// Copyright 2020 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
import {ls} from '../platform/platform.js';
import {Issue, IssueCategory, IssueKind, MarkdownIssueDescription} from './Issue.js'; // eslint-disable-line no-unused-vars
import {IssuesModel} from './IssuesModel.js'; // eslint-disable-line no-unused-vars
export class ContentSecurityPolicyIssue extends Issue {
  /**
   * Wraps one Content Security Policy violation reported through the Audits
   * protocol domain. The code passed to the base class has the form
   * `<ContentSecurityPolicyIssue code>::<violation type>`, the same shape as
   * the exported `*ViolationCode` constants in this module.
   *
   * @param {!Protocol.Audits.ContentSecurityPolicyIssueDetails} issueDetails
   * @param {!IssuesModel} issuesModel
   */
  constructor(issueDetails, issuesModel) {
    const codeParts = [
      Protocol.Audits.InspectorIssueCode.ContentSecurityPolicyIssue,
      issueDetails.contentSecurityPolicyViolationType,
    ];
    super(codeParts.join('::'), issuesModel);
    // Stored by reference, not copied: details() returns this same object.
    this._issueDetails = issueDetails;
  }

  /**
   * Category under which this issue is reported.
   *
   * @override
   * @return {!IssueCategory}
   */
  getCategory() {
    return IssueCategory.ContentSecurityPolicy;
  }

  /**
   * Builds the identity string for this issue from a fixed set of detail
   * properties. Details that differ only in properties outside that set
   * produce the same key.
   *
   * @override
   * @return {string}
   */
  primaryKey() {
    // An array replacer acts as an allowlist that JSON.stringify applies at
    // every nesting level, so nested objects are filtered by the same names.
    // NOTE(review): 'url', 'lineNumber' and 'columnNumber' presumably belong to
    // the nested sourceCodeLocation object; confirm against the protocol
    // definition.
    const keyFields = [
      'blockedURL',
      'contentSecurityPolicyViolationType',
      'violatedDirective',
      'isReportOnly',
      'sourceCodeLocation',
      'url',
      'lineNumber',
      'columnNumber',
      'violatingNodeId',
    ];
    return JSON.stringify(this._issueDetails, keyFields);
  }

  /**
   * Looks up the description registered for this issue's violation type.
   * Returns null when the type has no entry in `issueDescriptions`, so
   * callers must handle a violation that carries no description.
   *
   * @override
   * @returns {?MarkdownIssueDescription}
   */
  getDescription() {
    const violationType = this._issueDetails.contentSecurityPolicyViolationType;
    // A missing entry yields undefined from Map#get; normalise it to null.
    return issueDescriptions.get(violationType) || null;
  }

  /**
   * Raw protocol details this issue was constructed with.
   *
   * @returns {!Protocol.Audits.ContentSecurityPolicyIssueDetails}
   */
  details() {
    return this._issueDetails;
  }
}
// Description records, one per handled CSP violation type. Each names the
// markdown file holding the issue text, the issue kind, and one reference
// link. They are looked up by violation type through `issueDescriptions`.

// A URL-based violation (KURLViolation).
const cspURLViolation = {
  file: 'issues/descriptions/cspURLViolation.md',
  substitutions: undefined,
  issueKind: IssueKind.BreakingChange,
  links: [
    {
      link: 'https://developers.google.com/web/fundamentals/security/csp#source_allowlists',
      linkTitle: ls`Content Security Policy - Source Allowlists`,
    },
  ],
};

// An inline-code violation (KInlineViolation).
const cspInlineViolation = {
  file: 'issues/descriptions/cspInlineViolation.md',
  substitutions: undefined,
  issueKind: IssueKind.BreakingChange,
  links: [
    {
      link: 'https://developers.google.com/web/fundamentals/security/csp#inline_code_is_considered_harmful',
      linkTitle: ls`Content Security Policy - Inline Code`,
    },
  ],
};

