void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiveName, const String& source)
{
String message = "The source list for Content Security Policy directive '" + directiveName + "' contains an invalid source: '" + source + "'. It will be ignored.";
if (equalIgnoringCase(source, "'none'"))
message = message + " Note that 'none' has no effect unless it is the only expression in the source list.";
logToConsole(message);
}
void Console::doLog(const LogLevel level, const wxString& message) {
if (!message.empty()) {
logToDebugOut(level, message);
logToConsole(level, message);
logNotifier(level, message);
}
}
void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiveName, const String& source) const
{
String message = makeString("The source list for Content Security Policy directive '", directiveName, "' contains an invalid source: '", source, "'. It will be ignored.");
if (equalLettersIgnoringASCIICase(source, "'none'"))
message = makeString(message, " Note that 'none' has no effect unless it is the only expression in the source list.");
logToConsole(message);
}
void ContentSecurityPolicy::reportInvalidPluginTypes(const String& pluginType) const
{
String message;
if (pluginType.isNull())
message = "'plugin-types' Content Security Policy directive is empty; all plugins will be blocked.\n";
else
message = makeString("Invalid plugin type in 'plugin-types' Content Security Policy directive: '", pluginType, "'.\n");
logToConsole(message);
}
void ContentSecurityPolicy::reportInvalidPathCharacter(const String& directiveName, const String& value, const char invalidChar)
{
ASSERT(invalidChar == '#' || invalidChar == '?');
String ignoring = "The fragment identifier, including the '#', will be ignored.";
if (invalidChar == '?')
ignoring = "The query component, including the '?', will be ignored.";
String message = "The source list for Content Security Policy directive '" + directiveName + "' contains a source with an invalid path: '" + value + "'. " + ignoring;
logToConsole(message);
}
void Console::setTextCtrl(wxTextCtrl* textCtrl) {
m_textCtrl = textCtrl;
if (m_textCtrl != NULL) {
for (unsigned int i = 0; i < m_buffer.size(); i++) {
const LogMessage& message = m_buffer[i];
logToConsole(message);
}
m_buffer.clear();
}
}
void Console::log(const LogMessage& message) {
if (message.string().empty())
return;
logToDebug(message);
logToFile(message);
if (m_textCtrl != NULL)
logToConsole(message);
else
m_buffer.push_back(message);
}
void ContentSecurityPolicy::reportInvalidPluginTypes(const String& pluginType)
{
String message;
if (pluginType.isNull())
message = "'plugin-types' Content Security Policy directive is empty; all plugins will be blocked.\n";
else if (pluginType == "'none'")
message = "Invalid plugin type in 'plugin-types' Content Security Policy directive: '" + pluginType + "'. Did you mean to set the object-src directive to 'none'?\n";
else
message = "Invalid plugin type in 'plugin-types' Content Security Policy directive: '" + pluginType + "'.\n";
logToConsole(message);
}
//生成log字符串
void Log::logData(LogLevel level, const char * buf)
{
static char s_log_level[Level_count][10]=
{
"Error",
"Warning",
"Info",
"Trace",
"Debug"
};
char format_log[MAX_LOG_SIZE];
std::string current_time=StrTimeStamp();
sprintf_s(format_log, sizeof(format_log), "[%s] [threadID:%d][%s] %s\n", s_log_level[level],GetCurrentThreadId(),current_time.c_str(), buf);
//如果是错误信息,则高亮显示
if(level==Error)
{
setColor(GREEN);
logToConsole(format_log);
resetColor();
logToErrFile(format_log);
}
else if(level==Warn)
{
setColor(CYAN);
logToConsole(format_log);
resetColor();
logToErrFile(format_log);
}
else
logToConsole(format_log);
logToFile(format_log);
m_log_line++;
if(m_log_line>=MAX_LOG_LINE)
m_log_line=0;
}
void QrScanner::process(const QString& data) {
if(m_bClosing)
return;
QUrl url(data);
logToConsole(QString("Processing: %1").arg(data));
logToConsole(QString("Scheme: %1").arg(url.scheme()));
if(!QString("otpauth").compare(url.scheme(), Qt::CaseInsensitive)){
bool hotp = false;
int digits = 6;
QString path = QUrl::fromPercentEncoding(url.path().mid(1).toAscii());
QString secret = url.queryItemValue("secret");
if(QString("totp").compare(url.host(), Qt::CaseInsensitive)){
hotp = true;
}
if(url.hasQueryItem("digits")){
digits = url.queryItemValue("digits").toInt();
}
Q_EMIT detected(path, secret, digits, hotp);
logToConsole(data);
logToConsole(QString("Path: %1, Secret: %2, Digit: %3, HOTP: %4").arg(path).arg(secret).arg(digits).arg(hotp));
}
}
void ContentSecurityPolicy::reportUnsupportedDirective(const String& name) const
{
String message;
if (equalLettersIgnoringASCIICase(name, "allow"))
message = ASCIILiteral("The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.");
else if (equalLettersIgnoringASCIICase(name, "options"))
message = ASCIILiteral("The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.");
else if (equalLettersIgnoringASCIICase(name, "policy-uri"))
message = ASCIILiteral("The 'policy-uri' directive has been removed from the specification. Please specify a complete policy via the Content-Security-Policy header.");
else
message = makeString("Unrecognized Content-Security-Policy directive '", name, "'.\n"); // FIXME: Why does this include a newline?
