Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1017)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: Source/core/frame/csp/ContentSecurityPolicy.cpp

Issue 811773002: Mixed Content: Implement strict mode. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Tests. Created 6 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « Source/core/frame/csp/ContentSecurityPolicy.h ('k') | Source/core/loader/FrameLoader.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/Source/core/frame/csp/ContentSecurityPolicy.cpp b/Source/core/frame/csp/ContentSecurityPolicy.cpp
index 79942f6c40e6c4cf79efb91459ad7d5d7367a08e..ba5235d9515eaadf96442b21c6efc137753c865a 100644
--- a/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -62,7 +62,7 @@
namespace blink {
-// CSP 1.0 Directives
+// CSP Level 1 Directives
const char ContentSecurityPolicy::ConnectSrc[] = "connect-src";
const char ContentSecurityPolicy::DefaultSrc[] = "default-src";
const char ContentSecurityPolicy::FontSrc[] = "font-src";
@@ -75,7 +75,7 @@ const char ContentSecurityPolicy::Sandbox[] = "sandbox";
const char ContentSecurityPolicy::ScriptSrc[] = "script-src";
const char ContentSecurityPolicy::StyleSrc[] = "style-src";
-// CSP 1.1 Directives
+// CSP Level 2 Directives
const char ContentSecurityPolicy::BaseURI[] = "base-uri";
const char ContentSecurityPolicy::ChildSrc[] = "child-src";
const char ContentSecurityPolicy::FormAction[] = "form-action";
@@ -88,6 +88,10 @@ const char ContentSecurityPolicy::Referrer[] = "referrer";
// https://w3c.github.io/manifest/#content-security-policy
const char ContentSecurityPolicy::ManifestSrc[] = "manifest-src";
+// Mixed Content Directive
+// https://w3c.github.io/webappsec/specs/mixedcontent/#strict-mode
+const char ContentSecurityPolicy::StrictMixedContentChecking[] = "strict-mixed-content-checking";
+
bool ContentSecurityPolicy::isDirectiveName(const String& name)
{
return (equalIgnoringCase(name, ConnectSrc)
@@ -109,7 +113,7 @@ bool ContentSecurityPolicy::isDirectiveName(const String& name)
|| equalIgnoringCase(name, ReflectedXSS)
|| equalIgnoringCase(name, Referrer)
|| equalIgnoringCase(name, ManifestSrc)
- );
+ || equalIgnoringCase(name, StrictMixedContentChecking));
}
static UseCounter::Feature getUseCounterType(ContentSecurityPolicyHeaderType type)
@@ -137,6 +141,7 @@ ContentSecurityPolicy::ContentSecurityPolicy()
, m_scriptHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone)
, m_styleHashAlgorithmsUsed(ContentSecurityPolicyHashAlgorithmNone)
, m_sandboxMask(0)
+ , m_enforceStrictMixedContentChecking(false)
, m_referrerPolicy(ReferrerPolicyDefault)
{
}
@@ -154,10 +159,12 @@ void ContentSecurityPolicy::applyPolicySideEffectsToExecutionContext()
m_selfProtocol = securityOrigin()->protocol();
m_selfSource = adoptPtr(new CSPSource(this, m_selfProtocol, securityOrigin()->host(), securityOrigin()->port(), String(), CSPSource::NoWildcard, CSPSource::NoWildcard));
- // If we're in a Document, set the referrer policy and sandbox flags, then dump all the
- // parsing error messages, then poke at histograms.
+ // If we're in a Document, set the referrer policy, mixed content checking, and sandbox
+ // flags, then dump all the parsing error messages, then poke at histograms.
if (Document* document = this->document()) {
document->enforceSandboxFlags(m_sandboxMask);
+ if (m_enforceStrictMixedContentChecking)
+ document->enforceStrictMixedContentChecking();
if (didSetReferrerPolicy())
document->setReferrerPolicy(m_referrerPolicy);
@@ -599,6 +606,11 @@ void ContentSecurityPolicy::enforceSandboxFlags(SandboxFlags mask)
m_sandboxMask |= mask;
}
+void ContentSecurityPolicy::enforceStrictMixedContentChecking()
+{
+ m_enforceStrictMixedContentChecking = true;
+}
+
static String stripURLForUseInReport(Document* document, const KURL& url)
{
if (!url.isValid())
@@ -728,6 +740,11 @@ void ContentSecurityPolicy::reportMetaOutsideHead(const String& header)
logToConsole("The Content Security Policy '" + header + "' was delivered via a <meta> element outside the document's <head>, which is disallowed. The policy has been ignored.");
}
+void ContentSecurityPolicy::reportValueForEmptyDirective(const String& name, const String& value)
+{
+ logToConsole("The Content Security Policy directive '" + name + "' should be empty, but was delivered with a value of '" + value + "'. The directive has been applied, and the value ignored.");
+}
+
void ContentSecurityPolicy::reportInvalidInReportOnly(const String& name)
{
logToConsole("The Content Security Policy directive '" + name + "' is ignored when delivered in a report-only policy.");
« no previous file with comments | « Source/core/frame/csp/ContentSecurityPolicy.h ('k') | Source/core/loader/FrameLoader.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698