| OLD | NEW |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "content/common/content_security_policy/csp_context.h" | 5 #include "content/common/content_security_policy/csp_context.h" |
| 6 | 6 |
| 7 namespace content { | 7 namespace content { |
| 8 | 8 |
| 9 namespace { | 9 namespace { |
| 10 | 10 |
| 11 // Helper function that returns true if |policy| should be checked under | 11 // Helper function that returns true if |policy| should be checked under |
| 12 // |check_csp_disposition|. | 12 // |check_csp_disposition|. |
| 13 bool ShouldCheckPolicy(const ContentSecurityPolicy& policy, | 13 bool ShouldCheckPolicy(const ContentSecurityPolicy& policy, |
| 14 CSPContext::CheckCSPDisposition check_csp_disposition) { | 14 CSPContext::CheckCSPDisposition check_csp_disposition) { |
| 15 switch (check_csp_disposition) { | 15 switch (check_csp_disposition) { |
| 16 case CSPContext::CHECK_REPORT_ONLY_CSP: | 16 case CSPContext::CHECK_REPORT_ONLY_CSP: |
| 17 return policy.header.type == blink::kWebContentSecurityPolicyTypeReport; | 17 return policy.header.type == blink::kWebContentSecurityPolicyTypeReport; |
| 18 case CSPContext::CHECK_ENFORCED_CSP: | 18 case CSPContext::CHECK_ENFORCED_CSP: |
| 19 return policy.header.type == blink::kWebContentSecurityPolicyTypeEnforce; | 19 return policy.header.type == blink::kWebContentSecurityPolicyTypeEnforce; |
| 20 case CSPContext::CHECK_ALL_CSP: | 20 case CSPContext::CHECK_ALL_CSP: |
| 21 return true; | 21 return true; |
| 22 } | 22 } |
| 23 NOTREACHED(); | 23 NOTREACHED(); |
| 24 return true; | 24 return true; |
| 25 } | 25 } |
| 26 | 26 |
| 27 } // namespace | 27 } // namespace |
| 28 | 28 |
| 29 CSPContext::CSPContext() : has_self_(false) {} | 29 CSPContext::CSPContext() {} |
| 30 | |
| 31 CSPContext::~CSPContext() {} | 30 CSPContext::~CSPContext() {} |
| 32 | 31 |
| 33 bool CSPContext::IsAllowedByCsp(CSPDirective::Name directive_name, | 32 bool CSPContext::IsAllowedByCsp(CSPDirective::Name directive_name, |
| 34 const GURL& url, | 33 const GURL& url, |
| 35 bool is_redirect, | 34 bool is_redirect, |
| 36 const SourceLocation& source_location, | 35 const SourceLocation& source_location, |
| 37 CheckCSPDisposition check_csp_disposition) { | 36 CheckCSPDisposition check_csp_disposition) { |
| 38 if (SchemeShouldBypassCSP(url.scheme_piece())) | 37 if (SchemeShouldBypassCSP(url.scheme_piece())) |
| 39 return true; | 38 return true; |
| 40 | 39 |
| (...skipping 21 matching lines...) |
| 62 if (url.port() == "80") | 61 if (url.port() == "80") |
| 63 replacements.SetPortStr("443"); | 62 replacements.SetPortStr("443"); |
| 64 *new_url = new_url->ReplaceComponents(replacements); | 63 *new_url = new_url->ReplaceComponents(replacements); |
| 65 return true; | 64 return true; |
| 66 } | 65 } |
| 67 } | 66 } |
| 68 return false; | 67 return false; |
| 69 } | 68 } |
| 70 | 69 |
| 71 void CSPContext::SetSelf(const url::Origin origin) { | 70 void CSPContext::SetSelf(const url::Origin origin) { |
| 72 if (origin.unique()) { | 71 self_source_.reset(); |
| 73 // TODO(arthursonzogni): Decide what to do with unique origins. | 72 |
| 74 has_self_ = false; | 73 // When the origin is unique, no URL should match with 'self'. That's why |
| 74 // |self_source_| stays undefined here. |
| 75 if (origin.unique()) |
| 75 return; | 76 return; |
| 76 } | |
| 77 | 77 |
| 78 if (origin.scheme() == url::kFileScheme) { | 78 if (origin.scheme() == url::kFileScheme) { |
| 79 has_self_ = true; | |
| 80 self_scheme_ = url::kFileScheme; | |
| 81 self_source_ = CSPSource(url::kFileScheme, "", false, url::PORT_UNSPECIFIED, | 79 self_source_ = CSPSource(url::kFileScheme, "", false, url::PORT_UNSPECIFIED, |
| 82 false, ""); | 80 false, ""); |
| 83 return; | 81 return; |
| 84 } | 82 } |
| 85 | 83 |
| 86 has_self_ = true; | |
| 87 self_scheme_ = origin.scheme(); | |
| 88 self_source_ = CSPSource( | 84 self_source_ = CSPSource( |
| 89 origin.scheme(), origin.host(), false, | 85 origin.scheme(), origin.host(), false, |
| 90 origin.port() == 0 ? url::PORT_UNSPECIFIED : origin.port(), // port | 86 origin.port() == 0 ? url::PORT_UNSPECIFIED : origin.port(), false, ""); |
| 91 false, ""); | |
| 92 } | |
| 93 | 87 |
| 94 bool CSPContext::AllowSelf(const GURL& url) { | 88 DCHECK_NE("", self_source_->scheme); |
| 95 return has_self_ && CSPSource::Allow(self_source_, url, this); | |
| 96 } | |
| 97 | |
| 98 bool CSPContext::ProtocolIsSelf(const GURL& url) { | |
| 99 if (!has_self_) | |
| 100 return false; | |
| 101 return url.SchemeIs(self_scheme_); | |
| 102 } | |
| 103 | |
| 104 const std::string& CSPContext::GetSelfScheme() { | |
| 105 return self_scheme_; | |
| 106 } | 89 } |
| 107 | 90 |
| 108 bool CSPContext::SchemeShouldBypassCSP(const base::StringPiece& scheme) { | 91 bool CSPContext::SchemeShouldBypassCSP(const base::StringPiece& scheme) { |
| 109 return false; | 92 return false; |
| 110 } | 93 } |
| 111 | 94 |
| 112 void CSPContext::SanitizeDataForUseInCspViolation( | 95 void CSPContext::SanitizeDataForUseInCspViolation( |
| 113 bool is_redirect, | 96 bool is_redirect, |
| 114 CSPDirective::Name directive, | 97 CSPDirective::Name directive, |
| 115 GURL* blocked_url, | 98 GURL* blocked_url, |
| 116 SourceLocation* source_location) const { | 99 SourceLocation* source_location) const { |
| 117 return; | 100 return; |
| 118 } | 101 } |
| 119 | 102 |
| 120 bool CSPContext::SelfSchemeShouldBypassCsp() { | |
| 121 if (!has_self_) | |
| 122 return false; | |
| 123 return SchemeShouldBypassCSP(self_scheme_); | |
| 124 } | |
| 125 | |
| 126 void CSPContext::ReportContentSecurityPolicyViolation( | 103 void CSPContext::ReportContentSecurityPolicyViolation( |
| 127 const CSPViolationParams& violation_params) { | 104 const CSPViolationParams& violation_params) { |
| 128 return; | 105 return; |
| 129 } | 106 } |
| 130 | 107 |
| 131 CSPViolationParams::CSPViolationParams() = default; | 108 CSPViolationParams::CSPViolationParams() = default; |
| 132 | 109 |
| 133 CSPViolationParams::CSPViolationParams( | 110 CSPViolationParams::CSPViolationParams( |
| 134 const std::string& directive, | 111 const std::string& directive, |
| 135 const std::string& effective_directive, | 112 const std::string& effective_directive, |
| (...skipping 13 matching lines...) |
| 149 disposition(disposition), | 126 disposition(disposition), |
| 150 after_redirect(after_redirect), | 127 after_redirect(after_redirect), |
| 151 source_location(source_location) {} | 128 source_location(source_location) {} |
| 152 | 129 |
| 153 CSPViolationParams::CSPViolationParams(const CSPViolationParams& other) = | 130 CSPViolationParams::CSPViolationParams(const CSPViolationParams& other) = |
| 154 default; | 131 default; |
| 155 | 132 |
| 156 CSPViolationParams::~CSPViolationParams() {} | 133 CSPViolationParams::~CSPViolationParams() {} |
| 157 | 134 |
| 158 } // namespace content | 135 } // namespace content |
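Review bot: In the new `CSPContext::SetSelf`, the only check on the computed 'self' source is `DCHECK_NE("", self_source_->scheme);`, which is compiled out of release builds and sits after the file-scheme early return, so it covers only the last branch. The same change deletes `AllowSelf()` and `ProtocolIsSelf()`, which both returned false when `has_self_` was unset. Their replacement is not on this page, so presumably every remaining reader of `self_source_` must now test that it holds a value before dereferencing it, or a unique origin becomes a bad dereference instead of "matches nothing". I would state that contract next to the existing comment, e.g. `// Callers must check that |self_source_| has a value; when it is unset, 'self' matches no URL.` If an empty scheme must never reach source matching in production, `if (origin.scheme().empty()) return;` before the final assignment would fail closed, since `self_source_` is already reset at the top.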
| OLD | NEW |