Changeset 118585 in webkit

Timestamp:

May 25, 2012, 4:29:45 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

Inline script and style blocked by Content Security Policy should provide more detailed console errors.
​https://bugs.webkit.org/show_bug.cgi?id=86848

Patch by Mike West <​mkwst@chromium.org> on 2012-05-25
Reviewed by Adam Barth.

Source/WebCore:

This change adds a URL and line number for context to each call to
ContentSecurityPolicy::allowInline*, and pipes it through to the
console message generation in CSPDirectiveList::reportViolation.

Line numbers are not added for injected scripts (document.write(...),
document.body.appendChild, and etc.).

Tests: http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html

http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html
http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html
http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html

• bindings/ScriptControllerBase.cpp:

(WebCore::ScriptController::executeIfJavaScriptURL):

• bindings/js/JSLazyEventListener.cpp:

(WebCore::JSLazyEventListener::initializeJSFunction):

• bindings/v8/V8LazyEventListener.cpp:

(WebCore::V8LazyEventListener::prepareListenerObject):

• dom/ScriptElement.cpp:

(WebCore::ScriptElement::ScriptElement):
(WebCore::ScriptElement::executeScript):

• dom/ScriptElement.h:

(ScriptElement):

• dom/StyleElement.cpp:

(WebCore::StyleElement::StyleElement):
(WebCore::StyleElement::createSheet):

• dom/StyleElement.h:

(StyleElement):

• dom/StyledElement.cpp:

(WebCore::StyledElement::StyledElement):
(WebCore):
(WebCore::StyledElement::style):
(WebCore::StyledElement::styleAttributeChanged):

• dom/StyledElement.h:

(StyledElement):

• page/ContentSecurityPolicy.cpp:

(CSPDirectiveList):
(WebCore::CSPDirectiveList::reportViolation):
(WebCore::CSPDirectiveList::checkInlineAndReportViolation):
(WebCore::CSPDirectiveList::checkEvalAndReportViolation):
(WebCore::CSPDirectiveList::allowJavaScriptURLs):
(WebCore::CSPDirectiveList::allowInlineEventHandlers):
(WebCore::CSPDirectiveList::allowInlineScript):
(WebCore::CSPDirectiveList::allowInlineStyle):
(WebCore::CSPDirectiveList::allowEval):
(WebCore):
(WebCore::isAllowedByAllWithCallStack):
(WebCore::isAllowedByAllWithContext):
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
(WebCore::ContentSecurityPolicy::allowInlineScript):
(WebCore::ContentSecurityPolicy::allowInlineStyle):

• page/ContentSecurityPolicy.h:

(WTF):

LayoutTests:

• http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt:
• http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt:
• http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt.
• http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html: Added.
• http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html: Added.
• http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
• http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
• http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
• http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt:
• http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt:
• http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
• http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
• http/tests/security/contentSecurityPolicy/report-only-expected.txt:
• http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
• http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
• http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
• http/tests/security/contentSecurityPolicy/resources/inject-script.js: Added.
• http/tests/security/contentSecurityPolicy/resources/inject-style.js: Added.
• http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
• http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt ) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/inject-script.js (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/inject-style.js (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/ScriptControllerBase.cpp (modified) (2 diffs)
• Source/WebCore/bindings/js/JSLazyEventListener.cpp (modified) (1 diff)
• Source/WebCore/bindings/v8/V8LazyEventListener.cpp (modified) (1 diff)
• Source/WebCore/dom/ScriptElement.cpp (modified) (5 diffs)
• Source/WebCore/dom/ScriptElement.h (modified) (1 diff)
• Source/WebCore/dom/StyleElement.cpp (modified) (5 diffs)
• Source/WebCore/dom/StyleElement.h (modified) (3 diffs)
• Source/WebCore/dom/StyledElement.cpp (modified) (4 diffs)
• Source/WebCore/dom/StyledElement.h (modified) (3 diffs)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (11 diffs)
• Source/WebCore/page/ContentSecurityPolicy.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-05-25  Mike West  <mkwst@chromium.org>
+
+        Inline script and style blocked by Content Security Policy should provide more detailed console errors.
+        https://bugs.webkit.org/show_bug.cgi?id=86848
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt:
+        * http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt.
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+        * http/tests/security/contentSecurityPolicy/resources/inject-script.js: Added.
+        * http/tests/security/contentSecurityPolicy/resources/inject-style.js: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
+        * http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt:
+
 2012-05-25  Joshua Bell  <jsbell@chromium.org>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 11: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
-CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
+CONSOLE MESSAGE: line 14: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
 
