1 | /* |
2 | * Copyright (C) 2011 Google, Inc. All rights reserved. |
3 | * Copyright (C) 2016 Apple Inc. All rights reserved. |
4 | * |
5 | * Redistribution and use in source and binary forms, with or without |
6 | * modification, are permitted provided that the following conditions |
7 | * are met: |
8 | * 1. Redistributions of source code must retain the above copyright |
9 | * notice, this list of conditions and the following disclaimer. |
10 | * 2. Redistributions in binary form must reproduce the above copyright |
11 | * notice, this list of conditions and the following disclaimer in the |
12 | * documentation and/or other materials provided with the distribution. |
13 | * |
14 | * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY |
15 | * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
16 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
17 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR |
18 | * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
19 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
20 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
21 | * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
22 | * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
23 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
24 | * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
25 | */ |
26 | |
27 | #pragma once |
28 | |
29 | #include "ContentSecurityPolicyHash.h" |
30 | #include "ContentSecurityPolicySource.h" |
31 | #include <wtf/HashSet.h> |
32 | #include <wtf/OptionSet.h> |
33 | #include <wtf/text/StringHash.h> |
34 | #include <wtf/text/WTFString.h> |
35 | |
36 | namespace WebCore { |
37 | |
38 | class ContentSecurityPolicy; |
39 | |
40 | class ContentSecurityPolicySourceList { |
41 | public: |
42 | ContentSecurityPolicySourceList(const ContentSecurityPolicy&, const String& directiveName); |
43 | |
44 | void parse(const String&); |
45 | |
46 | bool matches(const URL&, bool didReceiveRedirectResponse) const; |
47 | bool matches(const ContentSecurityPolicyHash&) const; |
48 | bool matches(const String& nonce) const; |
49 | |
50 | OptionSet<ContentSecurityPolicyHashAlgorithm> hashAlgorithmsUsed() const { return m_hashAlgorithmsUsed; } |
51 | |
52 | bool allowInline() const { return m_allowInline && m_hashes.isEmpty() && m_nonces.isEmpty(); } |
53 | bool allowEval() const { return m_allowEval; } |
54 | bool allowSelf() const { return m_allowSelf; } |
55 | bool isNone() const { return m_isNone; } |
56 | |
57 | private: |
58 | void parse(const UChar* begin, const UChar* end); |
59 | |
60 | bool parseSource(const UChar* begin, const UChar* end, String& scheme, String& host, Optional<uint16_t>& port, String& path, bool& hostHasWildcard, bool& portHasWildcard); |
61 | bool parseScheme(const UChar* begin, const UChar* end, String& scheme); |
62 | bool parseHost(const UChar* begin, const UChar* end, String& host, bool& hostHasWildcard); |
63 | bool parsePort(const UChar* begin, const UChar* end, Optional<uint16_t>& port, bool& portHasWildcard); |
64 | bool parsePath(const UChar* begin, const UChar* end, String& path); |
65 | |
66 | bool parseNonceSource(const UChar* begin, const UChar* end); |
67 | |
68 | bool isProtocolAllowedByStar(const URL&) const; |
69 | |
70 | bool parseHashSource(const UChar* begin, const UChar* end); |
71 | |
72 | const ContentSecurityPolicy& m_policy; |
73 | Vector<ContentSecurityPolicySource> m_list; |
74 | HashSet<String> m_nonces; |
75 | HashSet<ContentSecurityPolicyHash> m_hashes; |
76 | OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsUsed; |
77 | String m_directiveName; |
78 | bool m_allowSelf { false }; |
79 | bool m_allowStar { false }; |
80 | bool m_allowInline { false }; |
81 | bool m_allowEval { false }; |
82 | bool m_isNone { false }; |
83 | }; |
84 | |
85 | } // namespace WebCore |
86 | |