1/*
2 * Copyright (C) 2011 Google, Inc. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 *    notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 *    notice, this list of conditions and the following disclaimer in the
11 *    documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#ifndef ContentSecurityPolicy_h
27#define ContentSecurityPolicy_h
28
29#include "KURL.h"
30#include "ScriptState.h"
31#include <wtf/PassOwnPtr.h>
32#include <wtf/RefCounted.h>
33#include <wtf/Vector.h>
34#include <wtf/text/TextPosition.h>
35#include <wtf/text/WTFString.h>
36
37namespace WTF {
38class OrdinalNumber;
39}
40
41namespace WebCore {
42
43class CSPDirectiveList;
44class DOMStringList;
45class ScriptExecutionContext;
46class SecurityOrigin;
47
48typedef int SandboxFlags;
49typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector;
50
51class ContentSecurityPolicy {
52    WTF_MAKE_FAST_ALLOCATED;
53public:
54    static PassOwnPtr<ContentSecurityPolicy> create(ScriptExecutionContext* scriptExecutionContext)
55    {
56        return adoptPtr(new ContentSecurityPolicy(scriptExecutionContext));
57    }
58    ~ContentSecurityPolicy();
59
60    void copyStateFrom(const ContentSecurityPolicy*);
61
62    enum HeaderType {
63        Report,
64        Enforce,
65        PrefixedReport,
66        PrefixedEnforce
67    };
68
69    enum ReportingStatus {
70        SendReport,
71        SuppressReport
72    };
73
74    // Be sure to update the behavior of XSSAuditor::combineXSSProtectionHeaderAndCSP whenever you change this enum's content or ordering.
75    enum ReflectedXSSDisposition {
76        ReflectedXSSUnset = 0,
77        AllowReflectedXSS,
78        ReflectedXSSInvalid,
79        FilterReflectedXSS,
80        BlockReflectedXSS
81    };
82
83    void didReceiveHeader(const String&, HeaderType);
84
85    // These functions are wrong because they assume that there is only one header.
86    // FIXME: Replace them with functions that return vectors.
87    const String& deprecatedHeader() const;
88    HeaderType deprecatedHeaderType() const;
89
90    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
91    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
92    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
93    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
94    bool allowEval(ScriptState* = 0, ReportingStatus = SendReport) const;
95    bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& = KURL()) const;
96    bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ReportingStatus = SendReport) const;
97
98    bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const;
99    bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const;
100    bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) const;
101    bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const;
102    bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const;
103    bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const;
104    bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const;
105    bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const;
106    bool allowFormAction(const KURL&, ReportingStatus = SendReport) const;
107    bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const;
108
109    ReflectedXSSDisposition reflectedXSSDisposition() const;
110
111    void setOverrideAllowInlineStyle(bool);
112
113    bool isActive() const;
114    void gatherReportURIs(DOMStringList&) const;
115
116    void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression) const;
117    void reportDuplicateDirective(const String&) const;
118    void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
119    void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
120    void reportInvalidNonce(const String&) const;
121    void reportInvalidPluginTypes(const String&) const;
122    void reportInvalidSandboxFlags(const String&) const;
123    void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
124    void reportInvalidReflectedXSS(const String&) const;
125    void reportMissingReportURI(const String&) const;
126    void reportUnsupportedDirective(const String&) const;
127    void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;
128
129    void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
130
131    const KURL& url() const;
132    KURL completeURL(const String&) const;
133    SecurityOrigin* securityOrigin() const;
134    void enforceSandboxFlags(SandboxFlags) const;
135    String evalDisabledErrorMessage() const;
136
137    bool experimentalFeaturesEnabled() const;
138
139private:
140    explicit ContentSecurityPolicy(ScriptExecutionContext*);
141
142    void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;
143
144    ScriptExecutionContext* m_scriptExecutionContext;
145    bool m_overrideInlineStyleAllowed;
146    CSPDirectiveListVector m_policies;
147};
148
149}
150
151#endif
152