OLD | NEW |
1 /* | 1 /* |
2 * Copyright (C) 2011 Google, Inc. All rights reserved. | 2 * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 * | 3 * |
4 * Redistribution and use in source and binary forms, with or without | 4 * Redistribution and use in source and binary forms, with or without |
5 * modification, are permitted provided that the following conditions | 5 * modification, are permitted provided that the following conditions |
6 * are met: | 6 * are met: |
7 * 1. Redistributions of source code must retain the above copyright | 7 * 1. Redistributions of source code must retain the above copyright |
8 * notice, this list of conditions and the following disclaimer. | 8 * notice, this list of conditions and the following disclaimer. |
9 * 2. Redistributions in binary form must reproduce the above copyright | 9 * 2. Redistributions in binary form must reproduce the above copyright |
10 * notice, this list of conditions and the following disclaimer in the | 10 * notice, this list of conditions and the following disclaimer in the |
(...skipping 53 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
64 return isASCIIAlphanumeric(c) || c == '-'; | 64 return isASCIIAlphanumeric(c) || c == '-'; |
65 } | 65 } |
66 | 66 |
67 bool isDirectiveValueCharacter(UChar c) | 67 bool isDirectiveValueCharacter(UChar c) |
68 { | 68 { |
69 return isASCIISpace(c) || (c >= 0x21 && c <= 0x7e); // Whitespace + VCHAR | 69 return isASCIISpace(c) || (c >= 0x21 && c <= 0x7e); // Whitespace + VCHAR |
70 } | 70 } |
71 | 71 |
72 bool isNonceCharacter(UChar c) | 72 bool isNonceCharacter(UChar c) |
73 { | 73 { |
74 return (c >= 0x21 && c <= 0x7e) && c != ',' && c != ';'; // VCHAR - ',' - ';
' | 74 return isASCIIAlphanumeric(c); |
75 } | 75 } |
76 | 76 |
77 bool isSourceCharacter(UChar c) | 77 bool isSourceCharacter(UChar c) |
78 { | 78 { |
79 return !isASCIISpace(c); | 79 return !isASCIISpace(c); |
80 } | 80 } |
81 | 81 |
82 bool isPathComponentCharacter(UChar c) | 82 bool isPathComponentCharacter(UChar c) |
83 { | 83 { |
84 return c != '?' && c != '#'; | 84 return c != '?' && c != '#'; |
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
119 static const char objectSrc[] = "object-src"; | 119 static const char objectSrc[] = "object-src"; |
120 static const char reportURI[] = "report-uri"; | 120 static const char reportURI[] = "report-uri"; |
121 static const char sandbox[] = "sandbox"; | 121 static const char sandbox[] = "sandbox"; |
122 static const char scriptSrc[] = "script-src"; | 122 static const char scriptSrc[] = "script-src"; |
123 static const char styleSrc[] = "style-src"; | 123 static const char styleSrc[] = "style-src"; |
124 | 124 |
125 // CSP 1.1 Directives | 125 // CSP 1.1 Directives |
126 static const char baseURI[] = "base-uri"; | 126 static const char baseURI[] = "base-uri"; |
127 static const char formAction[] = "form-action"; | 127 static const char formAction[] = "form-action"; |
128 static const char pluginTypes[] = "plugin-types"; | 128 static const char pluginTypes[] = "plugin-types"; |
129 static const char scriptNonce[] = "script-nonce"; | |
130 static const char reflectedXSS[] = "reflected-xss"; | 129 static const char reflectedXSS[] = "reflected-xss"; |
131 | 130 |
132 bool isDirectiveName(const String& name) | 131 bool isDirectiveName(const String& name) |
133 { | 132 { |
134 return (equalIgnoringCase(name, connectSrc) | 133 return (equalIgnoringCase(name, connectSrc) |
135 || equalIgnoringCase(name, defaultSrc) | 134 || equalIgnoringCase(name, defaultSrc) |
136 || equalIgnoringCase(name, fontSrc) | 135 || equalIgnoringCase(name, fontSrc) |
137 || equalIgnoringCase(name, frameSrc) | 136 || equalIgnoringCase(name, frameSrc) |
138 || equalIgnoringCase(name, imgSrc) | 137 || equalIgnoringCase(name, imgSrc) |
139 || equalIgnoringCase(name, mediaSrc) | 138 || equalIgnoringCase(name, mediaSrc) |
140 || equalIgnoringCase(name, objectSrc) | 139 || equalIgnoringCase(name, objectSrc) |
141 || equalIgnoringCase(name, reportURI) | 140 || equalIgnoringCase(name, reportURI) |
142 || equalIgnoringCase(name, sandbox) | 141 || equalIgnoringCase(name, sandbox) |
143 || equalIgnoringCase(name, scriptSrc) | 142 || equalIgnoringCase(name, scriptSrc) |
144 || equalIgnoringCase(name, styleSrc) | 143 || equalIgnoringCase(name, styleSrc) |
145 || equalIgnoringCase(name, baseURI) | 144 || equalIgnoringCase(name, baseURI) |
146 || equalIgnoringCase(name, formAction) | 145 || equalIgnoringCase(name, formAction) |
147 || equalIgnoringCase(name, pluginTypes) | 146 || equalIgnoringCase(name, pluginTypes) |
148 || equalIgnoringCase(name, scriptNonce) | |
149 || equalIgnoringCase(name, reflectedXSS) | 147 || equalIgnoringCase(name, reflectedXSS) |
150 ); | 148 ); |
151 } | 149 } |
152 | 150 |
153 UseCounter::Feature getUseCounterType(ContentSecurityPolicy::HeaderType type) | 151 UseCounter::Feature getUseCounterType(ContentSecurityPolicy::HeaderType type) |
154 { | 152 { |
155 switch (type) { | 153 switch (type) { |
156 case ContentSecurityPolicy::PrefixedEnforce: | 154 case ContentSecurityPolicy::PrefixedEnforce: |
157 return UseCounter::PrefixedContentSecurityPolicy; | 155 return UseCounter::PrefixedContentSecurityPolicy; |
158 case ContentSecurityPolicy::Enforce: | 156 case ContentSecurityPolicy::Enforce: |
(...skipping 147 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
306 }; | 304 }; |
307 | 305 |
308 class CSPSourceList { | 306 class CSPSourceList { |
309 public: | 307 public: |
310 CSPSourceList(ContentSecurityPolicy*, const String& directiveName); | 308 CSPSourceList(ContentSecurityPolicy*, const String& directiveName); |
311 | 309 |
312 void parse(const String&); | 310 void parse(const String&); |
313 bool matches(const KURL&); | 311 bool matches(const KURL&); |
314 bool allowInline() const { return m_allowInline; } | 312 bool allowInline() const { return m_allowInline; } |
315 bool allowEval() const { return m_allowEval; } | 313 bool allowEval() const { return m_allowEval; } |
| 314 bool allowNonce(const String& nonce) const { return !nonce.isNull() && m_non
ces.contains(nonce); } |
316 | 315 |
317 private: | 316 private: |
318 void parse(const UChar* begin, const UChar* end); | 317 void parse(const UChar* begin, const UChar* end); |
319 | 318 |
320 bool parseSource(const UChar* begin, const UChar* end, String& scheme, Strin
