chromium/src/third_party/blink/renderer/core/execution_context/security_context.h - manifest_repos/chromium_src - Git at Google

 /*
  * Copyright (C) 2011 Google Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
  *
  * THIS SOFTWARE IS PROVIDED BY GOOGLE, INC. ``AS IS'' AND ANY
  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE COMPUTER, INC. OR
  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  *
  */

 #ifndef THIRD_PARTY_BLINK_RENDERER_CORE_EXECUTION_CONTEXT_SECURITY_CONTEXT_H_
 #define THIRD_PARTY_BLINK_RENDERER_CORE_EXECUTION_CONTEXT_SECURITY_CONTEXT_H_

 #include <memory>

 #include "base/macros.h"
 #include "base/memory/scoped_refptr.h"
 #include "services/network/public/mojom/web_sandbox_flags.mojom-blink-forward.h"
 #include "third_party/blink/public/mojom/feature_policy/document_policy_feature.mojom-blink-forward.h"
 #include "third_party/blink/public/mojom/feature_policy/feature_policy.mojom-blink-forward.h"
 #include "third_party/blink/public/mojom/feature_policy/feature_policy_feature.mojom-blink-forward.h"
 #include "third_party/blink/public/mojom/security_context/insecure_request_policy.mojom-blink-forward.h"
 #include "third_party/blink/public/platform/web_vector.h"
 #include "third_party/blink/renderer/core/core_export.h"
 #include "third_party/blink/renderer/platform/heap/handle.h"
 #include "third_party/blink/renderer/platform/wtf/forward.h"
 #include "third_party/blink/renderer/platform/wtf/hash_set.h"
 #include "third_party/blink/renderer/platform/wtf/text/string_hash.h"

 namespace blink {

 class ContentSecurityPolicy;
 class DocumentPolicy;
 class ExecutionContext;
 class FeaturePolicy;
 class PolicyValue;
 class SecurityOrigin;
 struct ParsedFeaturePolicyDeclaration;

 using ParsedFeaturePolicy = std::vector<ParsedFeaturePolicyDeclaration>;

 enum class SecureContextMode { kInsecureContext, kSecureContext };

 // Explanation as to why |SecureContextMode| was set as it was set.
 enum class SecureContextModeExplanation {
   kSecure,
   kSecureLocalhost,
   kInsecureScheme,
   kInsecureAncestor,
 };

 // Whether to report policy violations when checking whether a feature is
 // enabled.
 enum class ReportOptions { kReportOnFailure, kDoNotReport };

 // Defines the security properties (such as the security origin, content
 // security policy, and other restrictions) of an environment in which
 // script execution or other activity may occur.
 //
 // Mostly 1:1 with ExecutionContext, except that while remote (i.e.,
 // out-of-process) environments do not have an ExecutionContext in the local
 // process (as execution cannot occur locally), they do have a SecurityContext
 // to allow those properties to be queried.
 class CORE_EXPORT SecurityContext {
   DISALLOW_NEW();

  public:
   explicit SecurityContext(ExecutionContext*);
   SecurityContext(const SecurityContext&) = delete;
   SecurityContext& operator=(const SecurityContext&) = delete;
   virtual ~SecurityContext();

   void Trace(Visitor*) const;

   using InsecureNavigationsSet = HashSet<unsigned, WTF::AlreadyHashed>;
   static WTF::Vector<unsigned> SerializeInsecureNavigationSet(
       const InsecureNavigationsSet&);

   const SecurityOrigin* GetSecurityOrigin() const {
     return security_origin_.get();
   }
   SecurityOrigin* GetMutableSecurityOrigin() { return security_origin_.get(); }

   ContentSecurityPolicy* GetContentSecurityPolicy() const {
     return content_security_policy_.Get();
   }
   void SetContentSecurityPolicy(ContentSecurityPolicy*);

   // Explicitly override the security origin for this security context with
   // safety CHECKs.
   void SetSecurityOrigin(scoped_refptr<SecurityOrigin>);

   // Like SetSecurityOrigin(), but no security CHECKs.
   void SetSecurityOriginForTesting(scoped_refptr<SecurityOrigin>);

   network::mojom::blink::WebSandboxFlags GetSandboxFlags() const {
     return sandbox_flags_;
   }
   bool IsSandboxed(network::mojom::blink::WebSandboxFlags mask) const;
   void SetSandboxFlags(network::mojom::blink::WebSandboxFlags flags);

   void SetRequireTrustedTypes();
   void SetRequireTrustedTypesForTesting();  // Skips sanity checks.
   bool TrustedTypesRequiredByPolicy() const;

