| OLD | NEW |
|---|
| 1 /* | 1 /* |
| 2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
| 3 * | 3 * |
| 4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
| 5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
| 6 * are met: | 6 * are met: |
| 7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
| 8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
| 9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
| 10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
| (...skipping 131 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 142 static const char mediaSrc[] = "media-src"; | 142 static const char mediaSrc[] = "media-src"; |
| 143 static const char objectSrc[] = "object-src"; | 143 static const char objectSrc[] = "object-src"; |
| 144 static const char reportURI[] = "report-uri"; | 144 static const char reportURI[] = "report-uri"; |
| 145 static const char sandbox[] = "sandbox"; | 145 static const char sandbox[] = "sandbox"; |
| 146 static const char scriptSrc[] = "script-src"; | 146 static const char scriptSrc[] = "script-src"; |
| 147 static const char styleSrc[] = "style-src"; | 147 static const char styleSrc[] = "style-src"; |
| 148 | 148 |
| 149 // CSP 1.1 Directives | 149 // CSP 1.1 Directives |
| 150 static const char baseURI[] = "base-uri"; | 150 static const char baseURI[] = "base-uri"; |
| 151 static const char formAction[] = "form-action"; | 151 static const char formAction[] = "form-action"; |
| 152 static const char frameAncestors[] = "frame-ancestors"; |
| 152 static const char pluginTypes[] = "plugin-types"; | 153 static const char pluginTypes[] = "plugin-types"; |
| 153 static const char reflectedXSS[] = "reflected-xss"; | 154 static const char reflectedXSS[] = "reflected-xss"; |
| 154 | 155 |
| 155 bool isDirectiveName(const String& name) | 156 bool isDirectiveName(const String& name) |
| 156 { | 157 { |
| 157 return (equalIgnoringCase(name, connectSrc) | 158 return (equalIgnoringCase(name, connectSrc) |
| 158 || equalIgnoringCase(name, defaultSrc) | 159 || equalIgnoringCase(name, defaultSrc) |
| 159 || equalIgnoringCase(name, fontSrc) | 160 || equalIgnoringCase(name, fontSrc) |
| 160 || equalIgnoringCase(name, frameSrc) | 161 || equalIgnoringCase(name, frameSrc) |
| 161 || equalIgnoringCase(name, imgSrc) | 162 || equalIgnoringCase(name, imgSrc) |
| 162 || equalIgnoringCase(name, mediaSrc) | 163 || equalIgnoringCase(name, mediaSrc) |
| 163 || equalIgnoringCase(name, objectSrc) | 164 || equalIgnoringCase(name, objectSrc) |
| 164 || equalIgnoringCase(name, reportURI) | 165 || equalIgnoringCase(name, reportURI) |
| 165 || equalIgnoringCase(name, sandbox) | 166 || equalIgnoringCase(name, sandbox) |
| 166 || equalIgnoringCase(name, scriptSrc) | 167 || equalIgnoringCase(name, scriptSrc) |
| 167 || equalIgnoringCase(name, styleSrc) | 168 || equalIgnoringCase(name, styleSrc) |
| 168 || equalIgnoringCase(name, baseURI) | 169 || equalIgnoringCase(name, baseURI) |
| 169 || equalIgnoringCase(name, formAction) | 170 || equalIgnoringCase(name, formAction) |
| 171 || equalIgnoringCase(name, frameAncestors) |
| 170 || equalIgnoringCase(name, pluginTypes) | 172 || equalIgnoringCase(name, pluginTypes) |
| 171 || equalIgnoringCase(name, reflectedXSS) | 173 || equalIgnoringCase(name, reflectedXSS) |
| 172 ); | 174 ); |
| 173 } | 175 } |
| 174 | 176 |
| 175 UseCounter::Feature getUseCounterType(ContentSecurityPolicy::HeaderType type) | 177 UseCounter::Feature getUseCounterType(ContentSecurityPolicy::HeaderType type) |
| 176 { | 178 { |
| 177 switch (type) { | 179 switch (type) { |
| 178 case ContentSecurityPolicy::Enforce: | 180 case ContentSecurityPolicy::Enforce: |
| 179 return UseCounter::ContentSecurityPolicy; | 181 return UseCounter::ContentSecurityPolicy; |
| (...skipping 693 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 873 bool allowScriptFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; | 875 bool allowScriptFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; |
| 874 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; | 876 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; |
| 875 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::Reporting
Status) const; | 877 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::Reporting
