Home | History | Annotate | Download | only in parser 
      1 /*
      2  * Copyright (C) 2013 Google, Inc. All Rights Reserved.
      3  *
      4  * Redistribution and use in source and binary forms, with or without
      5  * modification, are permitted provided that the following conditions
      6  * are met:
      7  * 1. Redistributions of source code must retain the above copyright
      8  *    notice, this list of conditions and the following disclaimer.
      9  * 2. Redistributions in binary form must reproduce the above copyright
     10  *    notice, this list of conditions and the following disclaimer in the
     11  *    documentation and/or other materials provided with the distribution.
     12  *
     13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
     14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
     17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
     18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
     19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
     20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
     21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     24  */
     25 
     26 #include "config.h"
     27 #include "core/html/parser/XSSAuditorDelegate.h"
     28 
     29 #include "core/dom/Document.h"
     30 #include "core/frame/Frame.h"
     31 #include "core/loader/DocumentLoader.h"
     32 #include "core/loader/FrameLoader.h"
     33 #include "core/loader/FrameLoaderClient.h"
     34 #include "core/loader/PingLoader.h"
     35 #include "platform/JSONValues.h"
     36 #include "platform/network/FormData.h"
     37 #include "platform/weborigin/SecurityOrigin.h"
     38 #include "wtf/text/StringBuilder.h"
     39 
     40 namespace WebCore {
     41 
     42 String XSSInfo::buildConsoleError() const
     43 {
     44     StringBuilder message;
     45     message.append("The XSS Auditor ");
     46     message.append(m_didBlockEntirePage ? "blocked access to" : "refused to execute a script in");
     47     message.append(" '");
     48     message.append(m_originalURL);
     49     message.append("' because ");
     50     message.append(m_didBlockEntirePage ? "the source code of a script" : "its source code");
     51     message.append(" was found within the request.");
     52 
     53     if (m_didSendCSPHeader)
     54         message.append(" The server sent a 'Content-Security-Policy' header requesting this behavior.");
     55     else if (m_didSendXSSProtectionHeader)
     56         message.append(" The server sent an 'X-XSS-Protection' header requesting this behavior.");
     57     else
     58         message.append(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.");
     59 
     60     return message.toString();
     61 }
     62 
     63 bool XSSInfo::isSafeToSendToAnotherThread() const
     64 {
     65     return m_originalURL.isSafeToSendToAnotherThread();
     66 }
     67 
     68 XSSAuditorDelegate::XSSAuditorDelegate(Document* document)
     69     : m_document(document)
     70     , m_didSendNotifications(false)
     71 {
     72     ASSERT(isMainThread());
     73     ASSERT(m_document);
     74 }
     75 
     76 PassRefPtr<FormData> XSSAuditorDelegate::generateViolationReport(const XSSInfo& xssInfo)
     77 {
     78     ASSERT(isMainThread());
     79 
     80     FrameLoader& frameLoader = m_document->frame()->loader();
     81     String httpBody;
     82     if (frameLoader.documentLoader()) {
     83         if (FormData* formData = frameLoader.documentLoader()->originalRequest().httpBody())
     84             httpBody = formData->flattenToString();
     85     }
     86 
     87     RefPtr<JSONObject> reportDetails = JSONObject::create();
     88     reportDetails->setString("request-url", xssInfo.m_originalURL);
     89     reportDetails->setString("request-body", httpBody);
     90 
     91     RefPtr<JSONObject> reportObject = JSONObject::create();
     92     reportObject->setObject("xss-report", reportDetails.release());
     93 
     94     return FormData::create(reportObject->toJSONString().utf8().data());
     95 }
     96 
     97 void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo)
     98 {
     99     ASSERT(isMainThread());
    100 
    101     m_document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, xssInfo.buildConsoleError());
    102 
    103     // stopAllLoaders can detach the Frame, so protect it.
    104     RefPtr<Frame> protect(m_document->frame());
    105     FrameLoader& frameLoader = m_document->frame()->loader();
    106     if (xssInfo.m_didBlockEntirePage)
    107         frameLoader.stopAllLoaders();
    108 
    109     if (!m_didSendNotifications) {
    110         m_didSendNotifications = true;
    111 
    112         frameLoader.client()->didDetectXSS(m_document->url(), xssInfo.m_didBlockEntirePage);
    113 
    114         if (!m_reportURL.isEmpty())
    115             PingLoader::sendViolationReport(m_document->frame(), m_reportURL, generateViolationReport(xssInfo), PingLoader::XSSAuditorViolationReport);
    116     }
    117 
    118     if (xssInfo.m_didBlockEntirePage)
    119         m_document->frame()->navigationScheduler().scheduleLocationChange(m_document, SecurityOrigin::urlWithUniqueSecurityOrigin(), String());
    120 }
    121 
    122 } // namespace WebCore
    123