// Decides whether eval() is permitted by |directive| and logs a CSP violation
// when it is not.
//
//   directive      - the operative script-source directive consulted by checkEval()
//   consoleMessage - text handed to reportViolation() when eval is refused
//
// Returns true when eval is allowed; false after the violation has been reported.
// NOTE(review): |directive| is forwarded to checkEval() unchecked; the
// directive->text() call below is only safe if checkEval() treats a null
// directive as "allowed" — confirm against checkEval().
bool ContentSecurityPolicy::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
{
    const bool evalAllowed = checkEval(directive);
    if (!evalAllowed)
        reportViolation(directive->text(), consoleMessage);
    return evalAllowed;
}
// Checks whether the policy permits string evaluation (eval and friends).
//
//   scriptState     - script context used when a violation is reported
//   reportingStatus - SendReport routes the decision through
//                     checkEvalAndReportViolation() so a refusal is logged;
//                     any other value is a silent check
//   exceptionStatus - forwarded to the reporting path only
//
// The directive consulted is script-src, or whatever operativeDirective()
// falls back to when script-src is absent. Returns true when eval is allowed.
bool CSPDirectiveList::allowEval(ScriptState* scriptState, ContentSecurityPolicy::ReportingStatus reportingStatus, ContentSecurityPolicy::ExceptionStatus exceptionStatus) const
{
    SourceListDirective* operative = operativeDirective(m_scriptSrc.get());
    if (reportingStatus != ContentSecurityPolicy::SendReport)
        return checkEval(operative);
    return checkEvalAndReportViolation(operative, "Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: ", scriptState, exceptionStatus);
}
// Checks whether the policy permits string evaluation (eval and friends).
//
//   scriptState     - script context used when a violation is reported
//   reportingStatus - SendReport logs a refusal via checkEvalAndReportViolation();
//                     any other value performs a silent check
//
// The console message is built once as a function-local static because it is
// identical for every call. Returns true when eval is allowed.
bool CSPDirectiveList::allowEval(ScriptState* scriptState, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "));
    SourceListDirective* operative = operativeDirective(m_scriptSrc.get());
    if (reportingStatus == ContentSecurityPolicy::SendReport)
        return checkEvalAndReportViolation(operative, consoleMessage, scriptState);
    return checkEval(operative);
}
// Installs the policy carried by a Content-Security-Policy header.
//
//   header - the raw header value handed to parse()
//
// Only the first header is honored: once m_havePolicy is set every later
// header is ignored. After parsing, if the operative script-source directive
// does not allow eval, string evaluation is switched off in the document's
// frame (when it has one) so the engine enforces the policy rather than
// relying on per-call checks alone.
void ContentSecurityPolicy::didReceiveHeader(const String& header)
{
    // The first policy wins; subsequent headers do not replace or merge into it.
    if (m_havePolicy)
        return;

    parse(header);
    m_havePolicy = true;

    if (checkEval(operativeDirective(m_scriptSrc.get())))
        return;

    // A document without a frame has no script controller to disable eval on.
    Frame* frame = m_document->frame();
    if (!frame)
        return;
    frame->script()->disableEval();
}
// Decides whether eval() is permitted by |directive| and, when it is not,
// reports the violation (console message plus violation report) and notifies
// the inspector.
//
//   directive      - the operative script-source directive; when it is the
//                    default-src fallback, the console text says so
//   consoleMessage - prefix of the console text; the directive text and a
//                    trailing newline are appended here
//   scriptState    - script context forwarded to reportViolationWithState()
//
// Returns true when eval is allowed. In report-only mode the violation is
// reported but eval is still permitted (returns true); otherwise the blocked
// execution is also reported to the inspector and false is returned.
// NOTE(review): directive->text() is reached without a null check, relying
// on checkEval() returning true for a null directive — confirm.
bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directive, const String& consoleMessage, ScriptState* scriptState) const
{
    if (checkEval(directive))
        return true;

    String fallbackNote;
    if (directive == m_defaultSrc)
        fallbackNote = " Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.";

    const String fullMessage = consoleMessage + "\"" + directive->text() + "\"." + fallbackNote + "\n";
    reportViolationWithState(directive->text(), ContentSecurityPolicy::ScriptSrc, fullMessage, KURL(), scriptState);

    // Report-only policies log the violation but never block the evaluation.
    if (m_reportOnly)
        return true;

    m_policy->reportBlockedScriptExecutionToInspector(directive->text());
    return false;
}