OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "config.h" | 5 #include "config.h" |
6 #include "core/frame/csp/CSPDirectiveList.h" | 6 #include "core/frame/csp/CSPDirectiveList.h" |
7 | 7 |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | |
9 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
10 #include "core/inspector/ConsoleMessage.h" | 11 #include "core/inspector/ConsoleMessage.h" |
11 #include "platform/Crypto.h" | 12 #include "platform/Crypto.h" |
12 #include "platform/ParsingUtilities.h" | 13 #include "platform/ParsingUtilities.h" |
13 #include "platform/RuntimeEnabledFeatures.h" | 14 #include "platform/RuntimeEnabledFeatures.h" |
14 #include "platform/network/ContentSecurityPolicyParsers.h" | 15 #include "platform/network/ContentSecurityPolicyParsers.h" |
15 #include "platform/weborigin/KURL.h" | 16 #include "platform/weborigin/KURL.h" |
16 #include "wtf/text/Base64.h" | 17 #include "wtf/text/Base64.h" |
17 #include "wtf/text/StringUTF8Adaptor.h" | 18 #include "wtf/text/StringUTF8Adaptor.h" |
18 #include "wtf/text/WTFString.h" | 19 #include "wtf/text/WTFString.h" |
(...skipping 21 matching lines...) Expand all Loading... | |
40 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) | 41 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) |
41 : m_policy(policy) | 42 : m_policy(policy) |
42 , m_headerType(type) | 43 , m_headerType(type) |
43 , m_headerSource(source) | 44 , m_headerSource(source) |
44 , m_reportOnly(false) | 45 , m_reportOnly(false) |
45 , m_haveSandboxPolicy(false) | 46 , m_haveSandboxPolicy(false) |
46 , m_reflectedXSSDisposition(ReflectedXSSUnset) | 47 , m_reflectedXSSDisposition(ReflectedXSSUnset) |
47 , m_didSetReferrerPolicy(false) | 48 , m_didSetReferrerPolicy(false) |
48 , m_referrerPolicy(ReferrerPolicyDefault) | 49 , m_referrerPolicy(ReferrerPolicyDefault) |
49 , m_strictMixedContentCheckingEnforced(false) | 50 , m_strictMixedContentCheckingEnforced(false) |
51 , m_upgradeInsecureContent(false) | |
50 { | 52 { |
51 m_reportOnly = type == ContentSecurityPolicyHeaderTypeReport; | 53 m_reportOnly = type == ContentSecurityPolicyHeaderTypeReport; |
52 } | 54 } |
53 | 55 |
54 PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* pol icy, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) | 56 PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* pol icy, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) |
55 { | 57 { |
56 OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy, type, source)); | 58 OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy, type, source)); |
57 directives->parse(begin, end); | 59 directives->parse(begin, end); |
58 | 60 |
59 if (!directives->checkEval(directives->operativeDirective(directives->m_scri ptSrc.get()))) { | 61 if (!directives->checkEval(directives->operativeDirective(directives->m_scri ptSrc.get()))) { |
(...skipping 510 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
570 if (m_strictMixedContentCheckingEnforced) { | 572 if (m_strictMixedContentCheckingEnforced) { |
571 m_policy->reportDuplicateDirective(name); | 573 m_policy->reportDuplicateDirective(name); |
572 return; | 574 return; |
573 } | 575 } |
574 m_strictMixedContentCheckingEnforced = true; | 576 m_strictMixedContentCheckingEnforced = true; |
575 m_policy->enforceStrictMixedContentChecking(); | 577 m_policy->enforceStrictMixedContentChecking(); |
576 if (!value.isEmpty()) | 578 if (!value.isEmpty()) |
577 m_policy->reportValueForEmptyDirective(name, value); | 579 m_policy->reportValueForEmptyDirective(name, value); |
578 } | 580 } |
579 | 581 |
582 void CSPDirectiveList::enableInsecureContentUpgrade(const String& name, const St ring& value) | |
583 { | |
584 if (m_upgradeInsecureContent) { | |
585 m_policy->reportDuplicateDirective(name); | |
586 return; | |
587 } | |
588 m_upgradeInsecureContent = true; | |
589 m_policy->setInsecureContentPolicy(m_reportOnly ? SecurityContext::InsecureC ontentMonitor : SecurityContext::InsecureContentUpgrade); | |
590 if (!value.isEmpty()) | |
591 m_policy->reportValueForEmptyDirective(name, value); | |
592 } | |
593 | |
580 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value ) | 594 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value ) |
581 { | 595 { |
582 if (m_reflectedXSSDisposition != ReflectedXSSUnset) { | 596 if (m_reflectedXSSDisposition != ReflectedXSSUnset) { |
583 m_policy->reportDuplicateDirective(name); | 597 m_policy->reportDuplicateDirective(name); |
584 m_reflectedXSSDisposition = ReflectedXSSInvalid; | 598 m_reflectedXSSDisposition = ReflectedXSSInvalid; |
585 return; | 599 return; |
586 } | 600 } |
587 | 601 |
588 if (value.isEmpty()) { | 602 if (value.isEmpty()) { |
589 m_reflectedXSSDisposition = ReflectedXSSInvalid; | 603 m_reflectedXSSDisposition = ReflectedXSSInvalid; |
(...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
720 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 734 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
721 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) { | 735 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) { |
722 parseReflectedXSS(name, value); | 736 parseReflectedXSS(name, value); |
723 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) { | 737 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) { |
724 parseReferrer(name, value); | 738 parseReferrer(name, value); |
725 } else if (m_policy->experimentalFeaturesEnabled()) { | 739 } else if (m_policy->experimentalFeaturesEnabled()) { |
726 if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) | 740 if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) |
727 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); | 741 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); |
728 else if (equalIgnoringCase(name, ContentSecurityPolicy::BlockAllMixedCon tent)) | 742 else if (equalIgnoringCase(name, ContentSecurityPolicy::BlockAllMixedCon tent)) |
729 enforceStrictMixedContentChecking(name, value); | 743 enforceStrictMixedContentChecking(name, value); |
744 else if (equalIgnoringCase(name, ContentSecurityPolicy::UpgradeInsecureC ontent)) | |
Mike West
2015/02/05 13:39:34
This probably wasn't clear from the diff, but we o
Yoav Weiss
2015/02/05 13:49:13
Yeah, missed that :)
| |
745 enableInsecureContentUpgrade(name, value); | |
730 else | 746 else |
731 m_policy->reportUnsupportedDirective(name); | 747 m_policy->reportUnsupportedDirective(name); |
732 } else { | 748 } else { |
733 m_policy->reportUnsupportedDirective(name); | 749 m_policy->reportUnsupportedDirective(name); |
734 } | 750 } |
735 } | 751 } |
736 | 752 |
737 | 753 |
738 } // namespace blink | 754 } // namespace blink |
OLD | NEW |