1/* 2 * Copyright (C) 2013 Google, Inc. All Rights Reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY 14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR 17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY 21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include "config.h" 27#include "XSSAuditorDelegate.h" 28 29#include "Console.h" 30#include "DOMWindow.h" 31#include "Document.h" 32#include "DocumentLoader.h" 33#include "FormData.h" 34#include "Frame.h" 35#include "FrameLoader.h" 36#include "FrameLoaderClient.h" 37#include "HTMLParserIdioms.h" 38#include "InspectorValues.h" 39#include "PingLoader.h" 40#include "SecurityOrigin.h" 41#include <wtf/text/StringBuilder.h> 42#include <wtf/text/CString.h> 43 44namespace WebCore { 45 46XSSAuditorDelegate::XSSAuditorDelegate(Document* document) 47 : m_document(document) 48 , m_didSendNotifications(false) 49{ 50 ASSERT(isMainThread()); 51 ASSERT(m_document); 52} 53 54static inline String buildConsoleError(const XSSInfo& xssInfo, const String& url) 55{ 56 StringBuilder message; 57 message.append("The XSS Auditor "); 58 message.append(xssInfo.m_didBlockEntirePage ? "blocked access to" : "refused to execute a script in"); 59 message.append(" '"); 60 message.append(url); 61 message.append("' because "); 62 message.append(xssInfo.m_didBlockEntirePage ? "the source code of a script" : "its source code"); 63 message.append(" was found within the request."); 64 65 if (xssInfo.m_didSendCSPHeader) 66 message.append(" The server sent a 'Content-Security-Policy' header requesting this behavior."); 67 else if (xssInfo.m_didSendXSSProtectionHeader) 68 message.append(" The server sent an 'X-XSS-Protection' header requesting this behavior."); 69 else 70 message.append(" The auditor was enabled as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' header."); 71 72 return message.toString(); 73} 74 75PassRefPtr<FormData> XSSAuditorDelegate::generateViolationReport() 76{ 77 ASSERT(isMainThread()); 78 79 FrameLoader* frameLoader = m_document->frame()->loader(); 80 String httpBody; 81 if (frameLoader->documentLoader()) { 82 if (FormData* formData = frameLoader->documentLoader()->originalRequest().httpBody()) 83 httpBody = formData->flattenToString(); 84 } 85 86 RefPtr<InspectorObject> reportDetails = InspectorObject::create(); 87 reportDetails->setString("request-url", m_document->url().string()); 88 reportDetails->setString("request-body", httpBody); 89 90 RefPtr<InspectorObject> reportObject = InspectorObject::create(); 91 reportObject->setObject("xss-report", reportDetails.release()); 92 93 return FormData::create(reportObject->toJSONString().utf8().data()); 94} 95 96void XSSAuditorDelegate::didBlockScript(const XSSInfo& xssInfo) 97{ 98 ASSERT(isMainThread()); 99 100 m_document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, buildConsoleError(xssInfo, m_document->url().string())); 101 102 FrameLoader* frameLoader = m_document->frame()->loader(); 103 if (xssInfo.m_didBlockEntirePage) 104 frameLoader->stopAllLoaders(); 105 106 if (!m_didSendNotifications) { 107 m_didSendNotifications = true; 108 109 frameLoader->client()->didDetectXSS(m_document->url(), xssInfo.m_didBlockEntirePage); 110 111 if (!m_reportURL.isEmpty()) 112 PingLoader::sendViolationReport(m_document->frame(), m_reportURL, generateViolationReport()); 113 } 114 115 if (xssInfo.m_didBlockEntirePage) 116 m_document->frame()->navigationScheduler()->scheduleLocationChange(m_document->securityOrigin(), SecurityOrigin::urlWithUniqueSecurityOrigin(), String()); 117} 118 119} // namespace WebCore 120