Status) const; |
| 876 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 878 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
| 877 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 879 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
| 878 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus
) const; | 880 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus
) const; |
| 879 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 881 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
| 880 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 882 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
| 881 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co
nst; | 883 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co
nst; |
| 882 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const
; | 884 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const
; |
| 885 bool allowAncestors(Frame*, ContentSecurityPolicy::ReportingStatus) const; |
| 883 bool allowScriptNonce(const String&) const; | 886 bool allowScriptNonce(const String&) const; |
| 884 bool allowStyleNonce(const String&) const; | 887 bool allowStyleNonce(const String&) const; |
| 885 bool allowScriptHash(const SourceHashValue&) const; | 888 bool allowScriptHash(const SourceHashValue&) const; |
| 886 | 889 |
| 887 void gatherReportURIs(DOMStringList&) const; | 890 void gatherReportURIs(DOMStringList&) const; |
| 888 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM
essage; } | 891 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorM
essage; } |
| 889 ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflected
XSSDisposition; } | 892 ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflected
XSSDisposition; } |
| 890 bool isReportOnly() const { return m_reportOnly; } | 893 bool isReportOnly() const { return m_reportOnly; } |
| 891 const Vector<KURL>& reportURIs() const { return m_reportURIs; } | 894 const Vector<KURL>& reportURIs() const { return m_reportURIs; } |
| 892 | 895 |
| (...skipping 14 matching lines...) Expand all Loading... |
| 907 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL) const; | 910 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL) const; |
| 908 void reportViolationWithLocation(const String& directiveText, const String&
effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const
String& contextURL, const WTF::OrdinalNumber& contextLine) const; | 911 void reportViolationWithLocation(const String& directiveText, const String&
effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const
String& contextURL, const WTF::OrdinalNumber& contextLine) const; |
| 909 void reportViolationWithState(const String& directiveText, const String& eff
ectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptSta
te*) const; | 912 void reportViolationWithState(const String& directiveText, const String& eff
ectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptSta
te*) const; |
| 910 | 913 |
| 911 bool checkEval(SourceListDirective*) const; | 914 bool checkEval(SourceListDirective*) const; |
| 912 bool checkInline(SourceListDirective*) const; | 915 bool checkInline(SourceListDirective*) const; |
| 913 bool checkNonce(SourceListDirective*, const String&) const; | 916 bool checkNonce(SourceListDirective*, const String&) const; |
| 914 bool checkHash(SourceListDirective*, const SourceHashValue&) const; | 917 bool checkHash(SourceListDirective*, const SourceHashValue&) const; |
| 915 bool checkSource(SourceListDirective*, const KURL&) const; | 918 bool checkSource(SourceListDirective*, const KURL&) const; |
| 916 bool checkMediaType(MediaListDirective*, const String& type, const String& t
ypeAttribute) const; | 919 bool checkMediaType(MediaListDirective*, const String& type, const String& t
ypeAttribute) const; |
| 920 bool checkAncestors(SourceListDirective*, Frame*) const; |
| 917 | 921 |
| 918 void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisable
dErrorMessage = errorMessage; } | 922 void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisable
dErrorMessage = errorMessage; } |
| 919 | 923 |
| 920 bool checkEvalAndReportViolation(SourceListDirective*, const String& console
Message, ScriptState*) const; | 924 bool checkEvalAndReportViolation(SourceListDirective*, const String& console
