1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CSPDirectiveList_h
6 #define CSPDirectiveList_h
8 #include "core/frame/csp/ContentSecurityPolicy.h"
9 #include "core/frame/csp/MediaListDirective.h"
10 #include "core/frame/csp/SourceListDirective.h"
11 #include "platform/network/ContentSecurityPolicyParsers.h"
12 #include "platform/network/HTTPParsers.h"
13 #include "platform/weborigin/KURL.h"
14 #include "platform/weborigin/ReferrerPolicy.h"
15 #include "wtf/OwnPtr.h"
16 #include "wtf/Vector.h"
17 #include "wtf/text/WTFString.h"
21 class ContentSecurityPolicy;
23 class CSPDirectiveList {
24 WTF_MAKE_FAST_ALLOCATED;
25 WTF_MAKE_NONCOPYABLE(CSPDirectiveList);
27 static PassOwnPtr<CSPDirectiveList> create(ContentSecurityPolicy*, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
29 void parse(const UChar* begin, const UChar* end);
31 const String& header() const { return m_header; }
32 ContentSecurityPolicyHeaderType headerType() const { return m_headerType; }
33 ContentSecurityPolicyHeaderSource headerSource() const { return m_headerSource; }
35 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
36 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
37 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
38 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
39 bool allowEval(ScriptState*, ContentSecurityPolicy::ReportingStatus) const;
40 bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ContentSecurityPolicy::ReportingStatus) const;
42 bool allowScriptFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
43 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
44 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
45 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
46 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
47 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
48 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
49 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
50 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
51 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
52 bool allowAncestors(LocalFrame*, const KURL&, ContentSecurityPolicy::ReportingStatus) const;
53 bool allowChildContextFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
54 bool allowScriptNonce(const String&) const;
55 bool allowStyleNonce(const String&) const;
56 bool allowScriptHash(const CSPHashValue&) const;
57 bool allowStyleHash(const CSPHashValue&) const;
59 const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
60 ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
61 ReferrerPolicy referrerPolicy() const { return m_referrerPolicy; }
62 bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; }
63 bool isReportOnly() const { return m_reportOnly; }
64 const Vector<String>& reportEndpoints() const { return m_reportEndpoints; }
67 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);
69 bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
70 void parseReportURI(const String& name, const String& value);
71 void parsePluginTypes(const String& name, const String& value);
72 void parseReflectedXSS(const String& name, const String& value);
73 void parseReferrer(const String& name, const String& value);
74 void addDirective(const String& name, const String& value);
75 void applySandboxPolicy(const String& name, const String& sandboxPolicy);
77 template <class CSPDirectiveType>
78 void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>&);
80 SourceListDirective* operativeDirective(SourceListDirective*) const;
81 SourceListDirective* operativeDirective(SourceListDirective*, SourceListDirective* override) const;
82 void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL) const;
83 void reportViolationWithFrame(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, LocalFrame*) const;
84 void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
85 void reportViolationWithState(const String& directiveText, const String& effectiveDirective, const String& message, const KURL& blockedURL, ScriptState*) const;
87 bool checkEval(SourceListDirective*) const;
88 bool checkInline(SourceListDirective*) const;
89 bool checkNonce(SourceListDirective*, const String&) const;
90 bool checkHash(SourceListDirective*, const CSPHashValue&) const;
91 bool checkSource(SourceListDirective*, const KURL&) const;
92 bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
93 bool checkAncestors(SourceListDirective*, LocalFrame*) const;
95 void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; }
97 bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, ScriptState*) const;
98 bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const;
100 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective) const;
101 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
102 bool checkAncestorsAndReportViolation(SourceListDirective*, LocalFrame*, const KURL&) const;
104 bool denyIfEnforcingPolicy() const { return m_reportOnly; }
106 ContentSecurityPolicy* m_policy;
109 ContentSecurityPolicyHeaderType m_headerType;
110 ContentSecurityPolicyHeaderSource m_headerSource;
113 bool m_haveSandboxPolicy;
114 ReflectedXSSDisposition m_reflectedXSSDisposition;
116 bool m_didSetReferrerPolicy;
117 ReferrerPolicy m_referrerPolicy;
119 OwnPtr<MediaListDirective> m_pluginTypes;
120 OwnPtr<SourceListDirective> m_baseURI;
121 OwnPtr<SourceListDirective> m_childSrc;
122 OwnPtr<SourceListDirective> m_connectSrc;
123 OwnPtr<SourceListDirective> m_defaultSrc;
124 OwnPtr<SourceListDirective> m_fontSrc;
125 OwnPtr<SourceListDirective> m_formAction;
126 OwnPtr<SourceListDirective> m_frameAncestors;
127 OwnPtr<SourceListDirective> m_frameSrc;
128 OwnPtr<SourceListDirective> m_imgSrc;
129 OwnPtr<SourceListDirective> m_mediaSrc;
130 OwnPtr<SourceListDirective> m_objectSrc;
131 OwnPtr<SourceListDirective> m_scriptSrc;
132 OwnPtr<SourceListDirective> m_styleSrc;
134 Vector<String> m_reportEndpoints;
136 String m_evalDisabledErrorMessage;