   // https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-insecure-navigations-set
   void SetInsecureNavigationsSet(const WebVector<unsigned>& set) {
     insecure_navigations_to_upgrade_.clear();
     for (unsigned hash : set)
       insecure_navigations_to_upgrade_.insert(hash);
   }
   void AddInsecureNavigationUpgrade(unsigned hashed_host) {
     insecure_navigations_to_upgrade_.insert(hashed_host);
   }
   const InsecureNavigationsSet& InsecureNavigationsToUpgrade() const {
     return insecure_navigations_to_upgrade_;
   }
   void ClearInsecureNavigationsToUpgradeForTest() {
     insecure_navigations_to_upgrade_.clear();
   }

   // https://w3c.github.io/webappsec-upgrade-insecure-requests/#insecure-requests-policy
   void SetInsecureRequestPolicy(mojom::blink::InsecureRequestPolicy policy) {
     insecure_request_policy_ = policy;
   }
   mojom::blink::InsecureRequestPolicy GetInsecureRequestPolicy() const {
     return insecure_request_policy_;
   }

   const FeaturePolicy* GetFeaturePolicy() const {
     return feature_policy_.get();
   }
   const FeaturePolicy* GetReportOnlyFeaturePolicy() const {
     return report_only_feature_policy_.get();
   }
   void SetFeaturePolicy(std::unique_ptr<FeaturePolicy>);
   void SetReportOnlyFeaturePolicy(std::unique_ptr<FeaturePolicy>);

   const DocumentPolicy* GetDocumentPolicy() const {
     return document_policy_.get();
   }
   void SetDocumentPolicy(std::unique_ptr<DocumentPolicy> policy);

   const DocumentPolicy* GetReportOnlyDocumentPolicy() const {
     return report_only_document_policy_.get();
   }
   void SetReportOnlyDocumentPolicy(std::unique_ptr<DocumentPolicy> policy);

   // Tests whether the policy-controlled feature is enabled in this frame.
   // Use ExecutionContext::IsFeatureEnabled if a failure should be reported.
   // |should_report| is an extra return value that indicates whether
   // the potential violation should be reported.
   bool IsFeatureEnabled(mojom::blink::FeaturePolicyFeature,
                         bool* should_report = nullptr) const;

   bool IsFeatureEnabled(mojom::blink::DocumentPolicyFeature) const;
   struct FeatureStatus {
     bool enabled;       /* Whether the feature is enabled. */
     bool should_report; /* Whether a report should be sent. */
   };
   FeatureStatus IsFeatureEnabled(mojom::blink::DocumentPolicyFeature,
                                  PolicyValue threshold_value) const;

   SecureContextMode GetSecureContextMode() const {
     return secure_context_mode_;
   }

   SecureContextModeExplanation GetSecureContextModeExplanation() const {
     return secure_context_explanation_;
   }

  protected:
   network::mojom::blink::WebSandboxFlags sandbox_flags_;
   scoped_refptr<SecurityOrigin> security_origin_;
   std::unique_ptr<FeaturePolicy> feature_policy_;
   std::unique_ptr<FeaturePolicy> report_only_feature_policy_;
   std::unique_ptr<DocumentPolicy> document_policy_;
   std::unique_ptr<DocumentPolicy> report_only_document_policy_;

  private:
   // execution_context_ will be nullptr if this is a RemoteSecurityContext.
   Member<ExecutionContext> execution_context_;
   Member<ContentSecurityPolicy> content_security_policy_;
   mojom::blink::InsecureRequestPolicy insecure_request_policy_;
   InsecureNavigationsSet insecure_navigations_to_upgrade_;
   bool require_safe_types_ = false;
   SecureContextMode secure_context_mode_ = SecureContextMode::kInsecureContext;
   SecureContextModeExplanation secure_context_explanation_ =
       SecureContextModeExplanation::kInsecureScheme;
 };

