| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "config.h" | 5 #include "config.h" |
| 6 #include "core/frame/csp/CSPDirectiveList.h" | 6 #include "core/frame/csp/CSPDirectiveList.h" |
| 7 | 7 |
| 8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/dom/SecurityContext.h" | |
| 9 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
| 10 #include "core/inspector/ConsoleMessage.h" | 11 #include "core/inspector/ConsoleMessage.h" |
| 11 #include "platform/Crypto.h" | 12 #include "platform/Crypto.h" |
| 12 #include "platform/ParsingUtilities.h" | 13 #include "platform/ParsingUtilities.h" |
| 13 #include "platform/RuntimeEnabledFeatures.h" | 14 #include "platform/RuntimeEnabledFeatures.h" |
| 14 #include "platform/network/ContentSecurityPolicyParsers.h" | 15 #include "platform/network/ContentSecurityPolicyParsers.h" |
| 15 #include "platform/weborigin/KURL.h" | 16 #include "platform/weborigin/KURL.h" |
| 16 #include "wtf/text/Base64.h" | 17 #include "wtf/text/Base64.h" |
| 17 #include "wtf/text/StringUTF8Adaptor.h" | 18 #include "wtf/text/StringUTF8Adaptor.h" |
| 18 #include "wtf/text/WTFString.h" | 19 #include "wtf/text/WTFString.h" |
| 40 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) | 41 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) |
| 41 : m_policy(policy) | 42 : m_policy(policy) |
| 42 , m_headerType(type) | 43 , m_headerType(type) |
| 43 , m_headerSource(source) | 44 , m_headerSource(source) |
| 44 , m_reportOnly(false) | 45 , m_reportOnly(false) |
| 45 , m_haveSandboxPolicy(false) | 46 , m_haveSandboxPolicy(false) |
| 46 , m_reflectedXSSDisposition(ReflectedXSSUnset) | 47 , m_reflectedXSSDisposition(ReflectedXSSUnset) |
| 47 , m_didSetReferrerPolicy(false) | 48 , m_didSetReferrerPolicy(false) |
| 48 , m_referrerPolicy(ReferrerPolicyDefault) | 49 , m_referrerPolicy(ReferrerPolicyDefault) |
| 49 , m_strictMixedContentCheckingEnforced(false) | 50 , m_strictMixedContentCheckingEnforced(false) |
| 51 , m_upgradeInsecureContent(false) | |
| 50 { | 52 { |
| 51 m_reportOnly = type == ContentSecurityPolicyHeaderTypeReport; | 53 m_reportOnly = type == ContentSecurityPolicyHeaderTypeReport; |
| 52 } | 54 } |
| 53 | 55 |
| 54 PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* pol icy, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) | 56 PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* pol icy, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) |
| 55 { | 57 { |
| 56 OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy, type, source)); | 58 OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy, type, source)); |
| 57 directives->parse(begin, end); | 59 directives->parse(begin, end); |
| 58 | 60 |
| 59 if (!directives->checkEval(directives->operativeDirective(directives->m_scri ptSrc.get()))) { | 61 if (!directives->checkEval(directives->operativeDirective(directives->m_scri ptSrc.get()))) { |
| 570 if (m_strictMixedContentCheckingEnforced) { | 572 if (m_strictMixedContentCheckingEnforced) { |
| 571 m_policy->reportDuplicateDirective(name); | 573 m_policy->reportDuplicateDirective(name); |
| 572 return; | 574 return; |
| 573 } | 575 } |
| 574 m_strictMixedContentCheckingEnforced = true; | 576 m_strictMixedContentCheckingEnforced = true; |
| 575 m_policy->enforceStrictMixedContentChecking(); | 577 m_policy->enforceStrictMixedContentChecking(); |
| 576 if (!value.isEmpty()) | 578 if (!value.isEmpty()) |
| 577 m_policy->reportValueForEmptyDirective(name, value); | 579 m_policy->reportValueForEmptyDirective(name, value); |
| 578 } | 580 } |
| 579 | 581 |
| 582 void CSPDirectiveList::enableInsecureContentUpgrade(const String& name, const St ring& value) | |
| 583 { | |
| 584 if (m_upgradeInsecureContent) { | |
| 585 m_policy->reportDuplicateDirective(name); | |
| 586 return; | |
| 587 } | |
| 588 m_upgradeInsecureContent = true; | |
| 589 m_policy->setInsecureContentPolicy(m_reportOnly ? SecurityContext::InsecureC ontentMonitor : SecurityContext::InsecureContentUpgrade); | |
| 590 if (!value.isEmpty()) | |
| 591 m_policy->reportValueForEmptyDirective(name, value); | |
| 592 } | |
| 593 | |
| 580 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value ) | 594 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value ) |
| 581 { | 595 { |
| 582 if (m_reflectedXSSDisposition != ReflectedXSSUnset) { | 596 if (m_reflectedXSSDisposition != ReflectedXSSUnset) { |
| 583 m_policy->reportDuplicateDirective(name); | 597 m_policy->reportDuplicateDirective(name); |
| 584 m_reflectedXSSDisposition = ReflectedXSSInvalid; | 598 m_reflectedXSSDisposition = ReflectedXSSInvalid; |
| 585 return; | 599 return; |
| 586 } | 600 } |
| 587 | 601 |
| 588 if (value.isEmpty()) { | 602 if (value.isEmpty()) { |
| 589 m_reflectedXSSDisposition = ReflectedXSSInvalid; | 603 m_reflectedXSSDisposition = ReflectedXSSInvalid; |
| 720 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 734 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
| 721 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) { | 735 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) { |
| 722 parseReflectedXSS(name, value); | 736 parseReflectedXSS(name, value); |
| 723 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) { | 737 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) { |
| 724 parseReferrer(name, value); | 738 parseReferrer(name, value); |
| 725 } else if (m_policy->experimentalFeaturesEnabled()) { | 739 } else if (m_policy->experimentalFeaturesEnabled()) { |
| 726 if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) | 740 if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) |
| 727 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); | 741 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); |
| 728 else if (equalIgnoringCase(name, ContentSecurityPolicy::BlockAllMixedCon tent)) | 742 else if (equalIgnoringCase(name, ContentSecurityPolicy::BlockAllMixedCon tent)) |
| 729 enforceStrictMixedContentChecking(name, value); | 743 enforceStrictMixedContentChecking(name, value); |
| 744 else if (equalIgnoringCase(name, ContentSecurityPolicy::UpgradeInsecureC ontent)) | |
Mike West
2015/02/05 13:39:34
This probably wasn't clear from the diff, but we o
Yoav Weiss
2015/02/05 13:49:13
Yeah, missed that :)
| 745 enableInsecureContentUpgrade(name, value); | |
| 730 else | 746 else |
| 731 m_policy->reportUnsupportedDirective(name); | 747 m_policy->reportUnsupportedDirective(name); |
| 732 } else { | 748 } else { |
| 733 m_policy->reportUnsupportedDirective(name); | 749 m_policy->reportUnsupportedDirective(name); |
| 734 } | 750 } |
| 735 } | 751 } |
| 736 | 752 |
| 737 | 753 |
| 738 } // namespace blink | 754 } // namespace blink |
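Review bot: enableInsecureContentUpgrade (new lines 582-592) hands its disposition straight to m_policy->setInsecureContentPolicy, so when a document carries both an enforcing and a report-only policy the outcome depends on parse order if that setter simply stores its argument — a report-only list parsed second would replace InsecureContentUpgrade with InsecureContentMonitor and silently stop upgrading. Whether setInsecureContentPolicy merges or overwrites is not visible in this diff; if it overwrites, either keep the stricter value inside the setter or guard the call here, e.g. `if (!m_reportOnly || currentPolicyIsNotAlreadyUpgrading) m_policy->setInsecureContentPolicy(...)` (the second operand is a placeholder for whatever query the policy object exposes). The m_reportOnly branch also deserves a why-comment, since it is the only place report-only semantics are applied to this directive: `// Report-only policies must not change fetch behaviour; Monitor only records what Upgrade would have rewritten.` Note too that the dispatch at new line 744 lives under the experimentalFeaturesEnabled() branch alongside block-all-mixed-content, so the directive is a no-op (reported as unsupported) on default builds; a short comment there would save the next reader the same confusion the existing review thread records.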