projects / platform / framework / web / crosswalk.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Upstream version 10.39.225.0
[platform/framework/web/crosswalk.git] / src / third_party / WebKit / Source / core / frame / csp / ContentSecurityPolicy.h
diff --git a/src/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h b/src/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
index 203b433..55690b5 100644 (file)
--- a/src/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
+++ b/src/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.h
@@ -48,15 +48,16 @@ class OrdinalNumber;
 namespace blink {
 
 class ContentSecurityPolicyResponseHeaders;
+class ConsoleMessage;
 class CSPDirectiveList;
-class DOMStringList;
+class CSPSource;
 class Document;
-class JSONObject;
 class KURL;
 class SecurityOrigin;
 
 typedef int SandboxFlags;
 typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector;
+typedef WillBePersistentHeapVector<RefPtrWillBeMember<ConsoleMessage> > ConsoleMessageVector;
 
 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> {
     WTF_MAKE_FAST_ALLOCATED;
@@ -83,19 +84,20 @@ public:
     static const char ReflectedXSS[];
     static const char Referrer[];
 
-    static PassRefPtr<ContentSecurityPolicy> create(ExecutionContext* executionContext)
+    enum ReportingStatus {
+        SendReport,
+        SuppressReport
+    };
+
+    static PassRefPtr<ContentSecurityPolicy> create()
     {
-        return adoptRef(new ContentSecurityPolicy(executionContext));
+        return adoptRef(new ContentSecurityPolicy());
     }
     ~ContentSecurityPolicy();
 
+    void bindToExecutionContext(ExecutionContext*);
     void copyStateFrom(const ContentSecurityPolicy*);
 
-    enum ReportingStatus {
-        SendReport,
-        SuppressReport
-    };
-
     void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
     void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
 
@@ -121,7 +123,7 @@ public:
     bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const;
     bool allowFormAction(const KURL&, ReportingStatus = SendReport) const;
     bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const;
-    bool allowAncestors(LocalFrame*, ReportingStatus = SendReport) const;
+    bool allowAncestors(LocalFrame*, const KURL&, ReportingStatus = SendReport) const;
     bool allowChildContextFromSource(const KURL&, ReportingStatus = SendReport) const;
     bool allowWorkerContextFromSource(const KURL&, ReportingStatus = SendReport) const;
 
@@ -145,47 +147,59 @@ public:
     bool didSetReferrerPolicy() const;
 
     void setOverrideAllowInlineStyle(bool);
+    void setOverrideURLForSelf(const KURL&);
 
     bool isActive() const;
 
-    void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression) const;
-    void reportDuplicateDirective(const String&) const;
-    void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
-    void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
-    void reportInvalidPluginTypes(const String&) const;
-    void reportInvalidSandboxFlags(const String&) const;
-    void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
-    void reportInvalidReflectedXSS(const String&) const;
-    void reportMissingReportURI(const String&) const;
-    void reportUnsupportedDirective(const String&) const;
-    void reportInvalidInReportOnly(const String&) const;
-    void reportInvalidReferrer(const String&) const;
-    void reportReportOnlyInMeta(const String&) const;
-    void reportMetaOutsideHead(const String&) const;
-    void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header);
+    // If a frame is passed in, the message will be logged to its active document's console.
+    // Otherwise, the message will be logged to this object's |m_executionContext|.
+    void logToConsole(PassRefPtrWillBeRawPtr<ConsoleMessage>, LocalFrame* = 0);
+
+    void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression);
+    void reportDuplicateDirective(const String&);
+    void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value);
+    void reportInvalidPathCharacter(const String& directiveName, const String& value, const char);
+    void reportInvalidPluginTypes(const String&);
+    void reportInvalidSandboxFlags(const String&);
+    void reportInvalidSourceExpression(const String& directiveName, const String& source);
+    void reportInvalidReflectedXSS(const String&);
+    void reportMissingReportURI(const String&);
+    void reportUnsupportedDirective(const String&);
+    void reportInvalidInReportOnly(const String&);
+    void reportInvalidReferrer(const String&);
+    void reportReportOnlyInMeta(const String&);
+    void reportMetaOutsideHead(const String&);
+
+    // If a frame is passed in, the report will be sent using it as a context. If no frame is
+    // passed in, the report will be sent via this object's |m_executionContext| (or dropped
+    // on the floor if no such context is available).
+    void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<String>& reportEndpoints, const String& header, LocalFrame* = 0);
 
     void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
 
     const KURL url() const;
-    KURL completeURL(const String&) const;
-    SecurityOrigin* securityOrigin() const;
-    void enforceSandboxFlags(SandboxFlags) const;
+    void enforceSandboxFlags(SandboxFlags);
     String evalDisabledErrorMessage() const;
 
+    bool urlMatchesSelf(const KURL&) const;
+    bool protocolMatchesSelf(const KURL&) const;
+
     bool experimentalFeaturesEnabled() const;
 
     static bool shouldBypassMainWorld(ExecutionContext*);
 
     static bool isDirectiveName(const String&);
 
-    ExecutionContext* executionContext() const { return m_executionContext; }
-
 private:
-    explicit ContentSecurityPolicy(ExecutionContext*);
+    ContentSecurityPolicy();
+
+    void applyPolicySideEffectsToExecutionContext();
 
     Document* document() const;
+    SecurityOrigin* securityOrigin() const;
+    KURL completeURL(const String&) const;
 
-    void logToConsole(const String& message, MessageLevel = ErrorMessageLevel) const;
+    void logToConsole(const String& message, MessageLevel = ErrorMessageLevel);
     void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
 
     bool shouldSendViolationReport(const String&) const;
@@ -194,6 +208,7 @@ private:
     ExecutionContext* m_executionContext;
     bool m_overrideInlineStyleAllowed;
     CSPDirectiveListVector m_policies;
+    ConsoleMessageVector m_consoleMessages;
 
     HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
 
@@ -202,6 +217,13 @@ private:
     // for validation.
     uint8_t m_scriptHashAlgorithmsUsed;
     uint8_t m_styleHashAlgorithmsUsed;
+
+    // State flags used to configure the environment after parsing a policy.
+    SandboxFlags m_sandboxMask;
+    ReferrerPolicy m_referrerPolicy;
+    String m_disableEvalErrorMessage;
+
+    OwnPtr<CSPSource> m_selfSource;
 };
 
 }
Domain: Web Framework / Uncategorized;