 This test checks that we enforce all the supplied policies. This test passes if it doesn't alert fail and if the style doesn't apply.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
+CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
 
 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt

@@ -3 +3 @@
 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
 
-This test passes if it doesn't alert fail.
+

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
+CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
 
 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
 
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
+CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
 
-CONSOLE MESSAGE: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
+CONSOLE MESSAGE: line 7: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
 
 This test passes if it doesn't alert fail.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt

@@ -5 +5 @@
 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
 
-CONSOLE MESSAGE: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
+CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
 
 This test passes if it doesn't alert fail. 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
+CONSOLE MESSAGE: line 10: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
 
 PASS

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
+CONSOLE MESSAGE: line 5: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
 
 PASS

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt

@@ -5 +5 @@
 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
 
-CONSOLE MESSAGE: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'".
+CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'".
 
 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 3: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 ALERT: PASS

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 2: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 ALERT: PASS

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 ALERT: PASS

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 2: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 CSP report received:

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 2: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'none'".
+CONSOLE MESSAGE: line 3: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'none'".
 
   

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 This test passes if it doesn't alert fail. 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-05-25  Mike West  <mkwst@chromium.org>
+
+        Inline script and style blocked by Content Security Policy should provide more detailed console errors.
+        https://bugs.webkit.org/show_bug.cgi?id=86848
+
+        Reviewed by Adam Barth.
+
+        This change adds a URL and line number for context to each call to
+        `ContentSecurityPolicy::allowInline*`, and pipes it through to the
+        console message generation in `CSPDirectiveList::reportViolation`.
+
+        Line numbers are not added for injected scripts (`document.write(...)`,
+        `document.body.appendChild`, and etc.).
+
+        Tests: http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html
+               http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html
+               http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html
+               http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html
+
+        * bindings/ScriptControllerBase.cpp:
+        (WebCore::ScriptController::executeIfJavaScriptURL):
+        * bindings/js/JSLazyEventListener.cpp:
+        (WebCore::JSLazyEventListener::initializeJSFunction):
+        * bindings/v8/V8LazyEventListener.cpp:
+        (WebCore::V8LazyEventListener::prepareListenerObject):
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::ScriptElement):
+        (WebCore::ScriptElement::executeScript):
+        * dom/ScriptElement.h:
+        (ScriptElement):
+        * dom/StyleElement.cpp:
+        (WebCore::StyleElement::StyleElement):
+        (WebCore::StyleElement::createSheet):
+        * dom/StyleElement.h:
+        (StyleElement):
+        * dom/StyledElement.cpp:
+        (WebCore::StyledElement::StyledElement):
+        (WebCore):
+        (WebCore::StyledElement::style):
+        (WebCore::StyledElement::styleAttributeChanged):
+        * dom/StyledElement.h:
+        (StyledElement):
+        * page/ContentSecurityPolicy.cpp:
+        (CSPDirectiveList):
+        (WebCore::CSPDirectiveList::reportViolation):
+        (WebCore::CSPDirectiveList::checkInlineAndReportViolation):
+        (WebCore::CSPDirectiveList::checkEvalAndReportViolation):
+        (WebCore::CSPDirectiveList::allowJavaScriptURLs):
+        (WebCore::CSPDirectiveList::allowInlineEventHandlers):
+        (WebCore::CSPDirectiveList::allowInlineScript):
+        (WebCore::CSPDirectiveList::allowInlineStyle):
+        (WebCore::CSPDirectiveList::allowEval):
+        (WebCore):
+        (WebCore::isAllowedByAllWithCallStack):
+        (WebCore::isAllowedByAllWithContext):
+        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
+        (WebCore::ContentSecurityPolicy::allowInlineScript):
+        (WebCore::ContentSecurityPolicy::allowInlineStyle):
+        * page/ContentSecurityPolicy.h:
+        (WTF):
+
 2012-05-25  Tim Horton  <timothy_horton@apple.com>
 

trunk/Source/WebCore/bindings/ScriptControllerBase.cpp

@@ -33 +33 @@
 #include "Settings.h"
 #include "UserGestureIndicator.h"
+#include <wtf/text/TextPosition.h>
 
 namespace WebCore {
@@ -76 +77 @@
     if (!m_frame->page()
         || !m_frame->page()->javaScriptURLsAreAllowed()
-        || !m_frame->document()->contentSecurityPolicy()->allowJavaScriptURLs()
+        || !m_frame->document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame->document()->url(), eventHandlerPosition().m_line)
         || m_frame->inViewSourceMode())
         return true;

trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp

@@ -81 +81 @@
         return 0;
 
