Diffstat (limited to 'Source/WebCore/page/ContentSecurityPolicy.cpp')
-rw-r--r-- | Source/WebCore/page/ContentSecurityPolicy.cpp | 39 |
1 files changed, 33 insertions, 6 deletions
diff --git a/Source/WebCore/page/ContentSecurityPolicy.cpp b/Source/WebCore/page/ContentSecurityPolicy.cpp
index 4bb3a88a8..2667a8284 100644
--- a/Source/WebCore/page/ContentSecurityPolicy.cpp
+++ b/Source/WebCore/page/ContentSecurityPolicy.cpp
@@ -500,13 +500,15 @@ bool CSPSourceList::parsePath(const UChar* begin, const UChar* end, String& path
     // path/to/file.js?query=string || path/to/file.js#anchor
     //                ^                               ^
     if (position < end)
-        return false;
+        m_policy->reportInvalidPathCharacter(m_directiveName, String(begin, end - begin), *position);
-    path = decodeURLEscapeSequences(String(begin, end - begin));
+    path = decodeURLEscapeSequences(String(begin, position - begin));
     if (!path.endsWith('/'))
         path = path + '/';
-    ASSERT(position == end && path.endsWith('/'));
+    ASSERT(position <= end);
+    ASSERT(position == end || (*position == '#' || *position == '?'));
+    ASSERT(path.endsWith('/'));
     return true;
 }
@@ -885,7 +887,12 @@ bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directiv
 {
     if (checkEval(directive))
         return true;
-    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine, callStack);
+
+    String suffix = String();
+    if (directive == m_defaultSrc)
+        suffix = " Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.";
+
+    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, callStack);
     if (!m_reportOnly) {
         m_policy->reportBlockedScriptExecutionToInspector(directive->text());
         return false;
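Review bot: The `position < end` branch now accepts a truncated path and returns true, while the ASSERTs that pin `*position` to '?' or '#' come after the report; ASSERT is compiled out in release builds, so whether a source is only ever cut at those two characters rests entirely on the scan above the hunk (parsePath begins outside it). A release-safe form would check before reporting, `if (position < end && *position != '?' && *position != '#') return false;`, and keep the ASSERTs as documentation. Note also that `*position` is a UChar while reportInvalidPathCharacter takes `const char invalidChar`, so the narrowing is silent and harmless only while that check holds.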
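Review bot: `String suffix = String();` is a redundant copy-initialization; `String suffix;` already yields a null String, and the same line is repeated in the checkInlineAndReportViolation and checkSourceAndReportViolation hunks below. The message is now assembled with a chain of `+` concatenations, which in checkSourceAndReportViolation even replaces a previous `makeString(...)` call; WebKit style favours `makeString` for multi-part strings because it computes the length once, e.g. `reportViolation(directive->text(), makeString(consoleMessage, "\"", directive->text(), "\".", suffix, "\n"), KURL(), contextURL, contextLine, callStack);`. The body of checkEvalAndReportViolation continues past the end of the hunk.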
@@ -918,7 +925,12 @@ bool CSPDirectiveList::checkInlineAndReportViolation(SourceListDirective* direct
 {
     if (checkInline(directive))
         return true;
-    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
+
+    String suffix = String();
+    if (directive == m_defaultSrc)
+        suffix = makeString(" Note that '", (isScript ? "script" : "style"), "-src' was not explicitly set, so 'default-src' is used as a fallback.");
+
+    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine);
     if (!m_reportOnly) {
         if (isScript)
@@ -939,7 +951,11 @@ bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* direct
     if (type == "form")
         prefix = "Refused to send form data to '";
-    reportViolation(directive->text(), makeString(prefix, url.string(), "' because it violates the following Content Security Policy directive: \"", directive->text(), "\".\n"), url);
+    String suffix = String();
+    if (directive == m_defaultSrc)
+        suffix = " Note that '" + type + "-src' was not explicitly set, so 'default-src' is used as a fallback.";
+
+    reportViolation(directive->text(), prefix + url.string() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\"." + suffix + "\n", url);
     return denyIfEnforcingPolicy();
 }
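Review bot: In checkSourceAndReportViolation the fallback note is built from `type`, so when `type` is "form" (the `if (type == "form")` branch shows that value is expected here) the console would mention a `'form-src'` directive, which is not a CSP directive. Whether a form check can arrive here with `directive == m_defaultSrc` depends on the caller, which lies outside the hunk; if it can, derive the note from the name of the directive that actually fell back, or skip the suffix for that type. The start of checkSourceAndReportViolation is outside the hunk as well.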
@@ -1573,6 +1589,17 @@ void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(const String& d
     logToConsole(message);
 }
+void ContentSecurityPolicy::reportInvalidPathCharacter(const String& directiveName, const String& value, const char invalidChar) const
+{
+    ASSERT(invalidChar == '#' || invalidChar == '?');
+
+    String ignoring = "The fragment identifier, including the '#', will be ignored.";
+    if (invalidChar == '?')
+        ignoring = "The query component, including the '?', will be ignored.";
+    String message = makeString("The source list for Content Security Policy directive '", directiveName, "' contains a source with an invalid path: '", value, "'. ", ignoring);
+    logToConsole(message);
+}
+
 void ContentSecurityPolicy::reportInvalidNonce(const String& nonce) const
 {
     String message = makeString("Ignoring invalid Content Security Policy script nonce: '", nonce, "'.\n");
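Review bot: The new reportInvalidPathCharacter message has no trailing "\n", whereas the neighbouring reportInvalidNonce message ends with `"'.\n"`, so the console output of the two routines is inconsistent; either append it here or drop it there, but they should match. The `invalidChar` parameter is `const char` while the call site in parsePath passes a UChar, and only an ASSERT (absent in release builds) excludes values other than '#' and '?', any of which would be reported with the fragment-identifier wording. A short header comment would make that contract visible to callers: `// invalidChar is the first '?' or '#' found in a path-part; the caller stops parsing the path there.`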