// An eval violation (KEvalViolation).
const cspEvalViolation = {
  file: 'issues/descriptions/cspEvalViolation.md',
  substitutions: undefined,
  issueKind: IssueKind.BreakingChange,
  links: [
    {
      link: 'https://developers.google.com/web/fundamentals/security/csp#eval_too',
      linkTitle: ls`Content Security Policy - Eval`,
    },
  ],
};

// A Trusted Types sink violation (KTrustedTypesSinkViolation).
const cspTrustedTypesSinkViolation = {
  file: 'issues/descriptions/cspTrustedTypesSinkViolation.md',
  substitutions: undefined,
  issueKind: IssueKind.BreakingChange,
  links: [
    {
      link: 'https://web.dev/trusted-types/#fix-the-violations',
      linkTitle: ls`Trusted Types - Fix violations`,
    },
  ],
};

// A Trusted Types policy violation (KTrustedTypesPolicyViolation).
const cspTrustedTypesPolicyViolation = {
  file: 'issues/descriptions/cspTrustedTypesPolicyViolation.md',
  substitutions: undefined,
  issueKind: IssueKind.BreakingChange,
  links: [
    {
      link: 'https://web.dev/trusted-types/',
      linkTitle: ls`Trusted Types - Policy violation`,
    },
  ],
};
// Exported issue codes, one per handled violation type. Each is built the same
// way the ContentSecurityPolicyIssue constructor builds its code (inspector
// issue code and violation type joined by '::'), so these strings can be
// compared against the code of a constructed issue.

/**
 * Issue code for a URL violation.
 * @type {string}
 */
export const urlViolationCode = [
  Protocol.Audits.InspectorIssueCode.ContentSecurityPolicyIssue,
  Protocol.Audits.ContentSecurityPolicyViolationType.KURLViolation,
].join('::');

/**
 * Issue code for an inline-code violation.
 * @type {string}
 */
export const inlineViolationCode = [
  Protocol.Audits.InspectorIssueCode.ContentSecurityPolicyIssue,
  Protocol.Audits.ContentSecurityPolicyViolationType.KInlineViolation,
].join('::');

/**
 * Issue code for an eval violation.
 * @type {string}
 */
export const evalViolationCode = [
  Protocol.Audits.InspectorIssueCode.ContentSecurityPolicyIssue,
  Protocol.Audits.ContentSecurityPolicyViolationType.KEvalViolation,
].join('::');

/**
 * Issue code for a Trusted Types sink violation.
 * @type {string}
 */
export const trustedTypesSinkViolationCode = [
  Protocol.Audits.InspectorIssueCode.ContentSecurityPolicyIssue,
  Protocol.Audits.ContentSecurityPolicyViolationType.KTrustedTypesSinkViolation,
].join('::');

/**
 * Issue code for a Trusted Types policy violation.
 * @type {string}
 */
export const trustedTypesPolicyViolationCode = [
  Protocol.Audits.InspectorIssueCode.ContentSecurityPolicyIssue,
  Protocol.Audits.ContentSecurityPolicyViolationType.KTrustedTypesPolicyViolation,
].join('::');
// Lookup table from violation type to its description record. Only the five
// types listed here are handled; for any other type
// ContentSecurityPolicyIssue#getDescription() returns null.
// TODO(crbug.com/1082628): Add handling of other CSP violation types later as they'll need more work.
/** @type {!Map<!Protocol.Audits.ContentSecurityPolicyViolationType, !MarkdownIssueDescription>} */
const issueDescriptions = new Map([
  [
    Protocol.Audits.ContentSecurityPolicyViolationType.KURLViolation,
    cspURLViolation,
  ],
  [
    Protocol.Audits.ContentSecurityPolicyViolationType.KInlineViolation,
    cspInlineViolation,
  ],
  [
    Protocol.Audits.ContentSecurityPolicyViolationType.KEvalViolation,
    cspEvalViolation,
  ],
  [
    Protocol.Audits.ContentSecurityPolicyViolationType.KTrustedTypesSinkViolation,
    cspTrustedTypesSinkViolation,
  ],
  [
    Protocol.Audits.ContentSecurityPolicyViolationType.KTrustedTypesPolicyViolation,
    cspTrustedTypesPolicyViolation,
  ],
]);