1/*
2 * Copyright (C) 2011 Google, Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 *    notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 *    notice, this list of conditions and the following disclaimer in the
11 *    documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#ifndef ContentSecurityPolicy_h
27#define ContentSecurityPolicy_h
28
29#include "bindings/v8/ScriptState.h"
30#include "wtf/HashSet.h"
31#include "wtf/PassOwnPtr.h"
32#include "wtf/Vector.h"
33#include "wtf/text/StringHash.h"
34#include "wtf/text/TextPosition.h"
35#include "wtf/text/WTFString.h"
36
// Forward declaration of WTF::OrdinalNumber, which the declarations below
// take by const reference and use in default arguments
// (WTF::OrdinalNumber::beforeFirst()); the full definition presumably comes
// from wtf/text/TextPosition.h, included above.
namespace WTF {
class OrdinalNumber;
}
40
41namespace WebCore {
42
// Types referenced only by pointer/reference in this header; their
// definitions live in their own headers.
class ContentSecurityPolicyResponseHeaders;
class CSPDirectiveList;
class DOMStringList;
class JSONObject;
class KURL;
class ScriptExecutionContext;
class SecurityOrigin;

// Plain int alias for the sandbox flag set handed to
// ContentSecurityPolicy::enforceSandboxFlags; the individual flag values are
// defined elsewhere.
typedef int SandboxFlags;
// Owning list of parsed policies. ContentSecurityPolicy keeps one of these
// (m_policies); each CSPDirectiveList is one parsed header value.
typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector;
53
// Holds every Content-Security-Policy header received for one
// ScriptExecutionContext and answers the engine's "does the policy allow X?"
// questions. Each header value is parsed into its own CSPDirectiveList
// (addPolicyFromHeaderValue / m_policies); the allow* predicates below are
// answered against that whole set. The allow* methods are the enforcement
// points, so callers must treat a false return as a refusal to load/execute.
//
// Instances are created only through create(); the constructor is private.
class ContentSecurityPolicy {
    WTF_MAKE_FAST_ALLOCATED;
public:
    // Factory: heap-allocates a policy bound to |scriptExecutionContext| and
    // hands ownership to the caller as a PassOwnPtr. The context pointer is
    // stored as-is in m_scriptExecutionContext (not owned), so the context
    // must outlive this object.
    static PassOwnPtr<ContentSecurityPolicy> create(ScriptExecutionContext* scriptExecutionContext)
    {
        return adoptPtr(new ContentSecurityPolicy(scriptExecutionContext));
    }
    ~ContentSecurityPolicy();

    // Copies policy state from another instance (presumably so a new context
    // can inherit its creator's policy - confirm at the call sites).
    void copyStateFrom(const ContentSecurityPolicy*);

    // Which kind of header a policy came from: Report* is report-only,
    // Enforce* blocks. The Prefixed* variants presumably correspond to the
    // vendor-prefixed header names - confirm in didReceiveHeaders.
    enum HeaderType {
        Report,
        Enforce,
        PrefixedReport,
        PrefixedEnforce
    };

    // Whether a failed allow* check should also emit a violation report
    // (presumably via reportViolation). SuppressReport lets callers probe the
    // policy without side effects. NOTE(review): the yes/no answer should be
    // independent of this flag - confirm in the implementation.
    enum ReportingStatus {
        SendReport,
        SuppressReport
    };

    // Be sure to update the behavior of XSSAuditor::combineXSSProtectionHeaderAndCSP whenever you change this enum's content or ordering.
    // Parsed value of the reflected-xss directive. ReflectedXSSUnset is
    // pinned to 0 so a zero-initialised value means "no directive seen"; the
    // warning above implies the numeric ordering of the remaining values is
    // significant to the XSSAuditor.
    enum ReflectedXSSDisposition {
        ReflectedXSSUnset = 0,
        AllowReflectedXSS,
        ReflectedXSSInvalid,
        FilterReflectedXSS,
        BlockReflectedXSS
    };

    // Entry points for response headers. didReceiveHeader takes one raw
    // header value plus its type; each value becomes its own policy in
    // m_policies (see addPolicyFromHeaderValue).
    void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
    void didReceiveHeader(const String&, HeaderType);

    // These functions are wrong because they assume that there is only one header.
    // FIXME: Replace them with functions that return vectors.
    const String& deprecatedHeader() const;
    HeaderType deprecatedHeaderType() const;