-    if (!document->contentSecurityPolicy()->allowInlineEventHandlers())
+    if (!document->contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL, m_position.m_line))
         return 0;
 

trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp

@@ -106 +106 @@
         return;
 
-    if (context->isDocument() && !static_cast<Document*>(context)->contentSecurityPolicy()->allowInlineEventHandlers())
+    if (context->isDocument() && !static_cast<Document*>(context)->contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL, m_position.m_line))
         return;
 

trunk/Source/WebCore/dom/ScriptElement.cpp

@@ -42 +42 @@
 #include "ScriptSourceCode.h"
 #include "ScriptValue.h"
+#include "ScriptableDocumentParser.h"
 #include "SecurityOrigin.h"
 #include "Settings.h"
@@ -48 +49 @@
 #include <wtf/text/StringBuilder.h>
 #include <wtf/text/StringHash.h>
+#include <wtf/text/TextPosition.h>
 
 #if ENABLE(SVG)
@@ -59 +61 @@
     : m_element(element)
     , m_cachedScript(0)
+    , m_startLineNumber(WTF::OrdinalNumber::beforeFirst())
     , m_parserInserted(parserInserted)
     , m_isExternalScript(false)
@@ -71 +74 @@
 {
     ASSERT(m_element);
+    if (parserInserted && m_element->document()->scriptableDocumentParser() && !m_element->document()->isInDocumentWrite())
+        m_startLineNumber = m_element->document()->scriptableDocumentParser()->lineNumber();
 }
 
@@ -277 +282 @@
         return;
 
-    if (!m_isExternalScript && !m_element->document()->contentSecurityPolicy()->allowInlineScript())
+    if (!m_isExternalScript && !m_element->document()->contentSecurityPolicy()->allowInlineScript(m_element->document()->url(), m_startLineNumber))
         return;
 

trunk/Source/WebCore/dom/ScriptElement.h

@@ -94 +94 @@
     Element* m_element;
     CachedResourceHandle<CachedScript> m_cachedScript;
+    WTF::OrdinalNumber m_startLineNumber;
     bool m_parserInserted : 1;
     bool m_isExternalScript : 1;

trunk/Source/WebCore/dom/StyleElement.cpp

@@ -31 +31 @@
 #include "StyleSheetContents.h"
 #include <wtf/text/StringBuilder.h>
+#include <wtf/text/TextPosition.h>
 
 namespace WebCore {
@@ -49 +50 @@
     : m_createdByParser(createdByParser)
     , m_loading(false)
-    , m_startLineNumber(0)
-{
-    if (createdByParser && document && document->scriptableDocumentParser())
-        m_startLineNumber = document->scriptableDocumentParser()->lineNumber().zeroBasedInt();
+    , m_startLineNumber(WTF::OrdinalNumber::beforeFirst())
+{
+    if (createdByParser && document && document->scriptableDocumentParser() && !document->isInDocumentWrite())
+        m_startLineNumber = document->scriptableDocumentParser()->lineNumber();
 }
 
@@ -145 +146 @@
 }
 
-void StyleElement::createSheet(Element* e, int startLineNumber, const String& text)
+void StyleElement::createSheet(Element* e, WTF::OrdinalNumber startLineNumber, const String& text)
 {
     ASSERT(e);
@@ -158 +159 @@
     // If type is empty or CSS, this is a CSS style sheet.
     const AtomicString& type = this->type();
-    if (document->contentSecurityPolicy()->allowInlineStyle() && isCSS(e, type)) {
+    if (document->contentSecurityPolicy()->allowInlineStyle(e->document()->url(), startLineNumber) && isCSS(e, type)) {
         RefPtr<MediaQuerySet> mediaQueries;
         if (e->isHTMLElement())
@@ -174 +175 @@
             m_sheet->setMediaQueries(mediaQueries.release());
             m_sheet->setTitle(e->title());
-    
-            m_sheet->contents()->parseStringAtLine(text, startLineNumber);
+            m_sheet->contents()->parseStringAtLine(text, startLineNumber.zeroBasedInt());
 
             m_loading = false;

