OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 44 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
55 class KURL; | 55 class KURL; |
56 class SecurityOrigin; | 56 class SecurityOrigin; |
57 | 57 |
58 typedef int SandboxFlags; | 58 typedef int SandboxFlags; |
59 typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector; | 59 typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector; |
60 typedef WillBePersistentHeapVector<RefPtrWillBeMember<ConsoleMessage> > ConsoleM
essageVector; | 60 typedef WillBePersistentHeapVector<RefPtrWillBeMember<ConsoleMessage> > ConsoleM
essageVector; |
61 | 61 |
62 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> { | 62 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> { |
63 WTF_MAKE_FAST_ALLOCATED; | 63 WTF_MAKE_FAST_ALLOCATED; |
64 public: | 64 public: |
65 // CSP 1.0 Directives | 65 // CSP Level 1 Directives |
66 static const char ConnectSrc[]; | 66 static const char ConnectSrc[]; |
67 static const char DefaultSrc[]; | 67 static const char DefaultSrc[]; |
68 static const char FontSrc[]; | 68 static const char FontSrc[]; |
69 static const char FrameSrc[]; | 69 static const char FrameSrc[]; |
70 static const char ImgSrc[]; | 70 static const char ImgSrc[]; |
71 static const char MediaSrc[]; | 71 static const char MediaSrc[]; |
72 static const char ObjectSrc[]; | 72 static const char ObjectSrc[]; |
73 static const char ReportURI[]; | 73 static const char ReportURI[]; |
74 static const char Sandbox[]; | 74 static const char Sandbox[]; |
75 static const char ScriptSrc[]; | 75 static const char ScriptSrc[]; |
76 static const char StyleSrc[]; | 76 static const char StyleSrc[]; |
77 | 77 |
78 // CSP Level 2 Directives | 78 // CSP Level 2 Directives |
79 static const char BaseURI[]; | 79 static const char BaseURI[]; |
80 static const char ChildSrc[]; | 80 static const char ChildSrc[]; |
81 static const char FormAction[]; | 81 static const char FormAction[]; |
82 static const char FrameAncestors[]; | 82 static const char FrameAncestors[]; |
83 static const char PluginTypes[]; | 83 static const char PluginTypes[]; |
84 static const char ReflectedXSS[]; | 84 static const char ReflectedXSS[]; |
85 static const char Referrer[]; | 85 static const char Referrer[]; |
86 | 86 |
87 // Manifest Directives (to be merged into CSP Level 2) | 87 // Manifest Directives (to be merged into CSP Level 2) |
88 // https://w3c.github.io/manifest/#content-security-policy | 88 // https://w3c.github.io/manifest/#content-security-policy |
89 static const char ManifestSrc[]; | 89 static const char ManifestSrc[]; |
90 | 90 |
| 91 // Mixed Content Directive |
| 92 // https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode |
| 93 static const char StrictMixedContentChecking[]; |
| 94 |
91 enum ReportingStatus { | 95 enum ReportingStatus { |
92 SendReport, | 96 SendReport, |
93 SuppressReport | 97 SuppressReport |
94 }; | 98 }; |
95 | 99 |
96 static PassRefPtr<ContentSecurityPolicy> create() | 100 static PassRefPtr<ContentSecurityPolicy> create() |
97 { | 101 { |
98 return adoptRef(new ContentSecurityPolicy()); | 102 return adoptRef(new ContentSecurityPolicy()); |
99 } | 103 } |
100 ~ContentSecurityPolicy(); | 104 ~ContentSecurityPolicy(); |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
168 void reportInvalidPluginTypes(const String&); | 172 void reportInvalidPluginTypes(const String&); |
169 void reportInvalidSandboxFlags(const String&); | 173 void reportInvalidSandboxFlags(const String&); |
170 void reportInvalidSourceExpression(const String& directiveName, const String
& source); | 174 void reportInvalidSourceExpression(const String& directiveName, const String
& source); |
171 void reportInvalidReflectedXSS(const String&); | 175 void reportInvalidReflectedXSS(const String&); |
172 void reportMissingReportURI(const String&); | 176 void reportMissingReportURI(const String&); |
