OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 131 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
142 static const char mediaSrc[] = "media-src"; | 142 static const char mediaSrc[] = "media-src"; |
143 static const char objectSrc[] = "object-src"; | 143 static const char objectSrc[] = "object-src"; |
144 static const char reportURI[] = "report-uri"; | 144 static const char reportURI[] = "report-uri"; |
145 static const char sandbox[] = "sandbox"; | 145 static const char sandbox[] = "sandbox"; |
146 static const char scriptSrc[] = "script-src"; | 146 static const char scriptSrc[] = "script-src"; |
147 static const char styleSrc[] = "style-src"; | 147 static const char styleSrc[] = "style-src"; |
148 | 148 |
149 // CSP 1.1 Directives | 149 // CSP 1.1 Directives |
150 static const char baseURI[] = "base-uri"; | 150 static const char baseURI[] = "base-uri"; |
151 static const char formAction[] = "form-action"; | 151 static const char formAction[] = "form-action"; |
| 152 static const char frameAncestors[] = "frame-ancestors"; |
152 static const char pluginTypes[] = "plugin-types"; | 153 static const char pluginTypes[] = "plugin-types"; |
153 static const char reflectedXSS[] = "reflected-xss"; | 154 static const char reflectedXSS[] = "reflected-xss"; |
154 static const char referrer[] = "referrer"; | 155 static const char referrer[] = "referrer"; |
155 | 156 |
156 bool isDirectiveName(const String& name) | 157 bool isDirectiveName(const String& name) |
157 { | 158 { |
158 return (equalIgnoringCase(name, connectSrc) | 159 return (equalIgnoringCase(name, connectSrc) |
159 || equalIgnoringCase(name, defaultSrc) | 160 || equalIgnoringCase(name, defaultSrc) |
160 || equalIgnoringCase(name, fontSrc) | 161 || equalIgnoringCase(name, fontSrc) |
161 || equalIgnoringCase(name, frameSrc) | 162 || equalIgnoringCase(name, frameSrc) |
162 || equalIgnoringCase(name, imgSrc) | 163 || equalIgnoringCase(name, imgSrc) |
163 || equalIgnoringCase(name, mediaSrc) | 164 || equalIgnoringCase(name, mediaSrc) |
164 || equalIgnoringCase(name, objectSrc) | 165 || equalIgnoringCase(name, objectSrc) |
165 || equalIgnoringCase(name, reportURI) | 166 || equalIgnoringCase(name, reportURI) |
166 || equalIgnoringCase(name, sandbox) | 167 || equalIgnoringCase(name, sandbox) |
167 || equalIgnoringCase(name, scriptSrc) | 168 || equalIgnoringCase(name, scriptSrc) |
168 || equalIgnoringCase(name, styleSrc) | 169 || equalIgnoringCase(name, styleSrc) |
169 || equalIgnoringCase(name, baseURI) | 170 || equalIgnoringCase(name, baseURI) |
170 || equalIgnoringCase(name, formAction) | 171 || equalIgnoringCase(name, formAction) |
| 172 || equalIgnoringCase(name, frameAncestors) |
171 || equalIgnoringCase(name, pluginTypes) | 173 || equalIgnoringCase(name, pluginTypes) |
172 || equalIgnoringCase(name, reflectedXSS) | 174 || equalIgnoringCase(name, reflectedXSS) |
173 || equalIgnoringCase(name, referrer) | 175 || equalIgnoringCase(name, referrer) |
174 ); | 176 ); |
175 } | 177 } |
176 | 178 |
177 UseCounter::Feature getUseCounterType(ContentSecurityPolicy::HeaderType type) | 179 UseCounter::Feature getUseCounterType(ContentSecurityPolicy::HeaderType type) |
178 { | 180 { |
179 switch (type) { | 181 switch (type) { |
180 case ContentSecurityPolicy::Enforce: | 182 case ContentSecurityPolicy::Enforce: |
(...skipping 705 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
886 bool allowScriptFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; | 888 bool allowScriptFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; |
887 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; | 889 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; |
888 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::Reporting
Status) const; | 890 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::Reporting
Status) const; |
889 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 891 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
890 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 892 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
891 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus
) const; | 893 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus
