chromium/src/third_party/blink/renderer/core/frame/csp/csp_directive_list.h - manifest_repos/chromium_src - Git at Google

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_CSP_DIRECTIVE_LIST_H_
 #define THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_CSP_DIRECTIVE_LIST_H_

 #include "base/macros.h"
 #include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
 #include "third_party/blink/renderer/platform/heap/handle.h"
 #include "third_party/blink/renderer/platform/loader/fetch/resource_request.h"
 #include "third_party/blink/renderer/platform/network/content_security_policy_parsers.h"
 #include "third_party/blink/renderer/platform/network/http_parsers.h"
 #include "third_party/blink/renderer/platform/weborigin/reporting_disposition.h"
 #include "third_party/blink/renderer/platform/wtf/text/atomic_string.h"
 #include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
 #include "third_party/blink/renderer/platform/wtf/vector.h"

 namespace blink {

 class KURL;
 class SecurityOrigin;

 enum class ResourceType : uint8_t;

 struct CORE_EXPORT CSPOperativeDirective {
   CSPDirectiveName type;
   const network::mojom::blink::CSPSourceList* source_list;
 };

 CORE_EXPORT
 network::mojom::blink::ContentSecurityPolicyPtr CSPDirectiveListParse(
     ContentSecurityPolicy*,
     const UChar* begin,
     const UChar* end,
     const SecurityOrigin& self_origin,
     network::mojom::ContentSecurityPolicyType,
     network::mojom::ContentSecurityPolicySource,
     bool should_parse_wasm_eval = false);

 CORE_EXPORT
 bool CSPDirectiveListIsReportOnly(
     const network::mojom::blink::ContentSecurityPolicy& csp);

 CORE_EXPORT
 bool CSPDirectiveListAllowFromSource(
     const network::mojom::blink::ContentSecurityPolicy& csp,
     ContentSecurityPolicy* policy,
     CSPDirectiveName type,
     const KURL& url,
     const KURL& url_before_redirects,
     ResourceRequest::RedirectStatus redirect_status,
     ReportingDisposition reporting_disposition,
     const String& nonce = String(),
     const IntegrityMetadataSet& hashes = IntegrityMetadataSet(),
     ParserDisposition parser_disposition = kParserInserted);

 CORE_EXPORT
 bool CSPDirectiveListAllowTrustedTypeAssignmentFailure(
     const network::mojom::blink::ContentSecurityPolicy& csp,
     ContentSecurityPolicy* policy,
     const String& message,
     const String& sample,
     const String& sample_prefix);

 CORE_EXPORT
 bool CSPDirectiveListAllowTrustedTypePolicy(
     const network::mojom::blink::ContentSecurityPolicy& csp,
     ContentSecurityPolicy* policy,
     const String& policy_name,
     bool is_duplicate,
     ContentSecurityPolicy::AllowTrustedTypePolicyDetails& violation_details);

 CORE_EXPORT
 bool CSPDirectiveListRequiresTrustedTypes(
     const network::mojom::blink::ContentSecurityPolicy& csp);

 CORE_EXPORT
 bool CSPDirectiveListAllowInline(
     const network::mojom::blink::ContentSecurityPolicy& csp,
     ContentSecurityPolicy* policy,
     ContentSecurityPolicy::InlineType inline_type,
     Element* element,
     const String& content,
     const String& nonce,
     const String& context_url,
     const WTF::OrdinalNumber& context_line,
     ReportingDisposition reporting_disposition);

 // Returns whether or not the Javascript code generation should call back the
 // CSP checker before any script evaluation from a string is being made.
 CORE_EXPORT
 bool CSPDirectiveListShouldCheckEval(
     const network::mojom::blink::ContentSecurityPolicy& csp);

 CORE_EXPORT
 bool CSPDirectiveListAllowEval(
     const network::mojom::blink::ContentSecurityPolicy& csp,
     ContentSecurityPolicy* policy,
     ReportingDisposition reporting_disposition,
     ContentSecurityPolicy::ExceptionStatus exception_status,
     const String& content);

 CORE_EXPORT
 bool CSPDirectiveListAllowWasmEval(
     const network::mojom::blink::ContentSecurityPolicy& csp,
     ContentSecurityPolicy* policy,
     ReportingDisposition reporting_disposition,
     ContentSecurityPolicy::ExceptionStatus exception_status,
     const String& content);

 CORE_EXPORT
 bool CSPDirectiveListShouldDisableEval(
     const network::mojom::blink::ContentSecurityPolicy& csp,
     String& error_message);