g& host, int& port, String& path, bool& hostHasWildcard, bool& portHasWildcard); | 319 bool parseSource(const UChar* begin, const UChar* end, String& scheme, Strin
g& host, int& port, String& path, bool& hostHasWildcard, bool& portHasWildcard); |
321 bool parseScheme(const UChar* begin, const UChar* end, String& scheme); | 320 bool parseScheme(const UChar* begin, const UChar* end, String& scheme); |
322 bool parseHost(const UChar* begin, const UChar* end, String& host, bool& hos
tHasWildcard); | 321 bool parseHost(const UChar* begin, const UChar* end, String& host, bool& hos
tHasWildcard); |
323 bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHa
sWildcard); | 322 bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHa
sWildcard); |
324 bool parsePath(const UChar* begin, const UChar* end, String& path); | 323 bool parsePath(const UChar* begin, const UChar* end, String& path); |
| 324 bool parseNonce(const UChar* begin, const UChar* end, String& nonce); |
325 | 325 |
326 void addSourceSelf(); | 326 void addSourceSelf(); |
327 void addSourceStar(); | 327 void addSourceStar(); |
328 void addSourceUnsafeInline(); | 328 void addSourceUnsafeInline(); |
329 void addSourceUnsafeEval(); | 329 void addSourceUnsafeEval(); |
| 330 void addSourceNonce(const String& nonce); |
330 | 331 |
331 ContentSecurityPolicy* m_policy; | 332 ContentSecurityPolicy* m_policy; |
332 Vector<CSPSource> m_list; | 333 Vector<CSPSource> m_list; |
333 String m_directiveName; | 334 String m_directiveName; |
334 bool m_allowStar; | 335 bool m_allowStar; |
335 bool m_allowInline; | 336 bool m_allowInline; |
336 bool m_allowEval; | 337 bool m_allowEval; |
| 338 HashSet<String> m_nonces; |
337 }; | 339 }; |
338 | 340 |
339 CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& direct
iveName) | 341 CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& direct
iveName) |
340 : m_policy(policy) | 342 : m_policy(policy) |
341 , m_directiveName(directiveName) | 343 , m_directiveName(directiveName) |
342 , m_allowStar(false) | 344 , m_allowStar(false) |
343 , m_allowInline(false) | 345 , m_allowInline(false) |
344 , m_allowEval(false) | 346 , m_allowEval(false) |
345 { | 347 { |
346 } | 348 } |
(...skipping 84 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
431 if (equalIgnoringCase("'unsafe-inline'", begin, end - begin)) { | 433 if (equalIgnoringCase("'unsafe-inline'", begin, end - begin)) { |
432 addSourceUnsafeInline(); | 434 addSourceUnsafeInline(); |
433 return true; | 435 return true; |
434 } | 436 } |
435 | 437 |
436 if (equalIgnoringCase("'unsafe-eval'", begin, end - begin)) { | 438 if (equalIgnoringCase("'unsafe-eval'", begin, end - begin)) { |
437 addSourceUnsafeEval(); | 439 addSourceUnsafeEval(); |
438 return true; | 440 return true; |
439 } | 441 } |
440 | 442 |
| 443 String nonce; |
| 444 if (!parseNonce(begin, end, nonce)) |
| 445 return false; |
| 446 |
| 447 if (!nonce.isNull()) { |
| 448 addSourceNonce(nonce); |
| 449 return true; |
| 450 } |
| 451 |
441 const UChar* position = begin; | 452 const UChar* position = begin; |
442 const UChar* beginHost = begin; | 453 const UChar* beginHost = begin; |
443 const UChar* beginPath = end; | 454 const UChar* beginPath = end; |
444 const UChar* beginPort = 0; | 455 const UChar* beginPort = 0; |
445 | 456 |
446 skipWhile<isNotColonOrSlash>(position, end); | 457 skipWhile<isNotColonOrSlash>(position, end); |
447 | 458 |
448 if (position == end) { | 459 if (position == end) { |
449 // host | 460 // host |
450 // ^ | 461 // ^ |
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
510 } | 521 } |
511 | 522 |
512 if (beginPath != end) { | 523 if (beginPath != end) { |
513 if (!parsePath(beginPath, end, path)) | 524 if (!parsePath(beginPath, end, path)) |
514 return false; | 525 return false; |
515 } | 526 } |
516 | 527 |
517 return true; | 528 return true; |
518 } | 529 } |
519 | 530 |
| 531 // nonce-source = "'nonce-" nonce-value "'" |
| 532 // nonce-value = *( ALPHA / DIGIT ) |
| 533 // |
| 534 bool CSPSourceList::parseNonce(const UChar* begin, const UChar* end, String& non
ce) |
| 535 { |
| 536 DEFINE_STATIC_LOCAL(const String, noncePrefix, (ASCIILiteral("'nonce-"))); |
| 537 |
| 538 if (!equalIgnoringCase(noncePrefix.characters(), begin, noncePrefix.length()
)) |
| 539 return true; |
| 540 |
| 541 const UChar* position = begin + noncePrefix.length(); |
| 542 const UChar* nonceBegin = position; |
| 543 |
| 544 skipWhile<isNonceCharacter>(position, end); |
| 545 ASSERT(nonceBegin <= position); |
| 546 nonce = String(nonceBegin, position - nonceBegin); |
| 547 |
| 548 if ((position + 1) != end && *position != '\'') |
| 549 return false; |
| 550 |
| 551 return true; |
| 552 } |
| 553 |
520 // ; <scheme> production from RFC 3986 | 554 // ; <scheme> production from RFC 3986 |
521 // scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) | 555 // scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) |
522 // | 556 // |
523 bool CSPSourceList::parseScheme(const UChar* begin, const UChar* end, String& sc
heme) | 557 bool CSPSourceList::parseScheme(const UChar* begin, const UChar* end, String& sc
heme) |
524 { | 558 { |
525 ASSERT(begin <= end); | 559 ASSERT(begin <= end); |
526 ASSERT(scheme.isEmpty()); | 560 ASSERT(scheme.isEmpty()); |
527 | 561 |
528 if (begin == end) | 562 if (begin == end) |
529 return false; | 563 return false; |
(...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
647 void CSPSourceList::addSourceUnsafeInline() | 681 void CSPSourceList::addSourceUnsafeInline() |
648 { | 682 { |
649 m_allowInline = true; | 683 m_allowInline = true; |
650 } | 684 } |
651 | 685 |
652 void CSPSourceList::addSourceUnsafeEval() | 686 void CSPSourceList::addSourceUnsafeEval() |
653 { | 687 { |
654 m_allowEval = true; | 688 m_allowEval = true; |
655 } | 689 } |
656 | 690 |
| 691 void CSPSourceList::addSourceNonce(const String& nonce) |
| 692 { |
| 693 m_nonces.add(nonce); |
| 694 } |
| 695 |
657 class CSPDirective { | 696 class CSPDirective { |
658 public: | 697 public: |
659 CSPDirective(const String& name, const String& value, ContentSecurityPolicy*
policy) | 698 CSPDirective(const String& name, const String& value, ContentSecurityPolicy*
policy) |
660 : m_name(name) | 699 : m_name(name) |
661 , m_text(name + ' ' + value) | 700 , m_text(name + ' ' + value) |
662 , m_policy(policy) | 701 , m_policy(policy) |
