Ejemplo n.º 1
0
bool CSPDirectiveList::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
    if (url.protocolIsAbout())
        return true;
    return reportingStatus == ContentSecurityPolicy::SendReport ?
        checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, ContentSecurityPolicy::ObjectSrc) :
        checkSource(operativeDirective(m_objectSrc.get()), url);
}
Ejemplo n.º 2
0
static bool shouldInheritSecurityOriginFromOwner(const KURL& url) {
  // https://html.spec.whatwg.org/multipage/browsers.html#origin
  //
  // If a Document is the initial "about:blank" document The origin and
  // effective script origin of the Document are those it was assigned when its
  // browsing context was created.
  //
  // Note: We generalize this to all "blank" URLs and invalid URLs because we
  // treat all of these URLs as about:blank.
  return url.isEmpty() || url.protocolIsAbout();
}
Ejemplo n.º 3
0
// static
PresentationRequest* PresentationRequest::create(ExecutionContext* executionContext, const String& url, ExceptionState& exceptionState)
{
    KURL parsedUrl = KURL(executionContext->url(), url);
    if (!parsedUrl.isValid() || parsedUrl.protocolIsAbout()) {
        exceptionState.throwTypeError("'" + url + "' can't be resolved to a valid URL.");
        return nullptr;
    }

    PresentationRequest* request = new PresentationRequest(executionContext, parsedUrl);
    request->suspendIfNeeded();
    return request;
}
bool CSPDirectiveList::allowChildFrameFromSource(const KURL& url, ContentSecurityPolicy::RedirectStatus redirectStatus, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
    if (url.protocolIsAbout())
        return true;

    // 'frame-src' is the only directive which overrides something other than the default sources.
    // It overrides 'child-src', which overrides the default sources. So, we do this nested set
    // of calls to 'operativeDirective()' to grab 'frame-src' if it exists, 'child-src' if it
    // doesn't, and 'defaut-src' if neither are available.
    SourceListDirective* whichDirective = operativeDirective(m_frameSrc.get(), operativeDirective(m_childSrc.get()));

    return reportingStatus == ContentSecurityPolicy::SendReport ? checkSourceAndReportViolation(whichDirective, url, ContentSecurityPolicy::FrameSrc, redirectStatus) : checkSource(whichDirective, url, redirectStatus);
}
Ejemplo n.º 5
0
bool LocalFrame::isURLAllowed(const KURL& url) const {
  // Exempt about: URLs from self-reference check.
  if (url.protocolIsAbout())
    return true;

  // We allow one level of self-reference because some sites depend on that,
  // but we don't allow more than one.
  bool foundSelfReference = false;
  for (const Frame* frame = this; frame; frame = frame->tree().parent()) {
    if (!frame->isLocalFrame())
      continue;
    if (equalIgnoringFragmentIdentifier(toLocalFrame(frame)->document()->url(),
                                        url)) {
      if (foundSelfReference)
        return false;
      foundSelfReference = true;
    }
  }
  return true;
}
Ejemplo n.º 6
0
ScriptPromise ServiceWorkerWindowClient::navigate(ScriptState* scriptState,
                                                  const String& url) {
  ScriptPromiseResolver* resolver = ScriptPromiseResolver::create(scriptState);
  ScriptPromise promise = resolver->promise();
  ExecutionContext* context = scriptState->getExecutionContext();

  KURL parsedUrl = KURL(toWorkerGlobalScope(context)->location()->url(), url);
  if (!parsedUrl.isValid() || parsedUrl.protocolIsAbout()) {
    resolver->reject(V8ThrowException::createTypeError(
        scriptState->isolate(), "'" + url + "' is not a valid URL."));
    return promise;
  }
  if (!context->getSecurityOrigin()->canDisplay(parsedUrl)) {
    resolver->reject(V8ThrowException::createTypeError(
        scriptState->isolate(),
        "'" + parsedUrl.elidedString() + "' cannot navigate."));
    return promise;
  }

  ServiceWorkerGlobalScopeClient::from(context)->navigate(
      uuid(), parsedUrl, new NavigateClientCallback(resolver));
  return promise;
}