| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/common/extensions/csp_validator.h" | 5 #include "chrome/common/extensions/csp_validator.h" |
| 6 | 6 |
| 7 #include "base/string_split.h" | 7 #include "base/string_split.h" |
| 8 #include "base/string_tokenizer.h" | 8 #include "base/string_tokenizer.h" |
| 9 #include "base/string_util.h" | 9 #include "base/string_util.h" |
| 10 | 10 |
| 11 namespace extensions { | 11 namespace extensions { |
| 12 | 12 |
| 13 namespace csp_validator { | 13 namespace csp_validator { |
| 14 | 14 |
| 15 namespace { | 15 namespace { |
| 16 | 16 |
| 17 const char kDefaultSrc[] = "default-src"; | 17 const char kDefaultSrc[] = "default-src"; |
| 18 const char kScriptSrc[] = "script-src"; | 18 const char kScriptSrc[] = "script-src"; |
| 19 const char kObjectSrc[] = "object-src"; | 19 const char kObjectSrc[] = "object-src"; |
| 20 | 20 |
| 21 const char kSandboxDirectiveName[] = "sandbox"; |
| 22 const char kAllowSameOriginToken[] = "allow-same-origin"; |
| 23 const char kAllowTopNavigation[] = "allow-top-navigation"; |
| 24 const char kAllowPopups[] = "allow-popups"; |
| 25 |
| 21 struct DirectiveStatus { | 26 struct DirectiveStatus { |
| 22 explicit DirectiveStatus(const char* name) | 27 explicit DirectiveStatus(const char* name) |
| 23 : directive_name(name) | 28 : directive_name(name) |
| 24 , seen_in_policy(false) | 29 , seen_in_policy(false) |
| 25 , is_secure(false) { | 30 , is_secure(false) { |
| 26 } | 31 } |
| 27 | 32 |
| 28 const char* directive_name; | 33 const char* directive_name; |
| 29 bool seen_in_policy; | 34 bool seen_in_policy; |
| 30 bool is_secure; | 35 bool is_secure; |
| (...skipping 81 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 112 | 117 |
| 113 if (default_src_status.seen_in_policy && !default_src_status.is_secure) { | 118 if (default_src_status.seen_in_policy && !default_src_status.is_secure) { |
| 114 return script_src_status.seen_in_policy && | 119 return script_src_status.seen_in_policy && |
| 115 object_src_status.seen_in_policy; | 120 object_src_status.seen_in_policy; |
| 116 } | 121 } |
| 117 | 122 |
| 118 return default_src_status.seen_in_policy || | 123 return default_src_status.seen_in_policy || |
| 119 (script_src_status.seen_in_policy && object_src_status.seen_in_policy); | 124 (script_src_status.seen_in_policy && object_src_status.seen_in_policy); |
| 120 } | 125 } |
| 121 | 126 |
| 127 bool ContentSecurityPolicyIsSandboxed( |
| 128 const std::string& policy, Extension::Type type) { |
| 129 // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm. |
| 130 std::vector<std::string> directives; |
| 131 base::SplitString(policy, ';', &directives); |
| 132 |
| 133 bool seen_sandbox = false; |
| 134 |
| 135 for (size_t i = 0; i < directives.size(); ++i) { |
| 136 std::string& input = directives[i]; |
| 137 StringTokenizer tokenizer(input, " \t\r\n"); |
| 138 if (!tokenizer.GetNext()) |
| 139 continue; |
| 140 |
| 141 std::string directive_name = tokenizer.token(); |
| 142 StringToLowerASCII(&directive_name); |
| 143 |
| 144 if (directive_name != kSandboxDirectiveName) |
| 145 continue; |
| 146 |
| 147 seen_sandbox = true; |
| 148 |
| 149 while (tokenizer.GetNext()) { |
| 150 std::string token = tokenizer.token(); |
| 151 StringToLowerASCII(&token); |
| 152 |
| 153 // The same origin token negates the sandboxing. |
| 154 if (token == kAllowSameOriginToken) |
| 155 return false; |
| 156 |
| 157 // Platform apps don't allow navigation (and have a separate windowing |
| 158 // API that should be used for popups) |
| 159 if (type == Extension::TYPE_PLATFORM_APP) { |
| 160 if (token == kAllowTopNavigation || token == kAllowPopups) |
| 161 return false; |
| 162 } |
| 163 } |
| 164 } |
| 165 |
| 166 return seen_sandbox; |
| 167 } |
| 168 |
| 122 } // csp_validator | 169 } // csp_validator |
| 123 | 170 |
| 124 } // extensions | 171 } // extensions |
| OLD | NEW |