663 { | 702 { |
664 } | 703 } |
665 | 704 |
666 const String& text() const { return m_text; } | 705 const String& text() const { return m_text; } |
667 | 706 |
668 protected: | 707 protected: |
669 const ContentSecurityPolicy* policy() const { return m_policy; } | 708 const ContentSecurityPolicy* policy() const { return m_policy; } |
670 | 709 |
671 private: | 710 private: |
672 String m_name; | 711 String m_name; |
673 String m_text; | 712 String m_text; |
674 ContentSecurityPolicy* m_policy; | 713 ContentSecurityPolicy* m_policy; |
675 }; | 714 }; |
676 | 715 |
677 class NonceDirective : public CSPDirective { | |
678 public: | |
679 NonceDirective(const String& name, const String& value, ContentSecurityPolic
y* policy) | |
680 : CSPDirective(name, value, policy) | |
681 { | |
682 parse(value); | |
683 } | |
684 | |
685 bool allows(const String& nonce) const | |
686 { | |
687 return (!m_scriptNonce.isEmpty() && nonce.stripWhiteSpace() == m_scriptN
once); | |
688 } | |
689 | |
690 private: | |
691 void parse(const String& value) | |
692 { | |
693 String nonce; | |
694 const UChar* position = value.characters(); | |
695 const UChar* end = position + value.length(); | |
696 | |
697 skipWhile<isASCIISpace>(position, end); | |
698 const UChar* nonceBegin = position; | |
699 if (position == end) { | |
700 policy()->reportInvalidNonce(String()); | |
701 m_scriptNonce = ""; | |
702 return; | |
703 } | |
704 skipWhile<isNonceCharacter>(position, end); | |
705 if (nonceBegin < position) | |
706 nonce = String(nonceBegin, position - nonceBegin); | |
707 | |
708 // Trim off trailing whitespace: If we're not at the end of the string,
log | |
709 // an error. | |
710 skipWhile<isASCIISpace>(position, end); | |
711 if (position < end) { | |
712 policy()->reportInvalidNonce(value); | |
713 m_scriptNonce = ""; | |
714 } else | |
715 m_scriptNonce = nonce; | |
716 } | |
717 | |
718 String m_scriptNonce; | |
719 }; | |
720 | |
721 class MediaListDirective : public CSPDirective { | 716 class MediaListDirective : public CSPDirective { |
722 public: | 717 public: |
723 MediaListDirective(const String& name, const String& value, ContentSecurityP
olicy* policy) | 718 MediaListDirective(const String& name, const String& value, ContentSecurityP
olicy* policy) |
724 : CSPDirective(name, value, policy) | 719 : CSPDirective(name, value, policy) |
725 { | 720 { |
726 parse(value); | 721 parse(value); |
727 } | 722 } |
728 | 723 |
729 bool allows(const String& type) | 724 bool allows(const String& type) |
730 { | 725 { |
(...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
803 m_sourceList.parse(value); | 798 m_sourceList.parse(value); |
804 } | 799 } |
805 | 800 |
806 bool allows(const KURL& url) | 801 bool allows(const KURL& url) |
807 { | 802 { |
808 return m_sourceList.matches(url.isEmpty() ? policy()->url() : url); | 803 return m_sourceList.matches(url.isEmpty() ? policy()->url() : url); |
809 } | 804 } |
810 | 805 |
811 bool allowInline() const { return m_sourceList.allowInline(); } | 806 bool allowInline() const { return m_sourceList.allowInline(); } |
812 bool allowEval() const { return m_sourceList.allowEval(); } | 807 bool allowEval() const { return m_sourceList.allowEval(); } |
| 808 bool allowNonce(const String& nonce) const { return m_sourceList.allowNonce(
nonce.stripWhiteSpace()); } |
813 | 809 |
814 private: | 810 private: |
815 CSPSourceList m_sourceList; | 811 CSPSourceList m_sourceList; |
816 }; | 812 }; |
817 | 813 |
818 class CSPDirectiveList { | 814 class CSPDirectiveList { |
819 WTF_MAKE_FAST_ALLOCATED; | 815 WTF_MAKE_FAST_ALLOCATED; |
820 public: | 816 public: |
821 static PassOwnPtr<CSPDirectiveList> create(ContentSecurityPolicy*, const Str
ing&, ContentSecurityPolicy::HeaderType); | 817 static PassOwnPtr<CSPDirectiveList> create(ContentSecurityPolicy*, const Str
ing&, ContentSecurityPolicy::HeaderType); |
822 | 818 |
823 const String& header() const { return m_header; } | 819 const String& header() const { return m_header; } |
824 ContentSecurityPolicy::HeaderType headerType() const { return m_headerType;
} | 820 ContentSecurityPolicy::HeaderType headerType() const { return m_headerType;
} |
825 | 821 |
826 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber&
contextLine, ContentSecurityPolicy::ReportingStatus) const; | 822 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber&
contextLine, ContentSecurityPolicy::ReportingStatus) const; |
827 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu
mber& contextLine, ContentSecurityPolicy::ReportingStatus) const; | 823 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNu
mber& contextLine, ContentSecurityPolicy::ReportingStatus) const; |
828 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c
ontextLine, ContentSecurityPolicy::ReportingStatus) const; | 824 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& c
ontextLine, ContentSecurityPolicy::ReportingStatus) const; |
829 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co
ntextLine, ContentSecurityPolicy::ReportingStatus) const; | 825 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& co
ntextLine, ContentSecurityPolicy::ReportingStatus) const; |
830 bool allowEval(ScriptState*, ContentSecurityPolicy::ReportingStatus) const; | 826 bool allowEval(ScriptState*, ContentSecurityPolicy::ReportingStatus) const; |
831 bool allowScriptNonce(const String& nonce, const String& contextURL, const W
TF::OrdinalNumber& contextLine, const KURL&) const; | |
832 bool allowPluginType(const String& type, const String& typeAttribute, const
KURL&, ContentSecurityPolicy::ReportingStatus) const; | 827 bool allowPluginType(const String& type, const String& typeAttribute, const
KURL&, ContentSecurityPolicy::ReportingStatus) const; |
833 | 828 |
834 bool allowScriptFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; | 829 bool allowScriptFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; |
835 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; | 830 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStat
us) const; |
836 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::Reporting
Status) const; | 831 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::Reporting
Status) const; |
837 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 832 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
