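--- a/content/common/content_security_policy/csp_context.h
+++ b/content/common/content_security_policy/csp_context.h
@@ -1,19 +1,20 @@
 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_
 #define CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_
 
 #include <vector>
 
+#include "base/optional.h"
 #include "content/common/content_export.h"
 #include "content/common/content_security_policy/content_security_policy.h"
 #include "content/common/content_security_policy_header.h"
 #include "content/common/navigation_params.h"
 #include "url/gurl.h"
 #include "url/origin.h"
 
 namespace content {
 
 struct CSPViolationParams;
@@ -52,55 +53,55 @@
 CheckCSPDisposition check_csp_disposition);
 
 // Returns true if the request URL needs to be modified (e.g. upgraded to
 // HTTPS) according to the CSP. If true, |new_url| will contain the new URL
 // that should be used instead of |url|.
 bool ShouldModifyRequestUrlForCsp(const GURL& url,
 bool is_suresource_or_form_submssion,
 GURL* new_url);
 
 void SetSelf(const url::Origin origin);
-bool AllowSelf(const GURL& url);
-bool ProtocolIsSelf(const GURL& url);
-const std::string& GetSelfScheme();
+
+// When a CSPSourceList contains 'self', the url is allowed when it match the
+// CSPSource returned by this function.
+// Sometimes there is no 'self' source. It means that the current origin is
+// unique and no urls will match 'self' whatever they are.
+// Note: When there is a 'self' source, its scheme is guaranteed to be
+// non-empty.
+const base::Optional<CSPSource>& self_source() { return self_source_; }
 
 virtual void ReportContentSecurityPolicyViolation(
 const CSPViolationParams& violation_params);
 
-bool SelfSchemeShouldBypassCsp();
-
 void ResetContentSecurityPolicies() { policies_.clear(); }
 void AddContentSecurityPolicy(const ContentSecurityPolicy& policy) {
 policies_.push_back(policy);
 }
 
 virtual bool SchemeShouldBypassCSP(const base::StringPiece& scheme);
 
 // For security reasons, some urls must not be disclosed cross-origin in
 // violation reports. This includes the blocked url and the url of the
 // initiator of the navigation. This information is potentially transmitted
 // between different renderer processes.
 // TODO(arthursonzogni): Stop hiding sensitive parts of URLs in console error
 // messages as soon as there is a way to send them to the devtools process
 // without the round trip in the renderer process.
 // See https://crbug.com/721329
 virtual void SanitizeDataForUseInCspViolation(
 bool is_redirect,
 CSPDirective::Name directive,
 GURL* blocked_url,
 SourceLocation* source_location) const;
 
 private:
-bool has_self_ = false;
-std::string self_scheme_;
-CSPSource self_source_;
-
+base::Optional<CSPSource> self_source_;
 std::vector<ContentSecurityPolicy> policies_;
 
 DISALLOW_COPY_AND_ASSIGN(CSPContext);
 };
 
 // Used in CSPContext::ReportViolation()
 struct CONTENT_EXPORT CSPViolationParams {
 CSPViolationParams();
 CSPViolationParams(const std::string& directive,
 const std::string& effective_directive,
@@ -140,10 +141,10 @@
 
 // Whether or not the violation happens after a redirect.
 bool after_redirect;
 
 // The source code location that triggered the blocked navigation.
 SourceLocation source_location;
 };
 
 } // namespace content
 #endif // CONTENT_COMMON_CONTENT_SECURITY_POLICY_CSP_CONTEXT_H_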
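Review bot: The new accessor `self_source()` is declared non-const although it only returns a const reference to `self_source_`, so it cannot be called through a `const CSPContext&`; I would write it as `const base::Optional<CSPSource>& self_source() const { return self_source_; }`. Its comment promises that a present 'self' source always has a non-empty scheme, but that invariant can only be established in `SetSelf()`, whose definition is not part of this header; a `DCHECK` on the scheme where `self_source_` is assigned would keep the guarantee enforced rather than only documented. With `AllowSelf()`, `ProtocolIsSelf()` and `SelfSchemeShouldBypassCsp()` removed, every caller now has to test the optional before dereferencing it, and the empty case should be treated as "no URL matches 'self'" (fail closed), as the comment states. The comment also has a small grammar slip: "when it match" should read "when it matches".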