Side by Side Diff: Source/core/page/ContentSecurityPolicy.cpp

Issue 22572005: Remove all uses of the ASCIILiteral class. (Closed) Base URL: svn://svn.chromium.org/blink/trunk
Patch Set: rm it from wtf Created 7 years, 4 months ago
1 /* 1 /*
2 * Copyright (C) 2011 Google, Inc. All rights reserved. 2 * Copyright (C) 2011 Google, Inc. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
6 * are met: 6 * are met:
7 * 1. Redistributions of source code must retain the above copyright 7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer. 8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright 9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the 10 * notice, this list of conditions and the following disclaimer in the
(...skipping 503 matching lines...) Expand 10 before | Expand all | Expand 10 after
514 } 514 }
515 515
516 return true; 516 return true;
517 } 517 }
518 518
519 // nonce-source = "'nonce-" nonce-value "'" 519 // nonce-source = "'nonce-" nonce-value "'"
520 // nonce-value = 1*( ALPHA / DIGIT / "+" / "/" ) 520 // nonce-value = 1*( ALPHA / DIGIT / "+" / "/" )
521 // 521 //
522 bool CSPSourceList::parseNonce(const UChar* begin, const UChar* end, String& non ce) 522 bool CSPSourceList::parseNonce(const UChar* begin, const UChar* end, String& non ce)
523 { 523 {
524 DEFINE_STATIC_LOCAL(const String, noncePrefix, (ASCIILiteral("'nonce-"))); 524 DEFINE_STATIC_LOCAL(const String, noncePrefix, ("'nonce-"));
525 525
526 if (!equalIgnoringCase(noncePrefix.characters8(), begin, noncePrefix.length( ))) 526 if (!equalIgnoringCase(noncePrefix.characters8(), begin, noncePrefix.length( )))
527 return true; 527 return true;
528 528
529 const UChar* position = begin + noncePrefix.length(); 529 const UChar* position = begin + noncePrefix.length();
530 const UChar* nonceBegin = position; 530 const UChar* nonceBegin = position;
531 531
532 skipWhile<isNonceCharacter>(position, end); 532 skipWhile<isNonceCharacter>(position, end);
533 ASSERT(nonceBegin <= position); 533 ASSERT(nonceBegin <= position);
534 534
(...skipping 506 matching lines...) Expand 10 before | Expand all | Expand 10 after
1041 String suffix = String(); 1041 String suffix = String();
1042 if (directive == m_defaultSrc) 1042 if (directive == m_defaultSrc)
1043 suffix = " Note that '" + effectiveDirective + "' was not explicitly set , so 'default-src' is used as a fallback."; 1043 suffix = " Note that '" + effectiveDirective + "' was not explicitly set , so 'default-src' is used as a fallback.";
1044 1044
1045 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt ring() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\"." + suffix + "\n", url); 1045 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedSt ring() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\"." + suffix + "\n", url);
1046 return denyIfEnforcingPolicy(); 1046 return denyIfEnforcingPolicy();
1047 } 1047 }
1048 1048
1049 bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF:: OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStat us) const 1049 bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF:: OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStat us) const
1050 { 1050 {
1051 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execut e JavaScript URL because it violates the following Content Security Policy direc tive: "))); 1051 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "));
1052 if (reportingStatus == ContentSecurityPolicy::SendReport) { 1052 if (reportingStatus == ContentSecurityPolicy::SendReport) {
1053 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get( )), consoleMessage, contextURL, contextLine, true); 1053 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get( )), consoleMessage, contextURL, contextLine, true);
1054 } else { 1054 } else {
1055 return checkInline(operativeDirective(m_scriptSrc.get())); 1055 return checkInline(operativeDirective(m_scriptSrc.get()));
1056 } 1056 }
1057 } 1057 }
1058 1058
1059 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin gStatus) const 1059 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportin gStatus) const
1060 { 1060 {
1061 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execut e inline event handler because it violates the following Content Security Policy directive: "))); 1061 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline even t handler because it violates the following Content Security Policy directive: " ));
1062 if (reportingStatus == ContentSecurityPolicy::SendReport) { 1062 if (reportingStatus == ContentSecurityPolicy::SendReport) {
1063 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get( )), consoleMessage, contextURL, contextLine, true); 1063 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get( )), consoleMessage, contextURL, contextLine, true);
1064 } else { 1064 } else {
1065 return checkInline(operativeDirective(m_scriptSrc.get())); 1065 return checkInline(operativeDirective(m_scriptSrc.get()));
1066 } 1066 }
1067 } 1067 }
1068 1068
1069 bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::Or dinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus ) const 1069 bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::Or dinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus ) const
1070 { 1070 {
1071 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execut e inline script because it violates the following Content Security Policy direct ive: "))); 1071 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline scri pt because it violates the following Content Security Policy directive: "));
1072 return reportingStatus == ContentSecurityPolicy::SendReport ? 1072 return reportingStatus == ContentSecurityPolicy::SendReport ?
1073 checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), con soleMessage, contextURL, contextLine, true) : 1073 checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), con soleMessage, contextURL, contextLine, true) :
1074 checkInline(operativeDirective(m_scriptSrc.get())); 1074 checkInline(operativeDirective(m_scriptSrc.get()));
1075 } 1075 }
1076 1076
1077 bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::Ord inalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1077 bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::Ord inalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
1078 { 1078 {
1079 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to apply inline style because it violates the following Content Security Policy directive : "))); 1079 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because it violates the following Content Security Policy directive: "));
1080 return reportingStatus == ContentSecurityPolicy::SendReport ? 1080 return reportingStatus == ContentSecurityPolicy::SendReport ?
1081 checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), cons oleMessage, contextURL, contextLine, false) : 1081 checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), cons oleMessage, contextURL, contextLine, false) :
1082 checkInline(operativeDirective(m_styleSrc.get())); 1082 checkInline(operativeDirective(m_styleSrc.get()));
1083 } 1083 }
1084 1084
1085 bool CSPDirectiveList::allowEval(ScriptState* state, ContentSecurityPolicy::Repo rtingStatus reportingStatus) const 1085 bool CSPDirectiveList::allowEval(ScriptState* state, ContentSecurityPolicy::Repo rtingStatus reportingStatus) const
1086 { 1086 {
1087 DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to evalua te a string as JavaScript because 'unsafe-eval' is not an allowed source of scri pt in the following Content Security Policy directive: "))); 1087 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate a string a s JavaScript because 'unsafe-eval' is not an allowed source of script in the fol lowing Content Security Policy directive: "));
1088 1088
1089 return reportingStatus == ContentSecurityPolicy::SendReport ? 1089 return reportingStatus == ContentSecurityPolicy::SendReport ?
1090 checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), conso leMessage, String(), WTF::OrdinalNumber::beforeFirst(), state) : 1090 checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), conso leMessage, String(), WTF::OrdinalNumber::beforeFirst(), state) :
1091 checkEval(operativeDirective(m_scriptSrc.get())); 1091 checkEval(operativeDirective(m_scriptSrc.get()));
1092 } 1092 }
1093 1093
1094 bool CSPDirectiveList::allowPluginType(const String& type, const String& typeAtt ribute, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1094 bool CSPDirectiveList::allowPluginType(const String& type, const String& typeAtt ribute, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
1095 { 1095 {
1096 return reportingStatus == ContentSecurityPolicy::SendReport ? 1096 return reportingStatus == ContentSecurityPolicy::SendReport ?
1097 checkMediaTypeAndReportViolation(m_pluginTypes.get(), type, typeAttribut e, "Refused to load '" + url.elidedString() + "' (MIME type '" + typeAttribute + "') because it violates the following Content Security Policy Directive: ") : 1097 checkMediaTypeAndReportViolation(m_pluginTypes.get(), type, typeAttribut e, "Refused to load '" + url.elidedString() + "' (MIME type '" + typeAttribute + "') because it violates the following Content Security Policy Directive: ") :
(...skipping 684 matching lines...) Expand 10 before | Expand all | Expand 10 after
1782 RefPtr<FormData> report = FormData::create(stringifiedReport.utf8()); 1782 RefPtr<FormData> report = FormData::create(stringifiedReport.utf8());
1783 1783
1784 for (size_t i = 0; i < reportURIs.size(); ++i) 1784 for (size_t i = 0; i < reportURIs.size(); ++i)
1785 PingLoader::sendViolationReport(frame, reportURIs[i], report, PingLoader ::ContentSecurityPolicyViolationReport); 1785 PingLoader::sendViolationReport(frame, reportURIs[i], report, PingLoader ::ContentSecurityPolicyViolationReport);
1786 1786
1787 didSendViolationReport(stringifiedReport); 1787 didSendViolationReport(stringifiedReport);
1788 } 1788 }
1789 1789
1790 void ContentSecurityPolicy::reportUnsupportedDirective(const String& name) const 1790 void ContentSecurityPolicy::reportUnsupportedDirective(const String& name) const
1791 { 1791 {
1792 DEFINE_STATIC_LOCAL(String, allow, (ASCIILiteral("allow"))); 1792 DEFINE_STATIC_LOCAL(String, allow, ("allow"));
1793 DEFINE_STATIC_LOCAL(String, options, (ASCIILiteral("options"))); 1793 DEFINE_STATIC_LOCAL(String, options, ("options"));
1794 DEFINE_STATIC_LOCAL(String, policyURI, (ASCIILiteral("policy-uri"))); 1794 DEFINE_STATIC_LOCAL(String, policyURI, ("policy-uri"));
1795 DEFINE_STATIC_LOCAL(String, allowMessage, (ASCIILiteral("The 'allow' directi ve has been replaced with 'default-src'. Please use that directive instead, as ' allow' has no effect."))); 1795 DEFINE_STATIC_LOCAL(String, allowMessage, ("The 'allow' directive has been r eplaced with 'default-src'. Please use that directive instead, as 'allow' has no effect."));
1796 DEFINE_STATIC_LOCAL(String, optionsMessage, (ASCIILiteral("The 'options' dir ective has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressio ns for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect."))); 1796 DEFINE_STATIC_LOCAL(String, optionsMessage, ("The 'options' directive has be en replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 's cript-src' and 'style-src' directives. Please use those directives instead, as ' options' has no effect."));
1797 DEFINE_STATIC_LOCAL(String, policyURIMessage, (ASCIILiteral("The 'policy-uri ' directive has been removed from the specification. Please specify a complete p olicy via the Content-Security-Policy header."))); 1797 DEFINE_STATIC_LOCAL(String, policyURIMessage, ("The 'policy-uri' directive h as been removed from the specification. Please specify a complete policy via the Content-Security-Policy header."));
1798 1798
1799 String message = "Unrecognized Content-Security-Policy directive '" + name + "'.\n"; 1799 String message = "Unrecognized Content-Security-Policy directive '" + name + "'.\n";
1800 if (equalIgnoringCase(name, allow)) 1800 if (equalIgnoringCase(name, allow))
1801 message = allowMessage; 1801 message = allowMessage;
1802 else if (equalIgnoringCase(name, options)) 1802 else if (equalIgnoringCase(name, options))
1803 message = optionsMessage; 1803 message = optionsMessage;
1804 else if (equalIgnoringCase(name, policyURI)) 1804 else if (equalIgnoringCase(name, policyURI))
1805 message = policyURIMessage; 1805 message = policyURIMessage;
1806 1806
1807 logToConsole(message); 1807 logToConsole(message);
(...skipping 97 matching lines...) Expand 10 before | Expand all | Expand 10 after
1905 // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report. 1905 // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
1906 return !m_violationReportsSent.contains(report.impl()->hash()); 1906 return !m_violationReportsSent.contains(report.impl()->hash());
1907 } 1907 }
1908 1908
1909 void ContentSecurityPolicy::didSendViolationReport(const String& report) 1909 void ContentSecurityPolicy::didSendViolationReport(const String& report)
1910 { 1910 {
1911 m_violationReportsSent.add(report.impl()->hash()); 1911 m_violationReportsSent.add(report.impl()->hash());
1912 } 1912 }
1913 1913
1914 } // namespace WebCore 1914 } // namespace WebCore
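Review bot: In CSPSourceList::parseNonce (new side, old line 526) `equalIgnoringCase(noncePrefix.characters8(), begin, noncePrefix.length())` compares `noncePrefix.length()` characters of `begin` without first checking that the token actually spans that many characters, so a source token shorter than the seven-character prefix is read past `end`; the change to a plain `"'nonce-"` literal keeps the same 8-bit prefix but does not address this. Whether the caller guarantees a minimum token length is not visible here, so the guard should be made local: `if (static_cast<size_t>(end - begin) < noncePrefix.length() || !equalIgnoringCase(noncePrefix.characters8(), begin, noncePrefix.length()))`. parseNonce's body continues past the collapsed region after old line 534, and the same early-`return true` path is worth a one-line comment stating that a non-nonce token is not an error for this parser. Separately, allowJavaScriptURLs and allowInlineEventHandlers spell the reporting branch as `if/else` while the sibling allowInlineScript/allowInlineStyle/allowEval use the conditional expression; aligning them would make the five functions read as one pattern.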