838 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 833 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
839 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus
) const; | 834 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus
) const; |
840 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 835 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
841 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; | 836 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatu
s) const; |
842 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co
nst; | 837 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) co
nst; |
843 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const
; | 838 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const
; |
| 839 bool allowScriptNonce(const String&) const; |
844 | 840 |
845 void gatherReportURIs(DOMStringList&) const; | 841 void gatherReportURIs(DOMStringList&) const; |
846 const String& evalDisabledErrorMessage() { return m_evalDisabledErrorMessage
; } | 842 const String& evalDisabledErrorMessage() { return m_evalDisabledErrorMessage
; } |
847 ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() con
st { return m_reflectedXSSDisposition; } | 843 ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() con
st { return m_reflectedXSSDisposition; } |
848 bool isReportOnly() const { return m_reportOnly; } | 844 bool isReportOnly() const { return m_reportOnly; } |
849 const Vector<KURL>& reportURIs() const { return m_reportURIs; } | 845 const Vector<KURL>& reportURIs() const { return m_reportURIs; } |
850 | 846 |
851 private: | 847 private: |
852 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType); | 848 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType); |
853 | 849 |
854 void parse(const String&); | 850 void parse(const String&); |
855 | 851 |
856 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri
ng& value); | 852 bool parseDirective(const UChar* begin, const UChar* end, String& name, Stri
ng& value); |
857 void parseReportURI(const String& name, const String& value); | 853 void parseReportURI(const String& name, const String& value); |
858 void parseScriptNonce(const String& name, const String& value); | |
859 void parsePluginTypes(const String& name, const String& value); | 854 void parsePluginTypes(const String& name, const String& value); |
860 void parseReflectedXSS(const String& name, const String& value); | 855 void parseReflectedXSS(const String& name, const String& value); |
861 void addDirective(const String& name, const String& value); | 856 void addDirective(const String& name, const String& value); |
862 void applySandboxPolicy(const String& name, const String& sandboxPolicy); | 857 void applySandboxPolicy(const String& name, const String& sandboxPolicy); |
863 | 858 |
864 template <class CSPDirectiveType> | 859 template <class CSPDirectiveType> |
865 void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDire
ctiveType>&); | 860 void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDire
ctiveType>&); |
866 | 861 |
867 SourceListDirective* operativeDirective(SourceListDirective*) const; | 862 SourceListDirective* operativeDirective(SourceListDirective*) const; |
868 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL = KURL(), const Str
ing& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::Ordinal
Number::beforeFirst(), ScriptState* = 0) const; | 863 void reportViolation(const String& directiveText, const String& effectiveDir
ective, const String& consoleMessage, const KURL& blockedURL = KURL(), const Str
ing& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::Ordinal
Number::beforeFirst(), ScriptState* = 0) const; |
869 | 864 |
870 bool checkEval(SourceListDirective*) const; | 865 bool checkEval(SourceListDirective*) const; |
871 bool checkInline(SourceListDirective*) const; | 866 bool checkInline(SourceListDirective*) const; |
872 bool checkNonce(NonceDirective*, const String&) const; | 867 bool checkNonce(SourceListDirective*, const String&) const; |
873 bool checkSource(SourceListDirective*, const KURL&) const; | 868 bool checkSource(SourceListDirective*, const KURL&) const; |
874 bool checkMediaType(MediaListDirective*, const String& type, const String& t
ypeAttribute) const; | 869 bool checkMediaType(MediaListDirective*, const String& type, const String& t
ypeAttribute) const; |
875 | 870 |
876 void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisable
dErrorMessage = errorMessage; } | 871 void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisable
dErrorMessage = errorMessage; } |
877 | 872 |
878 bool checkEvalAndReportViolation(SourceListDirective*, const String& console
Message, const String& contextURL = String(), const WTF::OrdinalNumber& contextL
ine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const; | 873 bool checkEvalAndReportViolation(SourceListDirective*, const String& console
Message, const String& contextURL = String(), const WTF::OrdinalNumber& contextL
ine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const; |
879 bool checkInlineAndReportViolation(SourceListDirective*, const String& conso
leMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool
isScript) const; | 874 bool checkInlineAndReportViolation(SourceListDirective*, const String& conso
leMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool
isScript) const; |
880 bool checkNonceAndReportViolation(NonceDirective*, const String& nonce, cons
t String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& co
ntextLine) const; | |
881 | 875 |
882 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const
String& effectiveDirective) const; | 876 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const
String& effectiveDirective) const; |
883 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& typ
e, const String& typeAttribute, const String& consoleMessage) const; | 877 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& typ
e, const String& typeAttribute, const String& consoleMessage) const; |
884 | 878 |
885 bool denyIfEnforcingPolicy() const { return m_reportOnly; } | 879 bool denyIfEnforcingPolicy() const { return m_reportOnly; } |
886 | 880 |
887 ContentSecurityPolicy* m_policy; | 881 ContentSecurityPolicy* m_policy; |
888 | 882 |
889 String m_header; | 883 String m_header; |
