1 /*
2  * Copyright (C) 2011 Google, Inc. All rights reserved.
3  * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY
15  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
18  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
19  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
20  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
21  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
22  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26
27 #pragma once
28
29 #include "ContentSecurityPolicy.h"
30 #include "ContentSecurityPolicyHash.h"
31 #include "ContentSecurityPolicyMediaListDirective.h"
32 #include "ContentSecurityPolicySourceListDirective.h"
33 #include <wtf/URL.h>
34
35 namespace WebCore {
36
37 class Frame;
38
// Directive list built for one Content-Security-Policy header string. It keeps the header
// text (m_header), its ContentSecurityPolicyHeaderType, and one owned directive object per
// directive kind (m_scriptSrc, m_styleSrc, ...). Every violatedDirectiveFor*() query returns
// a const ContentSecurityPolicyDirective*; judging by the names this is the directive that
// the checked item violates, and presumably null when nothing is violated. The definitions
// are not in this header, so confirm that contract in the .cpp before relying on it.
39 class ContentSecurityPolicyDirectiveList {
40     WTF_MAKE_FAST_ALLOCATED;
41 public:
       // Factory taking the owning policy, the header text, the header type and the policy's
       // origin (PolicyFrom). Presumably runs parse() on the header; definition not visible here.
42     static std::unique_ptr<ContentSecurityPolicyDirectiveList> create(ContentSecurityPolicy&, const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicy::PolicyFrom);
43     ContentSecurityPolicyDirectiveList(ContentSecurityPolicy&, ContentSecurityPolicyHeaderType);
44
       // Accessors for the stored header string and header type.
45     const String& header() const { return m_header; }
46     ContentSecurityPolicyHeaderType headerType() const { return m_headerType; }
47
       // Checks for eval and for inline script/style (by name, the 'unsafe-eval' and
       // 'unsafe-inline' cases of CSP).
48     const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeEval() const;
49     const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineScript() const;
50     const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineStyle() const;
51
       // Hash-based checks for script and style content.
52     const ContentSecurityPolicyDirective* violatedDirectiveForScriptHash(const ContentSecurityPolicyHash&) const;
53     const ContentSecurityPolicyDirective* violatedDirectiveForStyleHash(const ContentSecurityPolicyHash&) const;
54
       // Nonce-based checks; the nonce arrives as a plain String. How it is compared is
       // decided in the implementation, not in this header.
55     const ContentSecurityPolicyDirective* violatedDirectiveForScriptNonce(const String&) const;
56     const ContentSecurityPolicyDirective* violatedDirectiveForStyleNonce(const String&) const;
57
       // URL-based checks, one per directive kind. didReceiveRedirectResponse tells the check
       // that the URL was reached through a redirect.
       // NOTE(review): presumably this relaxes path matching after a redirect, as CSP source
       // matching specifies; confirm in the source-list matcher.
58     const ContentSecurityPolicyDirective* violatedDirectiveForBaseURI(const URL&) const;
59     const ContentSecurityPolicyDirective* violatedDirectiveForChildContext(const URL&, bool didReceiveRedirectResponse) const;
60     const ContentSecurityPolicyDirective* violatedDirectiveForConnectSource(const URL&, bool didReceiveRedirectResponse) const;
61     const ContentSecurityPolicyDirective* violatedDirectiveForFont(const URL&, bool didReceiveRedirectResponse) const;
62     const ContentSecurityPolicyDirective* violatedDirectiveForFormAction(const URL&, bool didReceiveRedirectResponse) const;
63     const ContentSecurityPolicyDirective* violatedDirectiveForFrame(const URL&, bool didReceiveRedirectResponse) const;
       // Two frame-ancestors checks: one takes a Frame, the other a list of ancestor
       // SecurityOrigins.
64     const ContentSecurityPolicyDirective* violatedDirectiveForFrameAncestor(const Frame&) const;
65     const ContentSecurityPolicyDirective* violatedDirectiveForFrameAncestorOrigins(const Vector<RefPtr<SecurityOrigin>>&) const;
66     const ContentSecurityPolicyDirective* violatedDirectiveForImage(const URL&, bool didReceiveRedirectResponse) const;
67 #if ENABLE(APPLICATION_MANIFEST)
68     const ContentSecurityPolicyDirective* violatedDirectiveForManifest(const URL&, bool didReceiveRedirectResponse) const;
69 #endif
70     const ContentSecurityPolicyDirective* violatedDirectiveForMedia(const URL&, bool didReceiveRedirectResponse) const;
71     const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL&, bool didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone) const;
72     const ContentSecurityPolicyDirective* violatedDirectiveForPluginType(const String& type, const String& typeAttribute) const;
73     const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&, bool didReceiveRedirectResponse) const;
74     const ContentSecurityPolicyDirective* violatedDirectiveForStyle(const URL&, bool didReceiveRedirectResponse) const;
75
       // Non-owning pointer to the default-src directive; null while m_defaultSrc is empty.
