      1 // Copyright 2014 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CSPDirectiveList_h
      6 #define CSPDirectiveList_h
      7 
      8 #include "core/frame/csp/ContentSecurityPolicy.h"
      9 #include "core/frame/csp/MediaListDirective.h"
     10 #include "core/frame/csp/SourceListDirective.h"
     11 #include "platform/network/ContentSecurityPolicyParsers.h"
     12 #include "platform/network/HTTPParsers.h"
     13 #include "platform/weborigin/KURL.h"
     14 #include "platform/weborigin/ReferrerPolicy.h"
     15 #include "wtf/OwnPtr.h"
     16 #include "wtf/Vector.h"
     17 #include "wtf/text/WTFString.h"
     18 
     19 namespace blink {
     20 
     21 class ContentSecurityPolicy;
     22 
// The parsed form of a single Content-Security-Policy header value: the
// directives it contains (one OwnPtr member per directive, below) plus the
// header-level settings (report-only, sandbox, reflected-xss, referrer,
// report-uri endpoints). The allow*() queries evaluate a load or an inline
// operation against this one policy; the owning ContentSecurityPolicy is
// expected to combine results across all policies it holds.
class CSPDirectiveList {
    WTF_MAKE_FAST_ALLOCATED;
    WTF_MAKE_NONCOPYABLE(CSPDirectiveList);
public:
    // Factory: the only way to obtain an instance (the constructor is private).
    // Parses the header text in [begin, end) and hands ownership of the result
    // to the caller. The header type distinguishes enforced from report-only
    // policies; the header source records where the header was delivered from
    // (see ContentSecurityPolicyHeaderSource).
    static PassOwnPtr<CSPDirectiveList> create(ContentSecurityPolicy*, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);

    // Parses the directive list in [begin, end) and populates the directive
    // members below. Presumably invoked once from create(); confirm in the .cpp.
    void parse(const UChar* begin, const UChar* end);

    // Raw header text and the type/source it was created with.
    const String& header() const { return m_header; }
    ContentSecurityPolicyHeaderType headerType() const { return m_headerType; }
    ContentSecurityPolicyHeaderSource headerSource() const { return m_headerSource; }

    // Inline-execution checks. |contextURL| and |contextLine| identify where
    // the inline code appears and are used when a violation is reported. The
    // ContentSecurityPolicy::ReportingStatus argument presumably selects
    // whether a failing check also generates a violation report, so callers
    // can probe a policy without producing side effects — verify against the
    // enum's definition. All of these return true for a report-only policy
    // (see denyIfEnforcingPolicy()), so the return value is "may proceed",
    // not "conforms to policy".
    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
    // eval()/Function() and similar string-to-code paths; the ScriptState is
    // presumably used to attribute a reported violation.
    bool allowEval(ScriptState*, ContentSecurityPolicy::ReportingStatus) const;
    // Plugin MIME type check against the plugin-types directive (m_pluginTypes).
    // |type| and |typeAttribute| are both supplied; which one is authoritative
    // is decided in checkMediaType() in the .cpp.
    bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ContentSecurityPolicy::ReportingStatus) const;

    // Per-resource-type source checks: is the given URL permitted by the
    // directive governing that resource type? Each presumably consults
    // operativeDirective() so that a missing specific directive falls back to
    // default-src where CSP allows it — confirm in the .cpp.
    bool allowScriptFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    // frame-ancestors: walks the embedding chain of |LocalFrame| (see
    // checkAncestors()); the KURL is the document URL used in reports.
    bool allowAncestors(LocalFrame*, const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowChildContextFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    // Nonce/hash checks for inline script and style. These take no
    // ReportingStatus: they only answer whether the nonce/hash is listed in the
    // governing directive, and never report a violation themselves.
    bool allowScriptNonce(const String&) const;
    bool allowStyleNonce(const String&) const;
    bool allowScriptHash(const CSPHashValue&) const;
    bool allowStyleHash(const CSPHashValue&) const;

    // Header-level settings parsed out of the directive list.
    const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
    ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
    ReferrerPolicy referrerPolicy() const { return m_referrerPolicy; }
    // True only if a referrer directive was actually present; referrerPolicy()
    // alone cannot distinguish "unset" from a default value.
    bool didSetReferrerPolicy() const { return m_didSetReferrerPolicy; }
    // A report-only policy never blocks anything; violations are reported only.
    bool isReportOnly() const { return m_reportOnly; }
    // Endpoints from report-uri, in header order.
    const Vector<String>& reportEndpoints() const { return m_reportEndpoints; }

private:
    CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);

