1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
26 #include "config.h" | 26 #include "config.h" |
27 #include "core/frame/csp/ContentSecurityPolicy.h" | 27 #include "core/frame/csp/ContentSecurityPolicy.h" |
28 | 28 |
29 #include "bindings/core/v8/ScriptCallStackFactory.h" | 29 #include "bindings/core/v8/ScriptCallStackFactory.h" |
30 #include "bindings/core/v8/ScriptController.h" | 30 #include "bindings/core/v8/ScriptController.h" |
31 #include "core/dom/DOMStringList.h" | 31 #include "core/dom/DOMStringList.h" |
32 #include "core/dom/Document.h" | 32 #include "core/dom/Document.h" |
33 #include "core/events/SecurityPolicyViolationEvent.h" | 33 #include "core/events/SecurityPolicyViolationEvent.h" |
34 #include "core/frame/LocalDOMWindow.h" | 34 #include "core/frame/LocalDOMWindow.h" |
35 #include "core/frame/LocalFrame.h" | 35 #include "core/frame/LocalFrame.h" |
| 36 #include "core/frame/Settings.h" |
36 #include "core/frame/UseCounter.h" | 37 #include "core/frame/UseCounter.h" |
37 #include "core/frame/csp/CSPDirectiveList.h" | 38 #include "core/frame/csp/CSPDirectiveList.h" |
38 #include "core/frame/csp/CSPSource.h" | 39 #include "core/frame/csp/CSPSource.h" |
39 #include "core/frame/csp/CSPSourceList.h" | 40 #include "core/frame/csp/CSPSourceList.h" |
40 #include "core/frame/csp/MediaListDirective.h" | 41 #include "core/frame/csp/MediaListDirective.h" |
41 #include "core/frame/csp/SourceListDirective.h" | 42 #include "core/frame/csp/SourceListDirective.h" |
42 #include "core/inspector/ConsoleMessage.h" | 43 #include "core/inspector/ConsoleMessage.h" |
43 #include "core/inspector/InspectorInstrumentation.h" | 44 #include "core/inspector/InspectorInstrumentation.h" |
44 #include "core/inspector/ScriptCallStack.h" | 45 #include "core/inspector/ScriptCallStack.h" |
45 #include "core/loader/DocumentLoader.h" | 46 #include "core/loader/DocumentLoader.h" |
651 LocalFrame* frame = document->frame(); | 652 LocalFrame* frame = document->frame(); |
652 if (!frame) | 653 if (!frame) |
653 return; | 654 return; |
654 | 655 |
655 SecurityPolicyViolationEventInit violationData; | 656 SecurityPolicyViolationEventInit violationData; |
656 gatherSecurityPolicyViolationEventData(violationData, document, directiveTex
t, effectiveDirective, blockedURL, header); | 657 gatherSecurityPolicyViolationEventData(violationData, document, directiveTex
t, effectiveDirective, blockedURL, header); |
657 | 658 |
658 if (experimentalFeaturesEnabled()) | 659 if (experimentalFeaturesEnabled()) |
659 frame->domWindow()->enqueueDocumentEvent(SecurityPolicyViolationEvent::c
reate(EventTypeNames::securitypolicyviolation, violationData)); | 660 frame->domWindow()->enqueueDocumentEvent(SecurityPolicyViolationEvent::c
reate(EventTypeNames::securitypolicyviolation, violationData)); |
660 | 661 |
661 if (reportEndpoints.isEmpty()) | 662 if (!document->settings()->CSPViolationReportsEnabled() || reportEndpoints.i
sEmpty()) |
662 return; | 663 return; |
663 | 664 |
664 // We need to be careful here when deciding what information to send to the | 665 // We need to be careful here when deciding what information to send to the |
665 // report-uri. Currently, we send only the current document's URL and the | 666 // report-uri. Currently, we send only the current document's URL and the |
666 // directive that was violated. The document's URL is safe to send because | 667 // directive that was violated. The document's URL is safe to send because |
667 // it's the document itself that's requesting that it be sent. You could | 668 // it's the document itself that's requesting that it be sent. You could |
668 // make an argument that we shouldn't send HTTPS document URLs to HTTP | 669 // make an argument that we shouldn't send HTTPS document URLs to HTTP |
669 // report-uris (for the same reasons that we supress the Referer in that | 670 // report-uris (for the same reasons that we supress the Referer in that |
670 // case), but the Referer is sent implicitly whereas this request is only | 671 // case), but the Referer is sent implicitly whereas this request is only |
671 // sent explicitly. As for which directive was violated, that's pretty | 672 // sent explicitly. As for which directive was violated, that's pretty |
868 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. | 869 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. |
869 return !m_violationReportsSent.contains(report.impl()->hash()); | 870 return !m_violationReportsSent.contains(report.impl()->hash()); |
870 } | 871 } |
871 | 872 |
872 void ContentSecurityPolicy::didSendViolationReport(const String& report) | 873 void ContentSecurityPolicy::didSendViolationReport(const String& report) |
873 { | 874 { |
874 m_violationReportsSent.add(report.impl()->hash()); | 875 m_violationReportsSent.add(report.impl()->hash()); |
875 } | 876 } |
876 | 877 |
877 } // namespace blink | 878 } // namespace blink |
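Review bot: The new condition at line 662 dereferences `document->settings()` without a null test; the `frame` guard on lines 653–654 rules out a null frame but, as far as this hunk shows, not a null `Settings` pointer (I believe `Document::settings()` in Blink returns null when the frame has no host, so this would be a crash rather than a skipped report on that path — worth confirming against the accessor). I would split it as `Settings* settings = document->settings();` / `if ((settings && !settings->CSPViolationReportsEnabled()) || reportEndpoints.isEmpty())` / `    return;`, which preserves the pre-change behaviour of still sending the report when no Settings object is available; if dropping the report in that case is the intended fail-closed choice, invert the test but say so in a comment. It also deserves a one-line note that this setting only suppresses the report-uri upload, since the `securitypolicyviolation` DOM event on lines 659–660 is still dispatched when reports are disabled, e.g. `// Embedder setting gates report-uri delivery only; the DOM event above still fires.` The enclosing function starts outside this hunk.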