890 ContentSecurityPolicy::HeaderType m_headerType; | 884 ContentSecurityPolicy::HeaderType m_headerType; |
891 | 885 |
892 bool m_reportOnly; | 886 bool m_reportOnly; |
893 bool m_haveSandboxPolicy; | 887 bool m_haveSandboxPolicy; |
894 ContentSecurityPolicy::ReflectedXSSDisposition m_reflectedXSSDisposition; | 888 ContentSecurityPolicy::ReflectedXSSDisposition m_reflectedXSSDisposition; |
895 | 889 |
896 OwnPtr<MediaListDirective> m_pluginTypes; | 890 OwnPtr<MediaListDirective> m_pluginTypes; |
897 OwnPtr<NonceDirective> m_scriptNonce; | |
898 OwnPtr<SourceListDirective> m_baseURI; | 891 OwnPtr<SourceListDirective> m_baseURI; |
899 OwnPtr<SourceListDirective> m_connectSrc; | 892 OwnPtr<SourceListDirective> m_connectSrc; |
900 OwnPtr<SourceListDirective> m_defaultSrc; | 893 OwnPtr<SourceListDirective> m_defaultSrc; |
901 OwnPtr<SourceListDirective> m_fontSrc; | 894 OwnPtr<SourceListDirective> m_fontSrc; |
902 OwnPtr<SourceListDirective> m_formAction; | 895 OwnPtr<SourceListDirective> m_formAction; |
903 OwnPtr<SourceListDirective> m_frameSrc; | 896 OwnPtr<SourceListDirective> m_frameSrc; |
904 OwnPtr<SourceListDirective> m_imgSrc; | 897 OwnPtr<SourceListDirective> m_imgSrc; |
905 OwnPtr<SourceListDirective> m_mediaSrc; | 898 OwnPtr<SourceListDirective> m_mediaSrc; |
906 OwnPtr<SourceListDirective> m_objectSrc; | 899 OwnPtr<SourceListDirective> m_objectSrc; |
907 OwnPtr<SourceListDirective> m_scriptSrc; | 900 OwnPtr<SourceListDirective> m_scriptSrc; |
(...skipping 39 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
947 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const | 940 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const |
948 { | 941 { |
949 return !directive || directive->allowEval(); | 942 return !directive || directive->allowEval(); |
950 } | 943 } |
951 | 944 |
952 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const | 945 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const |
953 { | 946 { |
954 return !directive || directive->allowInline(); | 947 return !directive || directive->allowInline(); |
955 } | 948 } |
956 | 949 |
957 bool CSPDirectiveList::checkNonce(NonceDirective* directive, const String& nonce
) const | 950 bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String&
nonce) const |
958 { | 951 { |
959 return !directive || directive->allows(nonce); | 952 return !directive || directive->allowNonce(nonce); |
960 } | 953 } |
961 | 954 |
962 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl) const | 955 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& u
rl) const |
963 { | 956 { |
964 return !directive || directive->allows(url); | 957 return !directive || directive->allows(url); |
965 } | 958 } |
966 | 959 |
967 bool CSPDirectiveList::checkMediaType(MediaListDirective* directive, const Strin
g& type, const String& typeAttribute) const | 960 bool CSPDirectiveList::checkMediaType(MediaListDirective* directive, const Strin
g& type, const String& typeAttribute) const |
968 { | 961 { |
969 if (!directive) | 962 if (!directive) |
(...skipping 18 matching lines...) Expand all Loading... |
988 suffix = " Note that 'script-src' was not explicitly set, so 'default-sr
c' is used as a fallback."; | 981 suffix = " Note that 'script-src' was not explicitly set, so 'default-sr
c' is used as a fallback."; |
989 | 982 |
990 reportViolation(directive->text(), scriptSrc, consoleMessage + "\"" + direct
ive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, state); | 983 reportViolation(directive->text(), scriptSrc, consoleMessage + "\"" + direct
ive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, state); |
991 if (!m_reportOnly) { | 984 if (!m_reportOnly) { |
992 m_policy->reportBlockedScriptExecutionToInspector(directive->text()); | 985 m_policy->reportBlockedScriptExecutionToInspector(directive->text()); |
993 return false; | 986 return false; |
994 } | 987 } |
995 return true; | 988 return true; |
996 } | 989 } |
997 | 990 |
998 bool CSPDirectiveList::checkNonceAndReportViolation(NonceDirective* directive, c
onst String& nonce, const String& consoleMessage, const String& contextURL, cons
t WTF::OrdinalNumber& contextLine) const | |
999 { | |
1000 if (checkNonce(directive, nonce)) | |
1001 return true; | |
1002 reportViolation(directive->text(), scriptNonce, consoleMessage + "\"" + dire
ctive->text() + "\".\n", KURL(), contextURL, contextLine); | |
1003 return denyIfEnforcingPolicy(); | |
1004 } | |
1005 | |
1006 bool CSPDirectiveList::checkMediaTypeAndReportViolation(MediaListDirective* dire
ctive, const String& type, const String& typeAttribute, const String& consoleMes
sage) const | 991 bool CSPDirectiveList::checkMediaTypeAndReportViolation(MediaListDirective* dire
ctive, const String& type, const String& typeAttribute, const String& consoleMes
sage) const |
1007 { | 992 { |
1008 if (checkMediaType(directive, type, typeAttribute)) | 993 if (checkMediaType(directive, type, typeAttribute)) |
1009 return true; | 994 return true; |
1010 | 995 |
1011 String message = makeString(consoleMessage, "\'", directive->text(), "\'."); | 996 String message = makeString(consoleMessage, "\'", directive->text(), "\'."); |
1012 if (typeAttribute.isEmpty()) | 997 if (typeAttribute.isEmpty()) |
1013 message = message + " When enforcing the 'plugin-types' directive, the p
lugin's media type must be explicitly declared with a 'type' attribute on the co
ntaining element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>')."; | 998 message = message + " When enforcing the 'plugin-types' directive, the p
lugin's media type must be explicitly declared with a 'type' attribute on the co
ntaining element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>')."; |
1014 | 999 |
1015 reportViolation(directive->text(), pluginTypes, message + "\n", KURL()); | 1000 reportViolation(directive->text(), pluginTypes, message + "\n", KURL()); |
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1067 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; | 1052 suffix = " Note that '" + effectiveDirective + "' was not explicitly set
, so 'default-src' is used as a fallback."; |
1068 | 1053 |
1069 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url); | 1054 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt
ring() + "' because it violates the following Content Security Policy directive:
\"" + directive->text() + "\"." + suffix + "\n", url); |
