Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(702)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/frame/csp/CSPDirectiveList.cpp

Issue 570563003: Implement CSP check for manifest fetching (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Fixed comments and added tests Created 6 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « Source/core/frame/csp/CSPDirectiveList.h ('k') | Source/core/frame/csp/ContentSecurityPolicy.h » ('j') | Source/platform/RuntimeEnabledFeatures.in » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "config.h" 5 #include "config.h"
6 #include "core/frame/csp/CSPDirectiveList.h" 6 #include "core/frame/csp/CSPDirectiveList.h"
7 7
8 #include "core/dom/Document.h" 8 #include "core/dom/Document.h"
9 #include "core/frame/LocalFrame.h" 9 #include "core/frame/LocalFrame.h"
10 #include "core/inspector/ConsoleMessage.h" 10 #include "core/inspector/ConsoleMessage.h"
11 #include "platform/ParsingUtilities.h" 11 #include "platform/ParsingUtilities.h"
12 #include "platform/RuntimeEnabledFeatures.h"
12 #include "platform/weborigin/KURL.h" 13 #include "platform/weborigin/KURL.h"
13 #include "wtf/text/WTFString.h" 14 #include "wtf/text/WTFString.h"
14 15
15 namespace blink { 16 namespace blink {
16 17
17 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) 18 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source)
18 : m_policy(policy) 19 : m_policy(policy)
19 , m_headerType(type) 20 , m_headerType(type)
20 , m_headerSource(source) 21 , m_headerSource(source)
21 , m_reportOnly(false) 22 , m_reportOnly(false)
(...skipping 178 matching lines...) Expand 10 before | Expand all | Expand 10 after
200 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) 201 else if (ContentSecurityPolicy::FontSrc == effectiveDirective)
201 prefix = "Refused to load the font '"; 202 prefix = "Refused to load the font '";
202 else if (ContentSecurityPolicy::FormAction == effectiveDirective) 203 else if (ContentSecurityPolicy::FormAction == effectiveDirective)
203 prefix = "Refused to send form data to '"; 204 prefix = "Refused to send form data to '";
204 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) 205 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective)
205 prefix = "Refused to frame '"; 206 prefix = "Refused to frame '";
206 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) 207 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective)
207 prefix = "Refused to load the image '"; 208 prefix = "Refused to load the image '";
208 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) 209 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective)
209 prefix = "Refused to load media from '"; 210 prefix = "Refused to load media from '";
211 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective)
212 prefix = "Refused to load manifest from '";
210 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) 213 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective)
211 prefix = "Refused to load plugin data from '"; 214 prefix = "Refused to load plugin data from '";
212 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) 215 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective)
213 prefix = "Refused to load the script '"; 216 prefix = "Refused to load the script '";
214 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) 217 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective)
215 prefix = "Refused to load the stylesheet '"; 218 prefix = "Refused to load the stylesheet '";
216 219
217 String suffix = String(); 220 String suffix = String();
218 if (directive == m_defaultSrc) 221 if (directive == m_defaultSrc)
219 suffix = " Note that '" + effectiveDirective + "' was not explicitly set , so 'default-src' is used as a fallback."; 222 suffix = " Note that '" + effectiveDirective + "' was not explicitly set , so 'default-src' is used as a fallback.";
(...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after
338 checkSource(operativeDirective(m_fontSrc.get()), url); 341 checkSource(operativeDirective(m_fontSrc.get()), url);
339 } 342 }
340 343
341 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const 344 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const
342 { 345 {
343 return reportingStatus == ContentSecurityPolicy::SendReport ? 346 return reportingStatus == ContentSecurityPolicy::SendReport ?
344 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, ContentSecurityPolicy::MediaSrc) : 347 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, ContentSecurityPolicy::MediaSrc) :
345 checkSource(operativeDirective(m_mediaSrc.get()), url); 348 checkSource(operativeDirective(m_mediaSrc.get()), url);
346 } 349 }
347 350
351 bool CSPDirectiveList::allowManifestFromSource(const KURL& url, ContentSecurityP olicy::ReportingStatus reportingStatus) const
352 {
353 return reportingStatus == ContentSecurityPolicy::SendReport ?
354 checkSourceAndReportViolation(operativeDirective(m_manifestSrc.get()), u rl, ContentSecurityPolicy::ManifestSrc) :
355 checkSource(operativeDirective(m_manifestSrc.get()), url);
356 }
357
348 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const 358 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const
349 { 359 {
350 return reportingStatus == ContentSecurityPolicy::SendReport ? 360 return reportingStatus == ContentSecurityPolicy::SendReport ?
