| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "config.h" | 5 #include "config.h" |
| 6 #include "core/frame/csp/CSPDirectiveList.h" | 6 #include "core/frame/csp/CSPDirectiveList.h" |
| 7 | 7 |
| 8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/frame/LocalFrame.h" | 9 #include "core/frame/LocalFrame.h" |
| 10 #include "core/inspector/ConsoleMessage.h" | 10 #include "core/inspector/ConsoleMessage.h" |
| 11 #include "platform/ParsingUtilities.h" | 11 #include "platform/ParsingUtilities.h" |
| 12 #include "platform/RuntimeEnabledFeatures.h" |
| 12 #include "platform/weborigin/KURL.h" | 13 #include "platform/weborigin/KURL.h" |
| 13 #include "wtf/text/WTFString.h" | 14 #include "wtf/text/WTFString.h" |
| 14 | 15 |
| 15 namespace blink { | 16 namespace blink { |
| 16 | 17 |
| 17 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) | 18 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) |
| 18 : m_policy(policy) | 19 : m_policy(policy) |
| 19 , m_headerType(type) | 20 , m_headerType(type) |
| 20 , m_headerSource(source) | 21 , m_headerSource(source) |
| 21 , m_reportOnly(false) | 22 , m_reportOnly(false) |
| (...skipping 178 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 200 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) | 201 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) |
| 201 prefix = "Refused to load the font '"; | 202 prefix = "Refused to load the font '"; |
| 202 else if (ContentSecurityPolicy::FormAction == effectiveDirective) | 203 else if (ContentSecurityPolicy::FormAction == effectiveDirective) |
| 203 prefix = "Refused to send form data to '"; | 204 prefix = "Refused to send form data to '"; |
| 204 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) | 205 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) |
| 205 prefix = "Refused to frame '"; | 206 prefix = "Refused to frame '"; |
| 206 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) | 207 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) |
| 207 prefix = "Refused to load the image '"; | 208 prefix = "Refused to load the image '"; |
| 208 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) | 209 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) |
| 209 prefix = "Refused to load media from '"; | 210 prefix = "Refused to load media from '"; |
| 211 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective) |
| 212 prefix = "Refused to load manifest from '"; |
| 210 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) | 213 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) |
| 211 prefix = "Refused to load plugin data from '"; | 214 prefix = "Refused to load plugin data from '"; |
| 212 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) | 215 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) |
| 213 prefix = "Refused to load the script '"; | 216 prefix = "Refused to load the script '"; |
| 214 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) | 217 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) |
| 215 prefix = "Refused to load the stylesheet '"; | 218 prefix = "Refused to load the stylesheet '"; |
| 216 | 219 |
| 217 String suffix = String(); | 220 String suffix = String(); |
| 218 if (directive == m_defaultSrc) | 221 if (directive == m_defaultSrc) |
| 219 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; | 222 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; |
| (...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 338 checkSource(operativeDirective(m_fontSrc.get()), url); | 341 checkSource(operativeDirective(m_fontSrc.get()), url); |
| 339 } | 342 } |
| 340 | 343 |
| 341 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 344 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
| 342 { | 345 { |
| 343 return reportingStatus == ContentSecurityPolicy::SendReport ? | 346 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 344 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url,
ContentSecurityPolicy::MediaSrc) : | 347 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url,
ContentSecurityPolicy::MediaSrc) : |
| 345 checkSource(operativeDirective(m_mediaSrc.get()), url); | 348 checkSource(operativeDirective(m_mediaSrc.get()), url); |
| 346 } | 349 } |
| 347 | 350 |
| 351 bool CSPDirectiveList::allowManifestFromSource(const KURL& url, ContentSecurityP
olicy::ReportingStatus reportingStatus) const |
| 352 { |
| 353 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 354 checkSourceAndReportViolation(operativeDirective(m_manifestSrc.get()), u
rl, ContentSecurityPolicy::ManifestSrc) : |
| 355 checkSource(operativeDirective(m_manifestSrc.get()), url); |
| 356 } |
| 357 |
| 348 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 358 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
| 349 { | 359 { |
| 350 return reportingStatus == ContentSecurityPolicy::SendReport ? | 360 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 351 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur
l, ContentSecurityPolicy::ConnectSrc) : | 361 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur
l, ContentSecurityPolicy::ConnectSrc) : |
| 352 checkSource(operativeDirective(m_connectSrc.get()), url); | 362 checkSource(operativeDirective(m_connectSrc.get()), url); |
| 353 } | 363 } |
| 354 | 364 |
| 355 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R
eportingStatus reportingStatus) const | 365 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R
eportingStatus reportingStatus) const |
| 356 { | 366 { |
| 357 return reportingStatus == ContentSecurityPolicy::SendReport ? | 367 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| (...skipping 310 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 668 parseReportURI(name, value); | 678 parseReportURI(name, value); |
| 669 } else if (m_policy->experimentalFeaturesEnabled()) { | 679 } else if (m_policy->experimentalFeaturesEnabled()) { |
| 670 if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) | 680 if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) |
| 671 setCSPDirective<SourceListDirective>(name, value, m_baseURI); | 681 setCSPDirective<SourceListDirective>(name, value, m_baseURI); |
| 672 else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) | 682 else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) |
| 673 setCSPDirective<SourceListDirective>(name, value, m_childSrc); | 683 setCSPDirective<SourceListDirective>(name, value, m_childSrc); |
| 674 else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) | 684 else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) |
| 675 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 685 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
| 676 else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) | 686 else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) |
| 677 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 687 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
| 688 else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) |
| 689 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); |
| 678 else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) | 690 else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) |
| 679 parseReflectedXSS(name, value); | 691 parseReflectedXSS(name, value); |
| 680 else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) | 692 else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) |
| 681 parseReferrer(name, value); | 693 parseReferrer(name, value); |
| 682 else | 694 else |
| 683 m_policy->reportUnsupportedDirective(name); | 695 m_policy->reportUnsupportedDirective(name); |
| 684 } else { | 696 } else { |
| 685 m_policy->reportUnsupportedDirective(name); | 697 m_policy->reportUnsupportedDirective(name); |
| 686 } | 698 } |
| 687 } | 699 } |
| 688 | 700 |
| 689 | 701 |
| 690 } // namespace blink | 702 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 570563003:
Implement CSP check for manifest fetching (Closed)
Base URL: svn://svn.chromium.org/blink/trunk