author | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-09-17 20:12:04 +0000 |
committer | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-09-17 20:12:04 +0000 |
commit | 1a08d69f4fb1dcce066be38cd1c5d087b77257c2 (patch) | |
tree | 022c320155ecb7105af07ba85776e945c5061bf2 | |
parent | f72f31f42c3f6085d3128ca5acbbfb5adf8ce2f7 (diff) | |
Merge 153520 - Apply frame-src content-security-policy to WebUI pages.
BUG=143003
Review URL: https://chromiumcodereview.appspot.com/10829465
TBR=tsepez@chromium.org
Review URL: https://codereview.chromium.org/10908293
git-svn-id: svn://svn.chromium.org/chrome/branches/1229/src@157176 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/browser/ui/webui/chrome_url_data_manager_backend.cc | 49 |
1 files changed, 36 insertions, 13 deletions
diff --git a/chrome/browser/ui/webui/chrome_url_data_manager_backend.cc b/chrome/browser/ui/webui/chrome_url_data_manager_backend.cc
index 6e6216e..0157bbd 100644
--- a/chrome/browser/ui/webui/chrome_url_data_manager_backend.cc
+++ b/chrome/browser/ui/webui/chrome_url_data_manager_backend.cc
@@ -88,12 +88,25 @@ class ChromeURLContentSecurityPolicyExceptionSet
 }
 };
 
-// It is OK to add URLs to this set which slightly reduces the CSP for them.
-class ChromeURLContentSecurityPolicyObjectTagSet
-: public std::set<std::string> {
+// It is OK to add URLs to these maps which map specific URLs to custom CSP
+// directives thereby slightly reducing the protection applied to the page.
+class ChromeURLObjectSrcExceptionMap
+: public std::map<std::string, std::string> {
 public:
-ChromeURLContentSecurityPolicyObjectTagSet() : std::set<std::string>() {
-insert(chrome::kChromeUIPrintHost);
+ChromeURLObjectSrcExceptionMap() : std::map<std::string, std::string>() {
+insert(std::pair<std::string, std::string>(
+chrome::kChromeUIPrintHost, "object-src 'self';"));
+}
+};
+
+class ChromeURLFrameSrcExceptionMap
+: public std::map<std::string, std::string> {
+public:
+ChromeURLFrameSrcExceptionMap() : std::map<std::string, std::string>() {
+insert(std::pair<std::string, std::string>(
+chrome::kChromeUIUberHost, "frame-src chrome:;"));
+insert(std::pair<std::string, std::string>(
+chrome::kChromeUIUberFrameHost, "frame-src chrome:;"));
 }
 };
 
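Review bot: The comment introducing ChromeURLObjectSrcExceptionMap and ChromeURLFrameSrcExceptionMap does not say what a map value must look like, yet AddContentSecurityPolicyHeader (later in this file) appends the value verbatim in place of the default `object-src 'none';` / `frame-src 'none';` directive, so an entry missing its trailing `;` or naming a different directive would silently produce a malformed or weaker header for that host. I would extend the comment with `// Each value is a complete CSP directive, including the trailing ';', that replaces the default 'none' directive for that host; it is appended to the header verbatim.` As a point of style, `std::pair<std::string, std::string>(...)` is spelled out four times; `insert(std::make_pair(chrome::kChromeUIUberHost, "frame-src chrome:;"));` should read more simply, assuming the host constants are character arrays as their use here suggests. The hunk opens on the closing braces of ChromeURLContentSecurityPolicyExceptionSet, whose definition starts outside it.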
@@ -101,9 +114,11 @@ base::LazyInstance<ChromeURLContentSecurityPolicyExceptionSet>
 g_chrome_url_content_security_policy_exception_set =
 LAZY_INSTANCE_INITIALIZER;
 
-base::LazyInstance<ChromeURLContentSecurityPolicyObjectTagSet>
-g_chrome_url_content_security_policy_object_tag_set =
-LAZY_INSTANCE_INITIALIZER;
+base::LazyInstance<ChromeURLObjectSrcExceptionMap>
+g_chrome_url_object_src_exception_map = LAZY_INSTANCE_INITIALIZER;
+
+base::LazyInstance<ChromeURLFrameSrcExceptionMap>
+g_chrome_url_frame_src_exception_map = LAZY_INSTANCE_INITIALIZER;
 
 // Determine the least-privileged content security policy header, if any,
 // that is compatible with a given WebUI URL, and append it to the existing
@@ -115,12 +130,20 @@ void AddContentSecurityPolicyHeader(
 if (exceptions->find(url.host()) == exceptions->end()) {
 std::string base = kChromeURLContentSecurityPolicyHeaderBase;
-ChromeURLContentSecurityPolicyObjectTagSet* object_tag_set =
-g_chrome_url_content_security_policy_object_tag_set.Pointer();
-base.append(object_tag_set->find(url.host()) == object_tag_set->end() ?
-"object-src 'none';" :
-"object-src 'self';");
+ChromeURLObjectSrcExceptionMap* object_map =
+g_chrome_url_object_src_exception_map.Pointer();
+ChromeURLObjectSrcExceptionMap::iterator object_iter =
+object_map->find(url.host());
+base.append(object_iter == object_map->end() ?
+"object-src 'none';" : object_iter->second);
+
+ChromeURLFrameSrcExceptionMap* frame_map =
+g_chrome_url_frame_src_exception_map.Pointer();
+ChromeURLFrameSrcExceptionMap::iterator frame_iter =
+frame_map->find(url.host());
+base.append(frame_iter == frame_map->end() ?
+"frame-src 'none';" : frame_iter->second);
 headers->AddHeader(base);
 }