WebAssembly: disable some APIs under CSP
[WebKit-https.git] / Source / WebCore / page / csp / ContentSecurityPolicyDirectiveList.h
1 /*
2  * Copyright (C) 2011 Google, Inc. All rights reserved.
3  * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY
15  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
18  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
19  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
20  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
21  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
22  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
24  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25  */
26
27 #pragma once
28
29 #include "ContentSecurityPolicy.h"
30 #include "ContentSecurityPolicyHash.h"
31 #include "ContentSecurityPolicyMediaListDirective.h"
32 #include "ContentSecurityPolicySourceListDirective.h"
33 #include "URL.h"
34
35 namespace WebCore {
36
37 class Frame;
38
   // Directive list belonging to a ContentSecurityPolicy: stores a header string and header type,
   // one owning pointer per directive kind, the report URIs, and the flags and error messages set
   // through the private helpers. Only the inline accessors are defined here; parsing and every
   // violatedDirectiveFor*() body live outside this header.
   // NOTE(review): the violatedDirectiveFor*() queries presumably return the directive the action
   // violates and nullptr when this list permits it -- confirm against the implementation before
   // relying on "nullptr means allowed" at a call site.
39 class ContentSecurityPolicyDirectiveList {
40     WTF_MAKE_FAST_ALLOCATED;
41 public:
       // Factory returning an owning pointer. Takes the policy this list reports to, a String
       // (presumably the raw header value -- confirm), the header type and the policy origin.
42     static std::unique_ptr<ContentSecurityPolicyDirectiveList> create(ContentSecurityPolicy&, const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicy::PolicyFrom);
43     ContentSecurityPolicyDirectiveList(ContentSecurityPolicy&, ContentSecurityPolicyHeaderType);
44
       // Accessors for the stored header string and header type.
45     const String& header() const { return m_header; }
46     ContentSecurityPolicyHeaderType headerType() const { return m_headerType; }
47
       // Argument-less checks for eval and inline script/style.
       // NOTE(review): this class stores a WebAssembly error message but declares no
       // WebAssembly-specific query, so the WebAssembly restriction presumably reuses
       // violatedDirectiveForUnsafeEval() -- confirm at the caller.
48     const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeEval() const;
49     const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineScript() const;
50     const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineStyle() const;
51
       // Checks keyed on a content hash.
52     const ContentSecurityPolicyDirective* violatedDirectiveForScriptHash(const ContentSecurityPolicyHash&) const;
53     const ContentSecurityPolicyDirective* violatedDirectiveForStyleHash(const ContentSecurityPolicyHash&) const;
54
       // Checks keyed on a nonce string.
55     const ContentSecurityPolicyDirective* violatedDirectiveForScriptNonce(const String&) const;
56     const ContentSecurityPolicyDirective* violatedDirectiveForStyleNonce(const String&) const;
57
       // Checks keyed on a URL (or on a Frame / plugin type). The caller supplies
       // didReceiveRedirectResponse; presumably it changes how the URL is matched once a
       // redirect has happened -- confirm in the source-list matching code.
58     const ContentSecurityPolicyDirective* violatedDirectiveForBaseURI(const URL&) const;
59     const ContentSecurityPolicyDirective* violatedDirectiveForChildContext(const URL&, bool didReceiveRedirectResponse) const;
60     const ContentSecurityPolicyDirective* violatedDirectiveForConnectSource(const URL&, bool didReceiveRedirectResponse) const;
61     const ContentSecurityPolicyDirective* violatedDirectiveForFont(const URL&, bool didReceiveRedirectResponse) const;
62     const ContentSecurityPolicyDirective* violatedDirectiveForFormAction(const URL&, bool didReceiveRedirectResponse) const;
63     const ContentSecurityPolicyDirective* violatedDirectiveForFrame(const URL&, bool didReceiveRedirectResponse) const;
64     const ContentSecurityPolicyDirective* violatedDirectiveForFrameAncestor(const Frame&) const;
65     const ContentSecurityPolicyDirective* violatedDirectiveForImage(const URL&, bool didReceiveRedirectResponse) const;
66     const ContentSecurityPolicyDirective* violatedDirectiveForMedia(const URL&, bool didReceiveRedirectResponse) const;
67     const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL&, bool didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone) const;
68     const ContentSecurityPolicyDirective* violatedDirectiveForPluginType(const String& type, const String& typeAttribute) const;
69     const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&, bool didReceiveRedirectResponse) const;
70     const ContentSecurityPolicyDirective* violatedDirectiveForStyle(const URL&, bool didReceiveRedirectResponse) const;
71
       // Non-owning pointer to the default-src slot; nullptr while that slot is unset.
