// Permits the load when there is no directive governing this resource type,
// or when the directive's source list admits |url|. Otherwise a violation
// naming the directive text and the offending URL is reported and the load
// is refused.
//
// @param directive  the directive to consult; null means "unrestricted"
// @param url        the resource URL being loaded
// @param type       human-readable resource kind used in the report message
// @return true when the load is allowed, false when it was reported and denied
bool ContentSecurityPolicy::checkSourceAndReportViolation(CSPDirective* directive, const KURL& url, const String& type) const
{
    // An absent directive places no restriction on this resource type.
    if (!directive)
        return true;
    if (directive->allows(url))
        return true;

    // NOTE(review): the report echoes the full URL (url.string()), whereas the
    // CSPDirectiveList variant in this file uses url.elidedString(); confirm
    // whether the unelided form is intended here.
    const String message = makeString("Refused to load ", type, " from '", url.string(), "' because of Content-Security-Policy.\n");
    reportViolation(directive->text(), message);
    return false;
}
// Permits eval() when checkEval() accepts |directive|; otherwise reports
// |consoleMessage| against the directive's text and refuses.
//
// NOTE(review): unlike the source/inline variants in this file, there is no
// explicit null check on |directive| before the failure path dereferences it,
// so this relies on checkEval() returning true for a null directive — confirm.
//
// @param directive       the script-src style directive to consult
// @param consoleMessage  text to report when eval() is refused
// @return true when eval() is allowed, false when it was reported and denied
bool ContentSecurityPolicy::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
{
    const bool evalPermitted = checkEval(directive);
    if (evalPermitted)
        return true;

    reportViolation(directive->text(), consoleMessage);
    return false;
}
// Permits inline content when no directive applies or when the directive
// allows inline usage; otherwise reports |consoleMessage| against the
// directive's text and refuses.
//
// @param directive       the directive to consult; null means "unrestricted"
// @param consoleMessage  text to report when inline content is refused
// @return true when inline content is allowed, false when it was reported and denied
bool ContentSecurityPolicy::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
{
    // A missing directive is treated as permissive, matching the source check.
    const bool inlinePermitted = !directive || directive->allowInline();
    if (inlinePermitted)
        return true;

    reportViolation(directive->text(), consoleMessage);
    return false;
}
// Permits a plugin whose media type passes checkMediaType(); otherwise builds
// a 'plugin-types' violation message, reports it, and returns whether the
// policy is being enforced (as opposed to report-only).
//
// @param directive      the plugin-types directive being checked
// @param type           the resolved media type of the plugin content
// @param typeAttribute  the element's declared 'type' attribute (may be empty)
// @param consoleMessage leading text of the report; the directive text and,
//                       when |typeAttribute| is empty, an explanatory hint
//                       are appended
// @return true when allowed or only reporting; false when enforcing and denied
bool CSPDirectiveList::checkMediaTypeAndReportViolation(MediaListDirective* directive, const String& type, const String& typeAttribute, const String& consoleMessage) const
{
    if (checkMediaType(directive, type, typeAttribute))
        return true;

    String report = consoleMessage + "\'" + directive->text() + "\'.";

    // Without an explicit 'type' attribute the plugin's media type cannot be
    // matched against the directive, so tell the author how to declare it.
    static const char* const missingTypeAttributeHint = " When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>').";
    if (typeAttribute.isEmpty())
        report = report + missingTypeAttributeHint;

    const String reportWithNewline = report + "\n";
    reportViolation(directive->text(), ContentSecurityPolicy::PluginTypes, reportWithNewline, KURL());
    return denyIfEnforcingPolicy();
}
// Maps an effective directive name to the opening phrase of its violation
// report. Names without a dedicated phrase yield a null String, in which case
// the report starts directly with the URL.
static String violationReportPrefixForDirective(const String& effectiveDirective)
{
    if (ContentSecurityPolicy::BaseURI == effectiveDirective)
        return "Refused to set the document's base URI to '";
    if (ContentSecurityPolicy::ChildSrc == effectiveDirective)
        return "Refused to create a child context containing '";
    if (ContentSecurityPolicy::ConnectSrc == effectiveDirective)
        return "Refused to connect to '";
    if (ContentSecurityPolicy::FontSrc == effectiveDirective)
        return "Refused to load the font '";
    if (ContentSecurityPolicy::FormAction == effectiveDirective)
        return "Refused to send form data to '";
    if (ContentSecurityPolicy::FrameSrc == effectiveDirective)
        return "Refused to frame '";
    if (ContentSecurityPolicy::ImgSrc == effectiveDirective)
        return "Refused to load the image '";
    if (ContentSecurityPolicy::MediaSrc == effectiveDirective)
        return "Refused to load media from '";
    if (ContentSecurityPolicy::ManifestSrc == effectiveDirective)
        return "Refused to load manifest from '";
    if (ContentSecurityPolicy::ObjectSrc == effectiveDirective)
        return "Refused to load plugin data from '";
    if (ContentSecurityPolicy::ScriptSrc == effectiveDirective)
        return "Refused to load the script '";
    if (ContentSecurityPolicy::StyleSrc == effectiveDirective)
        return "Refused to load the stylesheet '";
    return String();
}

// Permits the load when checkSource() accepts |url| for |directive|;
// otherwise composes a violation report for |effectiveDirective| — the
// directive-specific prefix, the elided URL, the violated directive text and,
// when the check fell through to default-src, a note saying so — reports it,
// and returns whether the policy is being enforced.
//
// @param directive          the source-list directive that was consulted
// @param url                the URL that failed the source check
// @param effectiveDirective the directive name the check was performed on
//                           behalf of (may differ from |directive| when
//                           default-src is the fallback)
// @return true when allowed or only reporting; false when enforcing and denied
bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* directive, const KURL& url, const String& effectiveDirective) const
{
    if (checkSource(directive, url))
        return true;

    const String prefix = violationReportPrefixForDirective(effectiveDirective);

    // Authors are usually surprised when default-src bites; call it out when
    // the resource-specific directive was never set.
    String suffix = String();
    if (directive == m_defaultSrc)
        suffix = " Note that '" + effectiveDirective + "' was not explicitly set, so 'default-src' is used as a fallback.";

    // The URL is elided here, so the report does not reproduce arbitrarily long
    // URLs verbatim.
    const String report = prefix + url.elidedString() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\"." + suffix + "\n";
    reportViolation(directive->text(), effectiveDirective, report, url);
    return denyIfEnforcingPolicy();
}