Chromium Code Reviews Chromium Code Reviews
Issue 983533005:
Upgrade insecure request: Drop the reporting functionality. (Closed)
Base URL: svn://svn.chromium.org/blink/trunk| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "config.h" | 5 #include "config.h" |
| 6 #include "core/frame/csp/CSPDirectiveList.h" | 6 #include "core/frame/csp/CSPDirectiveList.h" |
| 7 | 7 |
| 8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
| 9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
| 10 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
| (...skipping 563 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 574 return; | 574 return; |
| 575 } | 575 } |
| 576 m_strictMixedContentCheckingEnforced = true; | 576 m_strictMixedContentCheckingEnforced = true; |
| 577 m_policy->enforceStrictMixedContentChecking(); | 577 m_policy->enforceStrictMixedContentChecking(); |
| 578 if (!value.isEmpty()) | 578 if (!value.isEmpty()) |
| 579 m_policy->reportValueForEmptyDirective(name, value); | 579 m_policy->reportValueForEmptyDirective(name, value); |
| 580 } | 580 } |
| 581 | 581 |
| 582 void CSPDirectiveList::enableInsecureContentUpgrade(const String& name, const St ring& value) | 582 void CSPDirectiveList::enableInsecureContentUpgrade(const String& name, const St ring& value) |
| 583 { | 583 { |
| 584 if (m_reportOnly) { | |
| 585 m_policy->reportInvalidInReportOnly(name); | |
| 586 return; | |
| 587 } | |
|
Yoav Weiss
2015/03/05 12:06:14
Why is report-only invalid here?
| |
| 584 if (m_upgradeInsecureRequests) { | 588 if (m_upgradeInsecureRequests) { |
| 585 m_policy->reportDuplicateDirective(name); | 589 m_policy->reportDuplicateDirective(name); |
| 586 return; | 590 return; |
| 587 } | 591 } |
| 588 m_upgradeInsecureRequests = true; | 592 m_upgradeInsecureRequests = true; |
| 589 // FIXME: Monitoring insecure content currently has no effect. We'll eventua lly wire it up | 593 |
| 590 // to the CSP reporting mechanism if we go this route. https://crbug.com/455 674 | 594 m_policy->setInsecureContentPolicy(SecurityContext::InsecureContentUpgrade); |
| 591 m_policy->setInsecureContentPolicy(m_reportOnly ? SecurityContext::InsecureC ontentMonitor : SecurityContext::InsecureContentUpgrade); | |
| 592 if (!value.isEmpty()) | 595 if (!value.isEmpty()) |
| 593 m_policy->reportValueForEmptyDirective(name, value); | 596 m_policy->reportValueForEmptyDirective(name, value); |
| 594 } | 597 } |
| 595 | 598 |
| 596 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value ) | 599 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value ) |
| 597 { | 600 { |
| 598 if (m_reflectedXSSDisposition != ReflectedXSSUnset) { | 601 if (m_reflectedXSSDisposition != ReflectedXSSUnset) { |
| 599 m_policy->reportDuplicateDirective(name); | 602 m_policy->reportDuplicateDirective(name); |
| 600 m_reflectedXSSDisposition = ReflectedXSSInvalid; | 603 m_reflectedXSSDisposition = ReflectedXSSInvalid; |
| 601 return; | 604 return; |
| (...skipping 145 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 747 enableInsecureContentUpgrade(name, value); | 750 enableInsecureContentUpgrade(name, value); |
| 748 else | 751 else |
| 749 m_policy->reportUnsupportedDirective(name); | 752 m_policy->reportUnsupportedDirective(name); |
| 750 } else { | 753 } else { |
| 751 m_policy->reportUnsupportedDirective(name); | 754 m_policy->reportUnsupportedDirective(name); |
| 752 } | 755 } |
| 753 } | 756 } |
| 754 | 757 |
| 755 | 758 |
| 756 } // namespace blink | 759 } // namespace blink |
| OLD | NEW |