) const; |
892 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 894 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
893 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 895 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
894 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co
nst; | 896 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co
nst; |
895 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const
; | 897 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const
; |
| 898 bool allowAncestors(Frame*, ContentSecurityPolicy::ReportingStatus) const; |
896 bool allowScriptNonce(const String&) const; | 899 bool allowScriptNonce(const String&) const; |
897 bool allowStyleNonce(const String&) const; | 900 bool allowStyleNonce(const String&) const; |
898 bool allowScriptHash(const SourceHashValue&) const; | 901 bool allowScriptHash(const SourceHashValue&) const; |
899 bool allowStyleHash(const SourceHashValue&) const; | 902 bool allowStyleHash(const SourceHashValue&) const; |
900 | 903 |
901 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM
essage; } | 904 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM
essage; } |
902 ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflected
XSSDisposition; } | 905 ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflected
XSSDisposition; } |
903 ReferrerPolicy referrerPolicy() const { return m_referrerPolicy; } | 906 ReferrerPolicy referrerPolicy() const { return m_referrerPolicy; } |
904 bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; } | 907 bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; } |
905 bool isReportOnly() const { return m_reportOnly; } | 908 bool isReportOnly() const { return m_reportOnly; } |
(...skipping 17 matching lines...) Expand all Loading... |
923 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL) const; | 926 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL) const; |
924 void reportViolationWithLocation(const String& directiveText, const String&
effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const
String& contextURL, const WTF::OrdinalNumber& contextLine) const; | 927 void reportViolationWithLocation(const String& directiveText, const String&
effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const
String& contextURL, const WTF::OrdinalNumber& contextLine) const; |
925 void reportViolationWithState(const String& directiveText, const String& eff
ectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptSta
te*) const; | 928 void reportViolationWithState(const String& directiveText, const String& eff
ectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptSta
te*) const; |
926 | 929 |
927 bool checkEval(SourceListDirective*) const; | 930 bool checkEval(SourceListDirective*) const; |
928 bool checkInline(SourceListDirective*) const; | 931 bool checkInline(SourceListDirective*) const; |
929 bool checkNonce(SourceListDirective*, const String&) const; | 932 bool checkNonce(SourceListDirective*, const String&) const; |
930 bool checkHash(SourceListDirective*, const SourceHashValue&) const; | 933 bool checkHash(SourceListDirective*, const SourceHashValue&) const; |
931 bool checkSource(SourceListDirective*, const KURL&) const; | 934 bool checkSource(SourceListDirective*, const KURL&) const; |
932 bool checkMediaType(MediaListDirective*, const String& type, const String& t
ypeAttribute) const; | 935 bool checkMediaType(MediaListDirective*, const String& type, const String& t
ypeAttribute) const; |
| 936 bool checkAncestors(SourceListDirective*, Frame*) const; |
933 | 937 |
934 void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisable
dErrorMessage = errorMessage; } | 938 void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisable
dErrorMessage = errorMessage; } |
935 | 939 |
936 bool checkEvalAndReportViolation(SourceListDirective*, const String& console
Message, ScriptState*) const; | 940 bool checkEvalAndReportViolation(SourceListDirective*, const String& console
Message, ScriptState*) const; |
937 bool checkInlineAndReportViolation(SourceListDirective*, const String& conso
leMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool
