2 * Copyright (C) 2011 Google, Inc. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #ifndef ContentSecurityPolicy_h
27 #define ContentSecurityPolicy_h
29 #include "bindings/core/v8/ScriptState.h"
30 #include "core/dom/ExecutionContext.h"
31 #include "core/frame/ConsoleTypes.h"
32 #include "platform/network/ContentSecurityPolicyParsers.h"
33 #include "platform/network/HTTPParsers.h"
34 #include "platform/weborigin/ReferrerPolicy.h"
35 #include "wtf/HashSet.h"
36 #include "wtf/PassOwnPtr.h"
37 #include "wtf/PassRefPtr.h"
38 #include "wtf/RefCounted.h"
39 #include "wtf/Vector.h"
40 #include "wtf/text/StringHash.h"
41 #include "wtf/text/TextPosition.h"
42 #include "wtf/text/WTFString.h"
// Forward declarations: only references/pointers to these types appear below
// (didReceiveHeaders() takes a const& and m_policies holds OwnPtrs).
class ContentSecurityPolicyResponseHeaders;
class CSPDirectiveList;

// Sandbox flags travel as a plain int; presumably a bitmask given
// enforceSandboxFlags() and m_sandboxMask below -- confirm against the flag definitions.
typedef int SandboxFlags;
// Owning vector of parsed policy directive lists; backs m_policies
// (presumably one CSPDirectiveList per policy header added via addPolicyFromHeaderValue()).
typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector;
// Vector of ConsoleMessage references (WillBe*/RefPtrWillBeMember are the
// transitional GC-aware wrappers); backs m_consoleMessages.
typedef WillBePersistentHeapVector<RefPtrWillBeMember<ConsoleMessage> > ConsoleMessageVector;
62 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> {
63 WTF_MAKE_FAST_ALLOCATED;
66 static const char ConnectSrc[];
67 static const char DefaultSrc[];
68 static const char FontSrc[];
69 static const char FrameSrc[];
70 static const char ImgSrc[];
71 static const char MediaSrc[];
72 static const char ObjectSrc[];
73 static const char ReportURI[];
74 static const char Sandbox[];
75 static const char ScriptSrc[];
76 static const char StyleSrc[];
78 // CSP Level 2 Directives
79 static const char BaseURI[];
80 static const char ChildSrc[];
81 static const char FormAction[];
82 static const char FrameAncestors[];
83 static const char PluginTypes[];
84 static const char ReflectedXSS[];
85 static const char Referrer[];
87 // Manifest Directives (to be merged into CSP Level 2)
88 // https://w3c.github.io/manifest/#content-security-policy
89 static const char ManifestSrc[];
91 enum ReportingStatus {
// Factory: allocates a fresh policy and hands the initial reference to the
// caller through PassRefPtr (adoptRef takes over the new allocation).
// The returned object has not been associated with an ExecutionContext yet;
// presumably callers follow up with bindToExecutionContext().
static PassRefPtr<ContentSecurityPolicy> create()
{
    ContentSecurityPolicy* freshPolicy = new ContentSecurityPolicy();
    return adoptRef(freshPolicy);
}
100 ~ContentSecurityPolicy();
102 void bindToExecutionContext(ExecutionContext*);
103 void copyStateFrom(const ContentSecurityPolicy*);
105 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
106 void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
108 // These functions are wrong because they assume that there is only one header.
109 // FIXME: Replace them with functions that return vectors.
110 const String& deprecatedHeader() const;
111 ContentSecurityPolicyHeaderType deprecatedHeaderType() const;
113 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
114 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
115 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
116 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
117 bool allowEval(ScriptState* = 0, ReportingStatus = SendReport) const;
118 bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ReportingStatus = SendReport) const;
120 bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const;
121 bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const;
122 bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) const;
123 bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const;
124 bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const;
125 bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const;
126 bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const;
127 bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const;
128 bool allowFormAction(const KURL&, ReportingStatus = SendReport) const;
129 bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const;
130 bool allowAncestors(LocalFrame*, const KURL&, ReportingStatus = SendReport) const;
131 bool allowChildContextFromSource(const KURL&, ReportingStatus = SendReport) const;
132 bool allowWorkerContextFromSource(const KURL&, ReportingStatus = SendReport) const;
134 bool allowManifestFromSource(const KURL&, ReportingStatus = SendReport) const;
136 // The nonce and hash allow functions are guaranteed to not have any side
137 // effects, including reporting.
