/*
 * Copyright (C) 2011 Google, Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef ContentSecurityPolicy_h
#define ContentSecurityPolicy_h

#include "bindings/v8/ScriptState.h"
#include "wtf/HashSet.h"
#include "wtf/PassOwnPtr.h"
#include "wtf/Vector.h"
#include "wtf/text/StringHash.h"
#include "wtf/text/TextPosition.h"
#include "wtf/text/WTFString.h"

// Forward declaration only; the complete type (required by the
// WTF::OrdinalNumber::beforeFirst() default arguments further down) is
// provided by wtf/text/TextPosition.h, included above.
namespace WTF {
class OrdinalNumber;
}

namespace WebCore {

class ContentSecurityPolicyResponseHeaders;
class CSPDirectiveList;
class DOMStringList;
class JSONObject; // Not referenced by any declaration in this header.
class KURL;
class ScriptExecutionContext;
class SecurityOrigin;

// Plain int used as a bit set of sandbox flags; consumed by enforceSandboxFlags().
typedef int SandboxFlags;
// One entry per policy parsed from a CSP header value. The space in "> >" is
// required by pre-C++11 compilers.
typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector;

// Holds the Content-Security-Policy state for one ScriptExecutionContext:
// the list of policies parsed from received headers (m_policies), the
// "allow*" checks that callers consult before loading a resource or running
// inline code, and the reporting helpers used when a check fails or a
// directive is malformed.
//
// Instances are created only through create(); the constructor is private.
class ContentSecurityPolicy {
    WTF_MAKE_FAST_ALLOCATED; // operator new/delete routed to WTF's fast allocator.
public:
    // Allocates a policy object bound to scriptExecutionContext and hands
    // ownership to the caller via PassOwnPtr.
    static PassOwnPtr<ContentSecurityPolicy> create(ScriptExecutionContext* scriptExecutionContext)
    {
        return adoptPtr(new ContentSecurityPolicy(scriptExecutionContext));
    }
    ~ContentSecurityPolicy();

    // Copies policy state from another instance. The exact set of fields
    // copied is defined in the .cpp; presumably the parsed policies rather
    // than the context pointer - confirm there.
    void copyStateFrom(const ContentSecurityPolicy*);

    // Which header a policy came from: report-only vs. enforcing, and the
    // vendor-prefixed variants of each. The Prefixed* values presumably map to
    // the prefixed header name handled in didReceiveHeaders() - confirm there.
    enum HeaderType {
        Report,
        Enforce,
        PrefixedReport,
        PrefixedEnforce
    };

    // Passed to the allow* checks below. SendReport is the default on every
    // overload, so a caller that only wants to probe the policy without
    // generating a violation report has to opt in with SuppressReport.
    enum ReportingStatus {
        SendReport,
        SuppressReport
    };

    // Be sure to update the behavior of XSSAuditor::combineXSSProtectionHeaderAndCSP whenever you change this enum's content or ordering.
    // ReflectedXSSUnset is pinned to 0 and the remaining values are ordered;
    // code outside this class depends on that ordering.
    enum ReflectedXSSDisposition {
        ReflectedXSSUnset = 0,
        AllowReflectedXSS,
        ReflectedXSSInvalid,
        FilterReflectedXSS,
        BlockReflectedXSS
    };

    // Entry points for feeding header values into the policy. The single
    // header variant tags the value with the HeaderType it arrived under.
    void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
    void didReceiveHeader(const String&, HeaderType);

    // These functions are wrong because they assume that there is only one header.
    // FIXME: Replace them with functions that return vectors.
    const String& deprecatedHeader() const;
    HeaderType deprecatedHeaderType() const;

    // Inline-code checks. contextURL/contextLine identify where the code
    // appears (used for the violation report); all are const and return
    // true when the policies permit the operation.
    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
    // ScriptState is optional (defaults to 0); presumably used to attach the
    // calling script's location to the report - confirm in the .cpp.
    bool allowEval(ScriptState* = 0, ReportingStatus = SendReport) const;
    bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ReportingStatus = SendReport) const;

    // Source checks, one per fetch directive: each takes the URL about to be
    // loaded (or navigated to, for allowFormAction/allowBaseURI) and the
    // ReportingStatus.
    bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowFormAction(const KURL&, ReportingStatus = SendReport) const;
    bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const;
    // Unlike its siblings this check has no ReportingStatus parameter, so a
    // nonce mismatch cannot be reported through it.
    bool allowScriptNonce(const String& nonce) const;

    ReflectedXSSDisposition reflectedXSSDisposition() const;

    // Presumably sets m_overrideInlineStyleAllowed, which allows inline style
    // regardless of the parsed policies; confirm the exact effect in the .cpp
    // before relying on it, since it bypasses a security check.
    void setOverrideAllowInlineStyle(bool);

    bool isActive() const;
    // Appends the report-uri targets of the loaded policies to the list.
    void gatherReportURIs(DOMStringList&) const;

    // Diagnostics for malformed or unsupported directives. These are const:
    // they only report and do not alter policy state.
    void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression) const;
    void reportDuplicateDirective(const String&) const;
    void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
    // The unnamed char is presumably the offending character found in value.
    void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
    void reportInvalidNonce(const String&) const;
    void reportInvalidPluginTypes(const String&) const;
    void reportInvalidSandboxFlags(const String&) const;
    void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
    void reportInvalidReflectedXSS(const String&) const;
    void reportMissingReportURI(const String&) const;
    void reportUnsupportedDirective(const String&) const;
    // Reports a policy violation: logs consoleMessage for the given context
    // and dispatches a report to each of reportURIs. Deliberately non-const
    // (unlike the helpers above), presumably because it records sent reports
    // via didSendViolationReport() - confirm in the .cpp.
    void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0);

    void reportBlockedScriptExecutionToInspector(const String& directiveText) const;

    // Accessors that forward to the owning ScriptExecutionContext.
    const KURL& url() const;
    KURL completeURL(const String&) const;
    SecurityOrigin* securityOrigin() const;
    // const despite its name: the flags are presumably applied to the
    // context, not stored here.
    void enforceSandboxFlags(SandboxFlags) const;
    String evalDisabledErrorMessage() const;

    bool experimentalFeaturesEnabled() const;

    // Static: decides from the context alone, not from any loaded policy.
    static bool shouldBypassMainWorld(ScriptExecutionContext*);

private:
    explicit ContentSecurityPolicy(ScriptExecutionContext*);

    void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;
    // Parses one header value into a CSPDirectiveList appended to m_policies.
    void addPolicyFromHeaderValue(const String&, HeaderType);

    // Duplicate-report suppression: the string is presumably the report
    // payload (or URI), hashed into m_violationReportsSent - confirm in the .cpp.
    bool shouldSendViolationReport(const String&) const;
    void didSendViolationReport(const String&);

    ScriptExecutionContext* m_scriptExecutionContext; // Not owned.
    bool m_overrideInlineStyleAllowed;
    CSPDirectiveListVector m_policies; // Owns the parsed policies, one per header value.

    // Hashes of reports already sent; AlreadyHashed means the key is stored
    // as a precomputed hash rather than re-hashed on insertion.
    HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
};

} // namespace WebCore

#endif