    // Splits one "name value" directive out of [begin, end). Returns false when
    // the text is not a well-formed directive (exact rules are in the .cpp).
    bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
    // Directive-specific value parsers; |name| is presumably passed so that
    // error messages can quote the directive.
    void parseReportURI(const String& name, const String& value);
    void parsePluginTypes(const String& name, const String& value);
    void parseReflectedXSS(const String& name, const String& value);
    void parseReferrer(const String& name, const String& value);
    // Dispatches a parsed directive to the matching parser/setter above.
    void addDirective(const String& name, const String& value);
    void applySandboxPolicy(const String& name, const String& sandboxPolicy);

    // Generic setter for source-list and media-list directives; the OwnPtr
    // receives the newly parsed directive.
    template <class CSPDirectiveType>
    void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>&);

    // Chooses the directive that actually governs a check. The one-argument
    // form presumably substitutes m_defaultSrc when the given directive is
    // null; the two-argument form prefers |override| when present. Confirm
    // the exact fallback in the .cpp.
    SourceListDirective* operativeDirective(SourceListDirective*) const;
    SourceListDirective* operativeDirective(SourceListDirective*, SourceListDirective* override) const;
    // Violation reporting, delegated (presumably) to m_policy. The variants
    // differ only in what location information is attached to the report.
    void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL) const;
    void reportViolationWithFrame(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, LocalFrame*) const;
    void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
    void reportViolationWithState(const String& directiveText, const String& effectiveDirective, const String& message, const KURL& blockedURL, ScriptState*) const;

    // Pure policy predicates: evaluate a directive without reporting or
    // applying the report-only override. These are the functions whose result
    // says whether the operation *conforms* to the directive.
    bool checkEval(SourceListDirective*) const;
    bool checkInline(SourceListDirective*) const;
    bool checkNonce(SourceListDirective*, const String&) const;
    bool checkHash(SourceListDirective*, const CSPHashValue&) const;
    bool checkSource(SourceListDirective*, const KURL&) const;
    bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
    bool checkAncestors(SourceListDirective*, LocalFrame*) const;

    void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; }

    // check*AndReportViolation: the reporting wrappers around the predicates
    // above. On failure they presumably report and then return
    // denyIfEnforcingPolicy(), so that a report-only policy still allows.
    bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, ScriptState*) const;
    bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const;

    bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective) const;
    bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
    bool checkAncestorsAndReportViolation(SourceListDirective*, LocalFrame*, const KURL&) const;

    // Despite the name, this returns the *allow* result to use after a
    // violation has been reported: true (allow) when the policy is report-only,
    // false (deny) when it is enforced.
    bool denyIfEnforcingPolicy() const { return m_reportOnly; }

    // Back-pointer to the policy this list was created for. create() hands
    // ownership of the list to its caller, so this pointer is presumably
    // non-owning and must outlive the list — confirm against the caller.
    ContentSecurityPolicy* m_policy;

    String m_header;
    ContentSecurityPolicyHeaderType m_headerType;
    ContentSecurityPolicyHeaderSource m_headerSource;

    // Derived from the header type: a report-only list reports but never blocks.
    bool m_reportOnly;
    bool m_haveSandboxPolicy;
    ReflectedXSSDisposition m_reflectedXSSDisposition;

    bool m_didSetReferrerPolicy;
    ReferrerPolicy m_referrerPolicy;

    // One entry per supported directive; null when the header did not set it.
    // Names follow the directive (m_scriptSrc == script-src, etc.).
    OwnPtr<MediaListDirective> m_pluginTypes;
    OwnPtr<SourceListDirective> m_baseURI;
    OwnPtr<SourceListDirective> m_childSrc;
    OwnPtr<SourceListDirective> m_connectSrc;
    OwnPtr<SourceListDirective> m_defaultSrc;
    OwnPtr<SourceListDirective> m_fontSrc;
    OwnPtr<SourceListDirective> m_formAction;
    OwnPtr<SourceListDirective> m_frameAncestors;
    OwnPtr<SourceListDirective> m_frameSrc;
    OwnPtr<SourceListDirective> m_imgSrc;
    OwnPtr<SourceListDirective> m_mediaSrc;
    OwnPtr<SourceListDirective> m_objectSrc;
    OwnPtr<SourceListDirective> m_scriptSrc;
    OwnPtr<SourceListDirective> m_styleSrc;

    Vector<String> m_reportEndpoints;

    // Console message used when eval is blocked; set via
    // setEvalDisabledErrorMessage() during parsing.
    String m_evalDisabledErrorMessage;
};
    138 
    139 
    140 } // namespace
    141 
    142 #endif
    143