1070 return denyIfEnforcingPolicy(); | 1055 return denyIfEnforcingPolicy(); |
1071 } | 1056 } |
1072 | 1057 |
1073 bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::
OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStat
us) const | 1058 bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::
OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStat
us) const |
1074 { | 1059 { |
1075 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execut
e JavaScript URL because it violates the following Content Security Policy direc
tive: "))); | 1060 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execut
e JavaScript URL because it violates the following Content Security Policy direc
tive: "))); |
1076 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 1061 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
1077 return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get
()), consoleMessage, contextURL, contextLine, true) | 1062 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get(
)), consoleMessage, contextURL, contextLine, true); |
1078 && checkNonceAndReportViolation(m_scriptNonce.get(), String(), c
onsoleMessage, contextURL, contextLine)); | |
1079 } else { | 1063 } else { |
1080 return (checkInline(operativeDirective(m_scriptSrc.get())) | 1064 return checkInline(operativeDirective(m_scriptSrc.get())); |
1081 && checkNonce(m_scriptNonce.get(), String())); | |
1082 } | 1065 } |
1083 } | 1066 } |
1084 | 1067 |
1085 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const
WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin
gStatus) const | 1068 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const
WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin
gStatus) const |
1086 { | 1069 { |
1087 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execut
e inline event handler because it violates the following Content Security Policy
directive: "))); | 1070 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execut
e inline event handler because it violates the following Content Security Policy
directive: "))); |
1088 if (reportingStatus == ContentSecurityPolicy::SendReport) { | 1071 if (reportingStatus == ContentSecurityPolicy::SendReport) { |
1089 return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get
()), consoleMessage, contextURL, contextLine, true) | 1072 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get(
)), consoleMessage, contextURL, contextLine, true); |
1090 && checkNonceAndReportViolation(m_scriptNonce.get(), String(), c
onsoleMessage, contextURL, contextLine)); | |
1091 } else { | 1073 } else { |
1092 return (checkInline(operativeDirective(m_scriptSrc.get())) | 1074 return checkInline(operativeDirective(m_scriptSrc.get())); |
1093 && checkNonce(m_scriptNonce.get(), String())); | |
1094 } | 1075 } |
1095 } | 1076 } |
1096 | 1077 |
1097 bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::Or
dinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus
) const | 1078 bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::Or
dinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus
) const |
1098 { | 1079 { |
1099 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execut
e inline script because it violates the following Content Security Policy direct
ive: "))); | 1080 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execut
e inline script because it violates the following Content Security Policy direct
ive: "))); |
1100 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1081 return reportingStatus == ContentSecurityPolicy::SendReport ? |
1101 checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), con
soleMessage, contextURL, contextLine, true) : | 1082 checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), con
soleMessage, contextURL, contextLine, true) : |
1102 checkInline(operativeDirective(m_scriptSrc.get())); | 1083 checkInline(operativeDirective(m_scriptSrc.get())); |
1103 } | 1084 } |
1104 | 1085 |
1105 bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::Ord
inalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus)
const | 1086 bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::Ord
inalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus)
const |
1106 { | 1087 { |
1107 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to apply
inline style because it violates the following Content Security Policy directive
: "))); | 1088 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to apply
inline style because it violates the following Content Security Policy directive
: "))); |
1108 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1089 return reportingStatus == ContentSecurityPolicy::SendReport ? |
1109 checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), cons
oleMessage, contextURL, contextLine, false) : | 1090 checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), cons
oleMessage, contextURL, contextLine, false) : |
1110 checkInline(operativeDirective(m_styleSrc.get())); | 1091 checkInline(operativeDirective(m_styleSrc.get())); |
1111 } | 1092 } |
1112 | 1093 |
1113 bool CSPDirectiveList::allowEval(ScriptState* state, ContentSecurityPolicy::Repo
rtingStatus reportingStatus) const | 1094 bool CSPDirectiveList::allowEval(ScriptState* state, ContentSecurityPolicy::Repo
rtingStatus reportingStatus) const |
1114 { | 1095 { |
1115 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to evalua
te script because it violates the following Content Security Policy directive: "
))); | 1096 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to evalua
te script because it violates the following Content Security Policy directive: "
))); |
1116 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1097 return reportingStatus == ContentSecurityPolicy::SendReport ? |
1117 checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), conso
leMessage, String(), WTF::OrdinalNumber::beforeFirst(), state) : | 1098 checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), conso
leMessage, String(), WTF::OrdinalNumber::beforeFirst(), state) : |
1118 checkEval(operativeDirective(m_scriptSrc.get())); | 1099 checkEval(operativeDirective(m_scriptSrc.get())); |
1119 } | 1100 } |
1120 | 1101 |
1121 bool CSPDirectiveList::allowScriptNonce(const String& nonce, const String& conte
xtURL, const WTF::OrdinalNumber& contextLine, const KURL& url) const | |
