diff options
Diffstat (limited to 'chromium/third_party/WebKit/Source/core/frame/ContentSecurityPolicy.h')
-rw-r--r-- | chromium/third_party/WebKit/Source/core/frame/ContentSecurityPolicy.h | 171 |
1 files changed, 0 insertions, 171 deletions
diff --git a/chromium/third_party/WebKit/Source/core/frame/ContentSecurityPolicy.h b/chromium/third_party/WebKit/Source/core/frame/ContentSecurityPolicy.h deleted file mode 100644 index 0720123a02d..00000000000 --- a/chromium/third_party/WebKit/Source/core/frame/ContentSecurityPolicy.h +++ /dev/null @@ -1,171 +0,0 @@ -/* - * Copyright (C) 2011 Google, Inc. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR - * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY - * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE - * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef ContentSecurityPolicy_h -#define ContentSecurityPolicy_h - -#include "bindings/v8/ScriptState.h" -#include "platform/network/HTTPParsers.h" -#include "wtf/HashSet.h" -#include "wtf/PassOwnPtr.h" -#include "wtf/Vector.h" -#include "wtf/text/StringHash.h" -#include "wtf/text/TextPosition.h" -#include "wtf/text/WTFString.h" - -namespace WTF { -class OrdinalNumber; -} - -namespace WebCore { - -class ContentSecurityPolicyResponseHeaders; -class CSPDirectiveList; -class DOMStringList; -class JSONObject; -class KURL; -class ExecutionContextClient; -class SecurityOrigin; - -typedef int SandboxFlags; -typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector; - -class ContentSecurityPolicy { - WTF_MAKE_FAST_ALLOCATED; -public: - static PassOwnPtr<ContentSecurityPolicy> create(ExecutionContextClient* client) - { - return adoptPtr(new ContentSecurityPolicy(client)); - } - ~ContentSecurityPolicy(); - - void copyStateFrom(const ContentSecurityPolicy*); - - enum HeaderType { - Report, - Enforce, - }; - - enum ReportingStatus { - SendReport, - SuppressReport - }; - - enum HashAlgorithms { - HashAlgorithmsNone = 0, - HashAlgorithmsSha1 = 1 << 1, - HashAlgorithmsSha256 = 1 << 2 - }; - - void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); - void didReceiveHeader(const String&, HeaderType); - - // These functions are wrong because they assume that there is only one header. - // FIXME: Replace them with functions that return vectors. - const String& deprecatedHeader() const; - HeaderType deprecatedHeaderType() const; - - bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; - bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; - bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; - bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; - bool allowEval(ScriptState* = 0, ReportingStatus = SendReport) const; - bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ReportingStatus = SendReport) const; - - bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const; - bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const; - bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) const; - bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const; - bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const; - bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const; - bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const; - bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const; - bool allowFormAction(const KURL&, ReportingStatus = SendReport) const; - bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const; - // The nonce and hash allow functions are guaranteed to not have any side - // effects, including reporting. - bool allowScriptNonce(const String& nonce) const; - bool allowStyleNonce(const String& nonce) const; - bool allowScriptHash(const String& source) const; - - void usesScriptHashAlgorithms(uint8_t HashAlgorithms); - - ReflectedXSSDisposition reflectedXSSDisposition() const; - - void setOverrideAllowInlineStyle(bool); - - bool isActive() const; - void gatherReportURIs(DOMStringList&) const; - - void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression) const; - void reportDuplicateDirective(const String&) const; - void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const; - void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const; - void reportInvalidPluginTypes(const String&) const; - void reportInvalidSandboxFlags(const String&) const; - void reportInvalidSourceExpression(const String& directiveName, const String& source) const; - void reportInvalidReflectedXSS(const String&) const; - void reportMissingReportURI(const String&) const; - void reportUnsupportedDirective(const String&) const; - void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header); - - void reportBlockedScriptExecutionToInspector(const String& directiveText) const; - - const KURL url() const; - KURL completeURL(const String&) const; - SecurityOrigin* securityOrigin() const; - void enforceSandboxFlags(SandboxFlags) const; - String evalDisabledErrorMessage() const; - - bool experimentalFeaturesEnabled() const; - - static bool shouldBypassMainWorld(ExecutionContext*); - - ExecutionContextClient* client() { return m_client; } - -private: - explicit ContentSecurityPolicy(ExecutionContextClient*); - - void logToConsole(const String& message) const; - void addPolicyFromHeaderValue(const String&, HeaderType); - - bool shouldSendViolationReport(const String&) const; - void didSendViolationReport(const String&); - - ExecutionContextClient* m_client; - bool m_overrideInlineStyleAllowed; - CSPDirectiveListVector m_policies; - - HashSet<unsigned, AlreadyHashed> m_violationReportsSent; - - // We put the hash functions used on the policy object so that we only need - // to calculate a script hash once and then distribute it to all of the - // directives for validation. - uint8_t m_sourceHashAlgorithmsUsed; -}; - -} - -#endif |