blob: 821c27aa1770340e27ea7979c1c949a6147d7856 [file] [log] [blame]
// Copyright 2015 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef COBALT_CSP_DIRECTIVE_LIST_H_
#define COBALT_CSP_DIRECTIVE_LIST_H_
#include <string>
#include <vector>
#include "base/basictypes.h"
#include "base/memory/scoped_ptr.h"
#include "cobalt/csp/content_security_policy.h"
#include "googleurl/src/gurl.h"
namespace cobalt {
namespace csp {
class MediaListDirective;
class SourceListDirective;
class DirectiveList {
public:
DirectiveList(ContentSecurityPolicy* policy, const base::StringPiece& text,
HeaderType header_type, HeaderSource header_source);
~DirectiveList();
void Parse(const base::StringPiece& text);
const std::string& header() const { return header_; }
HeaderType header_type() const { return header_type_; }
HeaderSource header_source() const { return header_source_; }
bool AllowJavaScriptURLs(
const std::string& context_url, int context_line,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowInlineEventHandlers(
const std::string& context_url, int context_line,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowInlineScript(
const std::string& context_url, int context_line,
ContentSecurityPolicy::ReportingStatus reporting_status,
const std::string& script_content) const;
bool AllowInlineStyle(const std::string& context_url, int context_line,
ContentSecurityPolicy::ReportingStatus reporting_status,
const std::string& style_content) const;
bool AllowEval(ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowPluginType(
const std::string& type, const std::string& type_attribute,
const GURL& url,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowScriptFromSource(
const GURL& url, ContentSecurityPolicy::RedirectStatus redirect_status,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowObjectFromSource(
const GURL&, ContentSecurityPolicy::RedirectStatus redirect_status,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowImageFromSource(
const GURL&, ContentSecurityPolicy::RedirectStatus redirect_status,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowStyleFromSource(
const GURL&, ContentSecurityPolicy::RedirectStatus redirect_status,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowFontFromSource(
const GURL&, ContentSecurityPolicy::RedirectStatus redirect_status,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowMediaFromSource(
const GURL&, ContentSecurityPolicy::RedirectStatus redirect_status,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowManifestFromSource(
const GURL&, ContentSecurityPolicy::RedirectStatus redirect_status,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowConnectToSource(
const GURL&, ContentSecurityPolicy::RedirectStatus redirect_status,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowNavigateToSource(
const GURL&, ContentSecurityPolicy::RedirectStatus redirect_status,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowFormAction(
const GURL&, ContentSecurityPolicy::RedirectStatus redirect_status,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowBaseURI(
const GURL&, ContentSecurityPolicy::RedirectStatus redirect_status,
ContentSecurityPolicy::ReportingStatus reporting_status) const;
bool AllowScriptNonce(const std::string& script) const;
bool AllowStyleNonce(const std::string& style) const;
bool AllowScriptHash(const HashValue& script) const;
bool AllowStyleHash(const HashValue& script) const;
const std::string& eval_disabled_error_message() const {
return eval_disabled_error_message_;
}
ReflectedXSSDisposition reflected_xss_disposition() const {
return reflected_xss_disposition_;
}
ReferrerPolicy referrer_policy() const { return referrer_policy_; }
bool did_set_referrer_policy() const { return did_set_referrer_policy_; }
bool report_only() const { return report_only_; }
const std::vector<std::string>& report_endpoints() const {
return report_endpoints_;
}
bool has_location_src() const { return location_src_ != NULL; }
// Used to copy plugin-types into a plugin document in a nested
// browsing context.
