Changeset 116052 in webkit


Timestamp:
May 3, 2012 5:53:16 PM (12 years ago)
Author:
abarth@webkit.org
Message:

CSP shouldn't block about:blank for iframes
https://bugs.webkit.org/show_bug.cgi?id=85233

Reviewed by Eric Seidel.

Source/WebCore:

As discussed at the W3C WebAppSec face-to-face meeting, there's no
point in blocking about:blank iframes or objects because blocking a
frame or object just results in displaying about:blank anyway. This
patch just removes the spurious console message and violation report.

Test: http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html

  • page/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::allowObjectFromSource):
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource):

LayoutTests:

Test that about:blank iframes and objects don't generate debug log
messages.

  • http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html: Added.
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r116051 r116052  
     12012-05-03  Adam Barth  <abarth@webkit.org>
     2
     3        CSP shouldn't block about:blank for iframes
     4        https://bugs.webkit.org/show_bug.cgi?id=85233
     5
     6        Reviewed by Eric Seidel.
     7
     8        Test that about:blank iframes and objects don't generate debug log
     9        messages.
     10
     11        * http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default-expected.txt: Added.
     12        * http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html: Added.
     13
    1142012-05-03  Sheriff Bot  <webkit.review.bot@gmail.com>
    215
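Review bot: the only test listed here is named frame-src-about-blank-allowed-by-default, yet the entry says it covers objects as well and the patch also changes allowObjectFromSource. Either add an object-src counterpart or give the test a name that reflects both directives, so a regression in the object path can be found from the file name.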
  • trunk/Source/WebCore/ChangeLog

    r116051 r116052  
     12012-05-03  Adam Barth  <abarth@webkit.org>
     2
     3        CSP shouldn't block about:blank for iframes
     4        https://bugs.webkit.org/show_bug.cgi?id=85233
     5
     6        Reviewed by Eric Seidel.
     7
     8        As discussed at the W3C WebAppSec face-to-face meeting, there's no
     9        point in blocking about:blank iframes or objects because blocking a
     10        frame or object just results in displaying about:blank anyway.  This
     11        patch just removes the spurious console message and violation report.
     12
     13        Test: http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html
     14
     15        * page/ContentSecurityPolicy.cpp:
     16        (WebCore::ContentSecurityPolicy::allowObjectFromSource):
     17        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource):
     18
    1192012-05-03  Sheriff Bot  <webkit.review.bot@gmail.com>
    220
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r109730 r116052  
    642642{
    643643    DEFINE_STATIC_LOCAL(String, type, ("object"));
     644    if (url.protocolIs("about"))
     645        return true;
    644646    return checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, type);
    645647}
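Review bot: the early return at new lines 644-645 of allowObjectFromSource matches the whole about: scheme through url.protocolIs("about"), while the commit message only argues for about:blank. Suggest comparing against about:blank specifically, or stating in a comment why every about: URL is safe to exempt from object-src.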
     
    648650{
    649651    DEFINE_STATIC_LOCAL(String, type, ("frame"));
     652    if (url.protocolIs("about"))
     653        return true;
    650654    return checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, type);
    651655}
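Review bot: the check at new lines 652-653 of allowChildFrameFromSource has no comment, and it returns before checkSourceAndReportViolation runs, so about: frames are exempt whatever frame-src says and nothing is reported. Suggest a one-line comment giving the rationale from the ChangeLog (a blocked frame displays about:blank anyway), and moving the two identical two-line checks into a shared helper so the object and frame paths cannot drift apart.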