| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/common/csp_validator.h" | 5 #include "extensions/common/csp_validator.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/strings/string_split.h" | 9 #include "base/strings/string_split.h" |
| 10 #include "base/strings/string_tokenizer.h" | 10 #include "base/strings/string_tokenizer.h" |
| (...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 47 bool should_check_rcd) { | 47 bool should_check_rcd) { |
| 48 if (!StartsWithASCII(url, scheme_and_separator, true)) | 48 if (!StartsWithASCII(url, scheme_and_separator, true)) |
| 49 return false; | 49 return false; |
| 50 | 50 |
| 51 size_t start_of_host = scheme_and_separator.length(); | 51 size_t start_of_host = scheme_and_separator.length(); |
| 52 | 52 |
| 53 size_t end_of_host = url.find("/", start_of_host); | 53 size_t end_of_host = url.find("/", start_of_host); |
| 54 if (end_of_host == std::string::npos) | 54 if (end_of_host == std::string::npos) |
| 55 end_of_host = url.size(); | 55 end_of_host = url.size(); |
| 56 | 56 |
| 57 // A missing host such as "chrome-extension://" is invalid, but for backwards- |
| 58 // compatibility, accept such CSP parts. They will be ignored by Blink anyway. |
| 59 // TODO(robwu): Remove this special case once crbug.com/434773 is fixed. |
| 60 if (start_of_host == end_of_host) |
| 61 return true; |
| 62 |
| 57 // Note: It is sufficient to only compare the first character against '*' | 63 // Note: It is sufficient to only compare the first character against '*' |
| 58 // because the CSP only allows wildcards at the start of a directive, see | 64 // because the CSP only allows wildcards at the start of a directive, see |
| 59 // host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax | 65 // host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax |
| 60 bool is_wildcard_subdomain = end_of_host > start_of_host + 2 && | 66 bool is_wildcard_subdomain = end_of_host > start_of_host + 2 && |
| 61 url[start_of_host] == '*' && url[start_of_host + 1] == '.'; | 67 url[start_of_host] == '*' && url[start_of_host + 1] == '.'; |
| 62 if (is_wildcard_subdomain) | 68 if (is_wildcard_subdomain) |
| 63 start_of_host += 2; | 69 start_of_host += 2; |
| 64 | 70 |
| 65 size_t start_of_port = url.rfind(":", end_of_host); | 71 size_t start_of_port = url.rfind(":", end_of_host); |
| 66 // The ":" check at the end of the following condition is used to avoid | 72 // The ":" check at the end of the following condition is used to avoid |
| (...skipping 175 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 242 } | 248 } |
| 243 } | 249 } |
| 244 } | 250 } |
| 245 | 251 |
| 246 return seen_sandbox; | 252 return seen_sandbox; |
| 247 } | 253 } |
| 248 | 254 |
| 249 } // namespace csp_validator | 255 } // namespace csp_validator |
| 250 | 256 |
| 251 } // namespace extensions | 257 } // namespace extensions |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 722233004:
Accept invalid chrome-extension:// and chrome:// CSP tokens (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master