| // Copyright 2015 Google Inc. All Rights Reserved. |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| #include "cobalt/csp/source.h" |
| |
| #include "base/logging.h" |
| #include "base/string_util.h" |
| |
| namespace cobalt { |
| namespace csp { |
| |
| Source::Source(ContentSecurityPolicy* policy, const SourceConfig& config) |
| : policy_(policy) { |
| // All comparisons require case-insensitivity. |
| // Lower-case everything here to simplify that. |
| config_.scheme = StringToLowerASCII(config.scheme); |
| config_.host = StringToLowerASCII(config.host); |
| config_.path = StringToLowerASCII(config.path); |
| config_.port = config.port; |
| config_.host_wildcard = config.host_wildcard; |
| config_.port_wildcard = config.port_wildcard; |
| } |
| |
| // https://www.w3.org/TR/2015/CR-CSP2-20150721/#match-source-expression |
| bool Source::Matches( |
| const GURL& url, |
| ContentSecurityPolicy::RedirectStatus redirect_status) const { |
| if (!SchemeMatches(url)) { |
| return false; |
| } |
| if (IsSchemeOnly()) { |
| return true; |
| } |
| if (!HostMatches(url)) { |
| return false; |
| } |
| if (!PortMatches(url)) { |
| return false; |
| } |
| |
| bool paths_match = (redirect_status == ContentSecurityPolicy::kDidRedirect) || |
| PathMatches(url); |
| return paths_match; |
| } |
| |
| bool Source::SchemeMatches(const GURL& url) const { |
| if (config_.scheme.empty()) { |
| return policy_->SchemeMatchesSelf(url); |
| } |
| if (LowerCaseEqualsASCII(config_.scheme, "http")) { |
| return url.SchemeIs("http") || url.SchemeIs("https"); |
| } |
| if (LowerCaseEqualsASCII(config_.scheme, "ws")) { |
| return url.SchemeIs("ws") || url.SchemeIs("wss"); |
| } |
| return url.SchemeIs(config_.scheme.c_str()); |
| } |
| |
| bool Source::HostMatches(const GURL& url) const { |
| const std::string& host = url.host(); |
| bool match; |
| if (config_.host_wildcard == SourceConfig::kHasWildcard) { |
| match = EndsWith(host, "." + config_.host, false /* case_sensitive */); |
| } else { |
| match = LowerCaseEqualsASCII(host, config_.host.c_str()); |
| } |
| return match; |
| } |
| |
| bool Source::PathMatches(const GURL& url) const { |
| if (config_.path.empty()) { |
| return true; |
| } |
| |
| std::string path = StringToLowerASCII(url.path()); |
| if (EndsWith(config_.path, "/", true /* case sensitive */)) { |
| return StartsWithASCII(path, config_.path, true /* case_sensitive */); |
| } else { |
| return path == config_.path; |
| } |
| } |
| // https://www.w3.org/TR/2015/CR-CSP2-20150721/#match-source-expression #9-10 |
| bool Source::PortMatches(const GURL& url) const { |
| if (config_.port_wildcard == SourceConfig::kHasWildcard) { |
| return true; |
| } |
| |
| // Matches if ports are the same. If a port is unspecified, consider it as |
| // the default port for url's scheme. |
| const std::string& url_scheme = url.scheme(); |
| int config_port = config_.port; |
| if (config_port == url_parse::PORT_UNSPECIFIED) { |
| config_port = url_canon::DefaultPortForScheme( |
| url_scheme.c_str(), static_cast<int>(url_scheme.length())); |
| } |
| int url_port = url.EffectiveIntPort(); |
| if (url_port == config_port) { |
| return true; |
| } |
| |
| return false; |
| } |
| |
| bool Source::IsSchemeOnly() const { return config_.host.empty(); } |
| |
| } // namespace csp |
| } // namespace cobalt |