trunk/Source/WebCore/dom/StyleElement.h

@@ -23 +23 @@
 
 #include "CSSStyleSheet.h"
+#include <wtf/text/TextPosition.h>
 
 namespace WebCore {
@@ -53 +54 @@
 
 private:
-    void createSheet(Element*, int startLineNumber, const String& text = String());
+    void createSheet(Element*, WTF::OrdinalNumber startLineNumber, const String& text = String());
     void process(Element*);
     void clearSheet();
@@ -59 +60 @@
     bool m_createdByParser;
     bool m_loading;
-    int m_startLineNumber;
+    WTF::OrdinalNumber m_startLineNumber;
 };
 

trunk/Source/WebCore/dom/StyledElement.cpp

@@ -38 +38 @@
 #include "HTMLNames.h"
 #include "HTMLParserIdioms.h"
+#include "ScriptableDocumentParser.h"
 #include "StylePropertySet.h"
 #include "StyleResolver.h"
 #include <wtf/HashFunctions.h>
+#include <wtf/text/TextPosition.h>
 
 using namespace std;
@@ -127 +129 @@
 }
 
+StyledElement::StyledElement(const QualifiedName& name, Document* document, ConstructionType type)
+    : Element(name, document, type)
+    , m_startLineNumber(WTF::OrdinalNumber::beforeFirst())
+{
+    if (document && document->scriptableDocumentParser() && !document->isInDocumentWrite())
+        m_startLineNumber = document->scriptableDocumentParser()->lineNumber();
+}
+
 StyledElement::~StyledElement()
 {
@@ -132 +142 @@
 }
 
-CSSStyleDeclaration* StyledElement::style() 
-{ 
+CSSStyleDeclaration* StyledElement::style()
+{
     return ensureAttributeData()->ensureMutableInlineStyle(this)->ensureInlineCSSStyleDeclaration(this); 
 }
@@ -174 +184 @@
         if (newStyleString.isNull())
             destroyInlineStyle();
-        else if (document()->contentSecurityPolicy()->allowInlineStyle())
+        else if (document()->contentSecurityPolicy()->allowInlineStyle(document()->url(), m_startLineNumber))
             ensureAttributeData()->updateInlineStyleAvoidingMutation(this, newStyleString);
         setIsStyleAttributeValid();

trunk/Source/WebCore/dom/StyledElement.h

@@ -28 +28 @@
 #include "Element.h"
 #include "StylePropertySet.h"
+#include <wtf/text/TextPosition.h>
 
 namespace WebCore {
@@ -63 +64 @@
 
 protected:
-    StyledElement(const QualifiedName& name, Document* document, ConstructionType type)
-        : Element(name, document, type)
-    {
-    }
+    StyledElement(const QualifiedName&, Document*, ConstructionType);
 
     virtual void attributeChanged(const Attribute&) OVERRIDE;
@@ -96 +94 @@
             attributeData()->destroyInlineStyle(this);
     }
+
+    WTF::OrdinalNumber m_startLineNumber;
 };
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -32 +32 @@
 #include "FormDataList.h"
 #include "Frame.h"
+#include "InspectorInstrumentation.h"
 #include "InspectorValues.h"
 #include "PingLoader.h"
@@ -37 +38 @@
 #include "SecurityOrigin.h"
 #include "TextEncoding.h"
+#include <wtf/text/TextPosition.h>
 #include <wtf/text/WTFString.h>
 
@@ -491 +493 @@
     ContentSecurityPolicy::HeaderType headerType() const { return m_reportOnly ? ContentSecurityPolicy::ReportOnly : ContentSecurityPolicy::EnforcePolicy; }
 
-    bool allowJavaScriptURLs() const;
-    bool allowInlineEventHandlers() const;
-    bool allowInlineScript() const;
-    bool allowInlineStyle() const;
+    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     bool allowEval(PassRefPtr<ScriptCallStack>) const;
 
@@ -519 +521 @@
 
     CSPDirective* operativeDirective(CSPDirective*) const;
-    void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), PassRefPtr<ScriptCallStack> = 0) const;
+    void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
     void logUnrecognizedDirective(const String& name) const;
     bool checkEval(CSPDirective*) const;
 
-    bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const;
-    bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage, PassRefPtr<ScriptCallStack>) const;
+    bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
     bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
 
