OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "config.h" | 5 #include "config.h" |
6 #include "core/frame/csp/CSPDirectiveList.h" | 6 #include "core/frame/csp/CSPDirectiveList.h" |
7 | 7 |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/frame/LocalFrame.h" | 9 #include "core/frame/LocalFrame.h" |
10 #include "core/inspector/ConsoleMessage.h" | 10 #include "core/inspector/ConsoleMessage.h" |
11 #include "platform/ParsingUtilities.h" | 11 #include "platform/ParsingUtilities.h" |
| 12 #include "platform/RuntimeEnabledFeatures.h" |
12 #include "platform/weborigin/KURL.h" | 13 #include "platform/weborigin/KURL.h" |
13 #include "wtf/text/WTFString.h" | 14 #include "wtf/text/WTFString.h" |
14 | 15 |
15 namespace blink { | 16 namespace blink { |
16 | 17 |
17 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) | 18 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) |
18 : m_policy(policy) | 19 : m_policy(policy) |
19 , m_headerType(type) | 20 , m_headerType(type) |
20 , m_headerSource(source) | 21 , m_headerSource(source) |
21 , m_reportOnly(false) | 22 , m_reportOnly(false) |
(...skipping 178 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
200 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) | 201 else if (ContentSecurityPolicy::FontSrc == effectiveDirective) |
201 prefix = "Refused to load the font '"; | 202 prefix = "Refused to load the font '"; |
202 else if (ContentSecurityPolicy::FormAction == effectiveDirective) | 203 else if (ContentSecurityPolicy::FormAction == effectiveDirective) |
203 prefix = "Refused to send form data to '"; | 204 prefix = "Refused to send form data to '"; |
204 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) | 205 else if (ContentSecurityPolicy::FrameSrc == effectiveDirective) |
205 prefix = "Refused to frame '"; | 206 prefix = "Refused to frame '"; |
206 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) | 207 else if (ContentSecurityPolicy::ImgSrc == effectiveDirective) |
207 prefix = "Refused to load the image '"; | 208 prefix = "Refused to load the image '"; |
208 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) | 209 else if (ContentSecurityPolicy::MediaSrc == effectiveDirective) |
209 prefix = "Refused to load media from '"; | 210 prefix = "Refused to load media from '"; |
| 211 else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective) |
| 212 prefix = "Refused to load manifest from '"; |
210 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) | 213 else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective) |
211 prefix = "Refused to load plugin data from '"; | 214 prefix = "Refused to load plugin data from '"; |
212 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) | 215 else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective) |
213 prefix = "Refused to load the script '"; | 216 prefix = "Refused to load the script '"; |
214 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) | 217 else if (ContentSecurityPolicy::StyleSrc == effectiveDirective) |
215 prefix = "Refused to load the stylesheet '"; | 218 prefix = "Refused to load the stylesheet '"; |
216 | 219 |
217 String suffix = String(); | 220 String suffix = String(); |
218 if (directive == m_defaultSrc) | 221 if (directive == m_defaultSrc) |
219 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; | 222 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; |
(...skipping 118 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
338 checkSource(operativeDirective(m_fontSrc.get()), url); | 341 checkSource(operativeDirective(m_fontSrc.get()), url); |
339 } | 342 } |
340 | 343 |
341 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 344 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
342 { | 345 { |
343 return reportingStatus == ContentSecurityPolicy::SendReport ? | 346 return reportingStatus == ContentSecurityPolicy::SendReport ? |
344 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url,
ContentSecurityPolicy::MediaSrc) : | 347 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url,
ContentSecurityPolicy::MediaSrc) : |
345 checkSource(operativeDirective(m_mediaSrc.get()), url); | 348 checkSource(operativeDirective(m_mediaSrc.get()), url); |
346 } | 349 } |
347 | 350 |
| 351 bool CSPDirectiveList::allowManifestFromSource(const KURL& url, ContentSecurityP
olicy::ReportingStatus reportingStatus) const |
| 352 { |
| 353 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 354 checkSourceAndReportViolation(operativeDirective(m_manifestSrc.get()), u
rl, ContentSecurityPolicy::ManifestSrc) : |
| 355 checkSource(operativeDirective(m_manifestSrc.get()), url); |
| 356 } |
| 357 |
348 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 358 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
349 { | 359 { |
350 return reportingStatus == ContentSecurityPolicy::SendReport ? | 360 return reportingStatus == ContentSecurityPolicy::SendReport ? |
351 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur
l, ContentSecurityPolicy::ConnectSrc) : | 361 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), ur
l, ContentSecurityPolicy::ConnectSrc) : |
352 checkSource(operativeDirective(m_connectSrc.get()), url); | 362 checkSource(operativeDirective(m_connectSrc.get()), url); |
353 } | 363 } |
354 | 364 |
355 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R
eportingStatus reportingStatus) const | 365 bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R
eportingStatus reportingStatus) const |
356 { | 366 { |
357 return reportingStatus == ContentSecurityPolicy::SendReport ? | 367 return reportingStatus == ContentSecurityPolicy::SendReport ? |
(...skipping 310 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
668 parseReportURI(name, value); | 678 parseReportURI(name, value); |
669 } else if (m_policy->experimentalFeaturesEnabled()) { | 679 } else if (m_policy->experimentalFeaturesEnabled()) { |
670 if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) | 680 if (equalIgnoringCase(name, ContentSecurityPolicy::BaseURI)) |
671 setCSPDirective<SourceListDirective>(name, value, m_baseURI); | 681 setCSPDirective<SourceListDirective>(name, value, m_baseURI); |
672 else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) | 682 else if (equalIgnoringCase(name, ContentSecurityPolicy::ChildSrc)) |
673 setCSPDirective<SourceListDirective>(name, value, m_childSrc); | 683 setCSPDirective<SourceListDirective>(name, value, m_childSrc); |
674 else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) | 684 else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction)) |
675 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 685 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
676 else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) | 686 else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) |
677 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 687 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
| 688 else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) |
| 689 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); |
678 else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) | 690 else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) |
679 parseReflectedXSS(name, value); | 691 parseReflectedXSS(name, value); |
680 else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) | 692 else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) |
681 parseReferrer(name, value); | 693 parseReferrer(name, value); |
682 else | 694 else |
683 m_policy->reportUnsupportedDirective(name); | 695 m_policy->reportUnsupportedDirective(name); |
684 } else { | 696 } else { |
685 m_policy->reportUnsupportedDirective(name); | 697 m_policy->reportUnsupportedDirective(name); |
686 } | 698 } |
687 } | 699 } |
688 | 700 |
689 | 701 |
690 } // namespace blink | 702 } // namespace blink |
OLD | NEW |