Side by Side Diff: Source/core/frame/csp/ContentSecurityPolicy.h

Issue 811773002: Mixed Content: Implement strict mode. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Tests. Created 6 years ago
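--- a/Source/core/frame/csp/ContentSecurityPolicy.h
+++ b/Source/core/frame/csp/ContentSecurityPolicy.h
@@ -1,10 +1,10 @@
 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ -55,46 +55,50 @@
 class KURL;
 class SecurityOrigin;
 
 typedef int SandboxFlags;
 typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector;
 typedef WillBePersistentHeapVector<RefPtrWillBeMember<ConsoleMessage> > ConsoleMessageVector;
 
 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> {
     WTF_MAKE_FAST_ALLOCATED;
 public:
-    // CSP 1.0 Directives
+    // CSP Level 1 Directives
     static const char ConnectSrc[];
     static const char DefaultSrc[];
     static const char FontSrc[];
     static const char FrameSrc[];
     static const char ImgSrc[];
     static const char MediaSrc[];
     static const char ObjectSrc[];
     static const char ReportURI[];
     static const char Sandbox[];
     static const char ScriptSrc[];
     static const char StyleSrc[];
 
     // CSP Level 2 Directives
     static const char BaseURI[];
     static const char ChildSrc[];
     static const char FormAction[];
     static const char FrameAncestors[];
     static const char PluginTypes[];
     static const char ReflectedXSS[];
     static const char Referrer[];
 
     // Manifest Directives (to be merged into CSP Level 2)
     // https://w3c.github.io/manifest/#content-security-policy
     static const char ManifestSrc[];
 
+    // Mixed Content Directive
+    // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode
+    static const char StrictMixedContentChecking[];
+
     enum ReportingStatus {
         SendReport,
         SuppressReport
     };
 
     static PassRefPtr<ContentSecurityPolicy> create()
     {
         return adoptRef(new ContentSecurityPolicy());
     }
     ~ContentSecurityPolicy();
@@ -168,30 +172,32 @@
     void reportInvalidPluginTypes(const String&);
     void reportInvalidSandboxFlags(const String&);
     void reportInvalidSourceExpression(const String& directiveName, const String& source);
     void reportInvalidReflectedXSS(const String&);
     void reportMissingReportURI(const String&);
     void reportUnsupportedDirective(const String&);
     void reportInvalidInReportOnly(const String&);
     void reportInvalidReferrer(const String&);
     void reportReportOnlyInMeta(const String&);
     void reportMetaOutsideHead(const String&);
+    void reportValueForEmptyDirective(const String& directiveName, const String& value);
 
     // If a frame is passed in, the report will be sent using it as a context. If no frame is
     // passed in, the report will be sent via this object's |m_executionContext| (or dropped
     // on the floor if no such context is available).
     void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<String>& reportEndpoints, const String& header, LocalFrame* = 0);
 
     void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
 
     const KURL url() const;
     void enforceSandboxFlags(SandboxFlags);
+    void enforceStrictMixedContentChecking();
     String evalDisabledErrorMessage() const;
 
     bool urlMatchesSelf(const KURL&) const;
     bool protocolMatchesSelf(const KURL&) const;
 
     bool experimentalFeaturesEnabled() const;
 
     static bool shouldBypassMainWorld(const ExecutionContext*);
 
     static bool isDirectiveName(const String&);
@@ -219,20 +225,21 @@
     HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
 
     // We put the hash functions used on the policy object so that we only need
     // to calculate a hash once and then distribute it to all of the directives
     // for validation.
     uint8_t m_scriptHashAlgorithmsUsed;
     uint8_t m_styleHashAlgorithmsUsed;
 
     // State flags used to configure the environment after parsing a policy.
     SandboxFlags m_sandboxMask;
+    bool m_enforceStrictMixedContentChecking;
     ReferrerPolicy m_referrerPolicy;
     String m_disableEvalErrorMessage;
 
     OwnPtr<CSPSource> m_selfSource;
     String m_selfProtocol;
 };
 
 }
 
 #endif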
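Review bot: `bool m_enforceStrictMixedContentChecking;` (new line 235) is added with no in-class initializer and no comment, so its default depends entirely on the constructor in ContentSecurityPolicy.cpp, which this section does not show; if that constructor is not updated the flag holds an indeterminate value and a page that asked for strict checking may silently not get it. The header declares the setter `enforceStrictMixedContentChecking()` (new line 193) but no accessor for the flag, so presumably it is propagated to the execution context the same way `m_sandboxMask` is, but that is inferred rather than visible here. A one-line comment on the member would make the contract explicit, e.g. `// Whether a parsed policy requested strict mixed content checking; must be initialized to false in the constructor so strict mode stays opt-in.` The new constant `StrictMixedContentChecking[]` (new line 93) could likewise state which directive string it names, since its value lives in the .cpp.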