bool has_plugin_types() const { return !!plugin_types_; }
const std::string& PluginTypesText() const;
private:
bool ParseDirective(const char* begin, const char* end, std::string* name,
std::string* value);
void ParseReportURI(const std::string& name, const std::string& value);
void ParsePluginTypes(const std::string& name, const std::string& value);
void ParseReflectedXSS(const std::string& name, const std::string& value);
void ParseReferrer(const std::string& name, const std::string& value);
std::string ParseSuboriginName(const std::string& policy);
void AddDirective(const std::string& name, const std::string& value);
void ApplySandboxPolicy(const std::string& name,
const std::string& sandbox_policy);
void ApplySuboriginPolicy(const std::string& name,
const std::string& suborigin_policy);
void EnforceStrictMixedContentChecking(const std::string& name,
const std::string& value);
void EnableInsecureRequestsUpgrade(const std::string& name,
const std::string& value);
void SetCSPDirective(const std::string& name, const std::string& value,
scoped_ptr<SourceListDirective>*);
void SetCSPDirective(const std::string& name, const std::string& value,
scoped_ptr<MediaListDirective>*);
SourceListDirective* OperativeDirective(SourceListDirective* directive) const;
SourceListDirective* OperativeDirective(
SourceListDirective*, SourceListDirective* directive_override) const;
void ReportViolation(const std::string& directive_text,
const std::string& effective_directive,
const std::string& console_message,
const GURL& blocked_url) const;
void ReportViolationWithLocation(const std::string& directive_text,
const std::string& effective_directive,
const std::string& console_message,
const GURL& blocked_url,
const std::string& context_url,
int context_line) const;
bool CheckEval(SourceListDirective* directive) const;
bool CheckInline(SourceListDirective* directive) const;
bool CheckNonce(SourceListDirective* directive,
const std::string& nonce) const;
bool CheckHash(SourceListDirective* directive,
const HashValue& hash_value) const;
bool CheckSource(SourceListDirective* directive, const GURL& url,
ContentSecurityPolicy::RedirectStatus redirect_status) const;
bool CheckMediaType(MediaListDirective* directive, const std::string& type,
const std::string& type_attribute) const;
void set_eval_disabled_error_message(const std::string& error_message) {
eval_disabled_error_message_ = error_message;
}
bool CheckEvalAndReportViolation(SourceListDirective* directive,
const std::string& console_message) const;
bool CheckInlineAndReportViolation(SourceListDirective* directive,
const std::string& console_message,
const std::string& context_url,
int context_line, bool is_script,
const std::string& hash_value) const;
bool CheckSourceAndReportViolation(
SourceListDirective* directive, const GURL& url,
const std::string& effective_directive,
ContentSecurityPolicy::RedirectStatus redirect_status) const;
bool CheckMediaTypeAndReportViolation(
MediaListDirective* directive, const std::string& type,
const std::string& type_attribute,
const std::string& console_message) const;
bool deny_if_enforcing_policy() const { return report_only_; }
ContentSecurityPolicy* policy_;
std::string header_;
HeaderType header_type_;
HeaderSource header_source_;
bool report_only_;
bool has_sandbox_policy_;
bool has_suborigin_policy_;
ReflectedXSSDisposition reflected_xss_disposition_;
bool did_set_referrer_policy_;
ReferrerPolicy referrer_policy_;
bool strict_mixed_content_checking_enforced_;
bool upgrade_insecure_requests_;
scoped_ptr<MediaListDirective> plugin_types_;
scoped_ptr<SourceListDirective> base_uri_;
scoped_ptr<SourceListDirective> child_src_;
scoped_ptr<SourceListDirective> connect_src_;
scoped_ptr<SourceListDirective> default_src_;
scoped_ptr<SourceListDirective> font_src_;
scoped_ptr<SourceListDirective> form_action_;
scoped_ptr<SourceListDirective> frame_ancestors_;
scoped_ptr<SourceListDirective> frame_src_;
scoped_ptr<SourceListDirective> img_src_;
scoped_ptr<SourceListDirective> location_src_;
scoped_ptr<SourceListDirective> media_src_;
scoped_ptr<SourceListDirective> manifest_src_;
scoped_ptr<SourceListDirective> object_src_;
scoped_ptr<SourceListDirective> script_src_;
scoped_ptr<SourceListDirective> style_src_;
std::vector<std::string> report_endpoints_;
std::string eval_disabled_error_message_;
};
} // namespace csp
} // namespace cobalt
#endif // COBALT_CSP_DIRECTIVE_LIST_H_