isScript) const; | 941 bool checkInlineAndReportViolation(SourceListDirective*, const String& conso
leMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool
isScript) const; |
938 | 942 |
939 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const
String& effectiveDirective) const; | 943 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const
String& effectiveDirective) const; |
940 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& typ
e, const String& typeAttribute, const String& consoleMessage) const; | 944 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& typ
e, const String& typeAttribute, const String& consoleMessage) const; |
| 945 bool checkAncestorsAndReportViolation(SourceListDirective*, Frame*) const; |
941 | 946 |
942 bool denyIfEnforcingPolicy() const { return m_reportOnly; } | 947 bool denyIfEnforcingPolicy() const { return m_reportOnly; } |
943 | 948 |
944 ContentSecurityPolicy* m_policy; | 949 ContentSecurityPolicy* m_policy; |
945 | 950 |
946 String m_header; | 951 String m_header; |
947 ContentSecurityPolicy::HeaderType m_headerType; | 952 ContentSecurityPolicy::HeaderType m_headerType; |
948 ContentSecurityPolicy::HeaderSource m_headerSource; | 953 ContentSecurityPolicy::HeaderSource m_headerSource; |
949 | 954 |
950 bool m_reportOnly; | 955 bool m_reportOnly; |
951 bool m_haveSandboxPolicy; | 956 bool m_haveSandboxPolicy; |
952 ReflectedXSSDisposition m_reflectedXSSDisposition; | 957 ReflectedXSSDisposition m_reflectedXSSDisposition; |
953 | 958 |
954 bool m_didSetReferrerPolicy; | 959 bool m_didSetReferrerPolicy; |
955 ReferrerPolicy m_referrerPolicy; | 960 ReferrerPolicy m_referrerPolicy; |
956 | 961 |
957 OwnPtr<MediaListDirective> m_pluginTypes; | 962 OwnPtr<MediaListDirective> m_pluginTypes; |
958 OwnPtr<SourceListDirective> m_baseURI; | 963 OwnPtr<SourceListDirective> m_baseURI; |
959 OwnPtr<SourceListDirective> m_connectSrc; | 964 OwnPtr<SourceListDirective> m_connectSrc; |
960 OwnPtr<SourceListDirective> m_defaultSrc; | 965 OwnPtr<SourceListDirective> m_defaultSrc; |
961 OwnPtr<SourceListDirective> m_fontSrc; | 966 OwnPtr<SourceListDirective> m_fontSrc; |
962 OwnPtr<SourceListDirective> m_formAction; | 967 OwnPtr<SourceListDirective> m_formAction; |
| 968 OwnPtr<SourceListDirective> m_frameAncestors; |
963 OwnPtr<SourceListDirective> m_frameSrc; | 969 OwnPtr<SourceListDirective> m_frameSrc; |
964 OwnPtr<SourceListDirective> m_imgSrc; | 970 OwnPtr<SourceListDirective> m_imgSrc; |
965 OwnPtr<SourceListDirective> m_mediaSrc; | 971 OwnPtr<SourceListDirective> m_mediaSrc; |
966 OwnPtr<SourceListDirective> m_objectSrc; | 972 OwnPtr<SourceListDirective> m_objectSrc; |
967 OwnPtr<SourceListDirective> m_scriptSrc; | 973 OwnPtr<SourceListDirective> m_scriptSrc; |
968 OwnPtr<SourceListDirective> m_styleSrc; | 974 OwnPtr<SourceListDirective> m_styleSrc; |
969 | 975 |
970 Vector<KURL> m_reportURIs; | 976 Vector<KURL> m_reportURIs; |
971 | 977 |
972 String m_evalDisabledErrorMessage; | 978 String m_evalDisabledErrorMessage; |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1040 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const SourceHas
hValue& hashValue) const | 1046 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const SourceHas
hValue& hashValue) const |
1041 { | 1047 { |
1042 return !directive || directive->allowHash(hashValue); | 1048 return !directive || directive->allowHash(hashValue); |
1043 } | 1049 } |
1044 | 1050 |
1045 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl) const | 1051 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl) const |
1046 { | 1052 { |
1047 return !directive || directive->allows(url); | 1053 return !directive || directive->allows(url); |
1048 } | 1054 } |
1049 | 1055 |
| 1056 bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, Frame* fra
me) const |
| 1057 { |
| 1058 if (!frame || !directive) |
| 1059 return true; |
| 1060 |
| 1061 for (Frame* current = frame->tree().parent(); current; current = current->tr
ee().parent()) { |
| 1062 if (!directive->allows(current->document()->url())) |
| 1063 return false; |
| 1064 } |
| 1065 return true; |
| 1066 } |
| 1067 |
