OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 71 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
82 | 82 |
83 // CSP 1.1 Directives | 83 // CSP 1.1 Directives |
84 const char ContentSecurityPolicy::BaseURI[] = "base-uri"; | 84 const char ContentSecurityPolicy::BaseURI[] = "base-uri"; |
85 const char ContentSecurityPolicy::ChildSrc[] = "child-src"; | 85 const char ContentSecurityPolicy::ChildSrc[] = "child-src"; |
86 const char ContentSecurityPolicy::FormAction[] = "form-action"; | 86 const char ContentSecurityPolicy::FormAction[] = "form-action"; |
87 const char ContentSecurityPolicy::FrameAncestors[] = "frame-ancestors"; | 87 const char ContentSecurityPolicy::FrameAncestors[] = "frame-ancestors"; |
88 const char ContentSecurityPolicy::PluginTypes[] = "plugin-types"; | 88 const char ContentSecurityPolicy::PluginTypes[] = "plugin-types"; |
89 const char ContentSecurityPolicy::ReflectedXSS[] = "reflected-xss"; | 89 const char ContentSecurityPolicy::ReflectedXSS[] = "reflected-xss"; |
90 const char ContentSecurityPolicy::Referrer[] = "referrer"; | 90 const char ContentSecurityPolicy::Referrer[] = "referrer"; |
91 | 91 |
| 92 // Manifest Directives |
| 93 // https://w3c.github.io/manifest/#content-security-policy |
| 94 const char ContentSecurityPolicy::ManifestSrc[] = "manifest-src"; |
| 95 |
92 bool ContentSecurityPolicy::isDirectiveName(const String& name) | 96 bool ContentSecurityPolicy::isDirectiveName(const String& name) |
93 { | 97 { |
94 return (equalIgnoringCase(name, ConnectSrc) | 98 return (equalIgnoringCase(name, ConnectSrc) |
95 || equalIgnoringCase(name, DefaultSrc) | 99 || equalIgnoringCase(name, DefaultSrc) |
96 || equalIgnoringCase(name, FontSrc) | 100 || equalIgnoringCase(name, FontSrc) |
97 || equalIgnoringCase(name, FrameSrc) | 101 || equalIgnoringCase(name, FrameSrc) |
98 || equalIgnoringCase(name, ImgSrc) | 102 || equalIgnoringCase(name, ImgSrc) |
99 || equalIgnoringCase(name, MediaSrc) | 103 || equalIgnoringCase(name, MediaSrc) |
100 || equalIgnoringCase(name, ObjectSrc) | 104 || equalIgnoringCase(name, ObjectSrc) |
101 || equalIgnoringCase(name, ReportURI) | 105 || equalIgnoringCase(name, ReportURI) |
102 || equalIgnoringCase(name, Sandbox) | 106 || equalIgnoringCase(name, Sandbox) |
103 || equalIgnoringCase(name, ScriptSrc) | 107 || equalIgnoringCase(name, ScriptSrc) |
104 || equalIgnoringCase(name, StyleSrc) | 108 || equalIgnoringCase(name, StyleSrc) |
105 || equalIgnoringCase(name, BaseURI) | 109 || equalIgnoringCase(name, BaseURI) |
106 || equalIgnoringCase(name, ChildSrc) | 110 || equalIgnoringCase(name, ChildSrc) |
107 || equalIgnoringCase(name, FormAction) | 111 || equalIgnoringCase(name, FormAction) |
108 || equalIgnoringCase(name, FrameAncestors) | 112 || equalIgnoringCase(name, FrameAncestors) |
109 || equalIgnoringCase(name, PluginTypes) | 113 || equalIgnoringCase(name, PluginTypes) |
110 || equalIgnoringCase(name, ReflectedXSS) | 114 || equalIgnoringCase(name, ReflectedXSS) |
111 || equalIgnoringCase(name, Referrer) | 115 || equalIgnoringCase(name, Referrer) |
| 116 || equalIgnoringCase(name, ManifestSrc) |
112 ); | 117 ); |
113 } | 118 } |
114 | 119 |
115 static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType typ
e) | 120 static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType typ
e) |
116 { | 121 { |
117 switch (type) { | 122 switch (type) { |
118 case ContentSecurityPolicyHeaderTypeEnforce: | 123 case ContentSecurityPolicyHeaderTypeEnforce: |