@@ -576 +578 @@
 }
 
-void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, PassRefPtr<ScriptCallStack> callStack) const
+void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
 {
     String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
-    m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, String(), 0, callStack);
+    m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, contextURL, contextLine.oneBasedInt(), callStack);
 
     if (m_reportURIs.isEmpty())
@@ -639 +641 @@
 }
 
-bool CSPDirectiveList::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
+bool CSPDirectiveList::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     if (!directive || directive->allowInline())
         return true;
-    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n");
+    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
     return denyIfEnforcingPolicy();
 }
 
-bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage, PassRefPtr<ScriptCallStack> callStack) const
+bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
 {
     if (checkEval(directive))
         return true;
-    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), callStack);
+    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine, callStack);
     return denyIfEnforcingPolicy();
 }
@@ -664 +666 @@
 }
 
-bool CSPDirectiveList::allowJavaScriptURLs() const
+bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "));
-    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
-}
-
-bool CSPDirectiveList::allowInlineEventHandlers() const
+    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine);
+}
+
+bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because it violates the following Content Security Policy directive: "));
-    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
-}
-
-bool CSPDirectiveList::allowInlineScript() const
+    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine);
+}
+
+bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because it violates the following Content Security Policy directive: "));
-    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
-}
-
-bool CSPDirectiveList::allowInlineStyle() const
+    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine);
+}
+
+bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because it violates the following Content Security Policy directive: "));
-    return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage);
+    return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage, contextURL, contextLine);
 }
 
@@ -691 +693 @@
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because it violates the following Content Security Policy directive: "));
-    return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, callStack);
+    return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), callStack);
 }
 
@@ -924 +926 @@
 }
 
-template<bool (CSPDirectiveList::*allowed)() const>
-bool isAllowedByAll(const CSPDirectiveListVector& policies)
-{
-    for (size_t i = 0; i < policies.size(); ++i) {
-        if (!(policies[i].get()->*allowed)())
-            return false;
-    }
-    return true;
-}
-
 template<bool (CSPDirectiveList::*allowed)(PassRefPtr<ScriptCallStack>) const>
 bool isAllowedByAllWithCallStack(const CSPDirectiveListVector& policies, PassRefPtr<ScriptCallStack> callStack)
@@ -944 +936 @@
 }
 
+template<bool (CSPDirectiveList::*allowed)(const String&, const WTF::OrdinalNumber&) const>
+bool isAllowedByAllWithContext(const CSPDirectiveListVector& policies, const String& contextURL, const WTF::OrdinalNumber& contextLine)
+{
+    for (size_t i = 0; i < policies.size(); ++i) {
+        if (!(policies[i].get()->*allowed)(contextURL, contextLine))
+            return false;
+    }
+    return true;
+}
+
 template<bool (CSPDirectiveList::*allowFromURL)(const KURL&) const>
 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& url)
@@ -954 +956 @@
 }
 
-bool ContentSecurityPolicy::allowJavaScriptURLs() const
-{
-    return isAllowedByAll<&CSPDirectiveList::allowJavaScriptURLs>(m_policies);
-}
-
-bool ContentSecurityPolicy::allowInlineEventHandlers() const
-{
-    return isAllowedByAll<&CSPDirectiveList::allowInlineEventHandlers>(m_policies);
-}
-
-bool ContentSecurityPolicy::allowInlineScript() const
-{
-    return isAllowedByAll<&CSPDirectiveList::allowInlineScript>(m_policies);
-}
-
-bool ContentSecurityPolicy::allowInlineStyle() const
+bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
+{
+    return isAllowedByAllWithContext<&CSPDirectiveList::allowJavaScriptURLs>(m_policies, contextURL, contextLine);
+}
+
+bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
+{
+    return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineEventHandlers>(m_policies, contextURL, contextLine);
+}
+
+bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
+{
+    return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineScript>(m_policies, contextURL, contextLine);
+}
+
+bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     if (m_overrideInlineStyleAllowed)
         return true;
-    return isAllowedByAll<&CSPDirectiveList::allowInlineStyle>(m_policies);
+    return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine);
 }
 

trunk/Source/WebCore/page/ContentSecurityPolicy.h

@@ -32 +32 @@
 #include <wtf/text/WTFString.h>
 
+namespace WTF {
+class OrdinalNumber;
+}
+
 namespace WebCore {
 
@@ -63 +67 @@
     HeaderType deprecatedHeaderType() const;
 
-    bool allowJavaScriptURLs() const;
-    bool allowInlineEventHandlers() const;
-    bool allowInlineScript() const;
-    bool allowInlineStyle() const;
+    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     bool allowEval(PassRefPtr<ScriptCallStack>) const;