Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(645)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/frame/csp/CSPDirectiveList.cpp

Issue 570563003: Implement CSP check for manifest fetching (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Fixed nit from mkwst Created 6 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « Source/core/frame/csp/CSPDirectiveList.h ('k') | Source/core/frame/csp/ContentSecurityPolicy.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "config.h" 5 #include "config.h"
6 #include "core/frame/csp/CSPDirectiveList.h" 6 #include "core/frame/csp/CSPDirectiveList.h"
7 7
8 #include "core/dom/Document.h" 8 #include "core/dom/Document.h"
9 #include "core/frame/LocalFrame.h" 9 #include "core/frame/LocalFrame.h"
10 #include "core/inspector/ConsoleMessage.h" 10 #include "core/inspector/ConsoleMessage.h"
11 #include "platform/ParsingUtilities.h" 11 #include "platform/ParsingUtilities.h"
12 #include "platform/RuntimeEnabledFeatures.h"
12 #include "platform/weborigin/KURL.h" 13 #include "platform/weborigin/KURL.h"
13 #include "wtf/text/WTFString.h" 14 #include "wtf/text/WTFString.h"
14 15
15 namespace blink { 16 namespace blink {
16 17
17 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) 18 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source)
18 : m_policy(policy) 19 : m_policy(policy)
19 , m_headerType(type) 20 , m_headerType(type)
20 , m_headerSource(source) 21 , m_headerSource(source)
21 , m_reportOnly(false) 22 , m_reportOnly(false)
(...skipping 178 matching lines...) Expand 10 before | Expand all | Expand 10 after
200 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) 201 else if (ContentSecurityPolicy::FontSrc == effectiveDirective)
201 prefix = "Refused to load the font '"; 202 prefix = "Refused to load the font '";
202 else if (ContentSecurityPolicy::FormAction == effectiveDirective) 203 else if (ContentSecurityPolicy::FormAction == effectiveDirective)
203 prefix = "Refused to send form data to '"; 204 prefix = "Refused to send form data to '";
204 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) 205 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective)
205 prefix = "Refused to frame '"; 206 prefix = "Refused to frame '";
206 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) 207 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective)
207 prefix = "Refused to load the image '"; 208 prefix = "Refused to load the image '";
208 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) 209 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective)
209 prefix = "Refused to load media from '"; 210 prefix = "Refused to load media from '";
211 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective)
212 prefix = "Refused to load manifest from '";
210 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) 213 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective)
211 prefix = "Refused to load plugin data from '"; 214 prefix = "Refused to load plugin data from '";
212 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) 215 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective)
213 prefix = "Refused to load the script '"; 216 prefix = "Refused to load the script '";
214 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) 217 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective)
215 prefix = "Refused to load the stylesheet '"; 218 prefix = "Refused to load the stylesheet '";
216 219
217 String suffix = String(); 220 String suffix = String();
218 if (directive == m_defaultSrc) 221 if (directive == m_defaultSrc)
219 suffix = " Note that '" + effectiveDirective + "' was not explicitly set , so 'default-src' is used as a fallback."; 222 suffix = " Note that '" + effectiveDirective + "' was not explicitly set , so 'default-src' is used as a fallback.";
(...skipping 113 matching lines...) Expand 10 before | Expand all | Expand 10 after
333 checkSource(operativeDirective(m_fontSrc.get()), url); 336 checkSource(operativeDirective(m_fontSrc.get()), url);
334 } 337 }
335 338
336 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const 339 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const
337 { 340 {
338 return reportingStatus == ContentSecurityPolicy::SendReport ? 341 return reportingStatus == ContentSecurityPolicy::SendReport ?
339 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, ContentSecurityPolicy::MediaSrc) : 342 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, ContentSecurityPolicy::MediaSrc) :
340 checkSource(operativeDirective(m_mediaSrc.get()), url); 343 checkSource(operativeDirective(m_mediaSrc.get()), url);
341 } 344 }
342 345
346 bool CSPDirectiveList::allowManifestFromSource(const KURL& url, ContentSecurityP olicy::ReportingStatus reportingStatus) const
347 {
348 return reportingStatus == ContentSecurityPolicy::SendReport ?
349 checkSourceAndReportViolation(operativeDirective(m_manifestSrc.get()), u rl, ContentSecurityPolicy::ManifestSrc) :
350 checkSource(operativeDirective(m_manifestSrc.get()), url);
351 }
352
343 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const 353 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli cy::ReportingStatus reportingStatus) const
344 { 354 {
345 return reportingStatus == ContentSecurityPolicy::SendReport ? 355 return reportingStatus == ContentSecurityPolicy::SendReport ?
346 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur l, ContentSecurityPolicy::ConnectSrc) : 356 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur l, ContentSecurityPolicy::ConnectSrc) :
347 checkSource(operativeDirective(m_connectSrc.get()), url); 357 checkSource(operativeDirective(m_connectSrc.get()), url);
348 } 358 }
349 359
350 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R eportingStatus reportingStatus) const 360 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R eportingStatus reportingStatus) const
351 { 361 {
352 return reportingStatus == ContentSecurityPolicy::SendReport ? 362 return reportingStatus == ContentSecurityPolicy::SendReport ?
(...skipping 313 matching lines...) Expand 10 before | Expand all | Expand 10 after
666 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) { 676 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) {
667 setCSPDirective<SourceListDirective>(name, value, m_childSrc); 677 setCSPDirective<SourceListDirective>(name, value, m_childSrc);
668 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) { 678 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) {
669 setCSPDirective<SourceListDirective>(name, value, m_formAction); 679 setCSPDirective<SourceListDirective>(name, value, m_formAction);
670 } else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) { 680 } else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) {
671 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); 681 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
672 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) { 682 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) {
673 parseReflectedXSS(name, value); 683 parseReflectedXSS(name, value);
674 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) { 684 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) {
675 parseReferrer(name, value); 685 parseReferrer(name, value);
686 } else if (m_policy->experimentalFeaturesEnabled()) {
687 if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc))
688 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc);
689 else
690 m_policy->reportUnsupportedDirective(name);
676 } else { 691 } else {
677 m_policy->reportUnsupportedDirective(name); 692 m_policy->reportUnsupportedDirective(name);
678 } 693 }
679 } 694 }
680 695
681 696
682 } // namespace blink 697 } // namespace blink
OLDNEW
« no previous file with comments | « Source/core/frame/csp/CSPDirectiveList.h ('k') | Source/core/frame/csp/ContentSecurityPolicy.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698