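--- a/core/frame/csp/CSPDirectiveList.cpp
+++ b/core/frame/csp/CSPDirectiveList.cpp
@@ -1,36 +1,37 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "config.h"
 #include "core/frame/csp/CSPDirectiveList.h"
 
 #include "core/dom/Document.h"
 #include "core/frame/LocalFrame.h"
 #include "core/inspector/ConsoleMessage.h"
 #include "platform/ParsingUtilities.h"
 #include "platform/RuntimeEnabledFeatures.h"
 #include "platform/weborigin/KURL.h"
 #include "wtf/text/WTFString.h"
 
 namespace blink {
 
 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurityPolicyHeaderType type, ContentSecurityPolicyHeaderSource source)
     : m_policy(policy)
     , m_headerType(type)
     , m_headerSource(source)
     , m_reportOnly(false)
     , m_haveSandboxPolicy(false)
     , m_reflectedXSSDisposition(ReflectedXSSUnset)
     , m_didSetReferrerPolicy(false)
     , m_referrerPolicy(ReferrerPolicyDefault)
+    , m_strictMixedContentCheckingEnforced(false)
 {
     m_reportOnly = type == ContentSecurityPolicyHeaderTypeReport;
 }
 
 PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* policy, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType type, ContentSecurityPolicyHeaderSource source)
 {
     OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy, type, source));
     directives->parse(begin, end);
 
     if (!directives->checkEval(directives->operativeDirective(directives->m_scriptSrc.get()))) {
@@ -533,20 +534,36 @@
         m_policy->reportDuplicateDirective(name);
         return;
     }
     m_haveSandboxPolicy = true;
     String invalidTokens;
     m_policy->enforceSandboxFlags(parseSandboxPolicy(sandboxPolicy, invalidTokens));
     if (!invalidTokens.isNull())
         m_policy->reportInvalidSandboxFlags(invalidTokens);
 }
 
+void CSPDirectiveList::enforceStrictMixedContentChecking(const String& name, const String& value)
+{
+    if (m_reportOnly) {
+        m_policy->reportInvalidInReportOnly(name);
+        return;
+    }
+    if (m_strictMixedContentCheckingEnforced) {
+        m_policy->reportDuplicateDirective(name);
+        return;
+    }
+    m_strictMixedContentCheckingEnforced = true;
+    m_policy->enforceStrictMixedContentChecking();
+    if (!value.isEmpty())
+        m_policy->reportValueForEmptyDirective(name, value);
+}
+
 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value)
 {
     if (m_reflectedXSSDisposition != ReflectedXSSUnset) {
         m_policy->reportDuplicateDirective(name);
         m_reflectedXSSDisposition = ReflectedXSSInvalid;
         return;
     }
 
     if (value.isEmpty()) {
         m_reflectedXSSDisposition = ReflectedXSSInvalid;
@@ -681,19 +698,21 @@
         setCSPDirective<SourceListDirective>(name, value, m_formAction);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes)) {
         setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) {
         parseReflectedXSS(name, value);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) {
         parseReferrer(name, value);
     } else if (m_policy->experimentalFeaturesEnabled()) {
         if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc))
             setCSPDirective<SourceListDirective>(name, value, m_manifestSrc);
+        else if (equalIgnoringCase(name, ContentSecurityPolicy::StrictMixedContentChecking))
+            enforceStrictMixedContentChecking(name, value);
         else
             m_policy->reportUnsupportedDirective(name);
     } else {
         m_policy->reportUnsupportedDirective(name);
     }
 }
 
 
 } // namespace blink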
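Review bot: `CSPDirectiveList::enforceStrictMixedContentChecking` (new lines 544-558) carries no comment on its one non-obvious decision, the report-only early return: it returns before `m_strictMixedContentCheckingEnforced` is set, so under a report-only header the directive has no effect at all and a repeated occurrence is reported as invalid-in-report-only again rather than as a duplicate. I would add above the definition: `// Enforcement-only directive: there is no violation to report under a report-only header, so it is rejected without being recorded. It takes no value; a value is reported but does not cancel enforcement.` Whether sandbox applies the same report-only rule cannot be seen here (its report-only check, if any, precedes the visible hunk), so if it does, saying so in the comment would make the parallel explicit. The directive is also reachable only through the `experimentalFeaturesEnabled()` arm of the dispatch chain in the third hunk (new line 708, whose enclosing function starts outside the hunk), so on a build without experimental features a header carrying it gets `reportUnsupportedDirective` and no enforcement; that fallback is worth one line in the same comment.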