void ContentSecurityPolicy::addPolicyFromHeaderValue(const String& header, ContentSecurityPolicyHeaderType type, ContentSecurityPolicyHeaderSource source)
{
// If this is a report-only header inside a <meta> element, bail out.
if (source == ContentSecurityPolicyHeaderSourceMeta && type == ContentSecurityPolicyHeaderTypeReport && experimentalFeaturesEnabled()) {
reportReportOnlyInMeta(header);
return;
}
Vector<UChar> characters;
header.appendTo(characters);
const UChar* begin = characters.data();
const UChar* end = begin + characters.size();
// RFC2616, section 4.2 specifies that headers appearing multiple times can
// be combined with a comma. Walk the header string, and parse each comma
// separated chunk as a separate header.
const UChar* position = begin;
while (position < end) {
skipUntil<UChar>(position, end, ',');
// header1,header2 OR header1
// ^ ^
OwnPtr<CSPDirectiveList> policy = CSPDirectiveList::create(this, begin, position, type, source);
// When a referrer policy has already been set, the most recent
// one takes precedence.
if (type != ContentSecurityPolicyHeaderTypeReport && policy->didSetReferrerPolicy())
m_referrerPolicy = policy->referrerPolicy();
if (!policy->allowEval(0, SuppressReport) && m_disableEvalErrorMessage.isNull())
m_disableEvalErrorMessage = policy->evalDisabledErrorMessage();
m_policies.append(policy.release());
// Skip the comma, and begin the next header from the current position.
ASSERT(position == end || *position == ',');
skipExactly<UChar>(position, end, ',');
begin = position;
}
}
void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<String>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, JSC::ExecState* state) const
{
logToConsole(consoleMessage, contextURL, contextLine, state);
// FIXME: Support sending reports from worker.
if (!is<Document>(m_scriptExecutionContext))
return;
Document& document = downcast<Document>(*m_scriptExecutionContext);
Frame* frame = document.frame();
if (!frame)
return;
#if ENABLE(CSP_NEXT)
if (experimentalFeaturesEnabled()) {
// FIXME: This code means that we're gathering information like line numbers twice. Once we can bring this out from behind the flag, we should reuse the data gathered here when generating the JSON report below.
String documentURI = document.url().string();
String referrer = document.referrer();
String blockedURI = stripURLForUseInReport(document, blockedURL);
String violatedDirective = directiveText;
String originalPolicy = header;
String sourceFile = String();
int lineNumber = 0;
Ref<ScriptCallStack> stack = createScriptCallStack(JSMainThreadExecState::currentState(), 2);
const ScriptCallFrame* callFrame = stack->firstNonNativeCallFrame();
if (callFrame && callFrame->lineNumber()) {
URL source = URL(URL(), callFrame->sourceURL());
sourceFile = stripURLForUseInReport(document, source);
lineNumber = callFrame->lineNumber();
}
document.enqueueDocumentEvent(SecurityPolicyViolationEvent::create(eventNames().securitypolicyviolationEvent, false, false, documentURI, referrer, blockedURI, violatedDirective, effectiveDirective, originalPolicy, sourceFile, lineNumber));
}
#endif
if (reportURIs.isEmpty())
return;
// We need to be careful here when deciding what information to send to the
// report-uri. Currently, we send only the current document's URL and the
// directive that was violated. The document's URL is safe to send because
// it's the document itself that's requesting that it be sent. You could
// make an argument that we shouldn't send HTTPS document URLs to HTTP
// report-uris (for the same reasons that we suppress the Referer in that
// case), but the Referer is sent implicitly whereas this request is only
// sent explicitly. As for which directive was violated, that's pretty
// harmless information.
RefPtr<InspectorObject> cspReport = InspectorObject::create();
cspReport->setString(ASCIILiteral("document-uri"), document.url().strippedForUseAsReferrer());
cspReport->setString(ASCIILiteral("referrer"), document.referrer());
cspReport->setString(ASCIILiteral("violated-directive"), directiveText);
#if ENABLE(CSP_NEXT)
if (experimentalFeaturesEnabled())
cspReport->setString(ASCIILiteral("effective-directive"), effectiveDirective);
#else
UNUSED_PARAM(effectiveDirective);
#endif
cspReport->setString(ASCIILiteral("original-policy"), header);
cspReport->setString(ASCIILiteral("blocked-uri"), stripURLForUseInReport(document, blockedURL));
RefPtr<ScriptCallStack> stack = createScriptCallStack(JSMainThreadExecState::currentState(), 2);
const ScriptCallFrame* callFrame = stack->firstNonNativeCallFrame();
if (callFrame && callFrame->lineNumber()) {
URL source = URL(URL(), callFrame->sourceURL());
cspReport->setString(ASCIILiteral("source-file"), stripURLForUseInReport(document, source));
cspReport->setInteger(ASCIILiteral("line-number"), callFrame->lineNumber());
}
RefPtr<InspectorObject> reportObject = InspectorObject::create();
reportObject->setObject(ASCIILiteral("csp-report"), cspReport.release());
RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8());
for (const auto& url : reportURIs)
PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef());
}