76     const ContentSecurityPolicyDirective* defaultSrc() const { return m_defaultSrc.get(); }
77
78     bool hasBlockAllMixedContentDirective() const { return m_hasBlockAllMixedContentDirective; }
       // True when m_frameAncestors holds a directive.
79     bool hasFrameAncestorsDirective() const { return !!m_frameAncestors; }
80
81     const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
82     const String& webAssemblyDisabledErrorMessage() const { return m_webAssemblyDisabledErrorMessage; }
       // Returns m_reportOnly.
       // NOTE(review): nothing in this header ties the violatedDirectiveFor*() results to this
       // flag, so callers presumably must check it before blocking on a violation; confirm at
       // the call sites.
83     bool isReportOnly() const { return m_reportOnly; }
       // Report endpoints stored for this list.
84     const Vector<String>& reportURIs() const { return m_reportURIs; }
85
86     // FIXME: Remove this once we teach ContentSecurityPolicyDirectiveList how to log an arbitrary console message.
87     const ContentSecurityPolicy& policy() const { return m_policy; }
88
89 private:
       // Parsing entry point for a header string.
90     void parse(const String&, ContentSecurityPolicy::PolicyFrom);
91
       // parseDirective() works on the UChar range given by begin/end and hands the directive
       // name and value back through the two String out-parameters. The bool presumably
       // reports whether a directive was read; confirm in the .cpp.
92     bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
93     void parseReportURI(const String& name, const String& value);
94     void parsePluginTypes(const String& name, const String& value);
95     void addDirective(const String& name, const String& value);
96     void applySandboxPolicy(const String& name, const String& sandboxPolicy);
97     void setUpgradeInsecureRequests(const String& name);
98     void setBlockAllMixedContentEnabled(const String& name);
99
        // Stores a directive of the given type into the unique_ptr passed by reference.
100     template <class CSPDirectiveType>
101     void setCSPDirective(const String& name, const String& value, std::unique_ptr<CSPDirectiveType>&);
102
        // NOTE(review): presumably returns the given directive, or the default-src directive
        // when the argument is null (the CSP fallback rule); confirm in the .cpp.
103     ContentSecurityPolicySourceListDirective* operativeDirective(ContentSecurityPolicySourceListDirective*) const;
104
105     void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; }
106     void setWebAssemblyDisabledErrorMessage(const String& errorMessage) { m_webAssemblyDisabledErrorMessage = errorMessage; }
107
        // Held by reference, so the ContentSecurityPolicy must outlive this list.
108     // FIXME: Make this a const reference once we teach applySandboxPolicy() to store its policy as opposed to applying it directly onto ContentSecurityPolicy.
109     ContentSecurityPolicy& m_policy;
110
111     String m_header;
112     ContentSecurityPolicyHeaderType m_headerType;
113
        // All flags start false. m_haveSandboxPolicy and m_upgradeInsecureRequests have no
        // accessor in this class.
114     bool m_reportOnly { false };
115     bool m_haveSandboxPolicy { false };
116     bool m_upgradeInsecureRequests { false };
117     bool m_hasBlockAllMixedContentDirective { false };
118
        // Owned directive objects, one per directive kind. Each pointer is empty (null) until
        // assigned, presumably by setCSPDirective() during parsing.
119     std::unique_ptr<ContentSecurityPolicyMediaListDirective> m_pluginTypes;
120     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_baseURI;
121     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_connectSrc;
122     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_childSrc;
123     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_defaultSrc;
124     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_fontSrc;
125     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_formAction;
126     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_frameAncestors;
127     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_frameSrc;
128     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_imgSrc;
129 #if ENABLE(APPLICATION_MANIFEST)
130     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_manifestSrc;
131 #endif
132     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_mediaSrc;
133     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_objectSrc;
134     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_scriptSrc;
135     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_styleSrc;
136     
137     Vector<String> m_reportURIs;
138     
139     String m_evalDisabledErrorMessage;
140     String m_webAssemblyDisabledErrorMessage;
141 };
142
143 } // namespace WebCore