logToConsole(message);
}
void ContentSecurityPolicy::reportUnsupportedDirective(const String& name)
{
DEFINE_STATIC_LOCAL(String, allow, ("allow"));
DEFINE_STATIC_LOCAL(String, options, ("options"));
DEFINE_STATIC_LOCAL(String, policyURI, ("policy-uri"));
DEFINE_STATIC_LOCAL(String, allowMessage, ("The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect."));
DEFINE_STATIC_LOCAL(String, optionsMessage, ("The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect."));
DEFINE_STATIC_LOCAL(String, policyURIMessage, ("The 'policy-uri' directive has been removed from the specification. Please specify a complete policy via the Content-Security-Policy header."));
String message = "Unrecognized Content-Security-Policy directive '" + name + "'.\n";
MessageLevel level = ErrorMessageLevel;
if (equalIgnoringCase(name, allow)) {
message = allowMessage;
} else if (equalIgnoringCase(name, options)) {
message = optionsMessage;
} else if (equalIgnoringCase(name, policyURI)) {
message = policyURIMessage;
} else if (isDirectiveName(name)) {
message = "The Content-Security-Policy directive '" + name + "' is implemented behind a flag which is currently disabled.\n";
level = InfoMessageLevel;
}
logToConsole(message, level);
}
void ContentSecurityPolicy::reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression)
{
String message = "The Content Security Policy directive '" + directiveName + "' contains '" + sourceExpression + "' as a source expression. Did you mean '" + directiveName + " ...; " + sourceExpression + "...' (note the semicolon)?";
logToConsole(message);
}
void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value)
{
String message = "The value for Content Security Policy directive '" + directiveName + "' contains an invalid character: '" + value + "'. Non-whitespace characters outside ASCII 0x21-0x7E must be percent-encoded, as described in RFC 3986, section 2.1: http://tools.ietf.org/html/rfc3986#section-2.1.";
logToConsole(message);
}
void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<String>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, JSC::ExecState* state) const
{
logToConsole(consoleMessage, contextURL, contextLine, state);
// FIXME: Support sending reports from worker.
if (!is<Document>(m_scriptExecutionContext))
return;
Document& document = downcast<Document>(*m_scriptExecutionContext);
Frame* frame = document.frame();
if (!frame)
return;
#if ENABLE(CSP_NEXT)
if (experimentalFeaturesEnabled()) {
// FIXME: This code means that we're gathering information like line numbers twice. Once we can bring this out from behind the flag, we should reuse the data gathered here when generating the JSON report below.
String documentURI = document.url().string();
String referrer = document.referrer();
String blockedURI = stripURLForUseInReport(document, blockedURL);
String violatedDirective = directiveText;
String originalPolicy = header;
String sourceFile = String();
int lineNumber = 0;
Ref<ScriptCallStack> stack = createScriptCallStack(JSMainThreadExecState::currentState(), 2);
const ScriptCallFrame* callFrame = stack->firstNonNativeCallFrame();
if (callFrame && callFrame->lineNumber()) {
URL source = URL(URL(), callFrame->sourceURL());
sourceFile = stripURLForUseInReport(document, source);
lineNumber = callFrame->lineNumber();
}
document.enqueueDocumentEvent(SecurityPolicyViolationEvent::create(eventNames().securitypolicyviolationEvent, false, false, documentURI, referrer, blockedURI, violatedDirective, effectiveDirective, originalPolicy, sourceFile, lineNumber));
}
#endif
if (reportURIs.isEmpty())
return;
// We need to be careful here when deciding what information to send to the
// report-uri. Currently, we send only the current document's URL and the
// directive that was violated. The document's URL is safe to send because
// it's the document itself that's requesting that it be sent. You could
// make an argument that we shouldn't send HTTPS document URLs to HTTP
// report-uris (for the same reasons that we suppress the Referer in that
// case), but the Referer is sent implicitly whereas this request is only
// sent explicitly. As for which directive was violated, that's pretty
// harmless information.