1050 bool CSPDirectiveList::checkMediaType(MediaListDirective* directive, const Strin
g& type, const String& typeAttribute) const | 1068 bool CSPDirectiveList::checkMediaType(MediaListDirective* directive, const Strin
g& type, const String& typeAttribute) const |
1051 { | 1069 { |
1052 if (!directive) | 1070 if (!directive) |
1053 return true; | 1071 return true; |
1054 if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type) | 1072 if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type) |
1055 return false; | 1073 return false; |
1056 return directive->allows(type); | 1074 return directive->allows(type); |
1057 } | 1075 } |
1058 | 1076 |
1059 SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d
irective) const | 1077 SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d
irective) const |
(...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1144 prefix = "Refused to load the stylesheet '"; | 1162 prefix = "Refused to load the stylesheet '"; |
1145 | 1163 |
1146 String suffix = String(); | 1164 String suffix = String(); |
1147 if (directive == m_defaultSrc) | 1165 if (directive == m_defaultSrc) |
1148 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; | 1166 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; |
1149 | 1167 |
1150 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url); | 1168 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url); |
1151 return denyIfEnforcingPolicy(); | 1169 return denyIfEnforcingPolicy(); |
1152 } | 1170 } |
1153 | 1171 |
| 1172 bool CSPDirectiveList::checkAncestorsAndReportViolation(SourceListDirective* dir
ective, Frame* frame) const |
| 1173 { |
| 1174 if (checkAncestors(directive, frame)) |
| 1175 return true; |
| 1176 |
| 1177 reportViolation(directive->text(), "frame-ancestors", "Refused to display '"
+ frame->document()->url().elidedString() + " in a frame because an ancestor vi
olates the following Content Security Policy directive: \"" + directive->text()
+ "\".", frame->document()->url()); |
| 1178 return denyIfEnforcingPolicy(); |
| 1179 } |
| 1180 |
1154 bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::
OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStat
us) const | 1181 bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::
OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStat
us) const |
1155 { | 1182 { |
1156 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript
URL because it violates the following Content Security Policy directive: ")); | 1183 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript
URL because it violates the following Content Security Policy directive: ")); |
1157 if (reportingStatus == ContentSecurityPolicy::SendReport) | 1184 if (reportingStatus == ContentSecurityPolicy::SendReport) |
1158 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get(
)), consoleMessage, contextURL, contextLine, true); | 1185 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get(
)), consoleMessage, contextURL, contextLine, true); |
1159 | 1186 |
1160 return checkInline(operativeDirective(m_scriptSrc.get())); | 1187 return checkInline(operativeDirective(m_scriptSrc.get())); |
1161 } | 1188 } |
1162 | 1189 |
1163 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const
WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin
gStatus) const | 1190 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const
WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin
gStatus) const |
(...skipping 103 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1267 checkSource(m_formAction.get(), url); | 1294 checkSource(m_formAction.get(), url); |
1268 } | 1295 } |
1269 | 1296 |
1270 bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::Repo
rtingStatus reportingStatus) const | 1297 bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::Repo
rtingStatus reportingStatus) const |
1271 { | 1298 { |
1272 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1299 return reportingStatus == ContentSecurityPolicy::SendReport ? |
1273 checkSourceAndReportViolation(m_baseURI.get(), url, baseURI) : | 1300 checkSourceAndReportViolation(m_baseURI.get(), url, baseURI) : |
1274 checkSource(m_baseURI.get(), url); | 1301 checkSource(m_baseURI.get(), url); |
