| blob | 423161032d33d77805f2b4bca9be9d385156b50b |
1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
24 // MIME types
38 // There is no not-whitespace character in this document.
47 }
49 }
57 }
61 }
67 }
73 }
76 }
79 // We exclude ftp:// from here. FTP doesn't provide a Content-Type
80 // header which our policy depends on, so we cannot protect any
81 // document from FTP servers.
83 }
93 // SameDomainOrHost() extracts the effective domains (public suffix plus one)
94 // from the two URLs and compare them.
98 }
100 // We don't use Webkit's existing CORS policy implementation since
101 // their policy works in terms of origins, not sites. For example,
102 // when frame is sub.a.com and it is not allowed to access a document
103 // with sub1.a.com. But under Site Isolation, it's allowed.
108 // Many websites are sending back "\"*\"" instead of "*". This is
109 // non-standard practice, and not supported by Chrome. Refer to
110 // CrossOriginAccessControl::passesAccessControlCheck().
112 // TODO(dsjang): * is not allowed for the response from a request
113 // with cookies. This allows for more than what the renderer will
114 // eventually be able to receive, so we won't see illegal cross-site
115 // documents allowed by this. We have to find a way to see if this
116 // response is from a cookie-tagged request or not in the future.
120 // TODO(dsjang): The CORS spec only treats a fully specified URL, except for
121 // "*", but many websites are using just a domain for access_control_origin,
122 // and this is blocked by Webkit's CORS logic here :
123 // CrossOriginAccessControl::passesAccessControlCheck(). GURL is set
124 // is_valid() to false when it is created from a URL containing * in the
125 // domain part.
129 }
131 // This function is a slight modification of |net::SniffForHTML|.
133 // The content sniffer used by Chrome and Firefox are using "<!--"
134 // as one of the HTML signatures, but it also appears in valid
135 // JavaScript, considered as well-formed JS by the browser. Since
136 // we do not want to block any JS, we exclude it from our HTML
137 // signatures. This can weaken our document block policy, but we can
138 // break less websites.
139 // TODO(dsjang): parameterize |net::SniffForHTML| with an option
140 // that decides whether to include <!-- or not, so that we can
141 // remove this function.
142 // TODO(dsjang): Once CrossSiteDocumentClassifier is moved into the browser
143 // process, we should do single-thread checking here for the static
144 // initializer.
162 };
168 // If we cannot find "<!--", we fail sniffing this as HTML.
173 // Search for --> and do SniffForHTML after that. If we can find the
174 // comment's end, we start HTML sniffing from there again.
180 // Proceed to the index next to the ending comment (-->).
182 }
185 }
188 // TODO(dsjang): Chrome's mime_sniffer is using strncasecmp() for
189 // this signature. However, XML is case-sensitive. Don't we have to
190 // be more lenient only to block documents starting with the exact
191 // string <?xml rather than <?XML ?
192 // TODO(dsjang): Once CrossSiteDocumentClassifier is moved into the browser
193 // process, we should do single-thread checking here for the static
194 // initializer.
197 }
200 // TODO(dsjang): We have to come up with a better way to sniff
201 // JSON. However, even RE cannot help us that much due to the fact
202 // that we don't do full parsing. This DFA starts with state 0, and
203 // finds {, "/' and : in that order. We're avoiding adding a
204 // dependency on a regular expression library.
206 kStartState,
207 kLeftBraceState,
208 kLeftQuoteState,
209 kColonState,
210 kTerminalState,
223 else
229 else
240 }
241 }
243 }