1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
82 | 82 |
83 // CSP 1.1 Directives | 83 // CSP 1.1 Directives |
84 const char ContentSecurityPolicy::BaseURI[] = "base-uri"; | 84 const char ContentSecurityPolicy::BaseURI[] = "base-uri"; |
85 const char ContentSecurityPolicy::ChildSrc[] = "child-src"; | 85 const char ContentSecurityPolicy::ChildSrc[] = "child-src"; |
86 const char ContentSecurityPolicy::FormAction[] = "form-action"; | 86 const char ContentSecurityPolicy::FormAction[] = "form-action"; |
87 const char ContentSecurityPolicy::FrameAncestors[] = "frame-ancestors"; | 87 const char ContentSecurityPolicy::FrameAncestors[] = "frame-ancestors"; |
88 const char ContentSecurityPolicy::PluginTypes[] = "plugin-types"; | 88 const char ContentSecurityPolicy::PluginTypes[] = "plugin-types"; |
89 const char ContentSecurityPolicy::ReflectedXSS[] = "reflected-xss"; | 89 const char ContentSecurityPolicy::ReflectedXSS[] = "reflected-xss"; |
90 const char ContentSecurityPolicy::Referrer[] = "referrer"; | 90 const char ContentSecurityPolicy::Referrer[] = "referrer"; |
91 | 91 |
| 92 // Manifest Directives |
| 93 // https://w3c.github.io/manifest/#content-security-policy |
| 94 const char ContentSecurityPolicy::ManifestSrc[] = "manifest-src"; |
| 95 |
92 bool ContentSecurityPolicy::isDirectiveName(const String& name) | 96 bool ContentSecurityPolicy::isDirectiveName(const String& name) |
93 { | 97 { |
94 return (equalIgnoringCase(name, ConnectSrc) | 98 return (equalIgnoringCase(name, ConnectSrc) |
95 || equalIgnoringCase(name, DefaultSrc) | 99 || equalIgnoringCase(name, DefaultSrc) |
96 || equalIgnoringCase(name, FontSrc) | 100 || equalIgnoringCase(name, FontSrc) |
97 || equalIgnoringCase(name, FrameSrc) | 101 || equalIgnoringCase(name, FrameSrc) |
98 || equalIgnoringCase(name, ImgSrc) | 102 || equalIgnoringCase(name, ImgSrc) |
99 || equalIgnoringCase(name, MediaSrc) | 103 || equalIgnoringCase(name, MediaSrc) |
100 || equalIgnoringCase(name, ObjectSrc) | 104 || equalIgnoringCase(name, ObjectSrc) |
101 || equalIgnoringCase(name, ReportURI) | 105 || equalIgnoringCase(name, ReportURI) |
102 || equalIgnoringCase(name, Sandbox) | 106 || equalIgnoringCase(name, Sandbox) |
103 || equalIgnoringCase(name, ScriptSrc) | 107 || equalIgnoringCase(name, ScriptSrc) |
104 || equalIgnoringCase(name, StyleSrc) | 108 || equalIgnoringCase(name, StyleSrc) |
105 || equalIgnoringCase(name, BaseURI) | 109 || equalIgnoringCase(name, BaseURI) |
106 || equalIgnoringCase(name, ChildSrc) | 110 || equalIgnoringCase(name, ChildSrc) |
107 || equalIgnoringCase(name, FormAction) | 111 || equalIgnoringCase(name, FormAction) |
108 || equalIgnoringCase(name, FrameAncestors) | 112 || equalIgnoringCase(name, FrameAncestors) |
109 || equalIgnoringCase(name, PluginTypes) | 113 || equalIgnoringCase(name, PluginTypes) |
110 || equalIgnoringCase(name, ReflectedXSS) | 114 || equalIgnoringCase(name, ReflectedXSS) |
111 || equalIgnoringCase(name, Referrer) | 115 || equalIgnoringCase(name, Referrer) |
| 116 || equalIgnoringCase(name, ManifestSrc) |
112 ); | 117 ); |
113 } | 118 } |
114 | 119 |
115 static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType typ
e) | 120 static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType typ
e) |
116 { | 121 { |
117 switch (type) { | 122 switch (type) { |
118 case ContentSecurityPolicyHeaderTypeEnforce: | 123 case ContentSecurityPolicyHeaderTypeEnforce: |
119 return UseCounter::ContentSecurityPolicy; | 124 return UseCounter::ContentSecurityPolicy; |
120 case ContentSecurityPolicyHeaderTypeReport: | 125 case ContentSecurityPolicyHeaderTypeReport: |
121 return UseCounter::ContentSecurityPolicyReportOnly; | 126 return UseCounter::ContentSecurityPolicyReportOnly; |
524 // CSP 1.1 moves workers from 'script-src' to the new 'child-src'. Measure t
he impact of this backwards-incompatible change. | 529 // CSP 1.1 moves workers from 'script-src' to the new 'child-src'. Measure t
he impact of this backwards-incompatible change. |
525 if (Document* document = this->document()) { | 530 if (Document* document = this->document()) { |
526 UseCounter::count(*document, UseCounter::WorkerSubjectToCSP); | 531 UseCounter::count(*document, UseCounter::WorkerSubjectToCSP); |
527 if (isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource
>(m_policies, url, SuppressReport) && !isAllowedByAllWithURL<&CSPDirectiveList::
allowScriptFromSource>(m_policies, url, SuppressReport)) | 532 if (isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource
>(m_policies, url, SuppressReport) && !isAllowedByAllWithURL<&CSPDirectiveList::
allowScriptFromSource>(m_policies, url, SuppressReport)) |
528 UseCounter::count(*document, UseCounter::WorkerAllowedByChildBlocked
ByScript); | 533 UseCounter::count(*document, UseCounter::WorkerAllowedByChildBlocked
ByScript); |
529 } | 534 } |
530 | 535 |
531 return isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource>
(m_policies, url, reportingStatus); | 536 return isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource>
(m_policies, url, reportingStatus); |
532 } | 537 } |
533 | 538 |
| 539 bool ContentSecurityPolicy::allowManifestFromSource(const KURL& url, ContentSecu
rityPolicy::ReportingStatus reportingStatus) const |
| 540 { |
| 541 return isAllowedByAllWithURL<&CSPDirectiveList::allowManifestFromSource>(m_p
olicies, url, reportingStatus); |
| 542 } |
| 543 |
534 bool ContentSecurityPolicy::isActive() const | 544 bool ContentSecurityPolicy::isActive() const |
535 { | 545 { |
536 return !m_policies.isEmpty(); | 546 return !m_policies.isEmpty(); |
537 } | 547 } |
538 | 548 |
539 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const | 549 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const |
540 { | 550 { |
541 ReflectedXSSDisposition disposition = ReflectedXSSUnset; | 551 ReflectedXSSDisposition disposition = ReflectedXSSUnset; |
542 for (size_t i = 0; i < m_policies.size(); ++i) { | 552 for (size_t i = 0; i < m_policies.size(); ++i) { |
543 if (m_policies[i]->reflectedXSSDisposition() > disposition) | 553 if (m_policies[i]->reflectedXSSDisposition() > disposition) |
864 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. | 874 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. |
865 return !m_violationReportsSent.contains(report.impl()->hash()); | 875 return !m_violationReportsSent.contains(report.impl()->hash()); |
866 } | 876 } |
867 | 877 |
868 void ContentSecurityPolicy::didSendViolationReport(const String& report) | 878 void ContentSecurityPolicy::didSendViolationReport(const String& report) |
869 { | 879 { |
870 m_violationReportsSent.add(report.impl()->hash()); | 880 m_violationReportsSent.add(report.impl()->hash()); |
871 } | 881 } |
872 | 882 |
873 } // namespace blink | 883 } // namespace blink |
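Review bot: The new `allowManifestFromSource` at NEW 539-542 carries no comment, while the matching directive constant at NEW 92-94 cites the manifest spec; I'd put the same reference above the function, `// https://w3c.github.io/manifest/#content-security-policy`, so a reader of the entry point sees which document defines the directive's semantics. Whether a missing manifest-src falls back to default-src is decided inside `CSPDirectiveList::allowManifestFromSource`, which is not on this page, so that fallback should be confirmed there rather than assumed from the one-line delegation here. Unlike `allowWorkerContextFromSource` directly above it (whose body begins outside the hunk), the new check records no UseCounter, so if adoption of the directive is meant to be measured that would be a follow-up. The `isDirectiveName` addition at NEW 116 is consistent with the case-insensitive matching used for every other directive in that chain.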