1 /* 2 * Copyright (C) 2013 Google, Inc. All Rights Reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #include "config.h" 27 #include "core/html/parser/XSSAuditorDelegate.h" 28 29 #include "core/dom/Document.h" 30 #include "core/frame/LocalFrame.h" 31 #include "core/inspector/ConsoleMessage.h" 32 #include "core/loader/DocumentLoader.h" 33 #include "core/loader/FrameLoader.h" 34 #include "core/loader/FrameLoaderClient.h" 35 #include "core/loader/PingLoader.h" 36 #include "platform/JSONValues.h" 37 #include "platform/network/FormData.h" 38 #include "platform/weborigin/SecurityOrigin.h" 39 #include "wtf/text/StringBuilder.h" 40 41 namespace blink { 42 43 String XSSInfo::buildConsoleError() const 44 { 45 StringBuilder message; 46 message.appendLiteral("The XSS Auditor "); 47 message.append(m_didBlockEntirePage ? "blocked access to" : "refused to execute a script in"); 48 message.appendLiteral(" '"); 49 message.append(m_originalURL); 50 message.appendLiteral("' because "); 51 message.append(m_didBlockEntirePage ? "the source code of a script" : "its source code"); 52 message.appendLiteral(" was found within the request."); 53 54 if (m_didSendCSPHeader) 55 message.appendLiteral(" The server sent a 'Content-Security-Policy' header requesting this behavior."); 56 else if (m_didSendXSSProtectionHeader) 57 message.appendLiteral(" The server sent an 'X-XSS-Protection' header requesting this behavior."); 58 else 59 message.appendLiteral(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header."); 60 61 return message.toString(); 62 } 63 64 bool XSSInfo::isSafeToSendToAnotherThread() const 65 { 66 return m_originalURL.isSafeToSendToAnotherThread(); 67 } 68 69 XSSAuditorDelegate::XSSAuditorDelegate(Document* document) 70 : m_document(document) 71 , m_didSendNotifications(false) 72 { 73 ASSERT(isMainThread()); 74 ASSERT(m_document); 75 } 76 77 void XSSAuditorDelegate::trace(Visitor* visitor) 78 { 79 visitor->trace(m_document); 80 } 81 82 PassRefPtr<FormData> XSSAuditorDelegate::generateViolationReport(const XSSInfo& xssInfo) 83 { 84 ASSERT(isMainThread()); 85 86 FrameLoader& frameLoader = m_document->frame()->loader(); 87 String httpBody; 88 if (frameLoader.documentLoader()) { 89 if (FormData* formData = frameLoader.documentLoader()->originalRequest().httpBody()) 90 httpBody = formData->flattenToString(); 91 } 92 93 RefPtr<JSONObject> reportDetails = JSONObject::create(); 94 reportDetails->setString("request-url", xssInfo.m_originalURL); 95 reportDetails->setString("request-body", httpBody); 96 97 RefPtr<JSONObject> reportObject = JSONObject::create(); 98 reportObject->setObject("xss-report", reportDetails.release()); 99 100 return FormData::create(reportObject->toJSONString().utf8().data()); 101 } 102 103 void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo) 104 { 105 ASSERT(isMainThread()); 106 107 m_document->addConsoleMessage(ConsoleMessage::create(JSMessageSource, ErrorMessageLevel, xssInfo.buildConsoleError())); 108 109 // stopAllLoaders can detach the LocalFrame, so protect it. 110 RefPtrWillBeRawPtr<LocalFrame> protect(m_document->frame()); 111 FrameLoader& frameLoader = m_document->frame()->loader(); 112 if (xssInfo.m_didBlockEntirePage) 113 frameLoader.stopAllLoaders(); 114 115 if (!m_didSendNotifications) { 116 m_didSendNotifications = true; 117 118 frameLoader.client()->didDetectXSS(m_document->url(), xssInfo.m_didBlockEntirePage); 119 120 if (!m_reportURL.isEmpty()) 121 PingLoader::sendViolationReport(m_document->frame(), m_reportURL, generateViolationReport(xssInfo), PingLoader::XSSAuditorViolationReport); 122 } 123 124 if (xssInfo.m_didBlockEntirePage) 125 m_document->frame()->navigationScheduler().schedulePageBlock(m_document, Referrer()); 126 } 127 128 } // namespace blink 129