
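--- a/content/common/content_security_policy/csp_source_list.cc
+++ b/content/common/content_security_policy/csp_source_list.cc
@@ -1,64 +1,71 @@
 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/content_security_policy/csp_context.h"
 
 namespace content {
 
 namespace {
 
 bool AllowFromSources(const GURL& url,
 const std::vector<CSPSource>& sources,
 CSPContext* context,
 bool is_redirect) {
 for (const CSPSource& source : sources) {
 if (CSPSource::Allow(source, url, context, is_redirect))
 return true;
 }
 return false;
 }
 
 }; // namespace
 
 CSPSourceList::CSPSourceList()
 : allow_self(false), allow_star(false), sources() {}
 
 CSPSourceList::CSPSourceList(bool allow_self,
 bool allow_star,
 std::vector<CSPSource> sources)
-: allow_self(allow_self), allow_star(allow_star), sources(sources) {}
+: allow_self(allow_self), allow_star(allow_star), sources(sources) {
+// When the '*' source is used, it must be the only one.
+DCHECK(!allow_star || (!allow_self && sources.empty()));
+}
 
 CSPSourceList::CSPSourceList(const CSPSourceList&) = default;
 CSPSourceList::~CSPSourceList() = default;
 
 // static
 bool CSPSourceList::Allow(const CSPSourceList& source_list,
 const GURL& url,
 CSPContext* context,
 bool is_redirect) {
 // Wildcards match network schemes ('http', 'https', 'ftp', 'ws', 'wss'), and
 // the scheme of the protected resource:
 // https://w3c.github.io/webappsec-csp/#match-url-to-source-expression. Other
 // schemes, including custom schemes, must be explicitly listed in a source
 // list.
 if (source_list.allow_star) {
 if (url.SchemeIsHTTPOrHTTPS() || url.SchemeIsSuborigin() ||
-url.SchemeIsWSOrWSS() || url.SchemeIs("ftp") ||
-context->ProtocolIsSelf(url))
+url.SchemeIsWSOrWSS() || url.SchemeIs("ftp")) {
 return true;
-
-return AllowFromSources(url, source_list.sources, context, is_redirect);
+}
+if (context->self_source() && url.SchemeIs(context->self_source()->scheme))
+return true;
 }
 
-if (source_list.allow_self && context->AllowSelf(url)) return true;
+if (source_list.allow_self && context->self_source() &&
+CSPSource::Allow(context->self_source().value(), url, context,
+is_redirect)) {
+return true;
+}
 
 return AllowFromSources(url, source_list.sources, context, is_redirect);
 }
 
 std::string CSPSourceList::ToString() const {
 if (IsNone())
 return "'none'";
 if (allow_star)
 return "*";
 
@@ -77,10 +84,10 @@
 }
 
 return text.str();
 }
 
 bool CSPSourceList::IsNone() const {
 return !allow_self && !allow_star && sources.empty();
 }
 
 } // namespace content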
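Review bot: The unique-origin behaviour the issue title promises to make clear is only implicit in `CSPSourceList::Allow`: both new `context->self_source()` guards (new lines 53 and 57) silently fall through when no self source is set, and nothing in the function's comment says that a context without a self source (a unique/opaque origin) has no `'self'` and gets no scheme-of-self wildcard match. I would add above the `allow_star` check: `// A context without a self source (unique/opaque origin) has no 'self': the` / `// scheme-of-self wildcard branch and 'self' are skipped, so only the explicit` / `// sources below can allow the URL.` Since `self_source()` is read three times per call and its return type is not visible here, binding it once (`const auto& self = context->self_source();`) would avoid repeated copies if it returns an optional by value — worth confirming in csp_context.h. Note also that the constructor DCHECK enforces the `'*'`-alone invariant only in debug builds; the fall-through in Allow gives the same answer in release builds, so that looks fine, but a one-line comment saying the DCHECK is the only guard would save the next reader the check.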