Message, ScriptState*) const; |
| 921 bool checkInlineAndReportViolation(SourceListDirective*, const String& conso
leMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool
isScript) const; | 925 bool checkInlineAndReportViolation(SourceListDirective*, const String& conso
leMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool
isScript) const; |
| 922 | 926 |
| 923 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const
String& effectiveDirective) const; | 927 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const
String& effectiveDirective) const; |
| 924 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& typ
e, const String& typeAttribute, const String& consoleMessage) const; | 928 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& typ
e, const String& typeAttribute, const String& consoleMessage) const; |
| 929 bool checkAncestorsAndReportViolation(SourceListDirective*, Frame*) const; |
| 925 | 930 |
| 926 bool denyIfEnforcingPolicy() const { return m_reportOnly; } | 931 bool denyIfEnforcingPolicy() const { return m_reportOnly; } |
| 927 | 932 |
| 928 ContentSecurityPolicy* m_policy; | 933 ContentSecurityPolicy* m_policy; |
| 929 | 934 |
| 930 String m_header; | 935 String m_header; |
| 931 ContentSecurityPolicy::HeaderType m_headerType; | 936 ContentSecurityPolicy::HeaderType m_headerType; |
| 932 | 937 |
| 933 bool m_reportOnly; | 938 bool m_reportOnly; |
| 934 bool m_haveSandboxPolicy; | 939 bool m_haveSandboxPolicy; |
| 935 ReflectedXSSDisposition m_reflectedXSSDisposition; | 940 ReflectedXSSDisposition m_reflectedXSSDisposition; |
| 936 | 941 |
| 937 OwnPtr<MediaListDirective> m_pluginTypes; | 942 OwnPtr<MediaListDirective> m_pluginTypes; |
| 938 OwnPtr<SourceListDirective> m_baseURI; | 943 OwnPtr<SourceListDirective> m_baseURI; |
| 939 OwnPtr<SourceListDirective> m_connectSrc; | 944 OwnPtr<SourceListDirective> m_connectSrc; |
| 940 OwnPtr<SourceListDirective> m_defaultSrc; | 945 OwnPtr<SourceListDirective> m_defaultSrc; |
| 941 OwnPtr<SourceListDirective> m_fontSrc; | 946 OwnPtr<SourceListDirective> m_fontSrc; |
| 942 OwnPtr<SourceListDirective> m_formAction; | 947 OwnPtr<SourceListDirective> m_formAction; |
| 948 OwnPtr<SourceListDirective> m_frameAncestors; |
| 943 OwnPtr<SourceListDirective> m_frameSrc; | 949 OwnPtr<SourceListDirective> m_frameSrc; |
| 944 OwnPtr<SourceListDirective> m_imgSrc; | 950 OwnPtr<SourceListDirective> m_imgSrc; |
| 945 OwnPtr<SourceListDirective> m_mediaSrc; | 951 OwnPtr<SourceListDirective> m_mediaSrc; |
| 946 OwnPtr<SourceListDirective> m_objectSrc; | 952 OwnPtr<SourceListDirective> m_objectSrc; |
| 947 OwnPtr<SourceListDirective> m_scriptSrc; | 953 OwnPtr<SourceListDirective> m_scriptSrc; |
| 948 OwnPtr<SourceListDirective> m_styleSrc; | 954 OwnPtr<SourceListDirective> m_styleSrc; |
| 949 | 955 |
| 950 Vector<KURL> m_reportURIs; | 956 Vector<KURL> m_reportURIs; |
| 951 | 957 |
| 952 String m_evalDisabledErrorMessage; | 958 String m_evalDisabledErrorMessage; |
| (...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1017 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const SourceHas
hValue& hashValue) const | 1023 bool CSPDirectiveList::checkHash(SourceListDirective* directive, const SourceHas
hValue& hashValue) const |
| 1018 { | 1024 { |
| 1019 return !directive || directive->allowHash(hashValue); | 1025 return !directive || directive->allowHash(hashValue); |
| 1020 } | 1026 } |
| 1021 | 1027 |
| 1022 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl) const | 1028 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl) const |
| 1023 { | 1029 { |
| 1024 return !directive || directive->allows(url); | 1030 return !directive || directive->allows(url); |
| 1025 } | 1031 } |
| 1026 | 1032 |
| 1033 bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, Frame* fra
me) const |
| 1034 { |
| 1035 if (!frame || !directive) |
| 1036 return true; |
| 1037 |
| 1038 for (Frame* current = frame->tree().parent(); current; current = current->tr
ee().parent()) { |
| 1039 if (!directive->allows(current->document()->url())) |
| 1040 return false; |
| 1041 } |
| 1042 return true; |
| 1043 } |
| 1044 |
| 1027 bool CSPDirectiveList::checkMediaType(MediaListDirective* directive, const Strin