1122 { | |
1123 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execut
e script because it violates the following Content Security Policy directive: ")
)); | |
1124 if (url.isEmpty()) | |
1125 return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, consoleM
essage, contextURL, contextLine); | |
1126 return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, "Refused to
load '" + url.elidedString() + "' because it violates the following Content Secu
rity Policy directive: ", contextURL, contextLine); | |
1127 } | |
1128 | |
1129 bool CSPDirectiveList::allowPluginType(const String& type, const String& typeAtt
ribute, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
const | 1102 bool CSPDirectiveList::allowPluginType(const String& type, const String& typeAtt
ribute, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
const |
1130 { | 1103 { |
1131 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1104 return reportingStatus == ContentSecurityPolicy::SendReport ? |
1132 checkMediaTypeAndReportViolation(m_pluginTypes.get(), type, typeAttribut
e, "Refused to load '" + url.elidedString() + "' (MIME type '" + typeAttribute +
"') because it violates the following Content Security Policy Directive: ") : | 1105 checkMediaTypeAndReportViolation(m_pluginTypes.get(), type, typeAttribut
e, "Refused to load '" + url.elidedString() + "' (MIME type '" + typeAttribute +
"') because it violates the following Content Security Policy Directive: ") : |
1133 checkMediaType(m_pluginTypes.get(), type, typeAttribute); | 1106 checkMediaType(m_pluginTypes.get(), type, typeAttribute); |
1134 } | 1107 } |
1135 | 1108 |
1136 bool CSPDirectiveList::allowScriptFromSource(const KURL& url, ContentSecurityPol
icy::ReportingStatus reportingStatus) const | 1109 bool CSPDirectiveList::allowScriptFromSource(const KURL& url, ContentSecurityPol
icy::ReportingStatus reportingStatus) const |
1137 { | 1110 { |
1138 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1111 return reportingStatus == ContentSecurityPolicy::SendReport ? |
(...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1206 checkSource(m_formAction.get(), url); | 1179 checkSource(m_formAction.get(), url); |
1207 } | 1180 } |
1208 | 1181 |
1209 bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::Repo
rtingStatus reportingStatus) const | 1182 bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::Repo
rtingStatus reportingStatus) const |
1210 { | 1183 { |
1211 return reportingStatus == ContentSecurityPolicy::SendReport ? | 1184 return reportingStatus == ContentSecurityPolicy::SendReport ? |
1212 checkSourceAndReportViolation(m_baseURI.get(), url, baseURI) : | 1185 checkSourceAndReportViolation(m_baseURI.get(), url, baseURI) : |
1213 checkSource(m_baseURI.get(), url); | 1186 checkSource(m_baseURI.get(), url); |
1214 } | 1187 } |
1215 | 1188 |
| 1189 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const |
| 1190 { |
| 1191 return checkNonce(operativeDirective(m_scriptSrc.get()), nonce); |
| 1192 } |
| 1193 |
1216 // policy = directive-list | 1194 // policy = directive-list |
1217 // directive-list = [ directive *( ";" [ directive ] ) ] | 1195 // directive-list = [ directive *( ";" [ directive ] ) ] |
1218 // | 1196 // |
1219 void CSPDirectiveList::parse(const String& policy) | 1197 void CSPDirectiveList::parse(const String& policy) |
1220 { | 1198 { |
1221 m_header = policy; | 1199 m_header = policy; |
1222 if (policy.isEmpty()) | 1200 if (policy.isEmpty()) |
1223 return; | 1201 return; |
1224 | 1202 |
1225 const UChar* position = policy.characters(); | 1203 const UChar* position = policy.characters(); |
(...skipping 186 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1412 applySandboxPolicy(name, value); | 1390 applySandboxPolicy(name, value); |
1413 else if (equalIgnoringCase(name, reportURI)) | 1391 else if (equalIgnoringCase(name, reportURI)) |
1414 parseReportURI(name, value); | 1392 parseReportURI(name, value); |
1415 else if (m_policy->experimentalFeaturesEnabled()) { | 1393 else if (m_policy->experimentalFeaturesEnabled()) { |
1416 if (equalIgnoringCase(name, baseURI)) | 1394 if (equalIgnoringCase(name, baseURI)) |
1417 setCSPDirective<SourceListDirective>(name, value, m_baseURI); | 1395 setCSPDirective<SourceListDirective>(name, value, m_baseURI); |
1418 else if (equalIgnoringCase(name, formAction)) | 1396 else if (equalIgnoringCase(name, formAction)) |
1419 setCSPDirective<SourceListDirective>(name, value, m_formAction); | 1397 setCSPDirective<SourceListDirective>(name, value, m_formAction); |
1420 else if (equalIgnoringCase(name, pluginTypes)) | 1398 else if (equalIgnoringCase(name, pluginTypes)) |
1421 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); | 1399 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes); |
1422 else if (equalIgnoringCase(name, scriptNonce)) | |
1423 setCSPDirective<NonceDirective>(name, value, m_scriptNonce); | |
1424 else if (equalIgnoringCase(name, reflectedXSS)) | 1400 else if (equalIgnoringCase(name, reflectedXSS)) |
1425 parseReflectedXSS(name, value); | 1401 parseReflectedXSS(name, value); |
1426 else | 1402 else |
1427 m_policy->reportUnsupportedDirective(name); | 1403 m_policy->reportUnsupportedDirective(name); |
1428 } | 1404 } |
1429 else | 1405 else |
1430 m_policy->reportUnsupportedDirective(name); | 1406 m_policy->reportUnsupportedDirective(name); |
1431 } | 1407 } |
1432 | 1408 |
1433 ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecu
tionContext) | 1409 ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecu
tionContext) |
(...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1519 template<bool (CSPDirectiveList::*allowed)(const String&, const WTF::OrdinalNumb
er&, ContentSecurityPolicy::ReportingStatus) const> | 1495 template<bool (CSPDirectiveList::*allowed)(const String&, const WTF::OrdinalNumb
er&, ContentSecurityPolicy::ReportingStatus) const> |
1520 bool isAllowedByAllWithContext(const CSPDirectiveListVector& policies, const Str
ing& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::R
eportingStatus reportingStatus) | 1496 bool isAllowedByAllWithContext(const CSPDirectiveListVector& policies, const Str
ing& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::R
eportingStatus reportingStatus) |
1521 { | 1497 { |
1522 for (size_t i = 0; i < policies.size(); ++i) { | 1498 for (size_t i = 0; i < policies.size(); ++i) { |
