1 /* 2 * Copyright (C) 2011 Google, Inc. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26 #ifndef ContentSecurityPolicy_h 27 #define ContentSecurityPolicy_h 28 29 #include <wtf/Vector.h> 30 #include <wtf/text/WTFString.h> 31 32 namespace WebCore { 33 34 class CSPDirective; 35 class CSPOptions; 36 class KURL; 37 class SecurityOrigin; 38 39 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> { 40 public: 41 static PassRefPtr<ContentSecurityPolicy> create(SecurityOrigin* origin = 0) 42 { 43 return adoptRef(new ContentSecurityPolicy(origin)); 44 } 45 ~ContentSecurityPolicy(); 46 47 void didReceiveHeader(const String&); 48 49 bool allowJavaScriptURLs() const; 50 bool allowInlineEventHandlers() const; 51 bool allowInlineScript() const; 52 bool allowEval() const; 53 54 bool allowScriptFromSource(const KURL&) const; 55 bool allowObjectFromSource(const KURL&) const; 56 bool allowImageFromSource(const KURL&) const; 57 bool allowStyleFromSource(const KURL&) const; 58 bool allowFontFromSource(const KURL&) const; 59 bool allowMediaFromSource(const KURL&) const; 60 61 private: 62 explicit ContentSecurityPolicy(SecurityOrigin*); 63 64 bool protectAgainstXSS() const; 65 66 void parse(const String&); 67 bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value); 68 void addDirective(const String& name, const String& value); 69 70 bool m_havePolicy; 71 RefPtr<SecurityOrigin> m_origin; 72 OwnPtr<CSPDirective> m_scriptSrc; 73 OwnPtr<CSPDirective> m_objectSrc; 74 OwnPtr<CSPDirective> m_imgSrc; 75 OwnPtr<CSPDirective> m_styleSrc; 76 OwnPtr<CSPDirective> m_fontSrc; 77 OwnPtr<CSPDirective> m_mediaSrc; 78 OwnPtr<CSPOptions> m_options; 79 }; 80 81 } 82 83 #endif 84