OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "config.h" | 5 #include "config.h" |
6 #include "core/frame/csp/CSPDirectiveList.h" | 6 #include "core/frame/csp/CSPDirectiveList.h" |
7 | 7 |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/dom/SecurityContext.h" |
9 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
10 #include "core/inspector/ConsoleMessage.h" | 11 #include "core/inspector/ConsoleMessage.h" |
11 #include "platform/Crypto.h" | 12 #include "platform/Crypto.h" |
12 #include "platform/ParsingUtilities.h" | 13 #include "platform/ParsingUtilities.h" |
13 #include "platform/RuntimeEnabledFeatures.h" | 14 #include "platform/RuntimeEnabledFeatures.h" |
14 #include "platform/network/ContentSecurityPolicyParsers.h" | 15 #include "platform/network/ContentSecurityPolicyParsers.h" |
15 #include "platform/weborigin/KURL.h" | 16 #include "platform/weborigin/KURL.h" |
16 #include "wtf/text/Base64.h" | 17 #include "wtf/text/Base64.h" |
17 #include "wtf/text/StringUTF8Adaptor.h" | 18 #include "wtf/text/StringUTF8Adaptor.h" |
18 #include "wtf/text/WTFString.h" | 19 #include "wtf/text/WTFString.h" |
(...skipping 21 matching lines...) Expand all Loading... |
40 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) | 41 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurit
yPolicyHeaderType type, ContentSecurityPolicyHeaderSource source) |
41 : m_policy(policy) | 42 : m_policy(policy) |
42 , m_headerType(type) | 43 , m_headerType(type) |
43 , m_headerSource(source) | 44 , m_headerSource(source) |
44 , m_reportOnly(false) | 45 , m_reportOnly(false) |
45 , m_haveSandboxPolicy(false) | 46 , m_haveSandboxPolicy(false) |
46 , m_reflectedXSSDisposition(ReflectedXSSUnset) | 47 , m_reflectedXSSDisposition(ReflectedXSSUnset) |
47 , m_didSetReferrerPolicy(false) | 48 , m_didSetReferrerPolicy(false) |
48 , m_referrerPolicy(ReferrerPolicyDefault) | 49 , m_referrerPolicy(ReferrerPolicyDefault) |
49 , m_strictMixedContentCheckingEnforced(false) | 50 , m_strictMixedContentCheckingEnforced(false) |
| 51 , m_upgradeInsecureRequests(false) |
50 { | 52 { |
51 m_reportOnly = type == ContentSecurityPolicyHeaderTypeReport; | 53 m_reportOnly = type == ContentSecurityPolicyHeaderTypeReport; |
52 } | 54 } |
53 | 55 |
54 PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* pol
icy, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType type,
ContentSecurityPolicyHeaderSource source) | 56 PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* pol
icy, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType type,
ContentSecurityPolicyHeaderSource source) |
55 { | 57 { |
56 OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy,
type, source)); | 58 OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy,
type, source)); |
57 directives->parse(begin, end); | 59 directives->parse(begin, end); |
58 | 60 |
59 if (!directives->checkEval(directives->operativeDirective(directives->m_scri
ptSrc.get()))) { | 61 if (!directives->checkEval(directives->operativeDirective(directives->m_scri
ptSrc.get()))) { |
(...skipping 510 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
570 if (m_strictMixedContentCheckingEnforced) { | 572 if (m_strictMixedContentCheckingEnforced) { |
571 m_policy->reportDuplicateDirective(name); | 573 m_policy->reportDuplicateDirective(name); |
572 return; | 574 return; |
573 } | 575 } |
574 m_strictMixedContentCheckingEnforced = true; | 576 m_strictMixedContentCheckingEnforced = true; |
575 m_policy->enforceStrictMixedContentChecking(); | 577 m_policy->enforceStrictMixedContentChecking(); |
576 if (!value.isEmpty()) | 578 if (!value.isEmpty()) |
577 m_policy->reportValueForEmptyDirective(name, value); | 579 m_policy->reportValueForEmptyDirective(name, value); |
578 } | 580 } |
579 | 581 |
| 582 void CSPDirectiveList::enableInsecureContentUpgrade(const String& name, const St
ring& value) |
| 583 { |
| 584 if (m_upgradeInsecureRequests) { |
| 585 m_policy->reportDuplicateDirective(name); |
| 586 return; |
| 587 } |
| 588 m_upgradeInsecureRequests = true; |
| 589 // FIXME: Monitoring insecure content currently has no effect. We'll eventua
lly wire it up |
| 590 // to the CSP reporting mechanism if we go this route. https://crbug.com/455
674 |
| 591 m_policy->setInsecureContentPolicy(m_reportOnly ? SecurityContext::InsecureC
ontentMonitor : SecurityContext::InsecureContentUpgrade); |
| 592 if (!value.isEmpty()) |
| 593 m_policy->reportValueForEmptyDirective(name, value); |
| 594 } |
| 595 |
580 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value
) | 596 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value
) |
581 { | 597 { |
582 if (m_reflectedXSSDisposition != ReflectedXSSUnset) { | 598 if (m_reflectedXSSDisposition != ReflectedXSSUnset) { |
583 m_policy->reportDuplicateDirective(name); | 599 m_policy->reportDuplicateDirective(name); |
584 m_reflectedXSSDisposition = ReflectedXSSInvalid; | 600 m_reflectedXSSDisposition = ReflectedXSSInvalid; |
585 return; | 601 return; |
586 } | 602 } |
587 | 603 |
588 if (value.isEmpty()) { | 604 if (value.isEmpty()) { |
589 m_reflectedXSSDisposition = ReflectedXSSInvalid; | 605 m_reflectedXSSDisposition = ReflectedXSSInvalid; |
(...skipping 130 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
720 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 736 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
721 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) { | 737 } else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS)) { |
722 parseReflectedXSS(name, value); | 738 parseReflectedXSS(name, value); |
723 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) { | 739 } else if (equalIgnoringCase(name, ContentSecurityPolicy::Referrer)) { |
724 parseReferrer(name, value); | 740 parseReferrer(name, value); |
725 } else if (m_policy->experimentalFeaturesEnabled()) { | 741 } else if (m_policy->experimentalFeaturesEnabled()) { |
726 if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) | 742 if (equalIgnoringCase(name, ContentSecurityPolicy::ManifestSrc)) |
727 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); | 743 setCSPDirective<SourceListDirective>(name, value, m_manifestSrc); |
728 else if (equalIgnoringCase(name, ContentSecurityPolicy::BlockAllMixedCon
tent)) | 744 else if (equalIgnoringCase(name, ContentSecurityPolicy::BlockAllMixedCon
tent)) |
729 enforceStrictMixedContentChecking(name, value); | 745 enforceStrictMixedContentChecking(name, value); |
| 746 else if (equalIgnoringCase(name, ContentSecurityPolicy::UpgradeInsecureR
equests)) |
| 747 enableInsecureContentUpgrade(name, value); |
730 else | 748 else |
731 m_policy->reportUnsupportedDirective(name); | 749 m_policy->reportUnsupportedDirective(name); |
732 } else { | 750 } else { |
733 m_policy->reportUnsupportedDirective(name); | 751 m_policy->reportUnsupportedDirective(name); |
734 } | 752 } |
735 } | 753 } |
736 | 754 |
737 | 755 |
738 } // namespace blink | 756 } // namespace blink |
OLD | NEW |