Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1001)

Unified Diff: Source/core/frame/csp/CSPDirectiveList.cpp

Issue 570563003: Implement CSP check for manifest fetching (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: Rebased Created 6 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: Source/core/frame/csp/CSPDirectiveList.cpp
diff --git a/Source/core/frame/csp/CSPDirectiveList.cpp b/Source/core/frame/csp/CSPDirectiveList.cpp
index b27df1588cfc263a34456f7421e411a42fee0637..31421611b5d55480bf0bdc59c5e1c966cea1051e 100644
--- a/Source/core/frame/csp/CSPDirectiveList.cpp
+++ b/Source/core/frame/csp/CSPDirectiveList.cpp
@@ -9,6 +9,7 @@
#include "core/frame/LocalFrame.h"
#include "core/inspector/ConsoleMessage.h"
#include "platform/ParsingUtilities.h"
+#include "platform/RuntimeEnabledFeatures.h"
#include "platform/weborigin/KURL.h"
#include "wtf/text/WTFString.h"
@@ -207,6 +208,8 @@ bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct
prefix = "Refused to load the image '";
else if (ContentSecurityPolicy::MediaSrc == effectiveDirective)
prefix = "Refused to load media from '";
+ else if (ContentSecurityPolicy::ManifestSrc == effectiveDirective)
+ prefix = "Refused to load manifest from '";
else if (ContentSecurityPolicy::ObjectSrc == effectiveDirective)
prefix = "Refused to load plugin data from '";
else if (ContentSecurityPolicy::ScriptSrc == effectiveDirective)
@@ -345,6 +348,13 @@ bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPoli
checkSource(operativeDirective(m_mediaSrc.get()), url);
}
+bool CSPDirectiveList::allowManifestFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+ return reportingStatus == ContentSecurityPolicy::SendReport ?
+ checkSourceAndReportViolation(operativeDirective(m_manifestSrc.get()), url, ContentSecurityPolicy::ManifestSrc) :
+ checkSource(operativeDirective(m_manifestSrc.get()), url);
+}
+
bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
return reportingStatus == ContentSecurityPolicy::SendReport ?
@@ -675,6 +685,8 @@ void CSPDirectiveList::addDirective(const String& name, const String& value)
setCSPDirective<SourceListDirective>(name, value, m_formAction);
else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes))
setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
+ else if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc))
+ setCSPDirective<SourceListDirective>(name, value, m_manifestSrc);
else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS))
parseReflectedXSS(name, value);
else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer))

Powered by Google App Engine
This is Rietveld 408576698