// Nonce/Hash functions check all policies relating to use of a script/style
// with the given nonce/hash and return true if all CSP policies allow it.
// If these return true, callers can then process the content or
// issue a load and may safely disable any further CSP checks.
142 bool allowScriptWithNonce(const String& nonce) const;
143 bool allowStyleWithNonce(const String& nonce) const;
144 bool allowScriptWithHash(const String& source) const;
145 bool allowStyleWithHash(const String& source) const;
147 void usesScriptHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm);
148 void usesStyleHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm);
150 ReflectedXSSDisposition reflectedXSSDisposition() const;
152 ReferrerPolicy referrerPolicy() const;
153 bool didSetReferrerPolicy() const;
155 void setOverrideAllowInlineStyle(bool);
156 void setOverrideURLForSelf(const KURL&);
158 bool isActive() const;
160 // If a frame is passed in, the message will be logged to its active document's console.
161 // Otherwise, the message will be logged to this object's |m_executionContext|.
162 void logToConsole(PassRefPtrWillBeRawPtr<ConsoleMessage>, LocalFrame* = 0);
164 void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression);
165 void reportDuplicateDirective(const String&);
166 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value);
167 void reportInvalidPathCharacter(const String& directiveName, const String& value, const char);
168 void reportInvalidPluginTypes(const String&);
169 void reportInvalidSandboxFlags(const String&);
170 void reportInvalidSourceExpression(const String& directiveName, const String& source);
171 void reportInvalidReflectedXSS(const String&);
172 void reportMissingReportURI(const String&);
173 void reportUnsupportedDirective(const String&);
174 void reportInvalidInReportOnly(const String&);
175 void reportInvalidReferrer(const String&);
176 void reportReportOnlyInMeta(const String&);
177 void reportMetaOutsideHead(const String&);
179 // If a frame is passed in, the report will be sent using it as a context. If no frame is
180 // passed in, the report will be sent via this object's |m_executionContext| (or dropped
181 // on the floor if no such context is available).
182 void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<String>& reportEndpoints, const String& header, LocalFrame* = 0);
184 void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
186 const KURL url() const;
187 void enforceSandboxFlags(SandboxFlags);
188 String evalDisabledErrorMessage() const;
190 bool urlMatchesSelf(const KURL&) const;
191 bool protocolMatchesSelf(const KURL&) const;
193 bool experimentalFeaturesEnabled() const;
195 static bool shouldBypassMainWorld(ExecutionContext*);
197 static bool isDirectiveName(const String&);
200 ContentSecurityPolicy();
202 void applyPolicySideEffectsToExecutionContext();
204 Document* document() const;
205 SecurityOrigin* securityOrigin() const;
206 KURL completeURL(const String&) const;
208 void logToConsole(const String& message, MessageLevel = ErrorMessageLevel);
209 void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
211 bool shouldSendViolationReport(const String&) const;
212 void didSendViolationReport(const String&);
214 ExecutionContext* m_executionContext;
215 bool m_overrideInlineStyleAllowed;
216 CSPDirectiveListVector m_policies;
217 ConsoleMessageVector m_consoleMessages;
219 HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
// We record the hash algorithms used on the policy object so that we only need
// to calculate each hash once and then distribute it to all of the directives
224 uint8_t m_scriptHashAlgorithmsUsed;
225 uint8_t m_styleHashAlgorithmsUsed;
227 // State flags used to configure the environment after parsing a policy.
228 SandboxFlags m_sandboxMask;
229 ReferrerPolicy m_referrerPolicy;
230 String m_disableEvalErrorMessage;
232 OwnPtr<CSPSource> m_selfSource;
233 String m_selfProtocol;