1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "config.h" | 5 #include "config.h" |
6 #include "core/frame/csp/CSPDirectiveList.h" | 6 #include "core/frame/csp/CSPDirectiveList.h" |
7 | 7 |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/frame/LocalFrame.h" | 9 #include "core/frame/LocalFrame.h" |
10 #include "core/inspector/ConsoleMessage.h" | 10 #include "core/inspector/ConsoleMessage.h" |
11 #include "platform/ParsingUtilities.h" | 11 #include "platform/ParsingUtilities.h" |
| 12 #include "platform/RuntimeEnabledFeatures.h" |
12 #include "platform/weborigin/KURL.h" | 13 #include "platform/weborigin/KURL.h" |
13 #include "wtf/text/WTFString.h" | 14 #include "wtf/text/WTFString.h" |
14 | 15 |
15 namespace blink { | 16 namespace blink { |
16 | 17 |
17 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) | 18 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) |
18 : m_policy(policy) | 19 : m_policy(policy) |
19 , m_headerType(type) | 20 , m_headerType(type) |
20 , m_headerSource(source) | 21 , m_headerSource(source) |
21 , m_reportOnly(false) | 22 , m_reportOnly(false) |
200 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) | 201 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) |
201 prefix = "Refused to load the font '"; | 202 prefix = "Refused to load the font '"; |
202 else if (ContentSecurityPolicy::FormAction == effectiveDirective) | 203 else if (ContentSecurityPolicy::FormAction == effectiveDirective) |
203 prefix = "Refused to send form data to '"; | 204 prefix = "Refused to send form data to '"; |
204 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) | 205 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) |
205 prefix = "Refused to frame '"; | 206 prefix = "Refused to frame '"; |
206 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) | 207 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) |
207 prefix = "Refused to load the image '"; | 208 prefix = "Refused to load the image '"; |
208 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) | 209 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) |
209 prefix = "Refused to load media from '"; | 210 prefix = "Refused to load media from '"; |
| 211 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective) |
| 212 prefix = "Refused to load manifest from '"; |
210 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) | 213 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) |
211 prefix = "Refused to load plugin data from '"; | 214 prefix = "Refused to load plugin data from '"; |
212 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) | 215 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) |
213 prefix = "Refused to load the script '"; | 216 prefix = "Refused to load the script '"; |
214 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) | 217 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) |
215 prefix = "Refused to load the stylesheet '"; | 218 prefix = "Refused to load the stylesheet '"; |
216 | 219 |
217 String suffix = String(); | 220 String suffix = String(); |
218 if (directive == m_defaultSrc) | 221 if (directive == m_defaultSrc) |
219 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; | 222 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; |
338 checkSource(operativeDirective(m_fontSrc.get()), url); | 341 checkSource(operativeDirective(m_fontSrc.get()), url); |
339 } | 342 } |
340 | 343 |
341 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 344 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
342 { | 345 { |
343 return reportingStatus == ContentSecurityPolicy::SendReport ? | 346 return reportingStatus == ContentSecurityPolicy::SendReport ? |
344 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url,
ContentSecurityPolicy::MediaSrc) : | 347 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url,
ContentSecurityPolicy::MediaSrc) : |
345 checkSource(operativeDirective(m_mediaSrc.get()), url); | 348 checkSource(operativeDirective(m_mediaSrc.get()), url); |
346 } | 349 } |
347 | 350 |
| 351 bool CSPDirectiveList::allowManifestFromSource(const KURL& url, ContentSecurityP
olicy::ReportingStatus reportingStatus) const |
| 352 { |
| 353 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 354 checkSourceAndReportViolation(operativeDirective(m_manifestSrc.get()), u
rl, ContentSecurityPolicy::ManifestSrc) : |
| 355 checkSource(operativeDirective(m_manifestSrc.get()), url); |
| 356 } |
| 357 |
348 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 358 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
349 { | 359 { |
350 return reportingStatus == ContentSecurityPolicy::SendReport ? | 360 return reportingStatus == ContentSecurityPolicy::SendReport ? |
351 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur
l, ContentSecurityPolicy::ConnectSrc) : | 361 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur
l, ContentSecurityPolicy::ConnectSrc) : |
352 checkSource(operativeDirective(m_connectSrc.get()), url); | 362 checkSource(operativeDirective(m_connectSrc.get()), url); |
353 } | 363 } |
354 | 364 |
355 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R
eportingStatus reportingStatus) const | 365 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R
eportingStatus reportingStatus) const |
356 { | 366 { |
357 return reportingStatus == ContentSecurityPolicy::SendReport ? | 367 return reportingStatus == ContentSecurityPolicy::SendReport ? |
653 setCSPDirective<SourceListDirective>(name, value, m_frameSrc); | 663 setCSPDirective<SourceListDirective>(name, value, m_frameSrc); |
654 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ImgSrc)) { | 664 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ImgSrc)) { |
655 setCSPDirective<SourceListDirective>(name, value, m_imgSrc); | 665 setCSPDirective<SourceListDirective>(name, value, m_imgSrc); |
656 } else if (equalIgnoringCase(name, ContentSecurityPolicy::StyleSrc)) { | 666 } else if (equalIgnoringCase(name, ContentSecurityPolicy::StyleSrc)) { |
657 setCSPDirective<SourceListDirective>(name, value, m_styleSrc); | 667 setCSPDirective<SourceListDirective>(name, value, m_styleSrc); |
658 m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed()); | 668 m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed()); |
659 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FontSrc)) { | 669 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FontSrc)) { |
660 setCSPDirective<SourceListDirective>(name, value, m_fontSrc); | 670 setCSPDirective<SourceListDirective>(name, value, m_fontSrc); |
661 } else if (equalIgnoringCase(name, ContentSecurityPolicy::MediaSrc)) { | 671 } else if (equalIgnoringCase(name, ContentSecurityPolicy::MediaSrc)) { |
662 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); | 672 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); |
| 673 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc) |
| 674 && RuntimeEnabledFeatures::manifestEnabled()) { |
| 675 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); |
663 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ConnectSrc)) { | 676 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ConnectSrc)) { |
664 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); | 677 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); |
665 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Sandbox)) { | 678 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Sandbox)) { |
666 applySandboxPolicy(name, value); | 679 applySandboxPolicy(name, value); |
667 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReportURI)) { | 680 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReportURI)) { |
668 parseReportURI(name, value); | 681 parseReportURI(name, value); |
669 } else if (m_policy->experimentalFeaturesEnabled()) { | 682 } else if (m_policy->experimentalFeaturesEnabled()) { |
670 if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) | 683 if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) |
671 setCSPDirective<SourceListDirective>(name, value, m_baseURI); | 684 setCSPDirective<SourceListDirective>(name, value, m_baseURI); |
672 else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) | 685 else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) |
673 setCSPDirective<SourceListDirective>(name, value, m_childSrc); | 686 setCSPDirective<SourceListDirective>(name, value, m_childSrc); |
674 else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) | 687 else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) |
675 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 688 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
676 else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) | 689 else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) |
677 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 690 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
678 else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) | 691 else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) |
679 parseReflectedXSS(name, value); | 692 parseReflectedXSS(name, value); |
680 else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) | 693 else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) |
681 parseReferrer(name, value); | 694 parseReferrer(name, value); |
682 else | 695 else |
683 m_policy->reportUnsupportedDirective(name); | 696 m_policy->reportUnsupportedDirective(name); |
684 } else { | 697 } else { |
685 m_policy->reportUnsupportedDirective(name); | 698 m_policy->reportUnsupportedDirective(name); |
686 } | 699 } |
687 } | 700 } |
688 | 701 |
689 | 702 |
690 } // namespace blink | 703 } // namespace blink |
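Review bot: The `&& RuntimeEnabledFeatures::manifestEnabled()` gate on the new `manifest-src` branch of the directive dispatch changes what happens to the header silently: with the feature off, the name falls through the remaining `else if` chain and ends in `m_policy->reportUnsupportedDirective(name)` on both the experimental and the final `else` path, which is correct but not obvious from the condition alone; a comment above the branch such as `// With the manifest feature disabled, manifest-src falls through and is reported as unsupported.` would make that intent explicit. The enclosing dispatch function begins before the section shown here, so its signature is not visible. Separately, the new `allowManifestFromSource` carries no matching feature check, so when the feature is off a manifest check presumably resolves through `operativeDirective` to the `default-src` fallback while the author's `manifest-src` value has been discarded; if that asymmetry is intended, it is worth a one-line note on the declaration in the header so a later reader does not mistake it for a missed gate.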