72     const ContentSecurityPolicyDirective* defaultSrc() const { return m_defaultSrc.get(); }
73
74     bool hasBlockAllMixedContentDirective() const { return m_hasBlockAllMixedContentDirective; }
75
       // Messages stored by the private setters below; where they are set and who surfaces
       // them is not visible in this header.
76     const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
77     const String& webAssemblyDisabledErrorMessage() const { return m_webAssemblyDisabledErrorMessage; }
       // NOTE(review): whether a report-only list is filtered inside the violatedDirectiveFor*()
       // queries or left to the caller cannot be told from here -- a caller that blocks on a
       // non-null result should verify which side consults this flag.
78     bool isReportOnly() const { return m_reportOnly; }
79     const Vector<String>& reportURIs() const { return m_reportURIs; }
80
81     // FIXME: Remove this once we teach ContentSecurityPolicyDirectiveList how to log an arbitrary console message.
82     const ContentSecurityPolicy& policy() const { return m_policy; }
83
84 private:
       // Parsing helpers, declared only. parseDirective() receives a [begin, end) style pointer
       // pair and fills name/value through its out-parameters (range convention presumed -- confirm).
85     void parse(const String&, ContentSecurityPolicy::PolicyFrom);
86
87     bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
88     void parseReportURI(const String& name, const String& value);
89     void parsePluginTypes(const String& name, const String& value);
90     void addDirective(const String& name, const String& value);
91     void applySandboxPolicy(const String& name, const String& sandboxPolicy);
92     void setUpgradeInsecureRequests(const String& name);
93     void setBlockAllMixedContentEnabled(const String& name);
94
       // Takes one of the directive slots below by reference, so it can assign that slot.
95     template <class CSPDirectiveType>
96     void setCSPDirective(const String& name, const String& value, std::unique_ptr<CSPDirectiveType>&);
97
98     ContentSecurityPolicySourceListDirective* operativeDirective(ContentSecurityPolicySourceListDirective*) const;
99
        // Plain assignments to the two message members; eval and WebAssembly are kept separate.
100     void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; }
101     void setWebAssemblyDisabledErrorMessage(const String& errorMessage) { m_webAssemblyDisabledErrorMessage = errorMessage; }
102
        // Reference, not owned: the ContentSecurityPolicy must outlive this list.
103     // FIXME: Make this a const reference once we teach applySandboxPolicy() to store its policy as opposed to applying it directly onto ContentSecurityPolicy.
104     ContentSecurityPolicy& m_policy;
105
106     String m_header;
        // No default member initializer, unlike the bools below; the constructor takes a header
        // type, presumably to set this -- confirm in the .cpp.
107     ContentSecurityPolicyHeaderType m_headerType;
108
        // Flags default to false until a parse helper sets them.
109     bool m_reportOnly { false };
110     bool m_haveSandboxPolicy { false };
111     bool m_upgradeInsecureRequests { false };
112     bool m_hasBlockAllMixedContentDirective { false };
113
        // One owning slot per directive kind. A default-constructed std::unique_ptr is null, so a
        // slot stays null until something assigns it (presumably setCSPDirective() -- confirm).
114     std::unique_ptr<ContentSecurityPolicyMediaListDirective> m_pluginTypes;
115     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_baseURI;
116     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_connectSrc;
117     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_childSrc;
118     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_defaultSrc;
119     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_fontSrc;
120     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_formAction;
121     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_frameAncestors;
122     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_frameSrc;
123     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_imgSrc;
124     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_mediaSrc;
125     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_objectSrc;
126     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_scriptSrc;
127     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_styleSrc;
128     
129     Vector<String> m_reportURIs;
130     
        // Returned by evalDisabledErrorMessage() / webAssemblyDisabledErrorMessage().
131     String m_evalDisabledErrorMessage;
132     String m_webAssemblyDisabledErrorMessage;
133 };
134
135 } // namespace WebCore