 CORE_EXPORT
 bool CSPDirectiveListAllowDynamic(
     const network::mojom::blink::ContentSecurityPolicy& csp,
     CSPDirectiveName directive_type);

 CORE_EXPORT
 bool CSPDirectiveListAllowHash(
     const network::mojom::blink::ContentSecurityPolicy& csp,
     const network::mojom::blink::CSPHashSource& hash_value,
     const ContentSecurityPolicy::InlineType inline_type);

 // We consider `object-src` restrictions to be reasonable iff they're
 // equivalent to `object-src 'none'`.
 CORE_EXPORT
 bool CSPDirectiveListIsObjectRestrictionReasonable(
     const network::mojom::blink::ContentSecurityPolicy& csp);

 // We consider `base-uri` restrictions to be reasonable iff they're equivalent
 // to `base-uri 'none'` or `base-uri 'self'`.
 CORE_EXPORT
 bool CSPDirectiveListIsBaseRestrictionReasonable(
     const network::mojom::blink::ContentSecurityPolicy& csp);

 // We consider `script-src` restrictions to be reasonable iff they're not
 // URL-based (e.g. they contain only nonces and hashes, or they use
 // 'strict-dynamic'). Neither `'unsafe-eval'` nor `'unsafe-hashes'` affect
 // this judgement.
 CORE_EXPORT
 bool CSPDirectiveListIsScriptRestrictionReasonable(
     const network::mojom::blink::ContentSecurityPolicy& csp);

 CORE_EXPORT
 bool CSPDirectiveListIsActiveForConnections(
     const network::mojom::blink::ContentSecurityPolicy& csp);

 // Return the operative directive name and CSPSourceList for a given directive
 // name, falling back to generic directives according to Content Security
 // Policies rules. For example, if 'default-src' is defined but 'media-src' is
 // not, OperativeDirective(CSPDirectiveName::MediaSrc) will return type
 // CSPDirectiveName::DefaultSrc and the corresponding CSPSourceList. If no
 // operative directive for the given type is defined, this will return
 // CSPDirectiveName::Unknown and nullptr.
 CORE_EXPORT
 CSPOperativeDirective CSPDirectiveListOperativeDirective(
     const network::mojom::blink::ContentSecurityPolicy& csp,
     CSPDirectiveName type);

 }  // namespace blink

 #endif  // THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_CSP_DIRECTIVE_LIST_H_
	// Copyright 2014 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_CSP_DIRECTIVE_LIST_H_
	#define THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_CSP_DIRECTIVE_LIST_H_

	#include "base/macros.h"
	#include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
	#include "third_party/blink/renderer/platform/heap/handle.h"
	#include "third_party/blink/renderer/platform/loader/fetch/resource_request.h"
	#include "third_party/blink/renderer/platform/network/content_security_policy_parsers.h"
	#include "third_party/blink/renderer/platform/network/http_parsers.h"
	#include "third_party/blink/renderer/platform/weborigin/reporting_disposition.h"
	#include "third_party/blink/renderer/platform/wtf/text/atomic_string.h"
	#include "third_party/blink/renderer/platform/wtf/text/wtf_string.h"
	#include "third_party/blink/renderer/platform/wtf/vector.h"

	namespace blink {

	class KURL;
	class SecurityOrigin;

	enum class ResourceType : uint8_t;

	struct CORE_EXPORT CSPOperativeDirective {
	CSPDirectiveName type;
	const network::mojom::blink::CSPSourceList* source_list;
	};

	CORE_EXPORT
	network::mojom::blink::ContentSecurityPolicyPtr CSPDirectiveListParse(
	ContentSecurityPolicy*,
	const UChar* begin,
	const UChar* end,
	const SecurityOrigin& self_origin,
	network::mojom::ContentSecurityPolicyType,
	network::mojom::ContentSecurityPolicySource,
	bool should_parse_wasm_eval = false);

	CORE_EXPORT
	bool CSPDirectiveListIsReportOnly(
	const network::mojom::blink::ContentSecurityPolicy& csp);

	CORE_EXPORT
	bool CSPDirectiveListAllowFromSource(
	const network::mojom::blink::ContentSecurityPolicy& csp,
	ContentSecurityPolicy* policy,
	CSPDirectiveName type,
	const KURL& url,
	const KURL& url_before_redirects,
	ResourceRequest::RedirectStatus redirect_status,
	ReportingDisposition reporting_disposition,
	const String& nonce = String(),
	const IntegrityMetadataSet& hashes = IntegrityMetadataSet(),
	ParserDisposition parser_disposition = kParserInserted);

