OLD | NEW |
1 // Copyright 2017 The Chromium Authors. All rights reserved. | 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "content/common/content_security_policy/csp_context.h" | 5 #include "content/common/content_security_policy/csp_context.h" |
6 | 6 |
7 namespace content { | 7 namespace content { |
8 | 8 |
9 namespace { | 9 namespace { |
10 | 10 |
11 bool AllowFromSources(const GURL& url, | 11 bool AllowFromSources(const GURL& url, |
12 const std::vector<CSPSource>& sources, | 12 const std::vector<CSPSource>& sources, |
13 CSPContext* context, | 13 CSPContext* context, |
14 bool is_redirect) { | 14 bool is_redirect) { |
15 for (const CSPSource& source : sources) { | 15 for (const CSPSource& source : sources) { |
16 if (CSPSource::Allow(source, url, context, is_redirect)) | 16 if (CSPSource::Allow(source, url, context, is_redirect)) |
17 return true; | 17 return true; |
18 } | 18 } |
19 return false; | 19 return false; |
20 } | 20 } |
21 | 21 |
22 }; // namespace | 22 }; // namespace |
23 | 23 |
24 CSPSourceList::CSPSourceList() | 24 CSPSourceList::CSPSourceList() |
25 : allow_self(false), allow_star(false), sources() {} | 25 : allow_self(false), allow_star(false), sources() {} |
26 | 26 |
27 CSPSourceList::CSPSourceList(bool allow_self, | 27 CSPSourceList::CSPSourceList(bool allow_self, |
28 bool allow_star, | 28 bool allow_star, |
29 std::vector<CSPSource> sources) | 29 std::vector<CSPSource> sources) |
30 : allow_self(allow_self), allow_star(allow_star), sources(sources) {} | 30 : allow_self(allow_self), allow_star(allow_star), sources(sources) { |
| 31 // When the '*' source is used, it must be the only one. |
| 32 DCHECK(!allow_star || (!allow_self && sources.empty())); |
| 33 } |
31 | 34 |
32 CSPSourceList::CSPSourceList(const CSPSourceList&) = default; | 35 CSPSourceList::CSPSourceList(const CSPSourceList&) = default; |
33 CSPSourceList::~CSPSourceList() = default; | 36 CSPSourceList::~CSPSourceList() = default; |
34 | 37 |
35 // static | 38 // static |
36 bool CSPSourceList::Allow(const CSPSourceList& source_list, | 39 bool CSPSourceList::Allow(const CSPSourceList& source_list, |
37 const GURL& url, | 40 const GURL& url, |
38 CSPContext* context, | 41 CSPContext* context, |
39 bool is_redirect) { | 42 bool is_redirect) { |
40 // Wildcards match network schemes ('http', 'https', 'ftp', 'ws', 'wss'), and | 43 // Wildcards match network schemes ('http', 'https', 'ftp', 'ws', 'wss'), and |
41 // the scheme of the protected resource: | 44 // the scheme of the protected resource: |
42 // https://w3c.github.io/webappsec-csp/#match-url-to-source-expression. Other | 45 // https://w3c.github.io/webappsec-csp/#match-url-to-source-expression. Other |
43 // schemes, including custom schemes, must be explicitly listed in a source | 46 // schemes, including custom schemes, must be explicitly listed in a source |
44 // list. | 47 // list. |
45 if (source_list.allow_star) { | 48 if (source_list.allow_star) { |
46 if (url.SchemeIsHTTPOrHTTPS() || url.SchemeIsSuborigin() || | 49 if (url.SchemeIsHTTPOrHTTPS() || url.SchemeIsSuborigin() || |
47 url.SchemeIsWSOrWSS() || url.SchemeIs("ftp") || | 50 url.SchemeIsWSOrWSS() || url.SchemeIs("ftp")) { |
48 context->ProtocolIsSelf(url)) | |
49 return true; | 51 return true; |
50 | 52 } |
51 return AllowFromSources(url, source_list.sources, context, is_redirect); | 53 if (context->self_source() && url.SchemeIs(context->self_source()->scheme)) |
| 54 return true; |
52 } | 55 } |
53 | 56 |
54 if (source_list.allow_self && context->AllowSelf(url)) return true; | 57 if (source_list.allow_self && context->self_source() && |
| 58 CSPSource::Allow(context->self_source().value(), url, context, |
| 59 is_redirect)) { |
| 60 return true; |
| 61 } |
55 | 62 |
56 return AllowFromSources(url, source_list.sources, context, is_redirect); | 63 return AllowFromSources(url, source_list.sources, context, is_redirect); |
57 } | 64 } |
58 | 65 |
59 std::string CSPSourceList::ToString() const { | 66 std::string CSPSourceList::ToString() const { |
60 if (IsNone()) | 67 if (IsNone()) |
61 return "'none'"; | 68 return "'none'"; |
62 if (allow_star) | 69 if (allow_star) |
63 return "*"; | 70 return "*"; |
64 | 71 |
(...skipping 12 matching lines...) Expand all Loading... |
77 } | 84 } |
78 | 85 |
79 return text.str(); | 86 return text.str(); |
80 } | 87 } |
81 | 88 |
82 bool CSPSourceList::IsNone() const { | 89 bool CSPSourceList::IsNone() const { |
83 return !allow_self && !allow_star && sources.empty(); | 90 return !allow_self && !allow_star && sources.empty(); |
84 } | 91 } |
85 | 92 |
86 } // namespace content | 93 } // namespace content |
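Review bot: The new constructor invariant ("'*' must be the only source") is only a DCHECK, so release builds do not enforce it, and the two consumers visible in this file disagree when it is violated. `Allow()` now falls through from the `allow_star` branch to the `allow_self` and `sources` checks, while `ToString()` returns `"*"` alone and would not print the other entries. If a CSPSourceList can be built from data that is not fully trusted (not visible on this page), consider normalising the fields in the constructor, and in any case document the fall-through after the `allow_star` block, e.g. `// Not matched by '*': fall through so 'self' and explicit sources still apply.` Separately, `sources.empty()` in the constructor body reads the parameter that shadows the member, which is only correct while the initialiser copies it. `DCHECK(!this->allow_star || (!this->allow_self && this->sources.empty()));` would keep the check valid if the initialiser is later changed to `std::move(sources)`.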