    // Checks for script/style that is not fetched from a URL (javascript:
    // URLs, inline event handlers, inline <script>/<style>, eval, plugins).
    // |contextURL| and |contextLine| identify where the content appears and
    // are presumably used only for reporting. allowEval's ScriptState may be
    // null (default 0). For allowPluginType, |type| vs |typeAttribute|
    // presumably distinguish the served/sniffed type from the element's
    // attribute - confirm before relying on either.
    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
    bool allowEval(ScriptState* = 0, ReportingStatus = SendReport) const;
    bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ReportingStatus = SendReport) const;

    // Fetch/navigation checks, one per directive family (script-src,
    // object-src, frame-src, img-src, style-src, font-src, media-src,
    // connect-src, form-action, base-uri). Each returns whether the URL is
    // permitted - presumably by every policy in m_policies - and
    // ReportingStatus only controls whether a refusal is reported.
    bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const;
    bool allowFormAction(const KURL&, ReportingStatus = SendReport) const;
    bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const;
    // Presumably whether |nonce| matches a nonce source in the policy; no
    // ReportingStatus, so this one never reports on its own.
    bool allowScriptNonce(const String& nonce) const;

    // Combined reflected-xss disposition of the held policies.
    ReflectedXSSDisposition reflectedXSSDisposition() const;

    // Sets m_overrideInlineStyleAllowed (presumably so inline style is
    // permitted regardless of style-src - confirm in allowInlineStyle).
    void setOverrideAllowInlineStyle(bool);

    // True once a policy is in effect (presumably !m_policies.isEmpty() -
    // confirm).
    bool isActive() const;
    // Appends the report URIs of the held policies to the given list.
    void gatherReportURIs(DOMStringList&) const;

    // Parse-time diagnostics: each reports one malformed, duplicated or
    // unsupported piece of a header value. All are const, so they do not
    // alter policy state.
    void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression) const;
    void reportDuplicateDirective(const String&) const;
    void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
    void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
    void reportInvalidNonce(const String&) const;
    void reportInvalidPluginTypes(const String&) const;
    void reportInvalidSandboxFlags(const String&) const;
    void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
    void reportInvalidReflectedXSS(const String&) const;
    void reportMissingReportURI(const String&) const;
    void reportUnsupportedDirective(const String&) const;
    // Records one violation: takes the violated directive text, the effective
    // directive, the console text, the blocked URL, the report URIs of the
    // violated policy and the raw header, plus optional source location and
    // script state. Non-const, unlike the other report* members - presumably
    // because it updates m_violationReportsSent via didSendViolationReport so
    // the same report is not sent repeatedly.
    void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0);

    // Tells the inspector that script execution was blocked by |directiveText|.
    void reportBlockedScriptExecutionToInspector(const String& directiveText) const;

    // Context accessors, presumably forwarded to m_scriptExecutionContext:
    // its URL, URL completion relative to it, its SecurityOrigin, and
    // applying sandbox flags to it.
    const KURL& url() const;
    KURL completeURL(const String&) const;
    SecurityOrigin* securityOrigin() const;
    void enforceSandboxFlags(SandboxFlags) const;
    // Message shown when allowEval refuses.
    String evalDisabledErrorMessage() const;

    bool experimentalFeaturesEnabled() const;

    // Static because it is answered from the context alone; appears to decide
    // whether CSP checks are skipped for a script world other than the main
    // one - confirm.
    static bool shouldBypassMainWorld(ScriptExecutionContext*);

private:
    // Only create() may construct; explicit so a raw context pointer never
    // converts implicitly into a policy.
    explicit ContentSecurityPolicy(ScriptExecutionContext*);

    // Console logging with optional source location and script state.
    void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;
    // Parses one header value of the given type and appends the resulting
    // policy to m_policies.
    void addPolicyFromHeaderValue(const String&, HeaderType);

    // De-duplication of outgoing violation reports, backed by
    // m_violationReportsSent.
    bool shouldSendViolationReport(const String&) const;
    void didSendViolationReport(const String&);

    // Not owned: the context whose headers this policy was built from. It
    // must outlive this object - verify at the owner.
    ScriptExecutionContext* m_scriptExecutionContext;
    // Set by setOverrideAllowInlineStyle.
    bool m_overrideInlineStyleAllowed;
    // One parsed policy per header value received; owned.
    CSPDirectiveListVector m_policies;

    // Keys are precomputed hashes (AlreadyHashed) of reports already sent,
    // not the report text; consulted by shouldSendViolationReport.
    HashSet<unsigned, AlreadyHashed> m_violationReportsSent;
};
160
161}
162
163#endif
164