namespace blink {
class ContentSecurityPolicyResponseHeaders;
+class ConsoleMessage;
class CSPDirectiveList;
-class DOMStringList;
+class CSPSource;
class Document;
-class JSONObject;
class KURL;
class SecurityOrigin;
typedef int SandboxFlags;
typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector;
+typedef WillBePersistentHeapVector<RefPtrWillBeMember<ConsoleMessage> > ConsoleMessageVector;
class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> {
WTF_MAKE_FAST_ALLOCATED;
static const char ReflectedXSS[];
static const char Referrer[];
- static PassRefPtr<ContentSecurityPolicy> create(ExecutionContext* executionContext)
+ enum ReportingStatus {
+ SendReport,
+ SuppressReport
+ };
+
+ static PassRefPtr<ContentSecurityPolicy> create()
{
- return adoptRef(new ContentSecurityPolicy(executionContext));
+ return adoptRef(new ContentSecurityPolicy());
}
~ContentSecurityPolicy();
+ void bindToExecutionContext(ExecutionContext*);
void copyStateFrom(const ContentSecurityPolicy*);
- enum ReportingStatus {
- SendReport,
- SuppressReport
- };
-
void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const;
bool allowFormAction(const KURL&, ReportingStatus = SendReport) const;
bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const;
- bool allowAncestors(LocalFrame*, ReportingStatus = SendReport) const;
+ bool allowAncestors(LocalFrame*, const KURL&, ReportingStatus = SendReport) const;
bool allowChildContextFromSource(const KURL&, ReportingStatus = SendReport) const;
bool allowWorkerContextFromSource(const KURL&, ReportingStatus = SendReport) const;
bool didSetReferrerPolicy() const;
void setOverrideAllowInlineStyle(bool);
+ void setOverrideURLForSelf(const KURL&);
bool isActive() const;
- void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression) const;
- void reportDuplicateDirective(const String&) const;
- void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
- void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
- void reportInvalidPluginTypes(const String&) const;
- void reportInvalidSandboxFlags(const String&) const;
- void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
- void reportInvalidReflectedXSS(const String&) const;
- void reportMissingReportURI(const String&) const;
- void reportUnsupportedDirective(const String&) const;
- void reportInvalidInReportOnly(const String&) const;
- void reportInvalidReferrer(const String&) const;
- void reportReportOnlyInMeta(const String&) const;
- void reportMetaOutsideHead(const String&) const;
- void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header);
+ // If a frame is passed in, the message will be logged to its active document's console.
+ // Otherwise, the message will be logged to this object's |m_executionContext|.
+ void logToConsole(PassRefPtrWillBeRawPtr<ConsoleMessage>, LocalFrame* = 0);
+
+ void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression);
+ void reportDuplicateDirective(const String&);
+ void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value);
+ void reportInvalidPathCharacter(const String& directiveName, const String& value, const char);
+ void reportInvalidPluginTypes(const String&);
+ void reportInvalidSandboxFlags(const String&);
+ void reportInvalidSourceExpression(const String& directiveName, const String& source);
+ void reportInvalidReflectedXSS(const String&);
+ void reportMissingReportURI(const String&);
+ void reportUnsupportedDirective(const String&);
+ void reportInvalidInReportOnly(const String&);
+ void reportInvalidReferrer(const String&);
+ void reportReportOnlyInMeta(const String&);
+ void reportMetaOutsideHead(const String&);
+
+ // If a frame is passed in, the report will be sent using it as a context. If no frame is
+ // passed in, the report will be sent via this object's |m_executionContext| (or dropped
+ // on the floor if no such context is available).
+ void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<String>& reportEndpoints, const String& header, LocalFrame* = 0);
void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
const KURL url() const;
- KURL completeURL(const String&) const;
- SecurityOrigin* securityOrigin() const;
- void enforceSandboxFlags(SandboxFlags) const;
+ void enforceSandboxFlags(SandboxFlags);
String evalDisabledErrorMessage() const;
+ bool urlMatchesSelf(const KURL&) const;
+ bool protocolMatchesSelf(const KURL&) const;
+
bool experimentalFeaturesEnabled() const;
static bool shouldBypassMainWorld(ExecutionContext*);
static bool isDirectiveName(const String&);
- ExecutionContext* executionContext() const { return m_executionContext; }
-
private:
- explicit ContentSecurityPolicy(ExecutionContext*);
+ ContentSecurityPolicy();
+
+ void applyPolicySideEffectsToExecutionContext();
Document* document() const;
+ SecurityOrigin* securityOrigin() const;
+ KURL completeURL(const String&) const;
- void logToConsole(const String& message, MessageLevel = ErrorMessageLevel) const;
+ void logToConsole(const String& message, MessageLevel = ErrorMessageLevel);
void addPolicyFromHeaderValue(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
bool shouldSendViolationReport(const String&) const;
ExecutionContext* m_executionContext;
bool m_overrideInlineStyleAllowed;
CSPDirectiveListVector m_policies;
+ ConsoleMessageVector m_consoleMessages;
HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
// for validation.
uint8_t m_scriptHashAlgorithmsUsed;
uint8_t m_styleHashAlgorithmsUsed;
+
+ // State flags used to configure the environment after parsing a policy.
+ SandboxFlags m_sandboxMask;
+ ReferrerPolicy m_referrerPolicy;
+ String m_disableEvalErrorMessage;
+
+ OwnPtr<CSPSource> m_selfSource;
};
}