Changeset 116052 in webkit
- Timestamp: May 3, 2012 5:53:16 PM (12 years ago)
- Location: trunk
- Files: 2 added, 3 edited
trunk/LayoutTests/ChangeLog
r116051 r116052 1 2012-05-03 Adam Barth <abarth@webkit.org> 2 3 CSP shouldn't block about:blank for iframes 4 https://bugs.webkit.org/show_bug.cgi?id=85233 5 6 Reviewed by Eric Seidel. 7 8 Test that about:blank iframes and objects don't generate debug log 9 messages. 10 11 * http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default-expected.txt: Added. 12 * http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html: Added. 13 1 14 2012-05-03 Sheriff Bot <webkit.review.bot@gmail.com> 2 15 -
trunk/Source/WebCore/ChangeLog
r116051 r116052 1 2012-05-03 Adam Barth <abarth@webkit.org> 2 3 CSP shouldn't block about:blank for iframes 4 https://bugs.webkit.org/show_bug.cgi?id=85233 5 6 Reviewed by Eric Seidel. 7 8 As discussed at the W3C WebAppSec face-to-face meeting, there's no 9 point in blocking about:blank iframes or objects because blocking a 10 frame or object just results in displaying about:blank anyway. This 11 patch just removes the spurious console message and violation report. 12 13 Test: http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html 14 15 * page/ContentSecurityPolicy.cpp: 16 (WebCore::ContentSecurityPolicy::allowObjectFromSource): 17 (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): 18 1 19 2012-05-03 Sheriff Bot <webkit.review.bot@gmail.com> 2 20 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r109730 r116052 642 642 { 643 643 DEFINE_STATIC_LOCAL(String, type, ("object")); 644 if (url.protocolIs("about")) 645 return true; 644 646 return checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, type); 645 647 } … … 648 650 { 649 651 DEFINE_STATIC_LOCAL(String, type, ("frame")); 652 if (url.protocolIs("about")) 653 return true; 650 654 return checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, type); 651 655 }
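Review bot: In allowObjectFromSource, the new check url.protocolIs("about") exempts every URL with the about scheme, while the ChangeLog rationale and the added test only argue for about:blank. Either narrow the condition to about:blank, or add a comment above the check and a line in the ChangeLog saying why the whole scheme is safe to skip, because the early return true also bypasses checkSourceAndReportViolation and so suppresses the violation report for all of those URLs.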
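Review bot: In allowChildFrameFromSource, the two-line about check is copied verbatim from allowObjectFromSource and carries no comment. A small shared helper with a one-line comment giving the reason stated in the ChangeLog (a blocked frame or object displays about:blank anyway) would keep the two exemptions from drifting apart. The only test listed is frame-src-about-blank-allowed-by-default.html, whose name covers frame-src; please confirm it also exercises the object-src path, and consider a case with an explicitly restrictive frame-src so the exemption is tested against a policy that would otherwise block.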