1/* 2 * Copyright (C) 2013 Google, Inc. All Rights Reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include "config.h" 27#include "XSSAuditorDelegate.h" 28 29#include "Document.h" 30#include "DocumentLoader.h" 31#include "FormData.h" 32#include "Frame.h" 33#include "FrameLoader.h" 34#include "FrameLoaderClient.h" 35#include "HTMLParserIdioms.h" 36#include "PingLoader.h" 37#include "SecurityOrigin.h" 38#include <inspector/InspectorValues.h> 39#include <wtf/text/StringBuilder.h> 40#include <wtf/text/CString.h> 41 42using namespace Inspector; 43 44namespace WebCore { 45 46XSSAuditorDelegate::XSSAuditorDelegate(Document& document) 47 : m_document(document) 48 , m_didSendNotifications(false) 49{ 50 ASSERT(isMainThread()); 51} 52 53static inline String buildConsoleError(const XSSInfo& xssInfo) 54{ 55 StringBuilder message; 56 message.append("The XSS Auditor "); 57 message.append(xssInfo.m_didBlockEntirePage ? "blocked access to" : "refused to execute a script in"); 58 message.append(" '"); 59 message.append(xssInfo.m_originalURL); 60 message.append("' because "); 61 message.append(xssInfo.m_didBlockEntirePage ? "the source code of a script" : "its source code"); 62 message.append(" was found within the request."); 63 64 if (xssInfo.m_didSendCSPHeader) 65 message.append(" The server sent a 'Content-Security-Policy' header requesting this behavior."); 66 else if (xssInfo.m_didSendXSSProtectionHeader) 67 message.append(" The server sent an 'X-XSS-Protection' header requesting this behavior."); 68 else 69 message.append(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header."); 70 71 return message.toString(); 72} 73 74PassRefPtr<FormData> XSSAuditorDelegate::generateViolationReport(const XSSInfo& xssInfo) 75{ 76 ASSERT(isMainThread()); 77 78 FrameLoader& frameLoader = m_document.frame()->loader(); 79 String httpBody; 80 if (frameLoader.documentLoader()) { 81 if (FormData* formData = frameLoader.documentLoader()->originalRequest().httpBody()) 82 httpBody = formData->flattenToString(); 83 } 84 85 RefPtr<InspectorObject> reportDetails = InspectorObject::create(); 86 reportDetails->setString("request-url", xssInfo.m_originalURL); 87 reportDetails->setString("request-body", httpBody); 88 89 RefPtr<InspectorObject> reportObject = InspectorObject::create(); 90 reportObject->setObject("xss-report", reportDetails.release()); 91 92 return FormData::create(reportObject->toJSONString().utf8().data()); 93} 94 95void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo) 96{ 97 ASSERT(isMainThread()); 98 99 m_document.addConsoleMessage(MessageSource::JS, MessageLevel::Error, buildConsoleError(xssInfo)); 100 101 FrameLoader& frameLoader = m_document.frame()->loader(); 102 if (xssInfo.m_didBlockEntirePage) 103 frameLoader.stopAllLoaders(); 104 105 if (!m_didSendNotifications) { 106 m_didSendNotifications = true; 107 108 frameLoader.client().didDetectXSS(m_document.url(), xssInfo.m_didBlockEntirePage); 109 110 if (!m_reportURL.isEmpty()) 111 PingLoader::sendViolationReport(*m_document.frame(), m_reportURL, generateViolationReport(xssInfo)); 112 } 113 114 if (xssInfo.m_didBlockEntirePage) 115 m_document.frame()->navigationScheduler().scheduleLocationChange(m_document.securityOrigin(), SecurityOrigin::urlWithUniqueSecurityOrigin(), String()); 116} 117 118} // namespace WebCore 119