// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CSPDirectiveList_h
#define CSPDirectiveList_h

#include "core/frame/csp/ContentSecurityPolicy.h"
#include "core/frame/csp/MediaListDirective.h"
#include "core/frame/csp/SourceListDirective.h"
#include "platform/network/ContentSecurityPolicyParsers.h"
#include "platform/network/HTTPParsers.h"
#include "platform/weborigin/KURL.h"
#include "platform/weborigin/ReferrerPolicy.h"
#include "wtf/OwnPtr.h"
#include "wtf/Vector.h"
#include "wtf/text/WTFString.h"

namespace WebCore {

class ContentSecurityPolicy;

// The directives parsed out of one Content-Security-Policy header, together
// with the header's type (m_headerType) and the place it was delivered from
// (m_headerSource). The owning ContentSecurityPolicy (m_policy) asks an
// instance the allow*() questions below; each answer is computed against this
// one header only. Instances are heap-allocated through create() and are not
// copyable.
class CSPDirectiveList {
    WTF_MAKE_FAST_ALLOCATED;
    WTF_MAKE_NONCOPYABLE(CSPDirectiveList);
public:
    // Factory: allocates a list bound to the given policy, header type and
    // header source. The [begin, end) range is the header's UTF-16 text;
    // presumably it is handed to parse() before the list is returned —
    // confirm in the .cpp.
    static PassOwnPtr<CSPDirectiveList> create(ContentSecurityPolicy*, const UChar* begin, const UChar* end, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);

    // Tokenizes the header text in [begin, end) into directives; each one is
    // routed through addDirective() (see the private helpers below).
    void parse(const UChar* begin, const UChar* end);

    // -- Header metadata -----------------------------------------------------

    const String& header() const
    {
        return m_header;
    }

    ContentSecurityPolicyHeaderType headerType() const
    {
        return m_headerType;
    }

    ContentSecurityPolicyHeaderSource headerSource() const
    {
        return m_headerSource;
    }

    // -- Inline and dynamic code ---------------------------------------------
    // contextURL / contextLine identify where the inline code occurs so a
    // violation report can point at it. ReportingStatus tells the query
    // whether a denial should also be reported.

    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
    bool allowEval(ScriptState*, ContentSecurityPolicy::ReportingStatus) const;
    bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ContentSecurityPolicy::ReportingStatus) const;

    // -- Fetch / navigation destinations -------------------------------------
    // One query per resource category; each maps onto a source-list
    // directive (m_scriptSrc, m_objectSrc, ...). Whether a missing directive
    // falls back to m_defaultSrc is decided by operativeDirective().

    bool allowScriptFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
    bool allowAncestors(LocalFrame*, ContentSecurityPolicy::ReportingStatus) const;
    bool allowChildContextFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;

    // -- Nonce / hash whitelisting -------------------------------------------
    // These take no ReportingStatus: a nonce or hash that does not match is
    // not itself a violation, the caller falls through to the inline checks.

    bool allowScriptNonce(const String&) const;
    bool allowStyleNonce(const String&) const;
    bool allowScriptHash(const CSPHashValue&) const;
    bool allowStyleHash(const CSPHashValue&) const;

    // -- Parsed policy state -------------------------------------------------

    // Console text explaining why eval() is disabled; empty until
    // setEvalDisabledErrorMessage() has been called.
    const String& evalDisabledErrorMessage() const
    {
        return m_evalDisabledErrorMessage;
    }

    ReflectedXSSDisposition reflectedXSSDisposition() const
    {
        return m_reflectedXSSDisposition;
    }

    ReferrerPolicy referrerPolicy() const
    {
        return m_referrerPolicy;
    }

    // Distinguishes "referrer directive absent" from "directive set to the
    // default value", which referrerPolicy() alone cannot express.
    bool didSetReferrerPolicy() const
    {
        return m_didSetReferrerPolicy;
    }

    // True for a report-only header: violations are reported, never blocked.
    bool isReportOnly() const
    {
        return m_reportOnly;
    }

    // Destinations listed in report-uri; violation reports are posted here.
    const Vector<KURL>& reportURIs() const
    {
        return m_reportURIs;
    }

private:
    // Private: construction goes through create().
    CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType, ContentSecurityPolicyHeaderSource);

