Diff
Modified: trunk/Source/WebCore/ChangeLog (198378 => 198379)
--- trunk/Source/WebCore/ChangeLog 2016-03-18 06:12:42 UTC (rev 198378)
+++ trunk/Source/WebCore/ChangeLog 2016-03-18 06:32:24 UTC (rev 198379)
@@ -1,3 +1,88 @@
+2016-03-17 Daniel Bates <[email protected]>
+
+ Cleanup: Remove the need to pass reporting status to ContentSecurityPolicy functions
+ https://bugs.webkit.org/show_bug.cgi?id=155623
+
+ Reviewed by Andy Estes and Alex Christensen.
+
+ ScriptController::initScript() is the only function that passes ContentSecurityPolicy::ReportingStatus::SuppressReport
+ following the removal of the SecurityPolicy script interface in <http://trac.webkit.org/changeset/197142>. It
+ passes this reporting status to prevent sending a violation report when determining whether the CSP policy allows
+ use of the _javascript_ eval()/operator eval so that it enable or disable this capability as appropriate. We
+ should teach ScriptController::initScript() to delegate the responsibility of enabling/disabling this capability
+ to the ContentSecurityPolicy. Then we can remove the need to expose ContentSecurityPolicy::ReportingStatus as
+ part of the ContentSecurityPolicy interface.
+
+ No functionality changed. So, no new tests.
+
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::createWindowShell): Return a reference to a JSDOMWindowShell object
+ instead of a pointer as the pointer is always non-null.
+ (WebCore::ScriptController::initScript): Updated as needed now that ScriptController::createWindowShell()
+ returns a reference. Moved logic to enable/disable _javascript_ eval() and operator eval from here into
+ ContentSecurityPolicy::didCreateWindowShell() and make use of this member function.
+ * bindings/js/ScriptController.h:
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::didCreateWindowShell): Added. Moved logic from to enable/disable _javascript_
+ eval() and operator eval from ScriptController::initScript() to here.
+ (WebCore::ContentSecurityPolicy::didReceiveHeader): Substitute ContentSecurityPolicyDirectiveList::ReportingStatus::SuppressReport
+ for ContentSecurityPolicy::ReportingStatus::SuppressReport as the enum has moved from class ContentSecurityPolicy
+ to ContentSecurityPolicyDirectiveList. Fix minor code style nit; substitute nullptr for 0 in the first argument
+ to ContentSecurityPolicyDirectiveList::allowEval().
+ (WebCore::isAllowedByAllWithFrame): Substitute ContentSecurityPolicyDirectiveList::ReportingStatus::SuppressReport
+ for ContentSecurityPolicy::ReportingStatus::SuppressReport as the enum has moved from class ContentSecurityPolicy
+ to ContentSecurityPolicyDirectiveList.
+ (WebCore::isAllowedByAll): Substitute ContentSecurityPolicyDirectiveList::ReportingStatus::SuppressReport
+ for ContentSecurityPolicy::ReportingStatus::SuppressReport as the enum has moved from class ContentSecurityPolicy
+ to ContentSecurityPolicyDirectiveList. Also make this function static so that it has internal linkage.
+ (WebCore::isAllowedByAllWithState): Ditto.
+ (WebCore::isAllowedByAllWithContext): Ditto.
+ (WebCore::isAllowedByAllWithHashFromContent): Ditto.
+ (WebCore::isAllowedByAllWithURL): Ditto.
+ (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): Remove argument reportingStatus and always pass
+ ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport to the directive list member function. In a
+ subsequent patch we will remove the need to pass the reporting status to the directive list member function.
+ (WebCore::ContentSecurityPolicy::allowInlineEventHandlers): Ditto.
+ (WebCore::ContentSecurityPolicy::allowInlineScript): Ditto.
+ (WebCore::ContentSecurityPolicy::allowInlineStyle): Ditto.
+ (WebCore::ContentSecurityPolicy::allowEval): Ditto.
+ (WebCore::ContentSecurityPolicy::allowFrameAncestors): Ditto.
+ (WebCore::ContentSecurityPolicy::allowPluginType): Ditto.
