Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1029)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/frame/csp/CSPDirectiveList.cpp

Issue 570563003: Implement CSP check for manifest fetching (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Fixed comments and added tests Created 6 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « Source/core/frame/csp/CSPDirectiveList.h ('k') | Source/core/frame/csp/ContentSecurityPolicy.h » ('j') | Source/platform/RuntimeEnabledFeatures.in » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/frame/csp/CSPDirectiveList.cpp
diff --git a/Source/core/frame/csp/CSPDirectiveList.cpp b/Source/core/frame/csp/CSPDirectiveList.cpp
index b27df1588cfc263a34456f7421e411a42fee0637..1d33e3e7977fb64abf487378ca908c63b248d33b 100644
--- a/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -9,6 +9,7 @@
#include "core/frame/LocalFrame.h"
#include "core/inspector/ConsoleMessage.h"
#include "platform/ParsingUtilities.h"
+#include "platform/RuntimeEnabledFeatures.h"
#include "platform/weborigin/KURL.h"
#include "wtf/text/WTFString.h"
@@ -207,6 +208,8 @@ bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct
prefix = "Refused to load the image '";
else if (ContentSecurityPolicy::MediaSrc == effectiveDirective)
prefix = "Refused to load media from '";
+ else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective)
+ prefix = "Refused to load manifest from '";
else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective)
prefix = "Refused to load plugin data from '";
else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective)
@@ -345,6 +348,13 @@ bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli
checkSource(operativeDirective(m_mediaSrc.get()), url);
}
+bool CSPDirectiveList::allowManifestFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+ return reportingStatus == ContentSecurityPolicy::SendReport ?
+ checkSourceAndReportViolation(operativeDirective(m_manifestSrc.get()), url, ContentSecurityPolicy::ManifestSrc) :
+ checkSource(operativeDirective(m_manifestSrc.get()), url);
+}
+
bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
return reportingStatus == ContentSecurityPolicy::SendReport ?
@@ -660,6 +670,9 @@ void CSPDirectiveList::addDirective(const String& name, const String& value)
setCSPDirective<SourceListDirective>(name, value, m_fontSrc);
} else if (equalIgnoringCase(name, ContentSecurityPolicy::MediaSrc)) {
setCSPDirective<SourceListDirective>(name, value, m_mediaSrc);
+ } else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)
+ && RuntimeEnabledFeatures::manifestEnabled()) {
+ setCSPDirective<SourceListDirective>(name, value, m_manifestSrc);
} else if (equalIgnoringCase(name, ContentSecurityPolicy::ConnectSrc)) {
setCSPDirective<SourceListDirective>(name, value, m_connectSrc);
} else if (equalIgnoringCase(name, ContentSecurityPolicy::Sandbox)) {
« no previous file with comments | « Source/core/frame/csp/CSPDirectiveList.h ('k') | Source/core/frame/csp/ContentSecurityPolicy.h » ('j') | Source/platform/RuntimeEnabledFeatures.in » ('J')

Powered by Google App Engine
This is Rietveld 408576698