ContentSecurityPolicy.h [plain text]
#ifndef ContentSecurityPolicy_h
#define ContentSecurityPolicy_h
#include "URL.h"
#include "ScriptState.h"
#include <memory>
#include <wtf/RefCounted.h>
#include <wtf/Vector.h>
#include <wtf/text/TextPosition.h>
#include <wtf/text/WTFString.h>
namespace WTF {
class OrdinalNumber;
}
namespace WebCore {
class CSPDirectiveList;
class DOMStringList;
class ScriptExecutionContext;
class SecurityOrigin;
typedef int SandboxFlags;
typedef Vector<std::unique_ptr<CSPDirectiveList>> CSPDirectiveListVector;
class ContentSecurityPolicy {
WTF_MAKE_FAST_ALLOCATED;
public:
explicit ContentSecurityPolicy(ScriptExecutionContext*);
~ContentSecurityPolicy();
void copyStateFrom(const ContentSecurityPolicy*);
enum HeaderType {
Report,
Enforce,
PrefixedReport,
PrefixedEnforce
};
enum class ReportingStatus {
SendReport,
SuppressReport
};
enum ReflectedXSSDisposition {
ReflectedXSSUnset = 0,
AllowReflectedXSS,
ReflectedXSSInvalid,
FilterReflectedXSS,
BlockReflectedXSS
};
void didReceiveHeader(const String&, HeaderType);
const String& deprecatedHeader() const;
HeaderType deprecatedHeaderType() const;
bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowEval(JSC::ExecState* = nullptr, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowPluginType(const String& type, const String& typeAttribute, const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowObjectFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowChildFrameFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowImageFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowStyleFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowFontFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowMediaFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowConnectToSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowFormAction(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
ReflectedXSSDisposition reflectedXSSDisposition() const;
void setOverrideAllowInlineStyle(bool);
bool isActive() const;
void gatherReportURIs(DOMStringList&) const;
void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression) const;
void reportDuplicateDirective(const String&) const;
void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
void reportInvalidPluginTypes(const String&) const;
void reportInvalidSandboxFlags(const String&) const;
void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
void reportInvalidReflectedXSS(const String&) const;
void reportMissingReportURI(const String&) const;
void reportUnsupportedDirective(const String&) const;
void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<URL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
const URL& url() const;
URL completeURL(const String&) const;
SecurityOrigin* securityOrigin() const;
void enforceSandboxFlags(SandboxFlags) const;
String evalDisabledErrorMessage() const;
bool experimentalFeaturesEnabled() const;
private:
void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
ScriptExecutionContext* m_scriptExecutionContext;
bool m_overrideInlineStyleAllowed;
CSPDirectiveListVector m_policies;
};
}
#endif