+ (WebCore::ContentSecurityPolicy::allowScriptFromSource): Ditto.
+ (WebCore::ContentSecurityPolicy::allowObjectFromSource): Ditto.
+ (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): Ditto.
+ (WebCore::ContentSecurityPolicy::allowChildContextFromSource): Ditto.
+ (WebCore::ContentSecurityPolicy::allowImageFromSource): Ditto.
+ (WebCore::ContentSecurityPolicy::allowStyleFromSource): Ditto.
+ (WebCore::ContentSecurityPolicy::allowFontFromSource): Ditto.
+ (WebCore::ContentSecurityPolicy::allowMediaFromSource): Ditto.
+ (WebCore::ContentSecurityPolicy::allowConnectToSource): Ditto.
+ (WebCore::ContentSecurityPolicy::allowFormAction): Ditto.
+ (WebCore::ContentSecurityPolicy::allowBaseURI): Ditto.
+ (WebCore::ContentSecurityPolicy::evalDisabledErrorMessage): Deleted.
+ * page/csp/ContentSecurityPolicy.h:
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::ContentSecurityPolicyDirectiveList::allowJavaScriptURLs): Substitute ReportingStatus for
+ ContentSecurityPolicy::ReportingStatus as the enum has moved from class ContentSecurityPolicy to this class.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowInlineEventHandlers): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowInlineScript): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowInlineStyle): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowEval): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowPluginType): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowScriptFromSource): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowObjectFromSource): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowChildContextFromSource): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowChildFrameFromSource): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowImageFromSource): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowStyleFromSource): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowFontFromSource): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowMediaFromSource): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowConnectToSource): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowFormAction): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowBaseURI): Ditto.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowFrameAncestors): Ditto.
+ * page/csp/ContentSecurityPolicyDirectiveList.h:
+
2016-03-17 Brent Fulgham <[email protected]>
[XSS Auditor] Off by one in XSSAuditor::canonicalizedSnippetForJavaScript()
Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (198378 => 198379)
--- trunk/Source/WebCore/bindings/js/ScriptController.cpp 2016-03-18 06:12:42 UTC (rev 198378)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp 2016-03-18 06:32:24 UTC (rev 198379)
@@ -123,7 +123,7 @@
world.didDestroyWindowShell(this);
}
-JSDOMWindowShell* ScriptController::createWindowShell(DOMWrapperWorld& world)
+JSDOMWindowShell& ScriptController::createWindowShell(DOMWrapperWorld& world)
{
ASSERT(!m_windowShells.contains(&world));
@@ -134,7 +134,7 @@
Strong<JSDOMWindowShell> windowShell2(windowShell);
m_windowShells.add(&world, windowShell);
world.didCreateWindowShell(this);
- return windowShell.get();
+ return *windowShell.get();
}
Deprecated::ScriptValue ScriptController::evaluateInWorld(const ScriptSourceCode& sourceCode, DOMWrapperWorld& world, ExceptionDetails* exceptionDetails)
@@ -249,27 +249,22 @@
JSLockHolder lock(world.vm());
- JSDOMWindowShell* windowShell = createWindowShell(world);
+ JSDOMWindowShell& windowShell = createWindowShell(world);
- windowShell->window()->updateDocument();
+ windowShell.window()->updateDocument();
- if (m_frame.document()) {
- bool shouldBypassMainWorldContentSecurityPolicy = !world.isNormal();
- if (shouldBypassMainWorldContentSecurityPolicy)
- windowShell->window()->setEvalEnabled(true);
- else
- windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, shouldBypassMainWorldContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