119 return UseCounter::ContentSecurityPolicy; | 124 return UseCounter::ContentSecurityPolicy; |
120 case ContentSecurityPolicyHeaderTypeReport: | 125 case ContentSecurityPolicyHeaderTypeReport: |
121 return UseCounter::ContentSecurityPolicyReportOnly; | 126 return UseCounter::ContentSecurityPolicyReportOnly; |
(...skipping 404 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
526 UseCounter::count(*document, UseCounter::WorkerSubjectToCSP); | 531 UseCounter::count(*document, UseCounter::WorkerSubjectToCSP); |
527 if (isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource
>(m_policies, url, SuppressReport) && !isAllowedByAllWithURL<&CSPDirectiveList::
allowScriptFromSource>(m_policies, url, SuppressReport)) | 532 if (isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource
>(m_policies, url, SuppressReport) && !isAllowedByAllWithURL<&CSPDirectiveList::
allowScriptFromSource>(m_policies, url, SuppressReport)) |
528 UseCounter::count(*document, UseCounter::WorkerAllowedByChildBlocked
ByScript); | 533 UseCounter::count(*document, UseCounter::WorkerAllowedByChildBlocked
ByScript); |
529 } | 534 } |
530 | 535 |
531 return experimentalFeaturesEnabled() ? | 536 return experimentalFeaturesEnabled() ? |
532 isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource>(m_
policies, url, reportingStatus) : | 537 isAllowedByAllWithURL<&CSPDirectiveList::allowChildContextFromSource>(m_
policies, url, reportingStatus) : |
533 isAllowedByAllWithURL<&CSPDirectiveList::allowScriptFromSource>(m_polici
es, url, reportingStatus); | 538 isAllowedByAllWithURL<&CSPDirectiveList::allowScriptFromSource>(m_polici
es, url, reportingStatus); |
534 } | 539 } |
535 | 540 |
| 541 bool ContentSecurityPolicy::allowManifestFromSource(const KURL& url, ContentSecu
rityPolicy::ReportingStatus reportingStatus) const |
| 542 { |
| 543 return isAllowedByAllWithURL<&CSPDirectiveList::allowManifestFromSource>(m_p
olicies, url, reportingStatus); |
| 544 } |
| 545 |
536 bool ContentSecurityPolicy::isActive() const | 546 bool ContentSecurityPolicy::isActive() const |
537 { | 547 { |
538 return !m_policies.isEmpty(); | 548 return !m_policies.isEmpty(); |
539 } | 549 } |
540 | 550 |
541 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const | 551 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const |
542 { | 552 { |
543 ReflectedXSSDisposition disposition = ReflectedXSSUnset; | 553 ReflectedXSSDisposition disposition = ReflectedXSSUnset; |
544 for (size_t i = 0; i < m_policies.size(); ++i) { | 554 for (size_t i = 0; i < m_policies.size(); ++i) { |
545 if (m_policies[i]->reflectedXSSDisposition() > disposition) | 555 if (m_policies[i]->reflectedXSSDisposition() > disposition) |
(...skipping 322 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
868 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. | 878 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. |
869 return !m_violationReportsSent.contains(report.impl()->hash()); | 879 return !m_violationReportsSent.contains(report.impl()->hash()); |
870 } | 880 } |
871 | 881 |
872 void ContentSecurityPolicy::didSendViolationReport(const String& report) | 882 void ContentSecurityPolicy::didSendViolationReport(const String& report) |
873 { | 883 { |
874 m_violationReportsSent.add(report.impl()->hash()); | 884 m_violationReportsSent.add(report.impl()->hash()); |
875 } | 885 } |
876 | 886 |
877 } // namespace blink | 887 } // namespace blink |
OLD | NEW |