| OLD | NEW |
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/common/csp_validator.h" | 5 #include "extensions/common/csp_validator.h" |
| 6 | 6 |
| 7 #include <vector> | 7 #include <vector> |
| 8 | 8 |
| 9 #include "base/strings/string_split.h" | 9 #include "base/strings/string_split.h" |
| 10 #include "base/strings/string_tokenizer.h" | 10 #include "base/strings/string_tokenizer.h" |
| 47 bool should_check_rcd) { | 47 bool should_check_rcd) { |
| 48 if (!StartsWithASCII(url, scheme_and_separator, true)) | 48 if (!StartsWithASCII(url, scheme_and_separator, true)) |
| 49 return false; | 49 return false; |
| 50 | 50 |
| 51 size_t start_of_host = scheme_and_separator.length(); | 51 size_t start_of_host = scheme_and_separator.length(); |
| 52 | 52 |
| 53 size_t end_of_host = url.find("/", start_of_host); | 53 size_t end_of_host = url.find("/", start_of_host); |
| 54 if (end_of_host == std::string::npos) | 54 if (end_of_host == std::string::npos) |
| 55 end_of_host = url.size(); | 55 end_of_host = url.size(); |
| 56 | 56 |
| 57 // A missing host such as "chrome-extension://" is invalid, but for backwards- | |
| 58 // compatibility, accept such CSP parts. They will be ignored by Blink anyway. | |
| 59 if (start_of_host == end_of_host) | |
| 60 return true; | |
| 61 | |
| 62 // Note: It is sufficient to only compare the first character against '*' | 57 // Note: It is sufficient to only compare the first character against '*' |
| 63 // because the CSP only allows wildcards at the start of a directive, see | 58 // because the CSP only allows wildcards at the start of a directive, see |
| 64 // host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax | 59 // host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax |
| 65 bool is_wildcard_subdomain = end_of_host > start_of_host + 2 && | 60 bool is_wildcard_subdomain = end_of_host > start_of_host + 2 && |
| 66 url[start_of_host] == '*' && url[start_of_host + 1] == '.'; | 61 url[start_of_host] == '*' && url[start_of_host + 1] == '.'; |
| 67 if (is_wildcard_subdomain) | 62 if (is_wildcard_subdomain) |
| 68 start_of_host += 2; | 63 start_of_host += 2; |
| 69 | 64 |
| 70 size_t start_of_port = url.rfind(":", end_of_host); | 65 size_t start_of_port = url.rfind(":", end_of_host); |
| 71 // The ":" check at the end of the following condition is used to avoid | 66 // The ":" check at the end of the following condition is used to avoid |
| 247 } | 242 } |
| 248 } | 243 } |
| 249 } | 244 } |
| 250 | 245 |
| 251 return seen_sandbox; | 246 return seen_sandbox; |
| 252 } | 247 } |
| 253 | 248 |
| 254 } // namespace csp_validator | 249 } // namespace csp_validator |
| 255 | 250 |
| 256 } // namespace extensions | 251 } // namespace extensions |
| OLD | NEW |
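Review bot: With the `start_of_host == end_of_host` early return removed, a hostless source such as `chrome-extension://` now falls through to `url.rfind(":", end_of_host)`, and nothing in the visible lines says how that case is meant to end. For that input the `:` found by `rfind` is the scheme's own, at an index below `start_of_host`, so the result depends on the port and host checks further down; the function starts before and continues past the lines shown, so this cannot be confirmed from here. The removed comment said such parts were accepted for backwards compatibility, so please pin the new outcome with a unit test for the hostless case. Assuming rejection is intended, a short comment where the empty host is handled would also help, e.g. `// A missing host such as "chrome-extension://" is rejected.`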