- }
+ if (Document* document = m_frame.document())
+ document->contentSecurityPolicy()->didCreateWindowShell(windowShell);
if (Page* page = m_frame.page()) {
- attachDebugger(windowShell, page->debugger());
- windowShell->window()->setProfileGroup(page->group().identifier());
- windowShell->window()->setConsoleClient(&page->console());
+ attachDebugger(&windowShell, page->debugger());
+ windowShell.window()->setProfileGroup(page->group().identifier());
+ windowShell.window()->setConsoleClient(&page->console());
}
m_frame.loader().dispatchDidClearWindowObjectInWorld(world);
- return windowShell;
+ return &windowShell;
}
TextPosition ScriptController::eventHandlerPosition() const
Modified: trunk/Source/WebCore/bindings/js/ScriptController.h (198378 => 198379)
--- trunk/Source/WebCore/bindings/js/ScriptController.h 2016-03-18 06:12:42 UTC (rev 198378)
+++ trunk/Source/WebCore/bindings/js/ScriptController.h 2016-03-18 06:32:24 UTC (rev 198379)
@@ -79,7 +79,7 @@
WEBCORE_EXPORT static Ref<DOMWrapperWorld> createWorld();
- JSDOMWindowShell* createWindowShell(DOMWrapperWorld&);
+ JSDOMWindowShell& createWindowShell(DOMWrapperWorld&);
void destroyWindowShell(DOMWrapperWorld&);
Vector<JSC::Strong<JSDOMWindowShell>> windowShells();
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (198378 => 198379)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-03-18 06:12:42 UTC (rev 198378)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-03-18 06:32:24 UTC (rev 198379)
@@ -41,6 +41,7 @@
#include "Frame.h"
#include "HTMLParserIdioms.h"
#include "InspectorInstrumentation.h"
+#include "JSDOMWindowShell.h"
#include "JSMainThreadExecState.h"
#include "ParsingUtilities.h"
#include "PingLoader.h"
@@ -88,6 +89,19 @@
didReceiveHeader(policy->header(), policy->headerType(), ContentSecurityPolicy::PolicyFrom::Inherited);
}
+void ContentSecurityPolicy::didCreateWindowShell(JSDOMWindowShell& windowShell) const
+{
+ JSDOMWindow* window = windowShell.window();
+ ASSERT(window);
+ ASSERT(window->scriptExecutionContext());
+ ASSERT(window->scriptExecutionContext()->contentSecurityPolicy() == this);
+ if (!windowShell.world().isNormal()) {
+ window->setEvalEnabled(true);
+ return;
+ }
+ window->setEvalEnabled(m_lastPolicyEvalDisabledErrorMessage.isNull(), m_lastPolicyEvalDisabledErrorMessage);
+}
+
ContentSecurityPolicyResponseHeaders ContentSecurityPolicy::responseHeaders() const
{
ContentSecurityPolicyResponseHeaders result;
@@ -119,7 +133,7 @@
// header1,header2 OR header1
// ^ ^
std::unique_ptr<ContentSecurityPolicyDirectiveList> policy = ContentSecurityPolicyDirectiveList::create(*this, String(begin, position - begin), type, policyFrom);
- if (!policy->allowEval(0, ContentSecurityPolicy::ReportingStatus::SuppressReport))
+ if (!policy->allowEval(nullptr, ContentSecurityPolicyDirectiveList::ReportingStatus::SuppressReport))
m_lastPolicyEvalDisabledErrorMessage = policy->evalDisabledErrorMessage();
m_policies.append(policy.release());
@@ -160,8 +174,8 @@
return equalIgnoringASCIICase(url.protocol(), m_selfSourceProtocol);
}
-template<bool (ContentSecurityPolicyDirectiveList::*allowed)(const Frame&, const URL&, ContentSecurityPolicy::ReportingStatus) const>
-static bool isAllowedByAllWithFrame(const CSPDirectiveListVector& policies, const Frame& frame, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
+template<bool (ContentSecurityPolicyDirectiveList::*allowed)(const Frame&, const URL&, ContentSecurityPolicyDirectiveList::ReportingStatus) const>
+static bool isAllowedByAllWithFrame(const CSPDirectiveListVector& policies, const Frame& frame, const URL& url, ContentSecurityPolicyDirectiveList::ReportingStatus reportingStatus)
{
for (auto& policy : policies) {
if (!(policy.get()->*allowed)(frame, url, reportingStatus))
@@ -170,8 +184,8 @@
return true;
}
