#ifndef ContentSecurityPolicy_h
#define ContentSecurityPolicy_h
-#include "bindings/v8/ScriptState.h"
-#include "core/dom/Document.h"
+#include "bindings/core/v8/ScriptState.h"
+#include "core/dom/ExecutionContext.h"
+#include "core/frame/ConsoleTypes.h"
#include "platform/network/ContentSecurityPolicyParsers.h"
#include "platform/network/HTTPParsers.h"
#include "platform/weborigin/ReferrerPolicy.h"
class OrdinalNumber;
}
-namespace WebCore {
+namespace blink {
class ContentSecurityPolicyResponseHeaders;
class CSPDirectiveList;
class DOMStringList;
+class Document;
class JSONObject;
class KURL;
-class ExecutionContextClient;
class SecurityOrigin;
typedef int SandboxFlags;
static const char ReflectedXSS[];
static const char Referrer[];
- static PassRefPtr<ContentSecurityPolicy> create(ExecutionContextClient* client)
+ static PassRefPtr<ContentSecurityPolicy> create(ExecutionContext* executionContext)
{
- return adoptRef(new ContentSecurityPolicy(client));
+ return adoptRef(new ContentSecurityPolicy(executionContext));
}
~ContentSecurityPolicy();
// The nonce and hash allow functions are guaranteed to not have any side
// effects, including reporting.
- bool allowScriptNonce(const String& nonce) const;
- bool allowStyleNonce(const String& nonce) const;
- bool allowScriptHash(const String& source) const;
- bool allowStyleHash(const String& source) const;
+ // Nonce/Hash functions check all policies relating to use of a script/style
+ // with the given nonce/hash and return true all CSP policies allow it.
+ // If these return true, callers can then process the content or
+ // issue a load and be safe disabling any further CSP checks.
+ bool allowScriptWithNonce(const String& nonce) const;
+ bool allowStyleWithNonce(const String& nonce) const;
+ bool allowScriptWithHash(const String& source) const;
+ bool allowStyleWithHash(const String& source) const;
void usesScriptHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm);
void usesStyleHashAlgorithms(uint8_t ContentSecurityPolicyHashAlgorithm);
static bool isDirectiveName(const String&);
- ExecutionContextClient* client() const { return m_client; }
- Document* document() const { return client()->isDocument() ? toDocument(client()) : 0; }
+ ExecutionContext* executionContext() const { return m_executionContext; }
private:
- explicit ContentSecurityPolicy(ExecutionContextClient*);
+ explicit ContentSecurityPolicy(ExecutionContext*);
- void logToConsole(const String& message) const;
+ Document* document() const;
+
+ void logToConsole(const String& message, MessageLevel = ErrorMessageLevel) const;
void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
bool shouldSendViolationReport(const String&) const;
void didSendViolationReport(const String&);
- ExecutionContextClient* m_client;
+ ExecutionContext* m_executionContext;
bool m_overrideInlineStyleAllowed;
CSPDirectiveListVector m_policies;
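Review bot: The new comment above allowScriptWithNonce/allowStyleWithNonce/allowScriptWithHash/allowStyleWithHash drops a word ("return true all CSP policies allow it") and the third sentence promises more than the declaration shows: callers are told they can "be safe disabling any further CSP checks", but nothing in this hunk establishes that a nonce/hash match also satisfies every other directive a policy set may carry, so that sentence is best stated as a requirement on the implementation rather than as a blanket guarantee. I would tighten it to `// with the given nonce/hash and return true only if every CSP policy allows it.` and rephrase the last two lines as `// A true result means the nonce/hash check has been performed for all policies and the caller need not repeat it; it does not exempt the resource from other directives.`. The new private `logToConsole(const String& message, MessageLevel = ErrorMessageLevel)` could also use a one-line comment saying what non-error levels are used for, since the default argument is the only hint. The ContentSecurityPolicy class body continues past the end of this hunk, so I cannot see whether the renamed functions are documented elsewhere.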