Changeset 118585 in webkit


Timestamp:
May 25, 2012 4:29:45 PM (12 years ago)
Author:
commit-queue@webkit.org
Message:

Inline script and style blocked by Content Security Policy should provide more detailed console errors.
https://bugs.webkit.org/show_bug.cgi?id=86848

Patch by Mike West <mkwst@chromium.org> on 2012-05-25
Reviewed by Adam Barth.

Source/WebCore:

This change adds a URL and line number for context to each call to
ContentSecurityPolicy::allowInline*, and pipes it through to the
console message generation in CSPDirectiveList::reportViolation.

Line numbers are not added for injected scripts (document.write(...),
document.body.appendChild, etc.).

Tests: http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html
http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html
http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html
http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html

  • bindings/ScriptControllerBase.cpp:

(WebCore::ScriptController::executeIfJavaScriptURL):

  • bindings/js/JSLazyEventListener.cpp:

(WebCore::JSLazyEventListener::initializeJSFunction):

  • bindings/v8/V8LazyEventListener.cpp:

(WebCore::V8LazyEventListener::prepareListenerObject):

  • dom/ScriptElement.cpp:

(WebCore::ScriptElement::ScriptElement):
(WebCore::ScriptElement::executeScript):

  • dom/ScriptElement.h:

(ScriptElement):

  • dom/StyleElement.cpp:

(WebCore::StyleElement::StyleElement):
(WebCore::StyleElement::createSheet):

  • dom/StyleElement.h:

(StyleElement):

  • dom/StyledElement.cpp:

(WebCore::StyledElement::StyledElement):
(WebCore):
(WebCore::StyledElement::style):
(WebCore::StyledElement::styleAttributeChanged):

  • dom/StyledElement.h:

(StyledElement):

  • page/ContentSecurityPolicy.cpp:

(CSPDirectiveList):
(WebCore::CSPDirectiveList::reportViolation):
(WebCore::CSPDirectiveList::checkInlineAndReportViolation):
(WebCore::CSPDirectiveList::checkEvalAndReportViolation):
(WebCore::CSPDirectiveList::allowJavaScriptURLs):
(WebCore::CSPDirectiveList::allowInlineEventHandlers):
(WebCore::CSPDirectiveList::allowInlineScript):
(WebCore::CSPDirectiveList::allowInlineStyle):
(WebCore::CSPDirectiveList::allowEval):
(WebCore):
(WebCore::isAllowedByAllWithCallStack):
(WebCore::isAllowedByAllWithContext):
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
(WebCore::ContentSecurityPolicy::allowInlineScript):
(WebCore::ContentSecurityPolicy::allowInlineStyle):

  • page/ContentSecurityPolicy.h:

(WTF):

LayoutTests:

  • http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt:
  • http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html: Added.
  • http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt.
  • http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html: Added.
  • http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html: Added.
  • http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html: Added.
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
  • http/tests/security/contentSecurityPolicy/resources/inject-script.js: Added.
  • http/tests/security/contentSecurityPolicy/resources/inject-style.js: Added.
  • http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
  • http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt:
Location:
trunk
Files:
9 added
28 edited
1 copied

  • trunk/LayoutTests/ChangeLog

    r118584 r118585  
     12012-05-25  Mike West  <mkwst@chromium.org>
     2
     3        Inline script and style blocked by Content Security Policy should provide more detailed console errors.
     4        https://bugs.webkit.org/show_bug.cgi?id=86848
     5
     6        Reviewed by Adam Barth.
     7
     8        * http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt:
     9        * http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt:
     10        * http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt: Added.
     11        * http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html: Added.
     12        * http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt.
     13        * http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html: Added.
     14        * http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt: Added.
     15        * http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html: Added.
     16        * http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt: Added.
     17        * http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html: Added.
     18        * http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
     19        * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
     20        * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
     21        * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt:
     22        * http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt:
     23        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
     24        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
     25        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
     26        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
     27        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
     28        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
     29        * http/tests/security/contentSecurityPolicy/resources/inject-script.js: Added.
     30        * http/tests/security/contentSecurityPolicy/resources/inject-style.js: Added.
     31        * http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
     32        * http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt:
     33
    1342012-05-25  Joshua Bell  <jsbell@chromium.org>
    235
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
     1CONSOLE MESSAGE: line 11: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    3 CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
     3CONSOLE MESSAGE: line 14: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
    44
    55This test checks that we enforce all the supplied policies. This test passes if it doesn't alert fail and if the style doesn't apply.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
     1CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
    22
    33CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
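Review bot: The second "Refused to execute inline script" expectation (line 3 of this file) stays without a "line N:" prefix while the first gains "line 9:", and nothing in the expected output says why. Name in the test text or the ChangeLog which inline script in this test produces the un-numbered message, so the asymmetry is not read as a call site that was missed; the same applies to inline-script-blocked-expected.txt.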
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt

    r118584 r118585  
    33CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
    44
    5 This test passes if it doesn't alert fail.
     5
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
     1CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
    22
    33CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt

    r117006 r118585  
    11CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
    22
    3 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
     3CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
    44
    5 CONSOLE MESSAGE: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
     5CONSOLE MESSAGE: line 7: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
    66
    77This test passes if it doesn't alert fail.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt

    r117006 r118585  
    55CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
    66
    7 CONSOLE MESSAGE: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
     7CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
    88
    99This test passes if it doesn't alert fail.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
     1CONSOLE MESSAGE: line 10: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
    22
    33PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
     1CONSOLE MESSAGE: line 5: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
    22
    33PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt

    r117006 r118585  
    55CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
    66
    7 CONSOLE MESSAGE: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'".
     7CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'".
    88
    99CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
     1CONSOLE MESSAGE: line 3: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33ALERT: PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
     1CONSOLE MESSAGE: line 2: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33ALERT: PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
     1CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33ALERT: PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
     1CONSOLE MESSAGE: line 2: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33CSP report received:
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
     1CONSOLE MESSAGE: line 2: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'none'".
     1CONSOLE MESSAGE: line 3: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'none'".
    22
    33 
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt

    r117006 r118585  
    1 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
     1CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33This test passes if it doesn't alert fail.
  • trunk/Source/WebCore/ChangeLog

    r118583 r118585  
     12012-05-25  Mike West  <mkwst@chromium.org>
     2
     3        Inline script and style blocked by Content Security Policy should provide more detailed console errors.
     4        https://bugs.webkit.org/show_bug.cgi?id=86848
     5
     6        Reviewed by Adam Barth.
     7
     8        This change adds a URL and line number for context to each call to
     9        `ContentSecurityPolicy::allowInline*`, and pipes it through to the
     10        console message generation in `CSPDirectiveList::reportViolation`.
     11
     12        Line numbers are not added for injected scripts (`document.write(...)`,
     13        `document.body.appendChild`, and etc.).
     14
     15        Tests: http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html
     16               http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html
     17               http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html
     18               http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html
     19
     20        * bindings/ScriptControllerBase.cpp:
     21        (WebCore::ScriptController::executeIfJavaScriptURL):
     22        * bindings/js/JSLazyEventListener.cpp:
     23        (WebCore::JSLazyEventListener::initializeJSFunction):
     24        * bindings/v8/V8LazyEventListener.cpp:
     25        (WebCore::V8LazyEventListener::prepareListenerObject):
     26        * dom/ScriptElement.cpp:
     27        (WebCore::ScriptElement::ScriptElement):
     28        (WebCore::ScriptElement::executeScript):
     29        * dom/ScriptElement.h:
     30        (ScriptElement):
     31        * dom/StyleElement.cpp:
     32        (WebCore::StyleElement::StyleElement):
     33        (WebCore::StyleElement::createSheet):
     34        * dom/StyleElement.h:
     35        (StyleElement):
     36        * dom/StyledElement.cpp:
     37        (WebCore::StyledElement::StyledElement):
     38        (WebCore):
     39        (WebCore::StyledElement::style):
     40        (WebCore::StyledElement::styleAttributeChanged):
     41        * dom/StyledElement.h:
     42        (StyledElement):
     43        * page/ContentSecurityPolicy.cpp:
     44        (CSPDirectiveList):
     45        (WebCore::CSPDirectiveList::reportViolation):
     46        (WebCore::CSPDirectiveList::checkInlineAndReportViolation):
     47        (WebCore::CSPDirectiveList::checkEvalAndReportViolation):
     48        (WebCore::CSPDirectiveList::allowJavaScriptURLs):
     49        (WebCore::CSPDirectiveList::allowInlineEventHandlers):
     50        (WebCore::CSPDirectiveList::allowInlineScript):
     51        (WebCore::CSPDirectiveList::allowInlineStyle):
     52        (WebCore::CSPDirectiveList::allowEval):
     53        (WebCore):
     54        (WebCore::isAllowedByAllWithCallStack):
     55        (WebCore::isAllowedByAllWithContext):
     56        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
     57        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
     58        (WebCore::ContentSecurityPolicy::allowInlineScript):
     59        (WebCore::ContentSecurityPolicy::allowInlineStyle):
     60        * page/ContentSecurityPolicy.h:
     61        (WTF):
     62
    1632012-05-25  Tim Horton  <timothy_horton@apple.com>
    264
  • trunk/Source/WebCore/bindings/ScriptControllerBase.cpp

    r106043 r118585  
    3333#include "Settings.h"
    3434#include "UserGestureIndicator.h"
     35#include <wtf/text/TextPosition.h>
    3536
    3637namespace WebCore {
     
    7677    if (!m_frame->page()
    7778        || !m_frame->page()->javaScriptURLsAreAllowed()
    78         || !m_frame->document()->contentSecurityPolicy()->allowJavaScriptURLs()
     79        || !m_frame->document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame->document()->url(), eventHandlerPosition().m_line)
    7980        || m_frame->inViewSourceMode())
    8081        return true;
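Review bot: eventHandlerPosition().m_line in the allowJavaScriptURLs() call is the position of an event handler, which is not obviously the position of the javascript: URL being checked, and both updated javascript-URL expectations in this changeset report "line 1". Please confirm that "line 1" is the real location in those tests and not a fallback returned when no handler is running; if it is a fallback, pass WTF::OrdinalNumber::beforeFirst() here so the console does not show a misleading line.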
  • trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp

    r113387 r118585  
    8181        return 0;
    8282
    83     if (!document->contentSecurityPolicy()->allowInlineEventHandlers())
     83    if (!document->contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL, m_position.m_line))
    8484        return 0;
    8585
  • trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp

    r117928 r118585  
    106106        return;
    107107
    108     if (context->isDocument() && !static_cast<Document*>(context)->contentSecurityPolicy()->allowInlineEventHandlers())
     108    if (context->isDocument() && !static_cast<Document*>(context)->contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL, m_position.m_line))
    109109        return;
    110110
  • trunk/Source/WebCore/dom/ScriptElement.cpp

    r118192 r118585  
    4242#include "ScriptSourceCode.h"
    4343#include "ScriptValue.h"
     44#include "ScriptableDocumentParser.h"
    4445#include "SecurityOrigin.h"
    4546#include "Settings.h"
     
    4849#include <wtf/text/StringBuilder.h>
    4950#include <wtf/text/StringHash.h>
     51#include <wtf/text/TextPosition.h>
    5052
    5153#if ENABLE(SVG)
     
    5961    : m_element(element)
    6062    , m_cachedScript(0)
     63    , m_startLineNumber(WTF::OrdinalNumber::beforeFirst())
    6164    , m_parserInserted(parserInserted)
    6265    , m_isExternalScript(false)
     
    7174{
    7275    ASSERT(m_element);
     76    if (parserInserted && m_element->document()->scriptableDocumentParser() && !m_element->document()->isInDocumentWrite())
     77        m_startLineNumber = m_element->document()->scriptableDocumentParser()->lineNumber();
    7378}
    7479
     
    277282        return;
    278283
    279     if (!m_isExternalScript && !m_element->document()->contentSecurityPolicy()->allowInlineScript())
     284    if (!m_isExternalScript && !m_element->document()->contentSecurityPolicy()->allowInlineScript(m_element->document()->url(), m_startLineNumber))
    280285        return;
    281286
  • trunk/Source/WebCore/dom/ScriptElement.h

    r118192 r118585  
    9494    Element* m_element;
    9595    CachedResourceHandle<CachedScript> m_cachedScript;
     96    WTF::OrdinalNumber m_startLineNumber;
    9697    bool m_parserInserted : 1;
    9798    bool m_isExternalScript : 1;
  • trunk/Source/WebCore/dom/StyleElement.cpp

    r118336 r118585  
    3131#include "StyleSheetContents.h"
    3232#include <wtf/text/StringBuilder.h>
     33#include <wtf/text/TextPosition.h>
    3334
    3435namespace WebCore {
     
    4950    : m_createdByParser(createdByParser)
    5051    , m_loading(false)
    51     , m_startLineNumber(0)
    52 {
    53     if (createdByParser && document && document->scriptableDocumentParser())
    54         m_startLineNumber = document->scriptableDocumentParser()->lineNumber().zeroBasedInt();
     52    , m_startLineNumber(WTF::OrdinalNumber::beforeFirst())
     53{
     54    if (createdByParser && document && document->scriptableDocumentParser() && !document->isInDocumentWrite())
     55        m_startLineNumber = document->scriptableDocumentParser()->lineNumber();
    5556}
    5657
     
    145146}
    146147
    147 void StyleElement::createSheet(Element* e, int startLineNumber, const String& text)
     148void StyleElement::createSheet(Element* e, WTF::OrdinalNumber startLineNumber, const String& text)
    148149{
    149150    ASSERT(e);
     
    158159    // If type is empty or CSS, this is a CSS style sheet.
    159160    const AtomicString& type = this->type();
    160     if (document->contentSecurityPolicy()->allowInlineStyle() && isCSS(e, type)) {
     161    if (document->contentSecurityPolicy()->allowInlineStyle(e->document()->url(), startLineNumber) && isCSS(e, type)) {
    161162        RefPtr<MediaQuerySet> mediaQueries;
    162163        if (e->isHTMLElement())
     
    174175            m_sheet->setMediaQueries(mediaQueries.release());
    175176            m_sheet->setTitle(e->title());
    176    
    177             m_sheet->contents()->parseStringAtLine(text, startLineNumber);
     177            m_sheet->contents()->parseStringAtLine(text, startLineNumber.zeroBasedInt());
    178178
    179179            m_loading = false;
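Review bot: parseStringAtLine(text, startLineNumber.zeroBasedInt()) changes what the CSS parser receives, not only what the console prints. The member used to default to 0 and now defaults to WTF::OrdinalNumber::beforeFirst(), whose zero-based value is -1, and the new !document->isInDocumentWrite() guard widens the set of elements that keep that default. Assuming createSheet() is called with m_startLineNumber, script-created and document.write-created sheets now parse at line -1 instead of 0; either clamp to OrdinalNumber::first() for this call or check startLineNumber against beforeFirst() before converting.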
  • trunk/Source/WebCore/dom/StyleElement.h

    r113887 r118585  
    2323
    2424#include "CSSStyleSheet.h"
     25#include <wtf/text/TextPosition.h>
    2526
    2627namespace WebCore {
     
    5354
    5455private:
    55     void createSheet(Element*, int startLineNumber, const String& text = String());
     56    void createSheet(Element*, WTF::OrdinalNumber startLineNumber, const String& text = String());
    5657    void process(Element*);
    5758    void clearSheet();
     
    5960    bool m_createdByParser;
    6061    bool m_loading;
    61     int m_startLineNumber;
     62    WTF::OrdinalNumber m_startLineNumber;
    6263};
    6364
  • trunk/Source/WebCore/dom/StyledElement.cpp

    r118194 r118585  
    3838#include "HTMLNames.h"
    3939#include "HTMLParserIdioms.h"
     40#include "ScriptableDocumentParser.h"
    4041#include "StylePropertySet.h"
    4142#include "StyleResolver.h"
    4243#include <wtf/HashFunctions.h>
     44#include <wtf/text/TextPosition.h>
    4345
    4446using namespace std;
     
    127129}
    128130
     131StyledElement::StyledElement(const QualifiedName& name, Document* document, ConstructionType type)
     132    : Element(name, document, type)
     133    , m_startLineNumber(WTF::OrdinalNumber::beforeFirst())
     134{
     135    if (document && document->scriptableDocumentParser() && !document->isInDocumentWrite())
     136        m_startLineNumber = document->scriptableDocumentParser()->lineNumber();
     137}
     138
    129139StyledElement::~StyledElement()
    130140{
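Review bot: The new StyledElement constructor has no created-by-parser check, unlike the ScriptElement constructor (parserInserted) and the StyleElement constructor (createdByParser) in this same change. With only scriptableDocumentParser() and !isInDocumentWrite() tested, an element created from script while the parser is still active would record the parser's current line, which contradicts the ChangeLog statement that injected content gets no line number. Gate the assignment on the ConstructionType or an equivalent parser-created signal.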
     
    132142}
    133143
    134 CSSStyleDeclaration* StyledElement::style() 
    135 { 
     144CSSStyleDeclaration* StyledElement::style()
     145{
    136146    return ensureAttributeData()->ensureMutableInlineStyle(this)->ensureInlineCSSStyleDeclaration(this);
    137147}
     
    174184        if (newStyleString.isNull())
    175185            destroyInlineStyle();
    176         else if (document()->contentSecurityPolicy()->allowInlineStyle())
     186        else if (document()->contentSecurityPolicy()->allowInlineStyle(document()->url(), m_startLineNumber))
    177187            ensureAttributeData()->updateInlineStyleAvoidingMutation(this, newStyleString);
    178188        setIsStyleAttributeValid();
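Review bot: In styleAttributeChanged(), allowInlineStyle(document()->url(), m_startLineNumber) reports the line at which the element was constructed, not the place where the style attribute was set. When the attribute is changed later from script, the console error will point at the element's markup line, which can send someone debugging a policy violation to the wrong place. Either document that the line is the element's start line or pass beforeFirst() when the change does not come from the parser.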
  • trunk/Source/WebCore/dom/StyledElement.h

    r117323 r118585  
    2828#include "Element.h"
    2929#include "StylePropertySet.h"
     30#include <wtf/text/TextPosition.h>
    3031
    3132namespace WebCore {
     
    6364
    6465protected:
    65     StyledElement(const QualifiedName& name, Document* document, ConstructionType type)
    66         : Element(name, document, type)
    67     {
    68     }
     66    StyledElement(const QualifiedName&, Document*, ConstructionType);
    6967
    7068    virtual void attributeChanged(const Attribute&) OVERRIDE;
     
    9694            attributeData()->destroyInlineStyle(this);
    9795    }
     96
     97    WTF::OrdinalNumber m_startLineNumber;
    9898};
    9999
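Review bot: Adding WTF::OrdinalNumber m_startLineNumber to StyledElement grows every styled element in every document, and the constructor now queries the parser on each construction, all to serve a console message that is only emitted when a policy blocks an inline style attribute. Please measure the per-element size change, or keep the line outside the element (for example, only recorded when the document has a Content Security Policy).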
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r117826 r118585  
    3232#include "FormDataList.h"
    3333#include "Frame.h"
     34#include "InspectorInstrumentation.h"
    3435#include "InspectorValues.h"
    3536#include "PingLoader.h"
     
    3738#include "SecurityOrigin.h"
    3839#include "TextEncoding.h"
     40#include <wtf/text/TextPosition.h>
    3941#include <wtf/text/WTFString.h>
    4042
     
    491493    ContentSecurityPolicy::HeaderType headerType() const { return m_reportOnly ? ContentSecurityPolicy::ReportOnly : ContentSecurityPolicy::EnforcePolicy; }
    492494
    493     bool allowJavaScriptURLs() const;
    494     bool allowInlineEventHandlers() const;
    495     bool allowInlineScript() const;
    496     bool allowInlineStyle() const;
     495    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     496    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     497    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     498    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
    497499    bool allowEval(PassRefPtr<ScriptCallStack>) const;
    498500
     
    519521
    520522    CSPDirective* operativeDirective(CSPDirective*) const;
    521     void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), PassRefPtr<ScriptCallStack> = 0) const;
     523    void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
    522524    void logUnrecognizedDirective(const String& name) const;
    523525    bool checkEval(CSPDirective*) const;
    524526
    525     bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const;
    526     bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage, PassRefPtr<ScriptCallStack>) const;
     527    bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     528    bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
    527529    bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
    528530
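Review bot: checkEvalAndReportViolation() previously required the call stack and now defaults contextURL, contextLine and the PassRefPtr<ScriptCallStack> argument, so a call with only the directive and message compiles and reports a violation with no context at all. reportViolation() has the same run of four defaulted trailing parameters. Drop the defaults on the check* helpers so each call site has to state what context it has.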
     
    576578}
    577579
    578 void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, PassRefPtr<ScriptCallStack> callStack) const
     580void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
    579581{
    580582    String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
    581     m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, String(), 0, callStack);
     583    m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, contextURL, contextLine.oneBasedInt(), callStack);
    582584
    583585    if (m_reportURIs.isEmpty())
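Review bot: addConsoleMessage(..., contextURL, contextLine.oneBasedInt(), callStack) relies on WTF::OrdinalNumber::beforeFirst().oneBasedInt() evaluating to 0, the literal this line used to pass, to mean "no line"; that is what keeps the injected-script expectation free of a "line N:" prefix. Make the dependency explicit with a comment or a check against beforeFirst() here, and decide whether contextURL should also be left empty when the line is unknown, since callers currently pass the document URL either way.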
     
    639641}
    640642
    641 bool CSPDirectiveList::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
     643bool CSPDirectiveList::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
    642644{
    643645    if (!directive || directive->allowInline())
    644646        return true;
    645     reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n");
     647    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
    646648    return denyIfEnforcingPolicy();
    647649}
    648650
    649 bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage, PassRefPtr<ScriptCallStack> callStack) const
     651bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
    650652{
    651653    if (checkEval(directive))
    652654        return true;
    653     reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), callStack);
     655    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine, callStack);
    654656    return denyIfEnforcingPolicy();
    655657}
     
    664666}
    665667
    666 bool CSPDirectiveList::allowJavaScriptURLs() const
     668bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
    667669{
    668670    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "));
    669     return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
    670 }
    671 
    672 bool CSPDirectiveList::allowInlineEventHandlers() const
     671    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine);
     672}
     673
     674bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
    673675{
    674676    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because it violates the following Content Security Policy directive: "));
    675     return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
    676 }
    677 
    678 bool CSPDirectiveList::allowInlineScript() const
     677    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine);
     678}
     679
     680bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
    679681{
    680682    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because it violates the following Content Security Policy directive: "));
    681     return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
    682 }
    683 
    684 bool CSPDirectiveList::allowInlineStyle() const
     683    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine);
     684}
     685
     686bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
    685687{
    686688    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because it violates the following Content Security Policy directive: "));
    687     return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage);
     689    return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage, contextURL, contextLine);
    688690}
    689691
     
    691693{
    692694    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because it violates the following Content Security Policy directive: "));
    693     return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, callStack);
     695    return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), callStack);
    694696}
    695697
     
    924926}
    925927
    926 template<bool (CSPDirectiveList::*allowed)() const>
    927 bool isAllowedByAll(const CSPDirectiveListVector& policies)
    928 {
    929     for (size_t i = 0; i < policies.size(); ++i) {
    930         if (!(policies[i].get()->*allowed)())
    931             return false;
    932     }
    933     return true;
    934 }
    935 
    936928template<bool (CSPDirectiveList::*allowed)(PassRefPtr<ScriptCallStack>) const>
    937929bool isAllowedByAllWithCallStack(const CSPDirectiveListVector& policies, PassRefPtr<ScriptCallStack> callStack)
     
    944936}
    945937
     938template<bool (CSPDirectiveList::*allowed)(const String&, const WTF::OrdinalNumber&) const>
     939bool isAllowedByAllWithContext(const CSPDirectiveListVector& policies, const String& contextURL, const WTF::OrdinalNumber& contextLine)
     940{
     941    for (size_t i = 0; i < policies.size(); ++i) {
     942        if (!(policies[i].get()->*allowed)(contextURL, contextLine))
     943            return false;
     944    }
     945    return true;
     946}
     947
    946948template<bool (CSPDirectiveList::*allowFromURL)(const KURL&) const>
    947949bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& url)
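Review bot: The early return false in the isAllowedByAllWithContext loop means that once one policy denies, the remaining entries in policies are never consulted, and since the console message and report are produced inside the allowed(...) call itself, those later policies never log or report their own violation. This is the same shape as the removed isAllowedByAll, so it is not a regression, but now that each message carries a URL and line it is worth deciding whether the loop should evaluate every policy and combine the results, so that a page with several policies gets one located message per violated directive.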
     
    954956}
    955957
    956 bool ContentSecurityPolicy::allowJavaScriptURLs() const
    957 {
    958     return isAllowedByAll<&CSPDirectiveList::allowJavaScriptURLs>(m_policies);
    959 }
    960 
    961 bool ContentSecurityPolicy::allowInlineEventHandlers() const
    962 {
    963     return isAllowedByAll<&CSPDirectiveList::allowInlineEventHandlers>(m_policies);
    964 }
    965 
    966 bool ContentSecurityPolicy::allowInlineScript() const
    967 {
    968     return isAllowedByAll<&CSPDirectiveList::allowInlineScript>(m_policies);
    969 }
    970 
    971 bool ContentSecurityPolicy::allowInlineStyle() const
     958bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
     959{
     960    return isAllowedByAllWithContext<&CSPDirectiveList::allowJavaScriptURLs>(m_policies, contextURL, contextLine);
     961}
     962
     963bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
     964{
     965    return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineEventHandlers>(m_policies, contextURL, contextLine);
     966}
     967
     968bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
     969{
     970    return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineScript>(m_policies, contextURL, contextLine);
     971}
     972
     973bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
    972974{
    973975    if (m_overrideInlineStyleAllowed)
    974976        return true;
    975     return isAllowedByAll<&CSPDirectiveList::allowInlineStyle>(m_policies);
     977    return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine);
    976978}
    977979
  • trunk/Source/WebCore/page/ContentSecurityPolicy.h

    r117826 r118585  
    3232#include <wtf/text/WTFString.h>
    3333
     34namespace WTF {
     35class OrdinalNumber;
     36}
     37
    3438namespace WebCore {
    3539
     
    6367    HeaderType deprecatedHeaderType() const;
    6468
    65     bool allowJavaScriptURLs() const;
    66     bool allowInlineEventHandlers() const;
    67     bool allowInlineScript() const;
    68     bool allowInlineStyle() const;
     69    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     70    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     71    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     72    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
    6973    bool allowEval(PassRefPtr<ScriptCallStack>) const;
    7074
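Review bot: After this hunk allowEval is the only one of the five allow* checks that still takes just a ScriptCallStack, while its four siblings take contextURL and contextLine, and the header gives no hint why. From the .cpp side the eval path passes an empty String and beforeFirst() and relies on the call stack for location. A one-line comment above these declarations saying that, and saying what callers of the other four should pass when they have no source position, would keep new call sites consistent.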