	CORE_EXPORT
	bool CSPDirectiveListAllowTrustedTypeAssignmentFailure(
	const network::mojom::blink::ContentSecurityPolicy& csp,
	ContentSecurityPolicy* policy,
	const String& message,
	const String& sample,
	const String& sample_prefix);

	CORE_EXPORT
	bool CSPDirectiveListAllowTrustedTypePolicy(
	const network::mojom::blink::ContentSecurityPolicy& csp,
	ContentSecurityPolicy* policy,
	const String& policy_name,
	bool is_duplicate,
	ContentSecurityPolicy::AllowTrustedTypePolicyDetails& violation_details);

	CORE_EXPORT
	bool CSPDirectiveListRequiresTrustedTypes(
	const network::mojom::blink::ContentSecurityPolicy& csp);

	CORE_EXPORT
	bool CSPDirectiveListAllowInline(
	const network::mojom::blink::ContentSecurityPolicy& csp,
	ContentSecurityPolicy* policy,
	ContentSecurityPolicy::InlineType inline_type,
	Element* element,
	const String& content,
	const String& nonce,
	const String& context_url,
	const WTF::OrdinalNumber& context_line,
	ReportingDisposition reporting_disposition);

	// Returns whether or not the Javascript code generation should call back the
	// CSP checker before any script evaluation from a string is being made.
	CORE_EXPORT
	bool CSPDirectiveListShouldCheckEval(
	const network::mojom::blink::ContentSecurityPolicy& csp);

	CORE_EXPORT
	bool CSPDirectiveListAllowEval(
	const network::mojom::blink::ContentSecurityPolicy& csp,
	ContentSecurityPolicy* policy,
	ReportingDisposition reporting_disposition,
	ContentSecurityPolicy::ExceptionStatus exception_status,
	const String& content);

	CORE_EXPORT
	bool CSPDirectiveListAllowWasmEval(
	const network::mojom::blink::ContentSecurityPolicy& csp,
	ContentSecurityPolicy* policy,
	ReportingDisposition reporting_disposition,
	ContentSecurityPolicy::ExceptionStatus exception_status,
	const String& content);

	CORE_EXPORT
	bool CSPDirectiveListShouldDisableEval(
	const network::mojom::blink::ContentSecurityPolicy& csp,
	String& error_message);

	CORE_EXPORT
	bool CSPDirectiveListAllowDynamic(
	const network::mojom::blink::ContentSecurityPolicy& csp,
	CSPDirectiveName directive_type);

	CORE_EXPORT
	bool CSPDirectiveListAllowHash(
	const network::mojom::blink::ContentSecurityPolicy& csp,
	const network::mojom::blink::CSPHashSource& hash_value,
	const ContentSecurityPolicy::InlineType inline_type);

	// We consider `object-src` restrictions to be reasonable iff they're
	// equivalent to `object-src 'none'`.
	CORE_EXPORT
	bool CSPDirectiveListIsObjectRestrictionReasonable(
	const network::mojom::blink::ContentSecurityPolicy& csp);

	// We consider `base-uri` restrictions to be reasonable iff they're equivalent
	// to `base-uri 'none'` or `base-uri 'self'`.
	CORE_EXPORT
	bool CSPDirectiveListIsBaseRestrictionReasonable(
	const network::mojom::blink::ContentSecurityPolicy& csp);

	// We consider `script-src` restrictions to be reasonable iff they're not
	// URL-based (e.g. they contain only nonces and hashes, or they use
	// 'strict-dynamic'). Neither `'unsafe-eval'` nor `'unsafe-hashes'` affect
	// this judgement.
	CORE_EXPORT
	bool CSPDirectiveListIsScriptRestrictionReasonable(
	const network::mojom::blink::ContentSecurityPolicy& csp);

	CORE_EXPORT
	bool CSPDirectiveListIsActiveForConnections(
	const network::mojom::blink::ContentSecurityPolicy& csp);

	// Return the operative directive name and CSPSourceList for a given directive
	// name, falling back to generic directives according to Content Security
	// Policies rules. For example, if 'default-src' is defined but 'media-src' is
	// not, OperativeDirective(CSPDirectiveName::MediaSrc) will return type
	// CSPDirectiveName::DefaultSrc and the corresponding CSPSourceList. If no
	// operative directive for the given type is defined, this will return
	// CSPDirectiveName::Unknown and nullptr.
	CORE_EXPORT
	CSPOperativeDirective CSPDirectiveListOperativeDirective(
	const network::mojom::blink::ContentSecurityPolicy& csp,
	CSPDirectiveName type);

	} // namespace blink

	#endif // THIRD_PARTY_BLINK_RENDERER_CORE_FRAME_CSP_CSP_DIRECTIVE_LIST_H_