diff options
| author | wolfbeast <mcwerewolf@gmail.com> | 2018-03-03 11:21:43 +0100 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@gmail.com> | 2018-03-03 11:22:15 +0100 |
| commit | c3039dadd95f5487e84311a9719604fa901aacd7 (patch) | |
| tree | 3168b0b2d41184b89f894821e25ca258d88d6af4 /dom/security/nsCSPUtils.h | |
| parent | 8891f99913d9054c363c0266cf4ee9718cbf474e (diff) | |
| download | UXP-c3039dadd95f5487e84311a9719604fa901aacd7.tar UXP-c3039dadd95f5487e84311a9719604fa901aacd7.tar.gz UXP-c3039dadd95f5487e84311a9719604fa901aacd7.tar.lz UXP-c3039dadd95f5487e84311a9719604fa901aacd7.tar.xz UXP-c3039dadd95f5487e84311a9719604fa901aacd7.zip | |
Add support for CSP v3 "worker-src" directive
Diffstat (limited to 'dom/security/nsCSPUtils.h')
| -rw-r--r-- | dom/security/nsCSPUtils.h | 47 |
1 files changed, 37 insertions, 10 deletions
diff --git a/dom/security/nsCSPUtils.h b/dom/security/nsCSPUtils.h index cfbe83256..91096712a 100644 --- a/dom/security/nsCSPUtils.h +++ b/dom/security/nsCSPUtils.h @@ -93,7 +93,8 @@ static const char* CSPStrDirectives[] = { "child-src", // CHILD_SRC_DIRECTIVE "block-all-mixed-content", // BLOCK_ALL_MIXED_CONTENT "require-sri-for", // REQUIRE_SRI_FOR - "sandbox" // SANDBOX_DIRECTIVE + "sandbox", // SANDBOX_DIRECTIVE + "worker-src" // WORKER_SRC_DIRECTIVE }; inline const char* CSP_CSPDirectiveToString(CSPDirective aDir) @@ -445,7 +446,7 @@ class nsCSPDirective { bool visitSrcs(nsCSPSrcVisitor* aVisitor) const; - private: + protected: CSPDirective mDirective; nsTArray<nsCSPBaseSrc*> mSrcs; }; @@ -453,26 +454,52 @@ class nsCSPDirective { /* =============== nsCSPChildSrcDirective ============= */ /* - * In CSP 2, the child-src directive covers both workers and - * subdocuments (i.e., frames and iframes). Workers were removed - * from script-src, but frames can be controlled by either child-src - * or frame-src directives, so child-src needs to know whether it should - * also restrict frames. When both are present the frame-src directive - * takes precedent. + * In CSP 3 child-src is deprecated. For backwards compatibility + * child-src needs to restrict: + * (*) frames, in case frame-src is not expicitly specified + * (*) workers, in case worker-src is not expicitly specified */ class nsCSPChildSrcDirective : public nsCSPDirective { public: explicit nsCSPChildSrcDirective(CSPDirective aDirective); virtual ~nsCSPChildSrcDirective(); - void setHandleFrameSrc(); + void setRestrictFrames() + { mRestrictFrames = true; } + + void setRestrictWorkers() + { mRestrictWorkers = true; } + + virtual bool restrictsContentType(nsContentPolicyType aContentType) const; + + virtual bool equals(CSPDirective aDirective) const; + + private: + bool mRestrictFrames; + bool mRestrictWorkers; +}; + +/* =============== nsCSPScriptSrcDirective ============= */ + +/* + * In CSP 3 worker-src restricts workers, for backwards compatibily + * script-src has to restrict workers as the ultimate fallback if + * neither worker-src nor child-src is present in a CSP. + */ +class nsCSPScriptSrcDirective : public nsCSPDirective { + public: + explicit nsCSPScriptSrcDirective(CSPDirective aDirective); + virtual ~nsCSPScriptSrcDirective(); + + void setRestrictWorkers() + { mRestrictWorkers = true; } virtual bool restrictsContentType(nsContentPolicyType aContentType) const; virtual bool equals(CSPDirective aDirective) const; private: - bool mHandleFrameSrc; + bool mRestrictWorkers; }; /* =============== nsBlockAllMixedContentDirective === */ |