    // -- Parsing ---------------------------------------------------------------

    // Splits one "name value" directive out of [begin, end). Returns false
    // when no directive could be read.
    bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
    // Dispatches a parsed directive to the handler for its name.
    void addDirective(const String& name, const String& value);
    // Handlers for the directives whose value is not a plain source list.
    void parseReportURI(const String& name, const String& value);
    void parsePluginTypes(const String& name, const String& value);
    void parseReflectedXSS(const String& name, const String& value);
    void parseReferrer(const String& name, const String& value);
    void applySandboxPolicy(const String& name, const String& sandboxPolicy);
    // Parses value into a fresh directive object and stores it in the given
    // OwnPtr slot (one of the m_*Src members below).
    template <class CSPDirectiveType>
    void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>&);

    void setEvalDisabledErrorMessage(const String& errorMessage)
    {
        m_evalDisabledErrorMessage = errorMessage;
    }

    // -- Directive selection ---------------------------------------------------

    // Picks the directive that governs a check: the specific directive when
    // present, otherwise the fallback. The one-argument form falls back to
    // the default directive; the two-argument form lets the caller name the
    // fallback (|override|).
    SourceListDirective* operativeDirective(SourceListDirective*) const;
    SourceListDirective* operativeDirective(SourceListDirective*, SourceListDirective* override) const;

    // -- Violation reporting ---------------------------------------------------
    // directiveText is the directive as written in the header and
    // effectiveDirective the name it was enforced as (these differ when a
    // check fell back to default-src). The *WithLocation / *WithState
    // variants attach a source position or script state to the report.

    void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL) const;
    void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
    void reportViolationWithState(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptState*) const;

    // -- Pure checks (no reporting) ------------------------------------------

    bool checkEval(SourceListDirective*) const;
    bool checkInline(SourceListDirective*) const;
    bool checkNonce(SourceListDirective*, const String&) const;
    bool checkHash(SourceListDirective*, const CSPHashValue&) const;
    bool checkSource(SourceListDirective*, const KURL&) const;
    bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
    bool checkAncestors(SourceListDirective*, LocalFrame*) const;

    // -- Checks that also report ---------------------------------------------
    // Same predicates as above, but a failing check is reported before the
    // result is returned.

    bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, ScriptState*) const;
    bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const;
    bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective) const;
    bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
    bool checkAncestorsAndReportViolation(SourceListDirective*, LocalFrame*) const;

    // Returned by the *AndReportViolation helpers after a report has been
    // sent: it is simply m_reportOnly, so a report-only header yields "allow"
    // and an enforcing header yields "deny". Despite the name, it reads as
    // "is this list report-only?" — verify against the callers in the .cpp.
    bool denyIfEnforcingPolicy() const
    {
        return m_reportOnly;
    }

    // -- State -----------------------------------------------------------------
    // Member order is preserved: the constructor's initializer list in the
    // .cpp depends on it.

    ContentSecurityPolicy* m_policy;

    String m_header;
    ContentSecurityPolicyHeaderType m_headerType;
    ContentSecurityPolicyHeaderSource m_headerSource;

    bool m_reportOnly;
    bool m_haveSandboxPolicy;
    ReflectedXSSDisposition m_reflectedXSSDisposition;

    bool m_didSetReferrerPolicy;
    ReferrerPolicy m_referrerPolicy;

    // One slot per directive name; a null slot means the header did not set
    // that directive.
    OwnPtr<MediaListDirective> m_pluginTypes;
    OwnPtr<SourceListDirective> m_baseURI;
    OwnPtr<SourceListDirective> m_childSrc;
    OwnPtr<SourceListDirective> m_connectSrc;
    OwnPtr<SourceListDirective> m_defaultSrc;
    OwnPtr<SourceListDirective> m_fontSrc;
    OwnPtr<SourceListDirective> m_formAction;
    OwnPtr<SourceListDirective> m_frameAncestors;
    OwnPtr<SourceListDirective> m_frameSrc;
    OwnPtr<SourceListDirective> m_imgSrc;
    OwnPtr<SourceListDirective> m_mediaSrc;
    OwnPtr<SourceListDirective> m_objectSrc;
    OwnPtr<SourceListDirective> m_scriptSrc;
    OwnPtr<SourceListDirective> m_styleSrc;

    Vector<KURL> m_reportURIs;

    String m_evalDisabledErrorMessage;
};


} // namespace

#endif