351 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur l, ContentSecurityPolicy::ConnectSrc) : 361 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur l, ContentSecurityPolicy::ConnectSrc) :
352 checkSource(operativeDirective(m_connectSrc.get()), url); 362 checkSource(operativeDirective(m_connectSrc.get()), url);
353 } 363 }
354 364
355 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R eportingStatus reportingStatus) const 365 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R eportingStatus reportingStatus) const
356 { 366 {
357 return reportingStatus == ContentSecurityPolicy::SendReport ? 367 return reportingStatus == ContentSecurityPolicy::SendReport ?
(...skipping 295 matching lines...) Expand 10 before | Expand all | Expand 10 after
653 setCSPDirective<SourceListDirective>(name, value, m_frameSrc); 663 setCSPDirective<SourceListDirective>(name, value, m_frameSrc);
654 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ImgSrc)) { 664 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ImgSrc)) {
655 setCSPDirective<SourceListDirective>(name, value, m_imgSrc); 665 setCSPDirective<SourceListDirective>(name, value, m_imgSrc);
656 } else if (equalIgnoringCase(name, ContentSecurityPolicy::StyleSrc)) { 666 } else if (equalIgnoringCase(name, ContentSecurityPolicy::StyleSrc)) {
657 setCSPDirective<SourceListDirective>(name, value, m_styleSrc); 667 setCSPDirective<SourceListDirective>(name, value, m_styleSrc);
658 m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed()); 668 m_policy->usesStyleHashAlgorithms(m_styleSrc->hashAlgorithmsUsed());
659 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FontSrc)) { 669 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FontSrc)) {
660 setCSPDirective<SourceListDirective>(name, value, m_fontSrc); 670 setCSPDirective<SourceListDirective>(name, value, m_fontSrc);
661 } else if (equalIgnoringCase(name, ContentSecurityPolicy::MediaSrc)) { 671 } else if (equalIgnoringCase(name, ContentSecurityPolicy::MediaSrc)) {
662 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc); 672 setCSPDirective<SourceListDirective>(name, value, m_mediaSrc);
673 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)
674 && RuntimeEnabledFeatures::manifestEnabled()) {
675 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc);
663 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ConnectSrc)) { 676 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ConnectSrc)) {
664 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); 677 setCSPDirective<SourceListDirective>(name, value, m_connectSrc);
665 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Sandbox)) { 678 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Sandbox)) {
666 applySandboxPolicy(name, value); 679 applySandboxPolicy(name, value);
667 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReportURI)) { 680 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReportURI)) {
668 parseReportURI(name, value); 681 parseReportURI(name, value);
669 } else if (m_policy->experimentalFeaturesEnabled()) { 682 } else if (m_policy->experimentalFeaturesEnabled()) {
670 if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) 683 if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI))
671 setCSPDirective<SourceListDirective>(name, value, m_baseURI); 684 setCSPDirective<SourceListDirective>(name, value, m_baseURI);
672 else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) 685 else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc))
673 setCSPDirective<SourceListDirective>(name, value, m_childSrc); 686 setCSPDirective<SourceListDirective>(name, value, m_childSrc);
674 else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) 687 else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction))
675 setCSPDirective<SourceListDirective>(name, value, m_formAction); 688 setCSPDirective<SourceListDirective>(name, value, m_formAction);
676 else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) 689 else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes))
677 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); 690 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
678 else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) 691 else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS))
679 parseReflectedXSS(name, value); 692 parseReflectedXSS(name, value);
680 else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) 693 else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer))
681 parseReferrer(name, value); 694 parseReferrer(name, value);
682 else 695 else
683 m_policy->reportUnsupportedDirective(name); 696 m_policy->reportUnsupportedDirective(name);
684 } else { 697 } else {
685 m_policy->reportUnsupportedDirective(name); 698 m_policy->reportUnsupportedDirective(name);
686 } 699 }
687 } 700 }
688 701
689 702
690 } // namespace blink 703 } // namespace blink
OLDNEW
« no previous file with comments | « Source/core/frame/csp/CSPDirectiveList.h ('k') | Source/core/frame/csp/ContentSecurityPolicy.h » ('j') | Source/platform/RuntimeEnabledFeatures.in » ('J')

Powered by Google App Engine
This is Rietveld 408576698