Home | History | Annotate | Download | only in parser 
      1 /*
      2  * Copyright (C) 2013 Google, Inc. All Rights Reserved.
      3  *
      4  * Redistribution and use in source and binary forms, with or without
      5  * modification, are permitted provided that the following conditions
      6  * are met:
      7  * 1. Redistributions of source code must retain the above copyright
      8  *    notice, this list of conditions and the following disclaimer.
      9  * 2. Redistributions in binary form must reproduce the above copyright
     10  *    notice, this list of conditions and the following disclaimer in the
     11  *    documentation and/or other materials provided with the distribution.
     12  *
     13  * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
     14  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     15  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     16  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
     17  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
     18  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
     19  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
     20  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
     21  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     24  */
     25 
     26 #include "config.h"
     27 #include "core/html/parser/XSSAuditorDelegate.h"
     28 
     29 #include "core/dom/Document.h"
     30 #include "core/frame/LocalFrame.h"
     31 #include "core/inspector/ConsoleMessage.h"
     32 #include "core/loader/DocumentLoader.h"
     33 #include "core/loader/FrameLoader.h"
     34 #include "core/loader/FrameLoaderClient.h"
     35 #include "core/loader/PingLoader.h"
     36 #include "platform/JSONValues.h"
     37 #include "platform/network/FormData.h"
     38 #include "platform/weborigin/SecurityOrigin.h"
     39 #include "wtf/text/StringBuilder.h"
     40 
     41 namespace blink {
     42 
     43 String XSSInfo::buildConsoleError() const
     44 {
     45     StringBuilder message;
     46     message.appendLiteral("The XSS Auditor ");
     47     message.append(m_didBlockEntirePage ? "blocked access to" : "refused to execute a script in");
     48     message.appendLiteral(" '");
     49     message.append(m_originalURL);
     50     message.appendLiteral("' because ");
     51     message.append(m_didBlockEntirePage ? "the source code of a script" : "its source code");
     52     message.appendLiteral(" was found within the request.");
     53 
     54     if (m_didSendCSPHeader)
     55         message.appendLiteral(" The server sent a 'Content-Security-Policy' header requesting this behavior.");
     56     else if (m_didSendXSSProtectionHeader)
     57         message.appendLiteral(" The server sent an 'X-XSS-Protection' header requesting this behavior.");
     58     else
     59         message.appendLiteral(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header.");
     60 
     61     return message.toString();
     62 }
     63 
     64 bool XSSInfo::isSafeToSendToAnotherThread() const
     65 {
     66     return m_originalURL.isSafeToSendToAnotherThread();
     67 }
     68 
     69 XSSAuditorDelegate::XSSAuditorDelegate(Document* document)
     70     : m_document(document)
     71     , m_didSendNotifications(false)
     72 {
     73     ASSERT(isMainThread());
     74     ASSERT(m_document);
     75 }
     76 
     77 void XSSAuditorDelegate::trace(Visitor* visitor)
     78 {
     79     visitor->trace(m_document);
     80 }
     81 
     82 PassRefPtr<FormData> XSSAuditorDelegate::generateViolationReport(const XSSInfo& xssInfo)
     83 {
     84     ASSERT(isMainThread());
     85 
     86     FrameLoader& frameLoader = m_document->frame()->loader();
     87     String httpBody;
     88     if (frameLoader.documentLoader()) {
     89         if (FormData* formData = frameLoader.documentLoader()->originalRequest().httpBody())
     90             httpBody = formData->flattenToString();
     91     }
     92 
     93     RefPtr<JSONObject> reportDetails = JSONObject::create();
     94     reportDetails->setString("request-url", xssInfo.m_originalURL);
     95     reportDetails->setString("request-body", httpBody);
     96 
     97     RefPtr<JSONObject> reportObject = JSONObject::create();
     98     reportObject->setObject("xss-report", reportDetails.release());
     99 
    100     return FormData::create(reportObject->toJSONString().utf8().data());
    101 }
    102 
    103 void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo)
    104 {
    105     ASSERT(isMainThread());
    106 
    107     m_document->addConsoleMessage(ConsoleMessage::create(JSMessageSource, ErrorMessageLevel, xssInfo.buildConsoleError()));
    108 
    109     // stopAllLoaders can detach the LocalFrame, so protect it.
    110     RefPtrWillBeRawPtr<LocalFrame> protect(m_document->frame());
    111     FrameLoader& frameLoader = m_document->frame()->loader();
    112     if (xssInfo.m_didBlockEntirePage)
    113         frameLoader.stopAllLoaders();
    114 
    115     if (!m_didSendNotifications) {
    116         m_didSendNotifications = true;
    117 
    118         frameLoader.client()->didDetectXSS(m_document->url(), xssInfo.m_didBlockEntirePage);
    119 
    120         if (!m_reportURL.isEmpty())
    121             PingLoader::sendViolationReport(m_document->frame(), m_reportURL, generateViolationReport(xssInfo), PingLoader::XSSAuditorViolationReport);
    122     }
    123 
    124     if (xssInfo.m_didBlockEntirePage)
    125         m_document->frame()->navigationScheduler().schedulePageBlock(m_document, Referrer());
    126 }
    127 
    128 } // namespace blink
    129