-template<bool (ContentSecurityPolicyDirectiveList::*allowed)(ContentSecurityPolicy::ReportingStatus) const>
-bool isAllowedByAll(const CSPDirectiveListVector& policies, ContentSecurityPolicy::ReportingStatus reportingStatus)
+template<bool (ContentSecurityPolicyDirectiveList::*allowed)(ContentSecurityPolicyDirectiveList::ReportingStatus) const>
+static bool isAllowedByAll(const CSPDirectiveListVector& policies, ContentSecurityPolicyDirectiveList::ReportingStatus reportingStatus)
{
for (auto& policy : policies) {
if (!(policy.get()->*allowed)(reportingStatus))
@@ -180,8 +194,8 @@
return true;
}
-template<bool (ContentSecurityPolicyDirectiveList::*allowed)(JSC::ExecState* state, ContentSecurityPolicy::ReportingStatus) const>
-bool isAllowedByAllWithState(const CSPDirectiveListVector& policies, JSC::ExecState* state, ContentSecurityPolicy::ReportingStatus reportingStatus)
+template<bool (ContentSecurityPolicyDirectiveList::*allowed)(JSC::ExecState* state, ContentSecurityPolicyDirectiveList::ReportingStatus) const>
+static bool isAllowedByAllWithState(const CSPDirectiveListVector& policies, JSC::ExecState* state, ContentSecurityPolicyDirectiveList::ReportingStatus reportingStatus)
{
for (auto& policy : policies) {
if (!(policy.get()->*allowed)(state, reportingStatus))
@@ -190,8 +204,8 @@
return true;
}
-template<bool (ContentSecurityPolicyDirectiveList::*allowed)(const String&, const WTF::OrdinalNumber&, ContentSecurityPolicy::ReportingStatus) const>
-bool isAllowedByAllWithContext(const CSPDirectiveListVector& policies, const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus)
+template<bool (ContentSecurityPolicyDirectiveList::*allowed)(const String&, const WTF::OrdinalNumber&, ContentSecurityPolicyDirectiveList::ReportingStatus) const>
+static bool isAllowedByAllWithContext(const CSPDirectiveListVector& policies, const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicyDirectiveList::ReportingStatus reportingStatus)
{
for (auto& policy : policies) {
if (!(policy.get()->*allowed)(contextURL, contextLine, reportingStatus))
@@ -225,7 +239,7 @@
}
template<bool (ContentSecurityPolicyDirectiveList::*allowed)(const ContentSecurityPolicyHash&) const>
-bool isAllowedByAllWithHashFromContent(const CSPDirectiveListVector& policies, const String& content, const TextEncoding& encoding, OptionSet<ContentSecurityPolicyHashAlgorithm> algorithms)
+static bool isAllowedByAllWithHashFromContent(const CSPDirectiveListVector& policies, const String& content, const TextEncoding& encoding, OptionSet<ContentSecurityPolicyHashAlgorithm> algorithms)
{
// FIXME: Compute the digest with respect to the raw bytes received from the page.
// See <https://bugs.webkit.org/show_bug.cgi?id=155184>.
@@ -242,8 +256,8 @@
return false;
}
-template<bool (ContentSecurityPolicyDirectiveList::*allowFromURL)(const URL&, ContentSecurityPolicy::ReportingStatus) const>
-bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
+template<bool (ContentSecurityPolicyDirectiveList::*allowFromURL)(const URL&, ContentSecurityPolicyDirectiveList::ReportingStatus) const>
+static bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const URL& url, ContentSecurityPolicyDirectiveList::ReportingStatus reportingStatus)
{
if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
return true;
@@ -255,14 +269,14 @@
return true;
}
-bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowJavaScriptURLs>(m_policies, contextURL, contextLine, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowJavaScriptURLs>(m_policies, contextURL, contextLine, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowInlineEventHandlers>(m_policies, contextURL, contextLine, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowInlineEventHandlers>(m_policies, contextURL, contextLine, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
// FIXME: We should compute the document encoding once and cache it instead of computing it on each invocation.
