Upstream version 11.39.250.0
[platform/framework/web/crosswalk.git] / src / third_party / WebKit / Source / core / frame / csp / CSPDirectiveList.cpp
index 5ced854..bd3be5a 100644 (file)
@@ -5,12 +5,14 @@
 #include "config.h"
 #include "core/frame/csp/CSPDirectiveList.h"
 
+#include "core/dom/Document.h"
 #include "core/frame/LocalFrame.h"
+#include "core/inspector/ConsoleMessage.h"
 #include "platform/ParsingUtilities.h"
 #include "platform/weborigin/KURL.h"
 #include "wtf/text/WTFString.h"
 
-namespace WebCore {
+namespace blink {
 
 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurityPolicyHeaderType type, ContentSecurityPolicyHeaderSource source)
     : m_policy(policy)
@@ -35,7 +37,7 @@ PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* pol
         directives->setEvalDisabledErrorMessage(message);
     }
 
-    if (directives->isReportOnly() && directives->reportURIs().isEmpty())
+    if (directives->isReportOnly() && directives->reportEndpoints().isEmpty())
         policy->reportMissingReportURI(String(begin, end - begin));
 
     return directives.release();
@@ -44,22 +46,31 @@ PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* pol
 void CSPDirectiveList::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL) const
 {
     String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
-    m_policy->client()->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message);
-    m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportURIs, m_header);
+    m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message));
+    m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header);
 }
 
-void CSPDirectiveList::reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
+void CSPDirectiveList::reportViolationWithFrame(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, LocalFrame* frame) const
 {
     String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
-    m_policy->client()->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message, contextURL, contextLine.oneBasedInt());
-    m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportURIs, m_header);
+    m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message), frame);
+    m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header, frame);
 }
 
-void CSPDirectiveList::reportViolationWithState(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptState* state) const
+void CSPDirectiveList::reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
-    m_policy->client()->addConsoleMessage(SecurityMessageSource, ErrorMessageLevel, message, state);
-    m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportURIs, m_header);
+    m_policy->logToConsole(ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, message, contextURL, contextLine.oneBasedInt()));
+    m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header);
+}
+
+void CSPDirectiveList::reportViolationWithState(const String& directiveText, const String& effectiveDirective, const String& message, const KURL& blockedURL, ScriptState* scriptState) const
+{
+    String reportMessage = m_reportOnly ? "[Report Only] " + message : message;
+    RefPtrWillBeRawPtr<ConsoleMessage> consoleMessage = ConsoleMessage::create(SecurityMessageSource, ErrorMessageLevel, reportMessage);
+    consoleMessage->setScriptState(scriptState);
+    m_policy->logToConsole(consoleMessage.release());
+    m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportEndpoints, m_header);
 }
 
 bool CSPDirectiveList::checkEval(SourceListDirective* directive) const
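Review bot: In the rewritten reportViolationWithState, the call to m_policy->reportViolation passes `message` rather than the prefixed `reportMessage`, so the violation report for an eval violation loses the "[Report Only] " prefix that the console entry still carries. The three sibling functions in this hunk pass the prefixed string to both sinks, and the removed version of this function did as well. If the difference is unintended, pass `reportMessage` as the third argument of `m_policy->reportViolation(...)`. If it is deliberate, a comment such as `// The report deliberately carries the unprefixed message.` would stop the functions from being "fixed" back into agreement later.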
@@ -92,8 +103,9 @@ bool CSPDirectiveList::checkAncestors(SourceListDirective* directive, LocalFrame
     if (!frame || !directive)
         return true;
 
-    for (LocalFrame* current = frame->tree().parent(); current; current = current->tree().parent()) {
-        if (!directive->allows(current->document()->url()))
+    for (Frame* current = frame->tree().parent(); current; current = current->tree().parent()) {
+        // FIXME: To make this work for out-of-process iframes, we need to propagate URL information of ancestor frames across processes.
+        if (!current->isLocalFrame() || !directive->allows(toLocalFrame(current)->document()->url()))
             return false;
     }
     return true;
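Review bot: The new `!current->isLocalFrame()` test makes checkAncestors return false for any ancestor that is not a LocalFrame, which is the safe (fail-closed) direction for frame-ancestors, but the FIXME only says what is missing and not that denial is the intended interim behaviour. I would spell that out, e.g. `// Fail closed: a non-local ancestor's URL is not available here, so it is treated as not allowed.` One consequence worth recording in the same comment is that a report-only policy will presumably emit violation reports for such ancestors even when their URL would have matched. The loop also dereferences `toLocalFrame(current)->document()` without a null check, as the removed line did; the hunk does not show whether a parent frame can lack a document at this point.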
@@ -118,7 +130,7 @@ SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d
     return directive ? directive : override;
 }
 
-bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directive, const String& consoleMessage, ScriptState* state) const
+bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directive, const String& consoleMessage, ScriptState* scriptState) const
 {
     if (checkEval(directive))
         return true;
@@ -127,7 +139,7 @@ bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directiv
     if (directive == m_defaultSrc)
         suffix = " Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.";
 
-    reportViolationWithState(directive->text(), ContentSecurityPolicy::ScriptSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), state);
+    reportViolationWithState(directive->text(), ContentSecurityPolicy::ScriptSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), scriptState);
     if (!m_reportOnly) {
         m_policy->reportBlockedScriptExecutionToInspector(directive->text());
         return false;
@@ -210,12 +222,12 @@ bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct
     return denyIfEnforcingPolicy();
 }
 
-bool CSPDirectiveList::checkAncestorsAndReportViolation(SourceListDirective* directive, LocalFrame* frame) const
+bool CSPDirectiveList::checkAncestorsAndReportViolation(SourceListDirective* directive, LocalFrame* frame, const KURL& url) const
 {
     if (checkAncestors(directive, frame))
         return true;
 
-    reportViolation(directive->text(), "frame-ancestors", "Refused to display '" + frame->document()->url().elidedString() + " in a frame because an ancestor violates the following Content Security Policy directive: \"" + directive->text() + "\".", frame->document()->url());
+    reportViolationWithFrame(directive->text(), "frame-ancestors", "Refused to display '" + url.elidedString() + "' in a frame because an ancestor violates the following Content Security Policy directive: \"" + directive->text() + "\".", url, frame);
     return denyIfEnforcingPolicy();
 }
 
@@ -252,12 +264,12 @@ bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::Ord
         checkInline(operativeDirective(m_styleSrc.get()));
 }
 
-bool CSPDirectiveList::allowEval(ScriptState* state, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool CSPDirectiveList::allowEval(ScriptState* scriptState, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "));
 
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, state) :
+        checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, scriptState) :
         checkEval(operativeDirective(m_scriptSrc.get()));
 }
 
@@ -277,7 +289,7 @@ bool CSPDirectiveList::allowScriptFromSource(const KURL& url, ContentSecurityPol
 
 bool CSPDirectiveList::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
-    if (url.isBlankURL())
+    if (url.protocolIsAbout())
         return true;
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, ContentSecurityPolicy::ObjectSrc) :
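Review bot: Replacing `url.isBlankURL()` with `url.protocolIsAbout()` widens the early `return true` in allowObjectFromSource from blank URLs to every URL with the about: scheme, so those are never matched against object-src; the same change is made to allowChildFrameFromSource in the next hunk. Because this is an unconditional bypass of a policy check, the reason should be recorded at the guard, for example `// about: URLs are exempt from source-list matching because <reason>.`, with the rationale filled in by the author since it is not visible in the diff. A test that loads a non-blank about: URL under a restrictive object-src and frame-src would pin the intended behaviour.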
@@ -286,7 +298,7 @@ bool CSPDirectiveList::allowObjectFromSource(const KURL& url, ContentSecurityPol
 
 bool CSPDirectiveList::allowChildFrameFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
-    if (url.isBlankURL())
+    if (url.protocolIsAbout())
         return true;
 
     // 'frame-src' is the only directive which overrides something other than the default sources.
@@ -354,10 +366,10 @@ bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::Repo
         checkSource(m_baseURI.get(), url);
 }
 
-bool CSPDirectiveList::allowAncestors(LocalFrame* frame, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool CSPDirectiveList::allowAncestors(LocalFrame* frame, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
-        checkAncestorsAndReportViolation(m_frameAncestors.get(), frame) :
+        checkAncestorsAndReportViolation(m_frameAncestors.get(), frame, url) :
         checkAncestors(m_frameAncestors.get(), frame);
 }
 
@@ -471,7 +483,7 @@ bool CSPDirectiveList::parseDirective(const UChar* begin, const UChar* end, Stri
 
 void CSPDirectiveList::parseReportURI(const String& name, const String& value)
 {
-    if (!m_reportURIs.isEmpty()) {
+    if (!m_reportEndpoints.isEmpty()) {
         m_policy->reportDuplicateDirective(name);
         return;
     }
@@ -490,7 +502,7 @@ void CSPDirectiveList::parseReportURI(const String& name, const String& value)
 
         if (urlBegin < position) {
             String url = String(urlBegin, position - urlBegin);
-            m_reportURIs.append(m_policy->completeURL(url));
+            m_reportEndpoints.append(url);
         }
     }
 }
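Review bot: `m_reportEndpoints.append(url)` now stores the raw report-uri token, where the removed line stored the result of `m_policy->completeURL(url)`, so resolution against a base URL no longer happens at parse time. Whatever consumes m_reportEndpoints has to resolve and validate each entry before a report is sent, and that code is outside this diff. A comment at the append would make the contract explicit, e.g. `// Stored unresolved; each endpoint must be completed against the reporting document's URL before a report is sent.` (assuming that is where resolution moved). parseReportURI starts above this hunk, so the tokenising loop is only partly visible.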
@@ -635,6 +647,8 @@ void CSPDirectiveList::addDirective(const String& name, const String& value)
         m_policy->usesScriptHashAlgorithms(m_scriptSrc->hashAlgorithmsUsed());
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::ObjectSrc)) {
         setCSPDirective<SourceListDirective>(name, value, m_objectSrc);
+    } else if (equalIgnoringCase(name, ContentSecurityPolicy::FrameAncestors)) {
+        setCSPDirective<SourceListDirective>(name, value, m_frameAncestors);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::FrameSrc)) {
         setCSPDirective<SourceListDirective>(name, value, m_frameSrc);
     } else if (equalIgnoringCase(name, ContentSecurityPolicy::ImgSrc)) {
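Review bot: Moving the FrameAncestors branch into this part of the chain means frame-ancestors is now parsed alongside object-src and frame-src rather than only inside the later branch it was removed from (the condition guarding that branch is outside the hunk). The CSP specification says frame-ancestors is not supported in policies delivered through a meta element, and nothing visible here consults the `source` the constructor receives; if that filtering is not done elsewhere, it belongs in this branch. At minimum I would add `// frame-ancestors must not take effect for <meta>-delivered policies; confirm the header source is checked before enforcement.` addDirective begins and ends outside the hunk.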
@@ -659,8 +673,6 @@ void CSPDirectiveList::addDirective(const String& name, const String& value)
             setCSPDirective<SourceListDirective>(name, value, m_childSrc);
         else if (equalIgnoringCase(name, ContentSecurityPolicy::FormAction))
             setCSPDirective<SourceListDirective>(name, value, m_formAction);
-        else if (equalIgnoringCase(name, ContentSecurityPolicy::FrameAncestors))
-            setCSPDirective<SourceListDirective>(name, value, m_frameAncestors);
         else if (equalIgnoringCase(name, ContentSecurityPolicy::PluginTypes))
             setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
         else if (equalIgnoringCase(name, ContentSecurityPolicy::ReflectedXSS))
@@ -675,5 +687,4 @@ void CSPDirectiveList::addDirective(const String& name, const String& value)
 }
 
 
-} // namespace WebCore
-
+} // namespace blink