g& type, const String& typeAttribute) const | 1045 bool CSPDirectiveList::checkMediaType(MediaListDirective* directive, const Strin
g& type, const String& typeAttribute) const |
| 1028 { | 1046 { |
| 1029 if (!directive) | 1047 if (!directive) |
| 1030 return true; | 1048 return true; |
| 1031 if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type) | 1049 if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type) |
| 1032 return false; | 1050 return false; |
| 1033 return directive->allows(type); | 1051 return directive->allows(type); |
| 1034 } | 1052 } |
| 1035 | 1053 |
| 1036 SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d
irective) const | 1054 SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d
irective) const |
| (...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1115 prefix = "Refused to load the stylesheet '"; | 1133 prefix = "Refused to load the stylesheet '"; |
| 1116 | 1134 |
| 1117 String suffix = String(); | 1135 String suffix = String(); |
| 1118 if (directive == m_defaultSrc) | 1136 if (directive == m_defaultSrc) |
| 1119 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; | 1137 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; |
| 1120 | 1138 |
| 1121 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url); | 1139 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url); |
| 1122 return denyIfEnforcingPolicy(); | 1140 return denyIfEnforcingPolicy(); |
| 1123 } | 1141 } |
| 1124 | 1142 |
| 1143 bool CSPDirectiveList::checkAncestorsAndReportViolation(SourceListDirective* dir
ective, Frame* frame) const |
| 1144 { |
| 1145 if (checkAncestors(directive, frame)) |
| 1146 return true; |
| 1147 |
| 1148 reportViolation(directive->text(), "frame-ancestors", "Refused to display '"
+ frame->document()->url().elidedString() + " in a frame because an ancestor vi
olates the following Content Security Policy directive: \"" + directive->text()
+ "\".", frame->document()->url()); |
| 1149 return denyIfEnforcingPolicy(); |
| 1150 } |
| 1151 |
| 1125 bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::
OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStat
us) const | 1152 bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::
OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStat
us) const |
| 1126 { | 1153 { |
| 1127 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript
URL because it violates the following Content Security Policy directive: ")); | 1154 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript
URL because it violates the following Content Security Policy directive: ")); |
| 1128 if (reportingStatus == ContentSecurityPolicy::SendReport) | 1155 if (reportingStatus == ContentSecurityPolicy::SendReport) |
| 1129 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get(
)), consoleMessage, contextURL, contextLine, true); | 1156 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get(
)), consoleMessage, contextURL, contextLine, true); |
| 1130 | 1157 |
| 1131 return checkInline(operativeDirective(m_scriptSrc.get())); | 1158 return checkInline(operativeDirective(m_scriptSrc.get())); |
| 1132 } | 1159 } |
| 1133 | 1160 |
| 1134 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const
WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin
gStatus) const | 1161 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const
WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin
gStatus) const |
| (...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1244 checkSource(m_formAction.get(), url); | 1271 checkSource(m_formAction.get(), url); |
| 1245 } | 1272 } |
| 1246 | 1273 |
| 1247 bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::Repo
rtingStatus reportingStatus) const | 1274 bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::Repo
rtingStatus reportingStatus) const |
| 1248 { | 1275 { |
| 1249 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1276 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 1250 checkSourceAndReportViolation(m_baseURI.get(), url, baseURI) : | 1277 checkSourceAndReportViolation(m_baseURI.get(), url, baseURI) : |
| 1251 checkSource(m_baseURI.get(), url); | 1278 checkSource(m_baseURI.get(), url); |
| 1252 } | 1279 } |
| 1253 | 1280 |
| 1281 bool CSPDirectiveList::allowAncestors(Frame* frame, ContentSecurityPolicy::Repor