@@ -300,17 +314,17 @@
return false;
}
-bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& scriptContent, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& scriptContent, bool overrideContentSecurityPolicy) const
{
if (overrideContentSecurityPolicy)
return true;
if (!m_hashAlgorithmsForInlineScripts.isEmpty() && !scriptContent.isEmpty()
&& isAllowedByAllWithHashFromContent<&ContentSecurityPolicyDirectiveList::allowInlineScriptWithHash>(m_policies, scriptContent, documentEncoding(), m_hashAlgorithmsForInlineScripts))
return true;
- return isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowInlineScript>(m_policies, contextURL, contextLine, reportingStatus);
+ return isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowInlineScript>(m_policies, contextURL, contextLine, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& styleContent, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& styleContent, bool overrideContentSecurityPolicy) const
{
if (overrideContentSecurityPolicy)
return true;
@@ -319,97 +333,88 @@
if (!m_hashAlgorithmsForInlineStylesheets.isEmpty() && !styleContent.isEmpty()
&& isAllowedByAllWithHashFromContent<&ContentSecurityPolicyDirectiveList::allowInlineStyleWithHash>(m_policies, styleContent, documentEncoding(), m_hashAlgorithmsForInlineStylesheets))
return true;
- return isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine, reportingStatus);
+ return isAllowedByAllWithContext<&ContentSecurityPolicyDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowEval(JSC::ExecState* state, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowEval(JSC::ExecState* state, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithState<&ContentSecurityPolicyDirectiveList::allowEval>(m_policies, state, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithState<&ContentSecurityPolicyDirectiveList::allowEval>(m_policies, state, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowFrameAncestors(const Frame& frame, const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowFrameAncestors(const Frame& frame, const URL& url, bool overrideContentSecurityPolicy) const
{
if (overrideContentSecurityPolicy)
return true;
Frame& topFrame = frame.tree().top();
if (&frame == &topFrame)
return true;
- return isAllowedByAllWithFrame<&ContentSecurityPolicyDirectiveList::allowFrameAncestors>(m_policies, frame, url, reportingStatus);
+ return isAllowedByAllWithFrame<&ContentSecurityPolicyDirectiveList::allowFrameAncestors>(m_policies, frame, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-String ContentSecurityPolicy::evalDisabledErrorMessage() const
+bool ContentSecurityPolicy::allowPluginType(const String& type, const String& typeAttribute, const URL& url, bool overrideContentSecurityPolicy) const
{
- for (auto& policy : m_policies) {
- if (!policy->allowEval(0, ContentSecurityPolicy::ReportingStatus::SuppressReport))
- return policy->evalDisabledErrorMessage();
- }
- return String();
-}
-
-bool ContentSecurityPolicy::allowPluginType(const String& type, const String& typeAttribute, const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
-{
if (overrideContentSecurityPolicy)
return true;
for (auto& policy : m_policies) {
- if (!policy->allowPluginType(type, typeAttribute, url, reportingStatus))
+ if (!policy->allowPluginType(type, typeAttribute, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport))
return false;
}
return true;
}
-bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowScriptFromSource>(m_policies, url, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowScriptFromSource>(m_policies, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowObjectFromSource(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowObjectFromSource(const URL& url, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowObjectFromSource>(m_policies, url, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowObjectFromSource>(m_policies, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowChildFrameFromSource(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowChildFrameFromSource(const URL& url, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowChildFrameFromSource>(m_policies, url, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowChildFrameFromSource>(m_policies, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowChildContextFromSource(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowChildContextFromSource(const URL& url, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowChildContextFromSource>(m_policies, url, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowChildContextFromSource>(m_policies, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowImageFromSource(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowImageFromSource(const URL& url, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowImageFromSource>(m_policies, url, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowImageFromSource>(m_policies, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowStyleFromSource>(m_policies, url, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowStyleFromSource>(m_policies, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowFontFromSource(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowFontFromSource(const URL& url, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowFontFromSource>(m_policies, url, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowFontFromSource>(m_policies, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowMediaFromSource(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowMediaFromSource(const