173 void reportUnsupportedDirective(const String&); | 177 void reportUnsupportedDirective(const String&); |
174 void reportInvalidInReportOnly(const String&); | 178 void reportInvalidInReportOnly(const String&); |
175 void reportInvalidReferrer(const String&); | 179 void reportInvalidReferrer(const String&); |
176 void reportReportOnlyInMeta(const String&); | 180 void reportReportOnlyInMeta(const String&); |
177 void reportMetaOutsideHead(const String&); | 181 void reportMetaOutsideHead(const String&); |
| 182 void reportValueForEmptyDirective(const String& directiveName, const String&
value); |
178 | 183 |
179 // If a frame is passed in, the report will be sent using it as a context. I
f no frame is | 184 // If a frame is passed in, the report will be sent using it as a context. I
f no frame is |
180 // passed in, the report will be sent via this object's |m_executionContext|
(or dropped | 185 // passed in, the report will be sent via this object's |m_executionContext|
(or dropped |
181 // on the floor if no such context is available). | 186 // on the floor if no such context is available). |
182 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL, const Vector<Strin
g>& reportEndpoints, const String& header, LocalFrame* = 0); | 187 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL, const Vector<Strin
g>& reportEndpoints, const String& header, LocalFrame* = 0); |
183 | 188 |
184 void reportBlockedScriptExecutionToInspector(const String& directiveText) co
nst; | 189 void reportBlockedScriptExecutionToInspector(const String& directiveText) co
nst; |
185 | 190 |
186 const KURL url() const; | 191 const KURL url() const; |
187 void enforceSandboxFlags(SandboxFlags); | 192 void enforceSandboxFlags(SandboxFlags); |
| 193 void enforceStrictMixedContentChecking(); |
188 String evalDisabledErrorMessage() const; | 194 String evalDisabledErrorMessage() const; |
189 | 195 |
190 bool urlMatchesSelf(const KURL&) const; | 196 bool urlMatchesSelf(const KURL&) const; |
191 bool protocolMatchesSelf(const KURL&) const; | 197 bool protocolMatchesSelf(const KURL&) const; |
192 | 198 |
193 bool experimentalFeaturesEnabled() const; | 199 bool experimentalFeaturesEnabled() const; |
194 | 200 |
195 static bool shouldBypassMainWorld(const ExecutionContext*); | 201 static bool shouldBypassMainWorld(const ExecutionContext*); |
196 | 202 |
197 static bool isDirectiveName(const String&); | 203 static bool isDirectiveName(const String&); |
(...skipping 21 matching lines...) Expand all Loading... |
219 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; | 225 HashSet<unsigned, AlreadyHashed> m_violationReportsSent; |
220 | 226 |
221 // We put the hash functions used on the policy object so that we only need | 227 // We put the hash functions used on the policy object so that we only need |
222 // to calculate a hash once and then distribute it to all of the directives | 228 // to calculate a hash once and then distribute it to all of the directives |
223 // for validation. | 229 // for validation. |
224 uint8_t m_scriptHashAlgorithmsUsed; | 230 uint8_t m_scriptHashAlgorithmsUsed; |
225 uint8_t m_styleHashAlgorithmsUsed; | 231 uint8_t m_styleHashAlgorithmsUsed; |
226 | 232 |
227 // State flags used to configure the environment after parsing a policy. | 233 // State flags used to configure the environment after parsing a policy. |
228 SandboxFlags m_sandboxMask; | 234 SandboxFlags m_sandboxMask; |
| 235 bool m_enforceStrictMixedContentChecking; |
229 ReferrerPolicy m_referrerPolicy; | 236 ReferrerPolicy m_referrerPolicy; |
230 String m_disableEvalErrorMessage; | 237 String m_disableEvalErrorMessage; |
231 | 238 |
232 OwnPtr<CSPSource> m_selfSource; | 239 OwnPtr<CSPSource> m_selfSource; |
233 String m_selfProtocol; | 240 String m_selfProtocol; |
234 }; | 241 }; |
235 | 242 |
236 } | 243 } |
237 | 244 |
238 #endif | 245 #endif |
OLD | NEW |