 }  // namespace blink

 #endif  // THIRD_PARTY_BLINK_RENDERER_CORE_EXECUTION_CONTEXT_SECURITY_CONTEXT_H_
	/*
	* Copyright (C) 2011 Google Inc. All Rights Reserved.
	*
	* Redistribution and use in source and binary forms, with or without
	* modification, are permitted provided that the following conditions
	* are met:
	* 1. Redistributions of source code must retain the above copyright
	* notice, this list of conditions and the following disclaimer.
	* 2. Redistributions in binary form must reproduce the above copyright
	* notice, this list of conditions and the following disclaimer in the
	* documentation and/or other materials provided with the distribution.
	*
	* THIS SOFTWARE IS PROVIDED BY GOOGLE, INC. ``AS IS'' AND ANY
	* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR
	* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
	* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
	* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
	* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
	* OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	*
	*/

	#ifndef THIRD_PARTY_BLINK_RENDERER_CORE_EXECUTION_CONTEXT_SECURITY_CONTEXT_H_
	#define THIRD_PARTY_BLINK_RENDERER_CORE_EXECUTION_CONTEXT_SECURITY_CONTEXT_H_

	#include <memory>

	#include "base/macros.h"
	#include "base/memory/scoped_refptr.h"
	#include "services/network/public/mojom/web_sandbox_flags.mojom-blink-forward.h"
	#include "third_party/blink/public/mojom/feature_policy/document_policy_feature.mojom-blink-forward.h"
	#include "third_party/blink/public/mojom/feature_policy/feature_policy.mojom-blink-forward.h"
	#include "third_party/blink/public/mojom/feature_policy/feature_policy_feature.mojom-blink-forward.h"
	#include "third_party/blink/public/mojom/security_context/insecure_request_policy.mojom-blink-forward.h"
	#include "third_party/blink/public/platform/web_vector.h"
	#include "third_party/blink/renderer/core/core_export.h"
	#include "third_party/blink/renderer/platform/heap/handle.h"
	#include "third_party/blink/renderer/platform/wtf/forward.h"
	#include "third_party/blink/renderer/platform/wtf/hash_set.h"
	#include "third_party/blink/renderer/platform/wtf/text/string_hash.h"

	namespace blink {

	class ContentSecurityPolicy;
	class DocumentPolicy;
	class ExecutionContext;
	class FeaturePolicy;
	class PolicyValue;
	class SecurityOrigin;
	struct ParsedFeaturePolicyDeclaration;

	using ParsedFeaturePolicy = std::vector<ParsedFeaturePolicyDeclaration>;

	enum class SecureContextMode { kInsecureContext, kSecureContext };

	// Explanation as to why \|SecureContextMode\| was set as it was set.
	enum class SecureContextModeExplanation {
	kSecure,
	kSecureLocalhost,
	kInsecureScheme,
	kInsecureAncestor,
	};

	// Whether to report policy violations when checking whether a feature is
	// enabled.
	enum class ReportOptions { kReportOnFailure, kDoNotReport };

	// Defines the security properties (such as the security origin, content
	// security policy, and other restrictions) of an environment in which
	// script execution or other activity may occur.
	//
	// Mostly 1:1 with ExecutionContext, except that while remote (i.e.,
	// out-of-process) environments do not have an ExecutionContext in the local
	// process (as execution cannot occur locally), they do have a SecurityContext
	// to allow those properties to be queried.
	class CORE_EXPORT SecurityContext {
	DISALLOW_NEW();

	public:
	explicit SecurityContext(ExecutionContext*);
	SecurityContext(const SecurityContext&) = delete;
	SecurityContext& operator=(const SecurityContext&) = delete;
	virtual ~SecurityContext();

	void Trace(Visitor*) const;

	using InsecureNavigationsSet = HashSet<unsigned, WTF::AlreadyHashed>;
	static WTF::Vector<unsigned> SerializeInsecureNavigationSet(
	const InsecureNavigationsSet&);

	const SecurityOrigin* GetSecurityOrigin() const {
	return security_origin_.get();
	}
	SecurityOrigin* GetMutableSecurityOrigin() { return security_origin_.get(); }

	ContentSecurityPolicy* GetContentSecurityPolicy() const {
	return content_security_policy_.Get();
	}
	void SetContentSecurityPolicy(ContentSecurityPolicy*);

	// Explicitly override the security origin for this security context with
	// safety CHECKs.
	void SetSecurityOrigin(scoped_refptr<SecurityOrigin>);

