OLD | NEW |
---|---|
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "config.h" | 5 #include "config.h" |
6 #include "core/frame/csp/CSPDirectiveList.h" | 6 #include "core/frame/csp/CSPDirectiveList.h" |
7 | 7 |
8 #include "core/dom/Document.h" | 8 #include "core/dom/Document.h" |
9 #include "core/dom/SecurityContext.h" | 9 #include "core/dom/SecurityContext.h" |
10 #include "core/frame/LocalFrame.h" | 10 #include "core/frame/LocalFrame.h" |
(...skipping 563 matching lines...)
574 return; | 574 return; |
575 } | 575 } |
576 m_strictMixedContentCheckingEnforced = true; | 576 m_strictMixedContentCheckingEnforced = true; |
577 m_policy->enforceStrictMixedContentChecking(); | 577 m_policy->enforceStrictMixedContentChecking(); |
578 if (!value.isEmpty()) | 578 if (!value.isEmpty()) |
579 m_policy->reportValueForEmptyDirective(name, value); | 579 m_policy->reportValueForEmptyDirective(name, value); |
580 } | 580 } |
581 | 581 |
582 void CSPDirectiveList::enableInsecureContentUpgrade(const String& name, const St ring& value) | 582 void CSPDirectiveList::enableInsecureContentUpgrade(const String& name, const St ring& value) |
583 { | 583 { |
584 if (m_reportOnly) { | |
585 m_policy->reportInvalidInReportOnly(name); | |
586 return; | |
587 } | |
Yoav Weiss
2015/03/05 12:06:14
Why is report-only invalid here?
| |
584 if (m_upgradeInsecureRequests) { | 588 if (m_upgradeInsecureRequests) { |
585 m_policy->reportDuplicateDirective(name); | 589 m_policy->reportDuplicateDirective(name); |
586 return; | 590 return; |
587 } | 591 } |
588 m_upgradeInsecureRequests = true; | 592 m_upgradeInsecureRequests = true; |
589 // FIXME: Monitoring insecure content currently has no effect. We'll eventua lly wire it up | 593 |
590 // to the CSP reporting mechanism if we go this route. https://crbug.com/455 674 | 594 m_policy->setInsecureContentPolicy(SecurityContext::InsecureContentUpgrade); |
591 m_policy->setInsecureContentPolicy(m_reportOnly ? SecurityContext::InsecureC ontentMonitor : SecurityContext::InsecureContentUpgrade); | |
592 if (!value.isEmpty()) | 595 if (!value.isEmpty()) |
593 m_policy->reportValueForEmptyDirective(name, value); | 596 m_policy->reportValueForEmptyDirective(name, value); |
594 } | 597 } |
595 | 598 |
596 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value ) | 599 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value ) |
597 { | 600 { |
598 if (m_reflectedXSSDisposition != ReflectedXSSUnset) { | 601 if (m_reflectedXSSDisposition != ReflectedXSSUnset) { |
599 m_policy->reportDuplicateDirective(name); | 602 m_policy->reportDuplicateDirective(name); |
600 m_reflectedXSSDisposition = ReflectedXSSInvalid; | 603 m_reflectedXSSDisposition = ReflectedXSSInvalid; |
601 return; | 604 return; |
(...skipping 145 matching lines...)
747 enableInsecureContentUpgrade(name, value); | 750 enableInsecureContentUpgrade(name, value); |
748 else | 751 else |
749 m_policy->reportUnsupportedDirective(name); | 752 m_policy->reportUnsupportedDirective(name); |
750 } else { | 753 } else { |
751 m_policy->reportUnsupportedDirective(name); | 754 m_policy->reportUnsupportedDirective(name); |
752 } | 755 } |
753 } | 756 } |
754 | 757 |
755 | 758 |
756 } // namespace blink | 759 } // namespace blink |
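Review bot: With the ternary removed from the `setInsecureContentPolicy(...)` call in `enableInsecureContentUpgrade`, nothing visible on this page selects `SecurityContext::InsecureContentMonitor` any more, so that enum value and whatever code consumes it may now be unreachable. If no other caller sets it, remove it in this change or put a short comment on the enum saying it is currently unused, so a later reader does not assume a monitoring mode for insecure content still exists. Separately, the new `m_reportOnly` guard returns before both the duplicate check and the `value.isEmpty()` check, so a report-only policy with a duplicated or valued directive only ever gets the report-only message; a one-line comment above the guard such as `// Ignored in report-only policies; duplicate and value checks are skipped.` would show the ordering is deliberate.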