1523 if (!(policies[i].get()->*allowed)(contextURL, contextLine, reportingSta
tus)) | 1499 if (!(policies[i].get()->*allowed)(contextURL, contextLine, reportingSta
tus)) |
1524 return false; | 1500 return false; |
1525 } | 1501 } |
1526 return true; | 1502 return true; |
1527 } | 1503 } |
1528 | 1504 |
1529 template<bool (CSPDirectiveList::*allowed)(const String&, const String&, const W
TF::OrdinalNumber&, const KURL&) const> | 1505 template<bool (CSPDirectiveList::*allowed)(const String&) const> |
1530 bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const Strin
g& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const
KURL& url) | 1506 bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const Strin
g& nonce) |
1531 { | 1507 { |
1532 for (size_t i = 0; i < policies.size(); ++i) { | 1508 for (size_t i = 0; i < policies.size(); ++i) { |
1533 if (!(policies[i].get()->*allowed)(nonce, contextURL, contextLine, url)) | 1509 if (!(policies[i].get()->*allowed)(nonce)) |
1534 return false; | 1510 return false; |
1535 } | 1511 } |
1536 return true; | 1512 return true; |
1537 } | 1513 } |
1538 | |
1539 template<bool (CSPDirectiveList::*allowFromURL)(const KURL&, ContentSecurityPoli
cy::ReportingStatus) const> | 1514 template<bool (CSPDirectiveList::*allowFromURL)(const KURL&, ContentSecurityPoli
cy::ReportingStatus) const> |
1540 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& u
rl, ContentSecurityPolicy::ReportingStatus reportingStatus) | 1515 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& u
rl, ContentSecurityPolicy::ReportingStatus reportingStatus) |
1541 { | 1516 { |
1542 if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol())) | 1517 if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol())) |
1543 return true; | 1518 return true; |
1544 | 1519 |
1545 for (size_t i = 0; i < policies.size(); ++i) { | 1520 for (size_t i = 0; i < policies.size(); ++i) { |
1546 if (!(policies[i].get()->*allowFromURL)(url, reportingStatus)) | 1521 if (!(policies[i].get()->*allowFromURL)(url, reportingStatus)) |
1547 return false; | 1522 return false; |
1548 } | 1523 } |
(...skipping 29 matching lines...) Expand all Loading... |
1578 | 1553 |
1579 String ContentSecurityPolicy::evalDisabledErrorMessage() const | 1554 String ContentSecurityPolicy::evalDisabledErrorMessage() const |
1580 { | 1555 { |
1581 for (size_t i = 0; i < m_policies.size(); ++i) { | 1556 for (size_t i = 0; i < m_policies.size(); ++i) { |
1582 if (!m_policies[i]->allowEval(0, SuppressReport)) | 1557 if (!m_policies[i]->allowEval(0, SuppressReport)) |
1583 return m_policies[i]->evalDisabledErrorMessage(); | 1558 return m_policies[i]->evalDisabledErrorMessage(); |
1584 } | 1559 } |
1585 return String(); | 1560 return String(); |
1586 } | 1561 } |
1587 | 1562 |
1588 bool ContentSecurityPolicy::allowScriptNonce(const String& nonce, const String&
contextURL, const WTF::OrdinalNumber& contextLine, const KURL& url) const | |
1589 { | |
1590 return isAllowedByAllWithNonce<&CSPDirectiveList::allowScriptNonce>(m_polici
es, nonce, contextURL, contextLine, url); | |
1591 } | |
1592 | |
1593 bool ContentSecurityPolicy::allowPluginType(const String& type, const String& ty
peAttribute, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingSt
atus) const | 1563 bool ContentSecurityPolicy::allowPluginType(const String& type, const String& ty
peAttribute, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingSt
atus) const |
1594 { | 1564 { |
1595 for (size_t i = 0; i < m_policies.size(); ++i) { | 1565 for (size_t i = 0; i < m_policies.size(); ++i) { |
1596 if (!m_policies[i]->allowPluginType(type, typeAttribute, url, reportingS
tatus)) | 1566 if (!m_policies[i]->allowPluginType(type, typeAttribute, url, reportingS
tatus)) |
1597 return false; | 1567 return false; |
1598 } | 1568 } |
1599 return true; | 1569 return true; |
1600 } | 1570 } |
1601 | 1571 |
1602 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url, ContentSecuri
tyPolicy::ReportingStatus reportingStatus) const | 1572 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url, ContentSecuri
tyPolicy::ReportingStatus reportingStatus) const |
1603 { | 1573 { |
1604 return isAllowedByAllWithURL<&CSPDirectiveList::allowScriptFromSource>(m_pol
icies, url, reportingStatus); | 1574 return isAllowedByAllWithURL<&CSPDirectiveList::allowScriptFromSource>(m_pol
icies, url, reportingStatus); |
1605 } | 1575 } |
1606 | 1576 |
| 1577 bool ContentSecurityPolicy::allowScriptNonce(const String& nonce) const |
| 1578 { |
| 1579 return isAllowedByAllWithNonce<&CSPDirectiveList::allowScriptNonce>(m_polici
es, nonce); |
| 1580 } |
| 1581 |
1607 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecuri
tyPolicy::ReportingStatus reportingStatus) const | 1582 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecuri
tyPolicy::ReportingStatus reportingStatus) const |
1608 { | 1583 { |
1609 return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_pol
icies, url, reportingStatus); | 1584 return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_pol
icies, url, reportingStatus); |
1610 } | 1585 } |
1611 | 1586 |
1612 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url, ContentSe
curityPolicy::ReportingStatus reportingStatus) const | 1587 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url, ContentSe
curityPolicy::ReportingStatus reportingStatus) const |
1613 { | 1588 { |
1614 return isAllowedByAllWithURL<&CSPDirectiveList::allowChildFrameFromSource>(m
_policies, url, reportingStatus); | 1589 return isAllowedByAllWithURL<&CSPDirectiveList::allowChildFrameFromSource>(m
_policies, url, reportingStatus); |
1615 } | 1590 } |
1616 | 1591 |
(...skipping 270 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1887 { | 1862 { |
1888 if (context && context->isDocument()) { | 1863 if (context && context->isDocument()) { |
1889 Document* document = toDocument(context); | 1864 Document* document = toDocument(context); |
1890 if (document->frame()) | 1865 if (document->frame()) |
1891 return document->frame()->script()->shouldBypassMainWorldContentSecu
rityPolicy(); | 1866 return document->frame()->script()->shouldBypassMainWorldContentSecu
rityPolicy(); |
1892 } | 1867 } |
1893 return false; | 1868 return false; |
1894 } | 1869 } |
1895 | 1870 |
1896 } | 1871 } |
OLD | NEW |