2 * Copyright (C) 2011 Google, Inc. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY GOOGLE INC. ``AS IS'' AND ANY
14 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
16 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR
17 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
18 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
19 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
20 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
21 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26 #ifndef ContentSecurityPolicy_h
27 #define ContentSecurityPolicy_h
29 #include <wtf/Vector.h>
30 #include <wtf/text/WTFString.h>
38 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> {
40 static PassRefPtr<ContentSecurityPolicy> create(Document* document)
42 return adoptRef(new ContentSecurityPolicy(document));
44 ~ContentSecurityPolicy();
51 void didReceiveHeader(const String&, HeaderType);
53 bool allowJavaScriptURLs() const;
54 bool allowInlineEventHandlers() const;
55 bool allowInlineScript() const;
56 bool allowInlineStyle() const;
57 bool allowEval() const;
59 bool allowScriptFromSource(const KURL&) const;
60 bool allowObjectFromSource(const KURL&) const;
61 bool allowChildFrameFromSource(const KURL&) const;
62 bool allowImageFromSource(const KURL&) const;
63 bool allowStyleFromSource(const KURL&) const;
64 bool allowFontFromSource(const KURL&) const;
65 bool allowMediaFromSource(const KURL&) const;
68 explicit ContentSecurityPolicy(Document*);
70 void parse(const String&);
71 bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
72 void parseReportURI(const String&);
73 void addDirective(const String& name, const String& value);
75 PassOwnPtr<CSPDirective> createCSPDirective(const String& name, const String& value);
77 CSPDirective* operativeDirective(CSPDirective*) const;
78 void reportViolation(const String& directiveText, const String& consoleMessage) const;
79 bool checkEval(CSPDirective*) const;
81 bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const;
82 bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage) const;
83 bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
85 bool denyIfEnforcingPolicy() const { return m_reportOnly; }
91 OwnPtr<CSPDirective> m_defaultSrc;
92 OwnPtr<CSPDirective> m_scriptSrc;
93 OwnPtr<CSPDirective> m_objectSrc;
94 OwnPtr<CSPDirective> m_frameSrc;
95 OwnPtr<CSPDirective> m_imgSrc;
96 OwnPtr<CSPDirective> m_styleSrc;
97 OwnPtr<CSPDirective> m_fontSrc;
98 OwnPtr<CSPDirective> m_mediaSrc;
99 Vector<KURL> m_reportURLs;