Home | History | Annotate | Download | only in parser 
      1 /*
      2  * Copyright (C) 2013 Google, Inc. All Rights Reserved.
      3  *
      4  * Redistribution and use in source and binary forms, with or without
      5  * modification, are permitted provided that the following conditions
      6  * are met:
      7  * 1. Redistributions of source code must retain the above copyright
      8  *    notice, this list of conditions and the following disclaimer.
      9  * 2. Redistributions in binary form must reproduce the above copyright
     10  *    notice, this list of conditions and the following disclaimer in the
     11  *    documentation and/or other materials provided with the distribution.
     12  *
     13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
     14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
     17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
     18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
     19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
     20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
     21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     24  */
     25 
     26 #include "config.h"
     27 #include "core/html/parser/XSSAuditorDelegate.h"
     28 
     29 #include "core/dom/Document.h"
     30 #include "core/loader/DocumentLoader.h"
     31 #include "core/loader/FrameLoader.h"
     32 #include "core/loader/FrameLoaderClient.h"
     33 #include "core/loader/PingLoader.h"
     34 #include "core/page/Frame.h"
     35 #include "core/platform/JSONValues.h"
     36 #include "core/platform/network/FormData.h"
     37 #include "weborigin/SecurityOrigin.h"
     38 #include "wtf/text/StringBuilder.h"
     39 
     40 namespace WebCore {
     41 
     42 XSSAuditorDelegate::XSSAuditorDelegate(Document* document)
     43     : m_document(document)
     44     , m_didSendNotifications(false)
     45 {
     46     ASSERT(isMainThread());
     47     ASSERT(m_document);
     48 }
     49 
     50 static inline String buildConsoleError(const XSSInfo& xssInfo, const String& url)
     51 {
     52     StringBuilder message;
     53     message.append("The XSS Auditor ");
     54     message.append(xssInfo.m_didBlockEntirePage ? "blocked access to" : "refused to execute a script in");
     55     message.append(" '");
     56     message.append(url);
     57     message.append("' because ");
     58     message.append(xssInfo.m_didBlockEntirePage ? "the source code of a script" : "its source code");
     59     message.append(" was found within the request.");
     60 
     61     if (xssInfo.m_didSendCSPHeader)
     62         message.append(" The server sent a 'Content-Security-Policy' header requesting this behavior.");
     63     else if (xssInfo.m_didSendXSSProtectionHeader)
     64         message.append(" The server sent an 'X-XSS-Protection' header requesting this behavior.");
     65     else
     66         message.append(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.");
     67 
     68     return message.toString();
     69 }
     70 
     71 PassRefPtr<FormData> XSSAuditorDelegate::generateViolationReport()
     72 {
     73     ASSERT(isMainThread());
     74 
     75     FrameLoader* frameLoader = m_document->frame()->loader();
     76     String httpBody;
     77     if (frameLoader->documentLoader()) {
     78         if (FormData* formData = frameLoader->documentLoader()->originalRequest().httpBody())
     79             httpBody = formData->flattenToString();
     80     }
     81 
     82     RefPtr<JSONObject> reportDetails = JSONObject::create();
     83     reportDetails->setString("request-url", m_document->url().string());
     84     reportDetails->setString("request-body", httpBody);
     85 
     86     RefPtr<JSONObject> reportObject = JSONObject::create();
     87     reportObject->setObject("xss-report", reportDetails.release());
     88 
     89     return FormData::create(reportObject->toJSONString().utf8().data());
     90 }
     91 
     92 void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo)
     93 {
     94     ASSERT(isMainThread());
     95 
     96     m_document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, buildConsoleError(xssInfo, m_document->url().string()));
     97 
     98     // stopAllLoaders can detach the Frame, so protect it.
     99     RefPtr<Frame> protect(m_document->frame());
    100     FrameLoader* frameLoader = m_document->frame()->loader();
    101     if (xssInfo.m_didBlockEntirePage)
    102         frameLoader->stopAllLoaders();
    103 
    104     if (!m_didSendNotifications) {
    105         m_didSendNotifications = true;
    106 
    107         frameLoader->client()->didDetectXSS(m_document->url(), xssInfo.m_didBlockEntirePage);
    108 
    109         if (!m_reportURL.isEmpty())
    110             PingLoader::sendViolationReport(m_document->frame(), m_reportURL, generateViolationReport(), PingLoader::XSSAuditorViolationReport);
    111     }
    112 
    113     if (xssInfo.m_didBlockEntirePage)
    114         m_document->frame()->navigationScheduler()->scheduleLocationChange(m_document->securityOrigin(), SecurityOrigin::urlWithUniqueSecurityOrigin(), String());
    115 }
    116 
    117 } // namespace WebCore
    118