Changeset 116066 in webkit


Timestamp:
May 3, 2012 8:45:06 PM (12 years ago)
Author:
abarth@webkit.org
Message:

CSP: Eval isn't blocked in about:blank subframes
https://bugs.webkit.org/show_bug.cgi?id=85553

Reviewed by Eric Seidel.

Source/WebCore:

ContentSecurityPolicy has a back pointer to ScriptExecutionContext.
That means we shouldn't share a single ContentSecurityPolicy object
between multiple ScriptExecutionContexts. This patch copies the state
from one ScriptExecutionContext to another rather than sharing the
ContentSecurityPolicy object itself.

This resulted in a subtle bug w.r.t. blocking eval. Because we block
eval by setting a bit in the JavaScript engine when enforcing the
policy, that bit wasn't copied along with the rest of the state when we
were sharing the ContentSecurityPolicy object. Now that we use the
more robust ContentSecurityPolicy::copyStateFrom function, we don't
have that bug.

Test: http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html

  • dom/Document.cpp:
    (WebCore::Document::initSecurityContext):
    (WebCore):
    (WebCore::Document::initContentSecurityPolicy):
  • dom/Document.h:
    (Document):
  • dom/SecurityContext.cpp:
    (WebCore::SecurityContext::setContentSecurityPolicy):
  • dom/SecurityContext.h:
    (SecurityContext):
  • loader/FrameLoader.cpp:
    (WebCore::FrameLoader::didBeginDocument):
  • page/ContentSecurityPolicy.h:
    (WebCore::ContentSecurityPolicy::create):

LayoutTests:

  • http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html: Added.
    • New test for the eval issue.
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
  • http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt:
  • http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt:
    • Now that we re-parse the CSP policy, we log parse errors to the console more times. This isn't ideal and is something we might change in the future.
  • platform/chromium/http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt: Added.
    • Add a Chromium-specific baseline for this test because the eval error is slightly different between V8 and JSC.
Location:
trunk
Files:
3 added
12 edited

  • trunk/LayoutTests/ChangeLog

    r116063 r116066  
     12012-05-03  Adam Barth  <abarth@webkit.org>
     2
     3        CSP: Eval isn't blocked in about:blank subframes
     4        https://bugs.webkit.org/show_bug.cgi?id=85553
     5
     6        Reviewed by Eric Seidel.
     7
     8        * http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt: Added.
     9        * http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html: Added.
     10            - New test for the eval issue.
     11        * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
     12        * http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt:
     13        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
     14        * http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt:
     15            - Now that we re-parse the CSP policy, we log parse errors to the
     16              console more times. This isn't ideal and is something we might
     17              change in the future.
     18        * platform/chromium/http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe-expected.txt: Added.
     19            - Add a Chromium-specific baseline for this test because the eval
     20              error is slightly different between V8 and JSC.
     21
    1222012-05-03  David Barr  <davidbarr@chromium.org>
    223
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt

    r104803 r116066  
     1CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
     2
     3CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
     4
    15CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
    26
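Review bot: the expected output now bakes the same "Unrecognized Content-Security-Policy directive" diagnostic in several times for one policy (lines 1, 3 and 5), which ties this and the three sibling baselines to how many times the child document re-parses the header rather than to what the test checks. The ChangeLog acknowledges this as not ideal; suppressing the repeat when copyStateFrom re-applies an already-reported policy, or reporting parse errors only on the first parse, would keep these baselines stable when the parsing path changes again.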
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt

    r104803 r116066  
     1CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
     2
     3CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
     4
    15CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
    26
    37ALERT: PASS
     8CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
    49
     10CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
     11
     12
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt

    r104803 r116066  
     1CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
     2
     3CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
     4
    15CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
    26
    37CONSOLE MESSAGE: Refused to execute JavaScript URL because of Content-Security-Policy.
    48
     9CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
    510
     11CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
     12
     13
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt

    r104803 r116066  
     1CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
     2
    13CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
    24
  • trunk/Source/WebCore/ChangeLog

    r116065 r116066  
     12012-05-03  Adam Barth  <abarth@webkit.org>
     2
     3        CSP: Eval isn't blocked in about:blank subframes
     4        https://bugs.webkit.org/show_bug.cgi?id=85553
     5
     6        Reviewed by Eric Seidel.
     7
     8        ContentSecurityPolicy has a back pointer to ScriptExecutionContext.
     9        That means we shouldn't share a single ContentSecurityPolicy object
     10        between multiple ScriptExecutionContexts.  This patch copies the state
     11        from one ScriptExecutionContext to another rather than sharing the
     12        ContentSecurityPolicy object itself.
     13
     14        This resulted in a subtle but w.r.t. blocking eval.  Because we block
     15        eval by setting a bit in the JavaScript engine when enforcing the
     16        policy, that bit wasn't copied along with the rest of the state when we
     17        were sharing the ContentSecurityPolicy object.  Now that we use the
     18        more robust ContentSecurityPolicy::copyStateFrom function, we don't
     19        have that bug.
     20
     21        Test: http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html
     22
     23        * dom/Document.cpp:
     24        (WebCore::Document::initSecurityContext):
     25        (WebCore):
     26        (WebCore::Document::initContentSecurityPolicy):
     27        * dom/Document.h:
     28        (Document):
     29        * dom/SecurityContext.cpp:
     30        (WebCore::SecurityContext::setContentSecurityPolicy):
     31        * dom/SecurityContext.h:
     32        (SecurityContext):
     33        * loader/FrameLoader.cpp:
     34        (WebCore::FrameLoader::didBeginDocument):
     35        * page/ContentSecurityPolicy.h:
     36        (WebCore::ContentSecurityPolicy::create):
     37
    1382012-05-03  Abhishek Arya  <inferno@chromium.org>
    239
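Review bot: typo on ChangeLog line 14, "a subtle but w.r.t. blocking eval" should read "a subtle bug w.r.t. blocking eval". Also, the description names ContentSecurityPolicy::copyStateFrom as the fix, but no hunk for page/ContentSecurityPolicy.cpp appears among the files shown here; if that function was added or changed in this commit, the per-file list should include it so a reader can find where the eval bit is propagated.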
  • trunk/Source/WebCore/dom/Document.cpp

    r115819 r116066  
    49774977    // https://bugs.webkit.org/show_bug.cgi?id=15313
    49784978    setSecurityOrigin(ownerFrame->document()->securityOrigin());
    4979     setContentSecurityPolicy(ownerFrame->document()->contentSecurityPolicy());
     4979}
     4980
     4981void Document::initContentSecurityPolicy()
     4982{
     4983    if (!m_frame->tree()->parent() || !shouldInheritSecurityOriginFromOwner(m_url))
     4984        return;
     4985    contentSecurityPolicy()->copyStateFrom(m_frame->tree()->parent()->document()->contentSecurityPolicy());
    49804986}
    49814987
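Review bot: the new initContentSecurityPolicy dereferences contentSecurityPolicy() and the parent document's policy without null checks (line 4985), so it relies on the document's own ContentSecurityPolicy object already existing at didBeginDocument time and on the parent frame having a document; worth an ASSERT on both so a regression surfaces as a crash in debug rather than a silent skip. Note also that the removed line in initSecurityContext copied from ownerFrame->document() while the new code reads m_frame->tree()->parent()->document(); confirm these are the same frame for every case in which shouldInheritSecurityOriginFromOwner(m_url) is true, since the guard on line 4983 is what decides when the inherited policy (and the eval-disabled engine bit the bug report is about) is applied.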
  • trunk/Source/WebCore/dom/Document.h

    r115819 r116066  
    10401040
    10411041    void initSecurityContext();
     1042    void initContentSecurityPolicy();
    10421043
    10431044    // Explicitly override the security origin for this document.
  • trunk/Source/WebCore/dom/SecurityContext.cpp

    r115773 r116066  
    5151}
    5252
    53 void SecurityContext::setContentSecurityPolicy(PassRefPtr<ContentSecurityPolicy> contentSecurityPolicy)
     53void SecurityContext::setContentSecurityPolicy(PassOwnPtr<ContentSecurityPolicy> contentSecurityPolicy)
    5454{
    5555    m_contentSecurityPolicy = contentSecurityPolicy;
  • trunk/Source/WebCore/dom/SecurityContext.h

    r115773 r116066  
    7878    //       that already contains content.
    7979    void setSecurityOrigin(PassRefPtr<SecurityOrigin>);
    80     void setContentSecurityPolicy(PassRefPtr<ContentSecurityPolicy>);
     80    void setContentSecurityPolicy(PassOwnPtr<ContentSecurityPolicy>);
    8181
    8282    void didFailToInitializeSecurityOrigin() { m_haveInitializedSecurityOrigin = false; }
     
    9191    SandboxFlags m_sandboxFlags;
    9292    RefPtr<SecurityOrigin> m_securityOrigin;
    93     RefPtr<ContentSecurityPolicy> m_contentSecurityPolicy;
     93    OwnPtr<ContentSecurityPolicy> m_contentSecurityPolicy;
    9494};
    9595
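Review bot: switching m_contentSecurityPolicy to OwnPtr (line 93) means a second call to setContentSecurityPolicy destroys the previously installed policy, so any raw ContentSecurityPolicy* obtained from contentSecurityPolicy() before that point dangles; the old RefPtr sharing hid this. A short comment on the setter stating that the SecurityContext is the sole owner and that callers must not cache the pointer across a reset would document the new contract.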
  • trunk/Source/WebCore/loader/FrameLoader.cpp

    r115796 r116066  
    607607
    608608    updateFirstPartyForCookies();
     609    m_frame->document()->initContentSecurityPolicy();
    609610
    610611    Settings* settings = m_frame->document()->settings();
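Review bot: the placement of m_frame->document()->initContentSecurityPolicy() on line 609 is what makes the fix effective, because an about:blank child inherits the eval restriction only once copyStateFrom has run; it would help to add a comment here that this call must precede any point at which script can execute in the new document, and that the early return inside initContentSecurityPolicy is what makes the unconditional call safe for top-level frames.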
  • trunk/Source/WebCore/page/ContentSecurityPolicy.h

    r109730 r116066  
    2727#define ContentSecurityPolicy_h
    2828
     29#include <wtf/PassOwnPtr.h>
    2930#include <wtf/RefCounted.h>
    3031#include <wtf/Vector.h>
     
    3738class KURL;
    3839
    39 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> {
     40class ContentSecurityPolicy {
    4041public:
    41     static PassRefPtr<ContentSecurityPolicy> create(ScriptExecutionContext* scriptExecutionContext)
     42    static PassOwnPtr<ContentSecurityPolicy> create(ScriptExecutionContext* scriptExecutionContext)
    4243    {
    43         return adoptRef(new ContentSecurityPolicy(scriptExecutionContext));
     44        return adoptPtr(new ContentSecurityPolicy(scriptExecutionContext));
    4445    }
    4546    ~ContentSecurityPolicy();
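Review bot: now that ContentSecurityPolicy no longer inherits from RefCounted (line 40), the #include <wtf/RefCounted.h> on line 30 looks unused and can be dropped alongside the new PassOwnPtr.h include. Since create() now returns PassOwnPtr, every caller that stored the result in a RefPtr or PassRefPtr has to change in the same commit; the two SecurityContext hunks cover the Document side, so confirm no worker or other ScriptExecutionContext still holds a RefPtr to this type.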