URL& url, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowMediaFromSource>(m_policies, url, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowMediaFromSource>(m_policies, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowConnectToSource(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowConnectToSource(const URL& url, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowConnectToSource>(m_policies, url, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowConnectToSource>(m_policies, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowFormAction(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowFormAction(const URL& url, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowFormAction>(m_policies, url, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowFormAction>(m_policies, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
-bool ContentSecurityPolicy::allowBaseURI(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowBaseURI(const URL& url, bool overrideContentSecurityPolicy) const
{
- return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowBaseURI>(m_policies, url, reportingStatus);
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowBaseURI>(m_policies, url, ContentSecurityPolicyDirectiveList::ReportingStatus::SendReport);
}
bool ContentSecurityPolicy::isActive() const
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (198378 => 198379)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-03-18 06:12:42 UTC (rev 198378)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-03-18 06:32:24 UTC (rev 198379)
@@ -42,6 +42,7 @@
class ContentSecurityPolicyDirectiveList;
class ContentSecurityPolicySource;
class DOMStringList;
+class JSDOMWindowShell;
class ScriptExecutionContext;
class SecurityOrigin;
class TextEncoding;
@@ -61,6 +62,8 @@
void copyStateFrom(const ContentSecurityPolicy*);
+ void didCreateWindowShell(JSDOMWindowShell&) const;
+
// Be sure to update the behavior of XSSAuditor::combineXSSProtectionHeaderAndCSP whenever you change this enum's content or ordering.
enum ReflectedXSSDisposition {
ReflectedXSSUnset = 0,
@@ -81,30 +84,26 @@
void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&, ReportParsingErrors = ReportParsingErrors::Yes);
void processHTTPEquiv(const String& content, ContentSecurityPolicyHeaderType type) { didReceiveHeader(content, type, ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta); }
- enum class ReportingStatus {
- SendReport,
- SuppressReport
- };
- bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false) const;
+ bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false) const;
bool allowScriptWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
- bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& scriptContent, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& scriptContent, bool overrideContentSecurityPolicy = false) const;
bool allowStyleWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
- bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& styleContent, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowEval(JSC::ExecState* = nullptr, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowPluginType(const String& type, const String& typeAttribute, const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowObjectFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowChildFrameFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowChildContextFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowImageFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowStyleFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowFontFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowMediaFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowConnectToSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowFormAction(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowFrameAncestors(const Frame&, const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& styleContent, bool overrideContentSecurityPolicy = false) const;
+ bool allowEval(JSC::ExecState*, bool overrideContentSecurityPolicy = false) const;
+ bool allowPluginType(const String& type, const String& typeAttribute, const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowObjectFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowChildFrameFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowChildContextFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowImageFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowStyleFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowFontFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowMediaFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowConnectToSource(const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowFormAction(const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false) const;
+ bool allowFrameAncestors(const Frame&, const URL&, bool overrideContentSecurityPolicy = false) const;
void setOverrideAllowInlineStyle(bool);
@@ -112,8 +111,6 @@
void gatherReportURIs(DOMStringList&) const;
- String evalDisabledErrorMessage() const;
-
bool experimentalFeaturesEnabled() const;
// The following functions are used by internal data structures to call back into this object when parsing, validating,
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (198378 => 198379)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-03-18 06:12:42 UTC (rev 198378)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-03-18 06:32:24 UTC (rev 198379)
@@ -286,26 +286,26 @@
