blink | 694 } // namespace blink |
OLD | NEW |