1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "core/frame/csp/CSPSourceList.h" | 5 #include "core/frame/csp/CSPSourceList.h" |
6 | 6 |
7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
9 #include "platform/weborigin/KURL.h" | 9 #include "platform/weborigin/KURL.h" |
10 #include "platform/weborigin/SecurityOrigin.h" | 10 #include "platform/weborigin/SecurityOrigin.h" |
40 , m_allowInline(false) | 40 , m_allowInline(false) |
41 , m_allowEval(false) | 41 , m_allowEval(false) |
42 , m_allowDynamic(false) | 42 , m_allowDynamic(false) |
43 , m_allowHashedAttributes(false) | 43 , m_allowHashedAttributes(false) |
44 , m_hashAlgorithmsUsed(0) | 44 , m_hashAlgorithmsUsed(0) |
45 { | 45 { |
46 } | 46 } |
47 | 47 |
48 bool CSPSourceList::matches(const KURL& url, ResourceRequest::RedirectStatus red
irectStatus) const | 48 bool CSPSourceList::matches(const KURL& url, ResourceRequest::RedirectStatus red
irectStatus) const |
49 { | 49 { |
50 // The CSP spec specifically states that only http:, https:, ws: and wss: sh
ould | 50 // Wildcards match network schemes ('http', 'https', 'ws', 'wss'), and the s
cheme of the |
51 // be captured by a '*" source. | 51 // protected resource: https://w3c.github.io/webappsec-csp/#match-url-to-sou
rce-expression. |
52 // (https://w3c.github.io/webappsec-csp/#match-url-to-source-expression). Th
us, | 52 // Other schemes, including custom schemes, must be explicitly listed in a s
ource list. |
53 // in the case of a full wildcard, URLs with any other schemes are | |
54 // explicitly checked for in the source list before allowing them through. | |
55 if (m_allowStar) { | 53 if (m_allowStar) { |
56 if (url.protocolIsInHTTPFamily() || url.protocolIs("ws") || url.protocol
Is("wss")) | 54 if (url.protocolIsInHTTPFamily() || url.protocolIs("ws") || url.protocol
Is("wss") || m_policy->protocolMatchesSelf(url)) |
57 return true; | 55 return true; |
58 | 56 |
59 return hasSourceMatchInList(url, redirectStatus); | 57 return hasSourceMatchInList(url, redirectStatus); |
60 } | 58 } |
61 | 59 |
62 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul
dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; | 60 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul
dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; |
63 | 61 |
64 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) | 62 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) |
65 return true; | 63 return true; |
66 | 64 |
540 return false; | 538 return false; |
541 } | 539 } |
542 | 540 |
543 DEFINE_TRACE(CSPSourceList) | 541 DEFINE_TRACE(CSPSourceList) |
544 { | 542 { |
545 visitor->trace(m_policy); | 543 visitor->trace(m_policy); |
546 visitor->trace(m_list); | 544 visitor->trace(m_list); |
547 } | 545 } |
548 | 546 |
549 } // namespace blink | 547 } // namespace blink |
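Review bot: The new `m_policy->protocolMatchesSelf(url)` term in the `m_allowStar` branch (new line 54) is evaluated on the raw `url`, while the `self` check a few lines below (new line 62) is evaluated on `effectiveURL`, which is swapped for the inner URL when `selfMatchesInnerURL()` and `shouldUseInnerURL(url)` hold; for a URL that wraps an inner URL the wildcard and `self` branches therefore presumably compare different schemes. If that asymmetry is intended, the rewritten comment on new lines 50-52 should say so, e.g. `// The wildcard check looks at the outer scheme only; inner-URL unwrapping applies to 'self' below.`, and a test for a custom-scheme document loading a same-scheme subresource under a `*` source would pin the new spec behaviour. If it is not intended, the `effectiveURL` computation would have to move above the `m_allowStar` block rather than stay where it is. The body of `matches()` continues beyond the visible hunk.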