return denyIfEnforcingPolicy();
}
-bool ContentSecurityPolicyDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus reportingStatus) const
{
static NeverDestroyed<String> consoleMessage(ASCIILiteral("Refused to execute _javascript_ URL because it violates the following Content Security Policy directive: "));
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true);
return m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get()));
}
-bool ContentSecurityPolicyDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus reportingStatus) const
{
static NeverDestroyed<String> consoleMessage(ASCIILiteral("Refused to execute inline event handler because it violates the following Content Security Policy directive: "));
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true);
return m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get()));
}
-bool ContentSecurityPolicyDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus reportingStatus) const
{
static NeverDestroyed<String> consoleMessage(ASCIILiteral("Refused to execute inline script because it violates the following Content Security Policy directive: "));
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true);
return m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get()));
}
@@ -320,10 +320,10 @@
return checkNonce(operativeDirective(m_scriptSrc.get()), nonce);
}
-bool ContentSecurityPolicyDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus reportingStatus) const
{
static NeverDestroyed<String> consoleMessage(ASCIILiteral("Refused to apply inline style because it violates the following Content Security Policy directive: "));
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage, contextURL, contextLine, false);
return m_reportOnly || checkInline(operativeDirective(m_styleSrc.get()));
}
@@ -338,45 +338,45 @@
return checkNonce(operativeDirective(m_styleSrc.get()), nonce);
}
-bool ContentSecurityPolicyDirectiveList::allowEval(JSC::ExecState* state, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowEval(JSC::ExecState* state, ReportingStatus reportingStatus) const
{
static NeverDestroyed<String> consoleMessage(ASCIILiteral("Refused to evaluate script because it violates the following Content Security Policy directive: "));
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), state);
return m_reportOnly || checkEval(operativeDirective(m_scriptSrc.get()));
}
-bool ContentSecurityPolicyDirectiveList::allowPluginType(const String& type, const String& typeAttribute, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowPluginType(const String& type, const String& typeAttribute, const URL& url, ReportingStatus reportingStatus) const
{
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkMediaTypeAndReportViolation(m_pluginTypes.get(), type, typeAttribute, "Refused to load '" + url.stringCenterEllipsizedToLength() + "' (MIME type '" + typeAttribute + "') because it violates the following Content Security Policy Directive: ");
return m_reportOnly || checkMediaType(m_pluginTypes.get(), type, typeAttribute);
}
-bool ContentSecurityPolicyDirectiveList::allowScriptFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowScriptFromSource(const URL& url, ReportingStatus reportingStatus) const
{
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, scriptSrc);
return m_reportOnly || checkSource(operativeDirective(m_scriptSrc.get()), url);
}
-bool ContentSecurityPolicyDirectiveList::allowObjectFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowObjectFromSource(const URL& url, ReportingStatus reportingStatus) const
{
if (url.isBlankURL())
return true;
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, objectSrc);
return m_reportOnly || checkSource(operativeDirective(m_objectSrc.get()), url);
}
-bool ContentSecurityPolicyDirectiveList::allowChildContextFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowChildContextFromSource(const URL& url, ReportingStatus reportingStatus) const
{
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkSourceAndReportViolation(operativeDirective(m_childSrc.get()), url, childSrc);
return m_reportOnly || checkSource(operativeDirective(m_childSrc.get()), url);
}
-bool ContentSecurityPolicyDirectiveList::allowChildFrameFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowChildFrameFromSource(const URL& url, ReportingStatus reportingStatus) const
{
if (url.isBlankURL())
return true;
@@ -384,63 +384,63 @@
// We must enforce the frame-src directive (if specified) before enforcing the child-src directive for a nested browsing
// context by <https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested> (29 August 2015).
ContentSecurityPolicySourceListDirective* directiveToEnforce = operativeDirective(m_frameSrc ? m_frameSrc.get() : m_childSrc.get());
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkSourceAndReportViolation(directiveToEnforce, url, frameSrc);
return m_reportOnly || checkSource(directiveToEnforce, url);
}
-bool ContentSecurityPolicyDirectiveList::allowImageFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowImageFromSource(const URL& url, ReportingStatus reportingStatus) const
{
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, imgSrc);
return m_reportOnly || checkSource(operativeDirective(m_imgSrc.get()), url);
}
-bool ContentSecurityPolicyDirectiveList::allowStyleFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowStyleFromSource(const URL& url, ReportingStatus reportingStatus) const
{
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, styleSrc);
return m_reportOnly || checkSource(operativeDirective(m_styleSrc.get()), url);
