| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "core/frame/csp/CSPSourceList.h" | 5 #include "core/frame/csp/CSPSourceList.h" |
| 6 | 6 |
| 7 #include "core/frame/csp/CSPSource.h" | 7 #include "core/frame/csp/CSPSource.h" |
| 8 #include "core/frame/csp/ContentSecurityPolicy.h" | 8 #include "core/frame/csp/ContentSecurityPolicy.h" |
| 9 #include "platform/weborigin/KURL.h" | 9 #include "platform/weborigin/KURL.h" |
| 10 #include "platform/weborigin/SecurityOrigin.h" | 10 #include "platform/weborigin/SecurityOrigin.h" |
| (...skipping 29 matching lines...) Expand all Loading... |
| 40 , m_allowInline(false) | 40 , m_allowInline(false) |
| 41 , m_allowEval(false) | 41 , m_allowEval(false) |
| 42 , m_allowDynamic(false) | 42 , m_allowDynamic(false) |
| 43 , m_allowHashedAttributes(false) | 43 , m_allowHashedAttributes(false) |
| 44 , m_hashAlgorithmsUsed(0) | 44 , m_hashAlgorithmsUsed(0) |
| 45 { | 45 { |
| 46 } | 46 } |
| 47 | 47 |
| 48 bool CSPSourceList::matches(const KURL& url, ResourceRequest::RedirectStatus red
irectStatus) const | 48 bool CSPSourceList::matches(const KURL& url, ResourceRequest::RedirectStatus red
irectStatus) const |
| 49 { | 49 { |
| 50 // The CSP spec specifically states that only http:, https:, ws: and wss: sh
ould | 50 // Wildcards match network schemes ('http', 'https', 'ws', 'wss'), and the s
cheme of the |
| 51 // be captured by a '*" source. | 51 // protected resource: https://w3c.github.io/webappsec-csp/#match-url-to-sou
rce-expression. |
| 52 // (https://w3c.github.io/webappsec-csp/#match-url-to-source-expression). Th
us, | 52 // Other schemes, including custom schemes, must be explicitly listed in a s
ource list. |
| 53 // in the case of a full wildcard, URLs with any other schemes are | |
| 54 // explicitly checked for in the source list before allowing them through. | |
| 55 if (m_allowStar) { | 53 if (m_allowStar) { |
| 56 if (url.protocolIsInHTTPFamily() || url.protocolIs("ws") || url.protocol
Is("wss")) | 54 if (url.protocolIsInHTTPFamily() || url.protocolIs("ws") || url.protocol
Is("wss") || m_policy->protocolMatchesSelf(url)) |
| 57 return true; | 55 return true; |
| 58 | 56 |
| 59 return hasSourceMatchInList(url, redirectStatus); | 57 return hasSourceMatchInList(url, redirectStatus); |
| 60 } | 58 } |
| 61 | 59 |
| 62 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul
dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; | 60 KURL effectiveURL = m_policy->selfMatchesInnerURL() && SecurityOrigin::shoul
dUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; |
| 63 | 61 |
| 64 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) | 62 if (m_allowSelf && m_policy->urlMatchesSelf(effectiveURL)) |
| 65 return true; | 63 return true; |
| 66 | 64 |
| (...skipping 473 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 540 return false; | 538 return false; |
| 541 } | 539 } |
| 542 | 540 |
| 543 DEFINE_TRACE(CSPSourceList) | 541 DEFINE_TRACE(CSPSourceList) |
| 544 { | 542 { |
| 545 visitor->trace(m_policy); | 543 visitor->trace(m_policy); |
| 546 visitor->trace(m_list); | 544 visitor->trace(m_list); |
| 547 } | 545 } |
| 548 | 546 |
| 549 } // namespace blink | 547 } // namespace blink |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2375423002:
Relax '*' in CSPSourceList to match the protected resource's protocol. (Closed)