1275 } | 1302 } |
1276 | 1303 |
| 1304 bool CSPDirectiveList::allowAncestors(Frame* frame, ContentSecurityPolicy::Repor
tingStatus reportingStatus) const |
| 1305 { |
| 1306 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 1307 checkAncestorsAndReportViolation(m_frameAncestors.get(), frame) : |
| 1308 checkAncestors(m_frameAncestors.get(), frame); |
| 1309 } |
| 1310 |
1277 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const | 1311 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const |
1278 { | 1312 { |
1279 return checkNonce(operativeDirective(m_scriptSrc.get()), nonce); | 1313 return checkNonce(operativeDirective(m_scriptSrc.get()), nonce); |
1280 } | 1314 } |
1281 | 1315 |
1282 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const | 1316 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const |
1283 { | 1317 { |
1284 return checkNonce(operativeDirective(m_styleSrc.get()), nonce); | 1318 return checkNonce(operativeDirective(m_styleSrc.get()), nonce); |
1285 } | 1319 } |
1286 | 1320 |
(...skipping 269 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1556 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); | 1590 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); |
1557 } else if (equalIgnoringCase(name, sandbox)) { | 1591 } else if (equalIgnoringCase(name, sandbox)) { |
1558 applySandboxPolicy(name, value); | 1592 applySandboxPolicy(name, value); |
1559 } else if (equalIgnoringCase(name, reportURI)) { | 1593 } else if (equalIgnoringCase(name, reportURI)) { |
1560 parseReportURI(name, value); | 1594 parseReportURI(name, value); |
1561 } else if (m_policy->experimentalFeaturesEnabled()) { | 1595 } else if (m_policy->experimentalFeaturesEnabled()) { |
1562 if (equalIgnoringCase(name, baseURI)) | 1596 if (equalIgnoringCase(name, baseURI)) |
1563 setCSPDirective<SourceListDirective>(name, value, m_baseURI); | 1597 setCSPDirective<SourceListDirective>(name, value, m_baseURI); |
1564 else if (equalIgnoringCase(name, formAction)) | 1598 else if (equalIgnoringCase(name, formAction)) |
1565 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 1599 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
| 1600 else if (equalIgnoringCase(name, frameAncestors)) |
| 1601 setCSPDirective<SourceListDirective>(name, value, m_frameAncestors); |
1566 else if (equalIgnoringCase(name, pluginTypes)) | 1602 else if (equalIgnoringCase(name, pluginTypes)) |
1567 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 1603 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
1568 else if (equalIgnoringCase(name, reflectedXSS)) | 1604 else if (equalIgnoringCase(name, reflectedXSS)) |
1569 parseReflectedXSS(name, value); | 1605 parseReflectedXSS(name, value); |
1570 else if (equalIgnoringCase(name, referrer)) | 1606 else if (equalIgnoringCase(name, referrer)) |
1571 parseReferrer(name, value); | 1607 parseReferrer(name, value); |
1572 else | 1608 else |
1573 m_policy->reportUnsupportedDirective(name); | 1609 m_policy->reportUnsupportedDirective(name); |
1574 } else { | 1610 } else { |
1575 m_policy->reportUnsupportedDirective(name); | 1611 m_policy->reportUnsupportedDirective(name); |
(...skipping 163 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1739 if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol())) | 1775 if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol())) |
1740 return true; | 1776 return true; |
1741 | 1777 |
1742 for (size_t i = 0; i < policies.size(); ++i) { | 1778 for (size_t i = 0; i < policies.size(); ++i) { |
1743 if (!(policies[i].get()->*allowFromURL)(url, reportingStatus)) | 1779 if (!(policies[i].get()->*allowFromURL)(url, reportingStatus)) |
1744 return false; | 1780 return false; |
1745 } | 1781 } |
1746 return true; | 1782 return true; |
1747 } | 1783 } |
1748 | 1784 |
| 1785 template<bool (CSPDirectiveList::*allowed)(Frame*, ContentSecurityPolicy::Report
ingStatus) const> |
| 1786 bool isAllowedByAllWithFrame(const CSPDirectiveListVector& policies, Frame* fram
e, ContentSecurityPolicy::ReportingStatus reportingStatus) |
| 1787 { |
| 1788 for (size_t i = 0; i < policies.size(); ++i) { |
| 1789 if (!(policies[i].get()->*allowed)(frame, reportingStatus)) |