}
-bool ContentSecurityPolicyDirectiveList::allowFontFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowFontFromSource(const URL& url, ReportingStatus reportingStatus) const
{
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, fontSrc);
return m_reportOnly || checkSource(operativeDirective(m_fontSrc.get()), url);
}
-bool ContentSecurityPolicyDirectiveList::allowMediaFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowMediaFromSource(const URL& url, ReportingStatus reportingStatus) const
{
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, mediaSrc);
return m_reportOnly || checkSource(operativeDirective(m_mediaSrc.get()), url);
}
-bool ContentSecurityPolicyDirectiveList::allowConnectToSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowConnectToSource(const URL& url, ReportingStatus reportingStatus) const
{
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, connectSrc);
return m_reportOnly || checkSource(operativeDirective(m_connectSrc.get()), url);
}
-bool ContentSecurityPolicyDirectiveList::allowFormAction(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowFormAction(const URL& url, ReportingStatus reportingStatus) const
{
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkSourceAndReportViolation(m_formAction.get(), url, formAction);
return m_reportOnly || checkSource(m_formAction.get(), url);
}
-bool ContentSecurityPolicyDirectiveList::allowBaseURI(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowBaseURI(const URL& url, ReportingStatus reportingStatus) const
{
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkSourceAndReportViolation(m_baseURI.get(), url, baseURI);
return m_reportOnly || checkSource(m_baseURI.get(), url);
}
-bool ContentSecurityPolicyDirectiveList::allowFrameAncestors(const Frame& frame, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicyDirectiveList::allowFrameAncestors(const Frame& frame, const URL& url, ReportingStatus reportingStatus) const
{
- if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ if (reportingStatus == ReportingStatus::SendReport)
return checkFrameAncestorsAndReportViolation(m_frameAncestors.get(), frame, url, frameAncestors);
return m_reportOnly || checkFrameAncestors(m_frameAncestors.get(), frame);
}
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (198378 => 198379)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h 2016-03-18 06:12:42 UTC (rev 198378)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h 2016-03-18 06:32:24 UTC (rev 198379)
@@ -48,30 +48,34 @@
const String& header() const { return m_header; }
ContentSecurityPolicyHeaderType headerType() const { return m_headerType; }
- bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
- bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
- bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
+ enum class ReportingStatus {
+ SendReport,
+ SuppressReport
+ };
+ bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus) const;
+ bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus) const;
+ bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus) const;
bool allowInlineScriptWithHash(const ContentSecurityPolicyHash&) const;
bool allowScriptWithNonce(const String& nonce) const;
- bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
+ bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus) const;
bool allowInlineStyleWithHash(const ContentSecurityPolicyHash&) const;
bool allowStyleWithNonce(const String& nonce) const;
- bool allowEval(JSC::ExecState*, ContentSecurityPolicy::ReportingStatus) const;
- bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ContentSecurityPolicy::ReportingStatus) const;
+ bool allowEval(JSC::ExecState*, ReportingStatus) const;
+ bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ReportingStatus) const;
- bool allowScriptFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
- bool allowObjectFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
- bool allowChildFrameFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
- bool allowChildContextFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
- bool allowImageFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
- bool allowStyleFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
- bool allowFontFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
- bool allowMediaFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
- bool allowConnectToSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
- bool allowFormAction(const URL&, ContentSecurityPolicy::ReportingStatus) const;
- bool allowBaseURI(const URL&, ContentSecurityPolicy::ReportingStatus) const;
+ bool allowScriptFromSource(const URL&, ReportingStatus) const;
+ bool allowObjectFromSource(const URL&, ReportingStatus) const;
+ bool allowChildFrameFromSource(const URL&, ReportingStatus) const;
+ bool allowChildContextFromSource(const URL&, ReportingStatus) const;
+ bool allowImageFromSource(const URL&, ReportingStatus) const;
+ bool allowStyleFromSource(const URL&, ReportingStatus) const;
+ bool allowFontFromSource(const URL&, ReportingStatus) const;
+ bool allowMediaFromSource(const URL&, ReportingStatus) const;
+ bool allowConnectToSource(const URL&, ReportingStatus) const;
+ bool allowFormAction(const URL&, ReportingStatus) const;
+ bool allowBaseURI(const URL&, ReportingStatus) const;
- bool allowFrameAncestors(const Frame&, const URL&, ContentSecurityPolicy::ReportingStatus) const;
+ bool allowFrameAncestors(const Frame&, const URL&, ReportingStatus) const;
const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