	// Like SetSecurityOrigin(), but no security CHECKs.
	void SetSecurityOriginForTesting(scoped_refptr<SecurityOrigin>);

	network::mojom::blink::WebSandboxFlags GetSandboxFlags() const {
	return sandbox_flags_;
	}
	bool IsSandboxed(network::mojom::blink::WebSandboxFlags mask) const;
	void SetSandboxFlags(network::mojom::blink::WebSandboxFlags flags);

	void SetRequireTrustedTypes();
	void SetRequireTrustedTypesForTesting(); // Skips sanity checks.
	bool TrustedTypesRequiredByPolicy() const;

	// https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-insecure-navigations-set
	void SetInsecureNavigationsSet(const WebVector<unsigned>& set) {
	insecure_navigations_to_upgrade_.clear();
	for (unsigned hash : set)
	insecure_navigations_to_upgrade_.insert(hash);
	}
	void AddInsecureNavigationUpgrade(unsigned hashed_host) {
	insecure_navigations_to_upgrade_.insert(hashed_host);
	}
	const InsecureNavigationsSet& InsecureNavigationsToUpgrade() const {
	return insecure_navigations_to_upgrade_;
	}
	void ClearInsecureNavigationsToUpgradeForTest() {
	insecure_navigations_to_upgrade_.clear();
	}

	// https://w3c.github.io/webappsec-upgrade-insecure-requests/#insecure-requests-policy
	void SetInsecureRequestPolicy(mojom::blink::InsecureRequestPolicy policy) {
	insecure_request_policy_ = policy;
	}
	mojom::blink::InsecureRequestPolicy GetInsecureRequestPolicy() const {
	return insecure_request_policy_;
	}

	const FeaturePolicy* GetFeaturePolicy() const {
	return feature_policy_.get();
	}
	const FeaturePolicy* GetReportOnlyFeaturePolicy() const {
	return report_only_feature_policy_.get();
	}
	void SetFeaturePolicy(std::unique_ptr<FeaturePolicy>);
	void SetReportOnlyFeaturePolicy(std::unique_ptr<FeaturePolicy>);

	const DocumentPolicy* GetDocumentPolicy() const {
	return document_policy_.get();
	}
	void SetDocumentPolicy(std::unique_ptr<DocumentPolicy> policy);

	const DocumentPolicy* GetReportOnlyDocumentPolicy() const {
	return report_only_document_policy_.get();
	}
	void SetReportOnlyDocumentPolicy(std::unique_ptr<DocumentPolicy> policy);

	// Tests whether the policy-controlled feature is enabled in this frame.
	// Use ExecutionContext::IsFeatureEnabled if a failure should be reported.
	// \|should_report\| is an extra return value that indicates whether
	// the potential violation should be reported.
	bool IsFeatureEnabled(mojom::blink::FeaturePolicyFeature,
	bool* should_report = nullptr) const;

	bool IsFeatureEnabled(mojom::blink::DocumentPolicyFeature) const;
	struct FeatureStatus {
	bool enabled; /* Whether the feature is enabled. */
	bool should_report; /* Whether a report should be sent. */
	};
	FeatureStatus IsFeatureEnabled(mojom::blink::DocumentPolicyFeature,
	PolicyValue threshold_value) const;

	SecureContextMode GetSecureContextMode() const {
	return secure_context_mode_;
	}

	SecureContextModeExplanation GetSecureContextModeExplanation() const {
	return secure_context_explanation_;
	}

	protected:
	network::mojom::blink::WebSandboxFlags sandbox_flags_;
	scoped_refptr<SecurityOrigin> security_origin_;
	std::unique_ptr<FeaturePolicy> feature_policy_;
	std::unique_ptr<FeaturePolicy> report_only_feature_policy_;
	std::unique_ptr<DocumentPolicy> document_policy_;
	std::unique_ptr<DocumentPolicy> report_only_document_policy_;

	private:
	// execution_context_ will be nullptr if this is a RemoteSecurityContext.
	Member<ExecutionContext> execution_context_;
	Member<ContentSecurityPolicy> content_security_policy_;
	mojom::blink::InsecureRequestPolicy insecure_request_policy_;
	InsecureNavigationsSet insecure_navigations_to_upgrade_;
	bool require_safe_types_ = false;
	SecureContextMode secure_context_mode_ = SecureContextMode::kInsecureContext;
	SecureContextModeExplanation secure_context_explanation_ =
	SecureContextModeExplanation::kInsecureScheme;
	};

	} // namespace blink

	#endif // THIRD_PARTY_BLINK_RENDERER_CORE_EXECUTION_CONTEXT_SECURITY_CONTEXT_H_