tingStatus reportingStatus) const |
| 1282 { |
| 1283 return reportingStatus == ContentSecurityPolicy::SendReport ? |
| 1284 checkAncestorsAndReportViolation(m_frameAncestors.get(), frame) : |
| 1285 checkAncestors(m_frameAncestors.get(), frame); |
| 1286 } |
| 1287 |
| 1254 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const | 1288 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const |
| 1255 { | 1289 { |
| 1256 return checkNonce(operativeDirective(m_scriptSrc.get()), nonce); | 1290 return checkNonce(operativeDirective(m_scriptSrc.get()), nonce); |
| 1257 } | 1291 } |
| 1258 | 1292 |
| 1259 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const | 1293 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const |
| 1260 { | 1294 { |
| 1261 return checkNonce(operativeDirective(m_styleSrc.get()), nonce); | 1295 return checkNonce(operativeDirective(m_styleSrc.get()), nonce); |
| 1262 } | 1296 } |
| 1263 | 1297 |
| (...skipping 206 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1470 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); | 1504 setCSPDirective<SourceListDirective>(name, value, m_connectSrc); |
| 1471 } else if (equalIgnoringCase(name, sandbox)) { | 1505 } else if (equalIgnoringCase(name, sandbox)) { |
| 1472 applySandboxPolicy(name, value); | 1506 applySandboxPolicy(name, value); |
| 1473 } else if (equalIgnoringCase(name, reportURI)) { | 1507 } else if (equalIgnoringCase(name, reportURI)) { |
| 1474 parseReportURI(name, value); | 1508 parseReportURI(name, value); |
| 1475 } else if (m_policy->experimentalFeaturesEnabled()) { | 1509 } else if (m_policy->experimentalFeaturesEnabled()) { |
| 1476 if (equalIgnoringCase(name, baseURI)) | 1510 if (equalIgnoringCase(name, baseURI)) |
| 1477 setCSPDirective<SourceListDirective>(name, value, m_baseURI); | 1511 setCSPDirective<SourceListDirective>(name, value, m_baseURI); |
| 1478 else if (equalIgnoringCase(name, formAction)) | 1512 else if (equalIgnoringCase(name, formAction)) |
| 1479 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 1513 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
| 1514 else if (equalIgnoringCase(name, frameAncestors)) |
| 1515 setCSPDirective<SourceListDirective>(name, value, m_frameAncestors); |
| 1480 else if (equalIgnoringCase(name, pluginTypes)) | 1516 else if (equalIgnoringCase(name, pluginTypes)) |
| 1481 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 1517 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
| 1482 else if (equalIgnoringCase(name, reflectedXSS)) | 1518 else if (equalIgnoringCase(name, reflectedXSS)) |
| 1483 parseReflectedXSS(name, value); | 1519 parseReflectedXSS(name, value); |
| 1484 else | 1520 else |
| 1485 m_policy->reportUnsupportedDirective(name); | 1521 m_policy->reportUnsupportedDirective(name); |
| 1486 } else { | 1522 } else { |
| 1487 m_policy->reportUnsupportedDirective(name); | 1523 m_policy->reportUnsupportedDirective(name); |
| 1488 } | 1524 } |
| 1489 } | 1525 } |
| (...skipping 146 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1636 if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol())) | 1672 if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol())) |
| 1637 return true; | 1673 return true; |
| 1638 | 1674 |
| 1639 for (size_t i = 0; i < policies.size(); ++i) { | 1675 for (size_t i = 0; i < policies.size(); ++i) { |
| 1640 if (!(policies[i].get()->*allowFromURL)(url, reportingStatus)) | 1676 if (!(policies[i].get()->*allowFromURL)(url, reportingStatus)) |
| 1641 return false; | 1677 return false; |
| 1642 } | 1678 } |
| 1643 return true; | 1679 return true; |
| 1644 } | 1680 } |
| 1645 | 1681 |
| 1682 template<bool (CSPDirectiveList::*allowed)(Frame*, ContentSecurityPolicy::Report
ingStatus) const> |
| 1683 bool isAllowedByAllWithFrame(const CSPDirectiveListVector& policies, Frame* fram
e, ContentSecurityPolicy::ReportingStatus reportingStatus) |
| 1684 { |
| 1685 for (size_t i = 0; i < policies.size(); ++i) { |
| 1686 if (!(policies[i].get()->*allowed)(frame, reportingStatus)) |
| 1687 return false; |
| 1688 } |
| 1689 return true; |
| 1690 } |
| 1691 |
| 1646 bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const
WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin
