OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "config.h" | 5 #include "config.h" |
6 #include "core/frame/csp/CSPDirectiveList.h" | 6 #include "core/frame/csp/CSPDirectiveList.h" |
7 | 7 |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/frame/LocalFrame.h" | 9 #include "core/frame/LocalFrame.h" |
10 #include "core/inspector/ConsoleMessage.h" | 10 #include "core/inspector/ConsoleMessage.h" |
11 #include "platform/ParsingUtilities.h" | 11 #include "platform/ParsingUtilities.h" |
| 12 #include "platform/RuntimeEnabledFeatures.h" |
12 #include "platform/weborigin/KURL.h" | 13 #include "platform/weborigin/KURL.h" |
13 #include "wtf/text/WTFString.h" | 14 #include "wtf/text/WTFString.h" |
14 | 15 |
15 namespace blink { | 16 namespace blink { |
16 | 17 |
17 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) | 18 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) |
18 : m_policy(policy) | 19 : m_policy(policy) |
19 , m_headerType(type) | 20 , m_headerType(type) |
20 , m_headerSource(source) | 21 , m_headerSource(source) |
21 , m_reportOnly(false) | 22 , m_reportOnly(false) |
(...skipping 178 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
200 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) | 201 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) |
201 prefix = "Refused to load the font '"; | 202 prefix = "Refused to load the font '"; |
202 else if (ContentSecurityPolicy::FormAction == effectiveDirective) | 203 else if (ContentSecurityPolicy::FormAction == effectiveDirective) |
203 prefix = "Refused to send form data to '"; | 204 prefix = "Refused to send form data to '"; |
204 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) | 205 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) |
205 prefix = "Refused to frame '"; | 206 prefix = "Refused to frame '"; |
206 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) | 207 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) |
207 prefix = "Refused to load the image '"; | 208 prefix = "Refused to load the image '"; |
208 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) | 209 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) |
209 prefix = "Refused to load media from '"; | 210 prefix = "Refused to load media from '"; |
| 211 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective) |
| 212 prefix = "Refused to load manifest from '"; |
210 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) | 213 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) |
211 prefix = "Refused to load plugin data from '"; | 214 prefix = "Refused to load plugin data from '"; |
212 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) | 215 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) |
213 prefix = "Refused to load the script '"; | 216 prefix = "Refused to load the script '"; |
214 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) | 217 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) |
215 prefix = "Refused to load the stylesheet '"; | 218 prefix = "Refused to load the stylesheet '"; |
216 | 219 |
217 String suffix = String(); | 220 String suffix = String(); |
218 if (directive == m_defaultSrc) | 221 if (directive == m_defaultSrc) |
219 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; | 222 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; |
(...skipping 113 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
333 checkSource(operativeDirective(m_fontSrc.get()), url); | 336 checkSource(operativeDirective(m_fontSrc.get()), url); |
334 } | 337 } |
335 | 338 |
336 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 339 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
337 { | 340 { |
338 return reportingStatus == ContentSecurityPolicy::SendReport ? | 341 return reportingStatus == ContentSecurityPolicy::SendReport ? |
339 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url,
ContentSecurityPolicy::MediaSrc) : | 342 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url,
ContentSecurityPolicy::MediaSrc) : |
340 checkSource(operativeDirective(m_mediaSrc.get()), url); | 343 checkSource(operativeDirective(m_mediaSrc.get()), url); |
341 } | 344 } |
342 | 345 |
| 346 bool CSPDirectiveList::allowManifestFromSource(const KURL& url, ContentSecurityP
olicy::ReportingStatus reportingStatus) const |
| 347 { |
| 348 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 349 checkSourceAndReportViolation(operativeDirective(m_manifestSrc.get()), u
rl, ContentSecurityPolicy::ManifestSrc) : |
| 350 checkSource(operativeDirective(m_manifestSrc.get()), url); |
| 351 } |
| 352 |
343 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 353 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
344 { | 354 { |
345 return reportingStatus == ContentSecurityPolicy::SendReport ? | 355 return reportingStatus == ContentSecurityPolicy::SendReport ? |
346 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur
l, ContentSecurityPolicy::ConnectSrc) : | 356 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur
l, ContentSecurityPolicy::ConnectSrc) : |
347 checkSource(operativeDirective(m_connectSrc.get()), url); | 357 checkSource(operativeDirective(m_connectSrc.get()), url); |
348 } | 358 } |
349 | 359 |
350 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R
eportingStatus reportingStatus) const | 360 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R
eportingStatus reportingStatus) const |
351 { | 361 { |
352 return reportingStatus == ContentSecurityPolicy::SendReport ? | 362 return reportingStatus == ContentSecurityPolicy::SendReport ? |
(...skipping 313 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
666 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) { | 676 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) { |
667 setCSPDirective<SourceListDirective>(name, value, m_childSrc); | 677 setCSPDirective<SourceListDirective>(name, value, m_childSrc); |
668 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) { | 678 } else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) { |
669 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 679 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
670 } else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) { | 680 } else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) { |
671 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 681 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
672 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) { | 682 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) { |
673 parseReflectedXSS(name, value); | 683 parseReflectedXSS(name, value); |
674 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) { | 684 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) { |
675 parseReferrer(name, value); | 685 parseReferrer(name, value); |
| 686 } else if (m_policy->experimentalFeaturesEnabled()) { |
| 687 if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) |
| 688 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); |
| 689 else |
| 690 m_policy->reportUnsupportedDirective(name); |
676 } else { | 691 } else { |
677 m_policy->reportUnsupportedDirective(name); | 692 m_policy->reportUnsupportedDirective(name); |
678 } | 693 } |
679 } | 694 } |
680 | 695 |
681 | 696 |
682 } // namespace blink | 697 } // namespace blink |
OLD | NEW |