RefPtr<InspectorObject> cspReport = InspectorObject::create();
cspReport->setString(ASCIILiteral("document-uri"), document.url().strippedForUseAsReferrer());
cspReport->setString(ASCIILiteral("referrer"), document.referrer());
cspReport->setString(ASCIILiteral("violated-directive"), directiveText);
#if ENABLE(CSP_NEXT)
if (experimentalFeaturesEnabled())
cspReport->setString(ASCIILiteral("effective-directive"), effectiveDirective);
#else
UNUSED_PARAM(effectiveDirective);
#endif
cspReport->setString(ASCIILiteral("original-policy"), header);
cspReport->setString(ASCIILiteral("blocked-uri"), stripURLForUseInReport(document, blockedURL));
RefPtr<ScriptCallStack> stack = createScriptCallStack(JSMainThreadExecState::currentState(), 2);
const ScriptCallFrame* callFrame = stack->firstNonNativeCallFrame();
if (callFrame && callFrame->lineNumber()) {
URL source = URL(URL(), callFrame->sourceURL());
cspReport->setString(ASCIILiteral("source-file"), stripURLForUseInReport(document, source));
cspReport->setInteger(ASCIILiteral("line-number"), callFrame->lineNumber());
}
RefPtr<InspectorObject> reportObject = InspectorObject::create();
reportObject->setObject(ASCIILiteral("csp-report"), cspReport.release());
RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8());
for (const auto& url : reportURIs)
PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef());
}
void ContentSecurityPolicy::reportInvalidSuboriginFlags(const String& invalidFlags)
{
logToConsole("Error while parsing the 'suborigin' Content Security Policy directive: " + invalidFlags);
}
void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue)
{
logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Valid values are \"allow\", \"filter\", and \"block\".");
}
void ContentSecurityPolicy::reportInvalidSandboxFlags(const String& invalidFlags) const
{
logToConsole("Error while parsing the 'sandbox' Content Security Policy directive: " + invalidFlags);
}
void ContentSecurityPolicy::reportInvalidReferrer(const String& invalidValue)
{
logToConsole("The 'referrer' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Valid values are \"no-referrer\", \"no-referrer-when-downgrade\", \"origin\", \"origin-when-cross-origin\", and \"unsafe-url\".");
}
void ContentSecurityPolicy::reportMissingReportURI(const String& policy)
{
logToConsole("The Content Security Policy '" + policy + "' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.");
}
QrScanner::~QrScanner() {
logToConsole("Destroyed.");
// m_pRoot->close();
}
void ContentSecurityPolicy::reportInvalidInReportOnly(const String& name)
{
logToConsole("The Content Security Policy directive '" + name + "' is ignored when delivered in a report-only policy.");
}
void ContentSecurityPolicy::reportDuplicateDirective(const String& name) const
{
logToConsole(makeString("Ignoring duplicate Content-Security-Policy directive '", name, "'.\n"));
}
void ContentSecurityPolicy::reportSuboriginInMeta(const String& suboriginName)
{
logToConsole("The Suborigin name '" + suboriginName + "' was delivered via a Content Security Policy in a <meta> element and not an HTTP header, which is disallowed. The Suborigin has been ignored.");
}
void ContentSecurityPolicy::reportMetaOutsideHead(const String& header)
{
logToConsole("The Content Security Policy '" + header + "' was delivered via a <meta> element outside the document's <head>, which is disallowed. The policy has been ignored.");
}
void ContentSecurityPolicy::reportReportOnlyInMeta(const String& header)
{
logToConsole("The report-only Content Security Policy '" + header + "' was delivered via a <meta> element, which is disallowed. The policy has been ignored.");
}
void ContentSecurityPolicy::logToConsole(const String& message, MessageLevel level)
{
logToConsole(ConsoleMessage::create(SecurityMessageSource, level, message));
}
void ContentSecurityPolicy::reportDuplicateDirective(const String& name)
{
String message = "Ignoring duplicate Content-Security-Policy directive '" + name + "'.\n";
logToConsole(message);
}
void ContentSecurityPolicy::reportValueForEmptyDirective(const String& name, const String& value)
{
logToConsole("The Content Security Policy directive '" + name + "' should be empty, but was delivered with a value of '" + value + "'. The directive has been applied, and the value ignored.");
}
void ContentSecurityPolicy::reportInvalidDirectiveInReportOnlyMode(const String& directiveName) const
{
logToConsole("The Content Security Policy directive '" + directiveName + "' is ignored when delivered in a report-only policy.");
}