gStatus) const | 1692 bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const
WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin
gStatus) const |
| 1647 { | 1693 { |
| 1648 return isAllowedByAllWithContext<&CSPDirectiveList::allowJavaScriptURLs>(m_p
olicies, contextURL, contextLine, reportingStatus); | 1694 return isAllowedByAllWithContext<&CSPDirectiveList::allowJavaScriptURLs>(m_p
olicies, contextURL, contextLine, reportingStatus); |
| 1649 } | 1695 } |
| 1650 | 1696 |
| 1651 bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, c
onst WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus rep
ortingStatus) const | 1697 bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, c
onst WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus rep
ortingStatus) const |
| 1652 { | 1698 { |
| 1653 return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineEventHandlers
>(m_policies, contextURL, contextLine, reportingStatus); | 1699 return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineEventHandlers
>(m_policies, contextURL, contextLine, reportingStatus); |
| 1654 } | 1700 } |
| 1655 | 1701 |
| (...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 1763 bool ContentSecurityPolicy::allowFormAction(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const | 1809 bool ContentSecurityPolicy::allowFormAction(const KURL& url, ContentSecurityPoli
cy::ReportingStatus reportingStatus) const |
| 1764 { | 1810 { |
| 1765 return isAllowedByAllWithURL<&CSPDirectiveList::allowFormAction>(m_policies,
url, reportingStatus); | 1811 return isAllowedByAllWithURL<&CSPDirectiveList::allowFormAction>(m_policies,
url, reportingStatus); |
| 1766 } | 1812 } |
| 1767 | 1813 |
| 1768 bool ContentSecurityPolicy::allowBaseURI(const KURL& url, ContentSecurityPolicy:
:ReportingStatus reportingStatus) const | 1814 bool ContentSecurityPolicy::allowBaseURI(const KURL& url, ContentSecurityPolicy:
:ReportingStatus reportingStatus) const |
| 1769 { | 1815 { |
| 1770 return isAllowedByAllWithURL<&CSPDirectiveList::allowBaseURI>(m_policies, ur
l, reportingStatus); | 1816 return isAllowedByAllWithURL<&CSPDirectiveList::allowBaseURI>(m_policies, ur
l, reportingStatus); |
| 1771 } | 1817 } |
| 1772 | 1818 |
| 1819 bool ContentSecurityPolicy::allowAncestors(Frame* frame, ContentSecurityPolicy::
ReportingStatus reportingStatus) const |
| 1820 { |
| 1821 return isAllowedByAllWithFrame<&CSPDirectiveList::allowAncestors>(m_policies
, frame, reportingStatus); |
| 1822 } |
| 1823 |
| 1773 bool ContentSecurityPolicy::isActive() const | 1824 bool ContentSecurityPolicy::isActive() const |
| 1774 { | 1825 { |
| 1775 return !m_policies.isEmpty(); | 1826 return !m_policies.isEmpty(); |
| 1776 } | 1827 } |
| 1777 | 1828 |
| 1778 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const | 1829 ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const |
| 1779 { | 1830 { |
| 1780 ReflectedXSSDisposition disposition = ReflectedXSSUnset; | 1831 ReflectedXSSDisposition disposition = ReflectedXSSUnset; |
| 1781 for (size_t i = 0; i < m_policies.size(); ++i) { | 1832 for (size_t i = 0; i < m_policies.size(); ++i) { |
| 1782 if (m_policies[i]->reflectedXSSDisposition() > disposition) | 1833 if (m_policies[i]->reflectedXSSDisposition() > disposition) |
| (...skipping 240 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 2023 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. | 2074 // Collisions have no security impact, so we can save space by storing only
the string's hash rather than the whole report. |
| 2024 return !m_violationReportsSent.contains(report.impl()->hash()); | 2075 return !m_violationReportsSent.contains(report.impl()->hash()); |
| 2025 } | 2076 } |
| 2026 | 2077 |
| 2027 void ContentSecurityPolicy::didSendViolationReport(const String& report) | 2078 void ContentSecurityPolicy::didSendViolationReport(const String& report) |
| 2028 { | 2079 { |
| 2029 m_violationReportsSent.add(report.impl()->hash()); | 2080 m_violationReportsSent.add(report.impl()->hash()); |
| 2030 } | 2081 } |
| 2031 | 2082 |
| 2032 } // namespace WebCore | 2083 } // namespace WebCore |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 91353002:
CSP 1.1: Implement the 'frame-ancestors' directive. (Closed)
Base URL: svn://svn.chromium.org/blink/trunk