1 /* 2 * Copyright (C) 2013 Google, Inc. All Rights Reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/

#include "config.h"
#include "core/html/parser/XSSAuditorDelegate.h"

#include "core/dom/Document.h"
#include "core/loader/DocumentLoader.h"
#include "core/loader/FrameLoader.h"
#include "core/loader/FrameLoaderClient.h"
#include "core/loader/PingLoader.h"
#include "core/page/Frame.h"
#include "core/platform/JSONValues.h"
#include "core/platform/network/FormData.h"
#include "weborigin/SecurityOrigin.h"
#include "wtf/text/StringBuilder.h"

namespace WebCore {

// Main-thread-only delegate that acts on an XSS Auditor verdict for one
// Document: it logs a console error, optionally stops the page, notifies the
// embedder at most once, and optionally posts a JSON violation report to
// m_reportURL.
XSSAuditorDelegate::XSSAuditorDelegate(Document* document)
    : m_document(document)
    , m_didSendNotifications(false)
{
    ASSERT(isMainThread());
    // Every method below dereferences m_document without a null check.
    ASSERT(m_document);
}

// Builds the console error text for one verdict. |url| is the document URL
// the message names; the fixed wording differs only on whether the whole
// page or a single script was blocked. The trailing sentence records which
// opt-in header (CSP, X-XSS-Protection, or neither) the server sent, which is
// the first thing to check when triaging a report.
static inline String buildConsoleError(const XSSInfo& xssInfo, const String& url)
{
    StringBuilder message;
    message.append("The XSS Auditor ");
    message.append(xssInfo.m_didBlockEntirePage ? "blocked access to" : "refused to execute a script in");
    message.append(" '");
    message.append(url);
    message.append("' because ");
    message.append(xssInfo.m_didBlockEntirePage ? "the source code of a script" : "its source code");
    message.append(" was found within the request.");

    if (xssInfo.m_didSendCSPHeader)
        message.append(" The server sent a 'Content-Security-Policy' header requesting this behavior.");
    else if (xssInfo.m_didSendXSSProtectionHeader)
        message.append(" The server sent an 'X-XSS-Protection' header requesting this behavior.");
    else
        message.append(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.");

    return message.toString();
}

// Serializes the violation report that is POSTed to m_reportURL. The body is
// the JSON object {"xss-report": {"request-url": ..., "request-body": ...}}.
// "request-body" is the *entire* flattened body of the original request
// (e.g. every submitted form field), so whoever receives the report at
// m_reportURL sees the data the user sent; keep that in mind when choosing a
// report endpoint. httpBody stays a default String when there is no
// DocumentLoader or the original request carried no body.
PassRefPtr<FormData> XSSAuditorDelegate::generateViolationReport()
{
    ASSERT(isMainThread());

    // NOTE(review): m_document->frame() is dereferenced unchecked here; the
    // only caller in this file (didBlockScript) holds a RefPtr<Frame>, but
    // confirm Document::frame() cannot be null at this point.
    FrameLoader* frameLoader = m_document->frame()->loader();
    String httpBody;
    if (frameLoader->documentLoader()) {
        if (FormData* formData = frameLoader->documentLoader()->originalRequest().httpBody())
            httpBody = formData->flattenToString();
    }

    RefPtr<JSONObject> reportDetails = JSONObject::create();
    reportDetails->setString("request-url", m_document->url().string());
    reportDetails->setString("request-body", httpBody);

    RefPtr<JSONObject> reportObject = JSONObject::create();
    reportObject->setObject("xss-report", reportDetails.release());

    // The JSON text is handed over as a UTF-8 C string.
    return FormData::create(reportObject->toJSONString().utf8().data());
}

// Handles one auditor verdict. Statement order matters:
//  1. the console error is logged while the document is still fully loaded;
//  2. the Frame is ref-protected because stopAllLoaders() may detach it;
//  3. the embedder callback and the optional violation report are sent at
//     most once per delegate (m_didSendNotifications), even if the auditor
//     blocks several scripts in the same document;
//  4. when the whole page was blocked, a location change to
//     SecurityOrigin::urlWithUniqueSecurityOrigin() is scheduled last.
void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo)
{
    ASSERT(isMainThread());

    m_document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, buildConsoleError(xssInfo, m_document->url().string()));

    // stopAllLoaders can detach the Frame, so protect it.
    RefPtr<Frame> protect(m_document->frame());
    FrameLoader* frameLoader = m_document->frame()->loader();
    if (xssInfo.m_didBlockEntirePage)
        frameLoader->stopAllLoaders();

    // NOTE(review): m_document->frame() is re-read twice below, after
    // stopAllLoaders() may have run; |protect| keeps the Frame object alive
    // but does not by itself guarantee Document::frame() stays non-null —
    // confirm a detached document cannot reach those lines.
    if (!m_didSendNotifications) {
        // Flag is set before the callbacks so a re-entrant verdict raised
        // from within them cannot notify a second time.
        m_didSendNotifications = true;

        frameLoader->client()->didDetectXSS(m_document->url(), xssInfo.m_didBlockEntirePage);

        // Report is only sent when a report URL was configured for this delegate.
        if (!m_reportURL.isEmpty())
            PingLoader::sendViolationReport(m_document->frame(), m_reportURL, generateViolationReport(), PingLoader::XSSAuditorViolationReport);
    }

    // Navigate the blocked page away to a URL with a unique security origin,
    // passing the current document's origin as the initiator.
    if (xssInfo.m_didBlockEntirePage)
        m_document->frame()->navigationScheduler()->scheduleLocationChange(m_document->securityOrigin(), SecurityOrigin::urlWithUniqueSecurityOrigin(), String());
}

} // namespace WebCore