| 1 /* | 1 /* |
| 2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| 55 class KURL; | 55 class KURL; |
| 56 class SecurityOrigin; | 56 class SecurityOrigin; |
| 57 | 57 |
| 58 typedef int SandboxFlags; | 58 typedef int SandboxFlags; |
| 59 typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector; | 59 typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector; |
| 60 typedef WillBePersistentHeapVector<RefPtrWillBeMember<ConsoleMessage> > ConsoleM
essageVector; | 60 typedef WillBePersistentHeapVector<RefPtrWillBeMember<ConsoleMessage> > ConsoleM
essageVector; |
| 61 | 61 |
| 62 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> { | 62 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> { |
| 63 WTF_MAKE_FAST_ALLOCATED; | 63 WTF_MAKE_FAST_ALLOCATED; |
| 64 public: | 64 public: |
| 65 // CSP 1.0 Directives | 65 // CSP Level 1 Directives |
| 66 static const char ConnectSrc[]; | 66 static const char ConnectSrc[]; |
| 67 static const char DefaultSrc[]; | 67 static const char DefaultSrc[]; |
| 68 static const char FontSrc[]; | 68 static const char FontSrc[]; |
| 69 static const char FrameSrc[]; | 69 static const char FrameSrc[]; |
| 70 static const char ImgSrc[]; | 70 static const char ImgSrc[]; |
| 71 static const char MediaSrc[]; | 71 static const char MediaSrc[]; |
| 72 static const char ObjectSrc[]; | 72 static const char ObjectSrc[]; |
| 73 static const char ReportURI[]; | 73 static const char ReportURI[]; |
| 74 static const char Sandbox[]; | 74 static const char Sandbox[]; |
| 75 static const char ScriptSrc[]; | 75 static const char ScriptSrc[]; |
| 76 static const char StyleSrc[]; | 76 static const char StyleSrc[]; |
| 77 | 77 |
| 78 // CSP Level 2 Directives | 78 // CSP Level 2 Directives |
| 79 static const char BaseURI[]; | 79 static const char BaseURI[]; |
| 80 static const char ChildSrc[]; | 80 static const char ChildSrc[]; |
| 81 static const char FormAction[]; | 81 static const char FormAction[]; |
| 82 static const char FrameAncestors[]; | 82 static const char FrameAncestors[]; |
| 83 static const char PluginTypes[]; | 83 static const char PluginTypes[]; |
| 84 static const char ReflectedXSS[]; | 84 static const char ReflectedXSS[]; |
| 85 static const char Referrer[]; | 85 static const char Referrer[]; |
| 86 | 86 |
| 87 // Manifest Directives (to be merged into CSP Level 2) | 87 // Manifest Directives (to be merged into CSP Level 2) |
| 88 // https://w3c.github.io/manifest/#content-security-policy | 88 // https://w3c.github.io/manifest/#content-security-policy |
| 89 static const char ManifestSrc[]; | 89 static const char ManifestSrc[]; |
| 90 | 90 |
| 91 // Mixed Content Directive |
| 92 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode |
| 93 static const char StrictMixedContentChecking[]; |
| 94 |
| 91 enum ReportingStatus { | 95 enum ReportingStatus { |
| 92 SendReport, | 96 SendReport, |
| 93 SuppressReport | 97 SuppressReport |
| 94 }; | 98 }; |
| 95 | 99 |
| 96 static PassRefPtr<ContentSecurityPolicy> create() | 100 static PassRefPtr<ContentSecurityPolicy> create() |
| 97 { | 101 { |
| 98 return adoptRef(new ContentSecurityPolicy()); | 102 return adoptRef(new ContentSecurityPolicy()); |
| 99 } | 103 } |
| 100 ~ContentSecurityPolicy(); | 104 ~ContentSecurityPolicy(); |
| 168 void reportInvalidPluginTypes(const String&); | 172 void reportInvalidPluginTypes(const String&); |
| 169 void reportInvalidSandboxFlags(const String&); | 173 void reportInvalidSandboxFlags(const String&); |
| 170 void reportInvalidSourceExpression(const String& directiveName, const String
& source); | 174 void reportInvalidSourceExpression(const String& directiveName, const String
& source); |
| 171 void reportInvalidReflectedXSS(const String&); | 175 void reportInvalidReflectedXSS(const String&); |
| 172 void reportMissingReportURI(const String&); | 176 void reportMissingReportURI(const String&); |
| 173 void reportUnsupportedDirective(const String&); | 177 void reportUnsupportedDirective(const String&); |
| 174 void reportInvalidInReportOnly(const String&); | 178 void reportInvalidInReportOnly(const String&); |
| 175 void reportInvalidReferrer(const String&); | 179 void reportInvalidReferrer(const String&); |
| 176 void reportReportOnlyInMeta(const String&); | 180 void reportReportOnlyInMeta(const String&); |
| 177 void reportMetaOutsideHead(const String&); | 181 void reportMetaOutsideHead(const String&); |
| 182 void reportValueForEmptyDirective(const String& directiveName, const String&
value); |
| 178 | 183 |
| 179 // If a frame is passed in, the report will be sent using it as a context. I
f no frame is | 184 // If a frame is passed in, the report will be sent using it as a context. I
f no frame is |
| 180 // passed in, the report will be sent via this object's |m_executionContext|
(or dropped | 185 // passed in, the report will be sent via this object's |m_executionContext|
(or dropped |
| 181 // on the floor if no such context is available). | 186 // on the floor if no such context is available). |
| 182 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL, const Vector<Strin
g>& reportEndpoints, const String& header, LocalFrame* = 0); | 187 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL, const Vector<Strin
g>& reportEndpoints, const String& header, LocalFrame* = 0); |
| 183 | 188 |
| 184 void reportBlockedScriptExecutionToInspector(const String& directiveText) co
nst; | 189 void reportBlockedScriptExecutionToInspector(const String& directiveText) co
nst; |
| 185 | 190 |
| 186 const KURL url() const; | 191 const KURL url() const; |
| 187 void enforceSandboxFlags(SandboxFlags); | 192 void enforceSandboxFlags(SandboxFlags); |
| 193 void enforceStrictMixedContentChecking(); |
| 188 String evalDisabledErrorMessage() const; | 194 String evalDisabledErrorMessage() const; |
| 189 | 195 |
| 190 bool urlMatchesSelf(const KURL&) const; | 196 bool urlMatchesSelf(const KURL&) const; |
| 191 bool protocolMatchesSelf(const KURL&) const; | 197 bool protocolMatchesSelf(const KURL&) const; |
| 192 | 198 |
| 193 bool experimentalFeaturesEnabled() const; | 199 bool experimentalFeaturesEnabled() const; |
| 194 | 200 |
| 195 static bool shouldBypassMainWorld(const ExecutionContext*); | 201 static bool shouldBypassMainWorld(const ExecutionContext*); |
| 196 | 202 |
| 197 static bool isDirectiveName(const String&); | 203 static bool isDirectiveName(const String&); |
| 219 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; | 225 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; |
| 220 | 226 |
| 221 // We put the hash functions used on the policy object so that we only need | 227 // We put the hash functions used on the policy object so that we only need |
| 222 // to calculate a hash once and then distribute it to all of the directives | 228 // to calculate a hash once and then distribute it to all of the directives |
| 223 // for validation. | 229 // for validation. |
| 224 uint8_t m_scriptHashAlgorithmsUsed; | 230 uint8_t m_scriptHashAlgorithmsUsed; |
| 225 uint8_t m_styleHashAlgorithmsUsed; | 231 uint8_t m_styleHashAlgorithmsUsed; |
| 226 | 232 |
| 227 // State flags used to configure the environment after parsing a policy. | 233 // State flags used to configure the environment after parsing a policy. |
| 228 SandboxFlags m_sandboxMask; | 234 SandboxFlags m_sandboxMask; |
| 235 bool m_enforceStrictMixedContentChecking; |
| 229 ReferrerPolicy m_referrerPolicy; | 236 ReferrerPolicy m_referrerPolicy; |
| 230 String m_disableEvalErrorMessage; | 237 String m_disableEvalErrorMessage; |
| 231 | 238 |
| 232 OwnPtr<CSPSource> m_selfSource; | 239 OwnPtr<CSPSource> m_selfSource; |
| 233 String m_selfProtocol; | 240 String m_selfProtocol; |
| 234 }; | 241 }; |
| 235 | 242 |
| 236 } | 243 } |
| 237 | 244 |
| 238 #endif | 245 #endif |
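Review bot: The new `m_enforceStrictMixedContentChecking` member (new line 235) is a plain `bool` with no in-class initializer, so unless the constructor — which lies outside this hunk — adds it to its initializer list, a freshly created policy object carries an indeterminate value and mixed-content enforcement becomes nondeterministic; please confirm the ctor was updated, since the header alone cannot show it. The hunk also exposes only the setter `enforceStrictMixedContentChecking()` (new line 193) next to `enforceSandboxFlags`; the accessor a mixed-content checker would consult is not visible here, so if it is not among the skipped lines 105-171 it should be added alongside. As with `sandbox`, which `reportInvalidInReportOnly` already exists to reject in report-only mode, this flag presumably must only be set from an enforced policy, and because there is no argument and no clearing method it stays set for the object's lifetime; I would state that on the setter: `// Set when an enforced (not report-only) policy carries strict-mixed-content-checking; never cleared once set.`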