| 1790 return false; |
| 1791 } |
| 1792 return true; |
| 1793 } |
| 1794 |
1749 bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const
WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin
gStatus) const | 1795 bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const
WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin
gStatus) const |
1750 { | 1796 { |
1751 return isAllowedByAllWithContext<&CSPDirectiveList::allowJavaScriptURLs>(m_p
olicies, contextURL, contextLine, reportingStatus); | 1797 return isAllowedByAllWithContext<&CSPDirectiveList::allowJavaScriptURLs>(m_p
olicies, contextURL, contextLine, reportingStatus); |
1752 } | 1798 } |
1753 | 1799 |
1754 bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, c
onst WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus rep
ortingStatus) const | 1800 bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, c
onst WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus rep
ortingStatus) const |
1755 { | 1801 { |
1756 return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineEventHandlers
>(m_policies, contextURL, contextLine, reportingStatus); | 1802 return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineEventHandlers
>(m_policies, contextURL, contextLine, reportingStatus); |
1757 } | 1803 } |
1758 | 1804 |
(...skipping 128 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1887 bool ContentSecurityPolicy::allowFormAction(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 1933 bool ContentSecurityPolicy::allowFormAction(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
1888 { | 1934 { |
1889 return isAllowedByAllWithURL<&CSPDirectiveList::allowFormAction>(m_policies,
url, reportingStatus); | 1935 return isAllowedByAllWithURL<&CSPDirectiveList::allowFormAction>(m_policies,
url, reportingStatus); |
1890 } | 1936 } |
1891 | 1937 |
1892 bool ContentSecurityPolicy::allowBaseURI(const KURL& url, ContentSecurityPolicy:
:ReportingStatus reportingStatus) const | 1938 bool ContentSecurityPolicy::allowBaseURI(const KURL& url, ContentSecurityPolicy:
:ReportingStatus reportingStatus) const |
1893 { | 1939 { |
1894 return isAllowedByAllWithURL<&CSPDirectiveList::allowBaseURI>(m_policies, ur
l, reportingStatus); | 1940 return isAllowedByAllWithURL<&CSPDirectiveList::allowBaseURI>(m_policies, ur
l, reportingStatus); |
1895 } | 1941 } |
1896 | 1942 |
| 1943 bool ContentSecurityPolicy::allowAncestors(Frame* frame, ContentSecurityPolicy::
ReportingStatus reportingStatus) const |
| 1944 { |
| 1945 return isAllowedByAllWithFrame<&CSPDirectiveList::allowAncestors>(m_policies
, frame, reportingStatus); |
| 1946 } |
| 1947 |
1897 bool ContentSecurityPolicy::isActive() const | 1948 bool ContentSecurityPolicy::isActive() const |
1898 { | 1949 { |
1899 return !m_policies.isEmpty(); | 1950 return !m_policies.isEmpty(); |
1900 } | 1951 } |
1901 | 1952 |
1902 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const | 1953 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const |
1903 { | 1954 { |
1904 ReflectedXSSDisposition disposition = ReflectedXSSUnset; | 1955 ReflectedXSSDisposition disposition = ReflectedXSSUnset; |
1905 for (size_t i = 0; i < m_policies.size(); ++i) { | 1956 for (size_t i = 0; i < m_policies.size(); ++i) { |
1906 if (m_policies[i]->reflectedXSSDisposition() > disposition) | 1957 if (m_policies[i]->reflectedXSSDisposition() > disposition) |
(...skipping 273 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
2180 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. | 2231 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. |
2181 return !m_violationReportsSent.contains(report.impl()->hash()); | 2232 return !m_violationReportsSent.contains(report.impl()->hash()); |
2182 } | 2233 } |
2183 | 2234 |
2184 void ContentSecurityPolicy::didSendViolationReport(const String& report) | 2235 void ContentSecurityPolicy::didSendViolationReport(const String& report) |
2185 { | 2236 { |
2186 m_violationReportsSent.add(report.impl()->hash()); | 2237 m_violationReportsSent.add(report.impl()->hash()); |
2187 } | 2238 } |
2188 | 2239 |
2189 } // namespace WebCore | 2240 } // namespace WebCore |
OLD | NEW |