Changeset 116177 in webkit


Ignore:
Timestamp:
May 4, 2012 2:40:48 PM (12 years ago)
Author:
abarth@webkit.org
Message:

Refactor CSP state to prepare for having both a ReportOnly and an Enforced policy
https://bugs.webkit.org/show_bug.cgi?id=85662

Reviewed by Eric Seidel.

Source/WebCore:

This patch refactors the ContentSecurityPolicy state into a separate
DirectiveList class to prepare for
https://bugs.webkit.org/show_bug.cgi?id=85561, which will cause us to
need two directive lists: one for enforcement and one for monitoring.

This patch shouldn't cause any change in behavior.

  • page/ContentSecurityPolicy.cpp:

(CSPDirectiveList):
(WebCore::CSPDirectiveList::header):
(WebCore::CSPDirectiveList::headerType):
(WebCore::CSPDirectiveList::denyIfEnforcingPolicy):
(WebCore):
(WebCore::CSPDirectiveList::CSPDirectiveList):
(WebCore::CSPDirectiveList::create):
(WebCore::CSPDirectiveList::reportViolation):
(WebCore::CSPDirectiveList::logUnrecognizedDirective):
(WebCore::CSPDirectiveList::checkEval):
(WebCore::CSPDirectiveList::operativeDirective):
(WebCore::CSPDirectiveList::checkInlineAndReportViolation):
(WebCore::CSPDirectiveList::checkEvalAndReportViolation):
(WebCore::CSPDirectiveList::checkSourceAndReportViolation):
(WebCore::CSPDirectiveList::allowJavaScriptURLs):
(WebCore::CSPDirectiveList::allowInlineEventHandlers):
(WebCore::CSPDirectiveList::allowInlineScript):
(WebCore::CSPDirectiveList::allowInlineStyle):
(WebCore::CSPDirectiveList::allowEval):
(WebCore::CSPDirectiveList::allowScriptFromSource):
(WebCore::CSPDirectiveList::allowObjectFromSource):
(WebCore::CSPDirectiveList::allowChildFrameFromSource):
(WebCore::CSPDirectiveList::allowImageFromSource):
(WebCore::CSPDirectiveList::allowStyleFromSource):
(WebCore::CSPDirectiveList::allowFontFromSource):
(WebCore::CSPDirectiveList::allowMediaFromSource):
(WebCore::CSPDirectiveList::allowConnectFromSource):
(WebCore::CSPDirectiveList::parse):
(WebCore::CSPDirectiveList::parseDirective):
(WebCore::CSPDirectiveList::parseReportURI):
(WebCore::CSPDirectiveList::createCSPDirective):
(WebCore::CSPDirectiveList::applySandboxPolicy):
(WebCore::CSPDirectiveList::addDirective):
(WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
(WebCore::ContentSecurityPolicy::~ContentSecurityPolicy):
(WebCore::ContentSecurityPolicy::copyStateFrom):
(WebCore::ContentSecurityPolicy::didReceiveHeader):
(WebCore::ContentSecurityPolicy::setOverrideAllowInlineStyle):
(WebCore::ContentSecurityPolicy::header):
(WebCore::ContentSecurityPolicy::headerType):
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
(WebCore::ContentSecurityPolicy::allowInlineScript):
(WebCore::ContentSecurityPolicy::allowInlineStyle):
(WebCore::ContentSecurityPolicy::allowEval):
(WebCore::ContentSecurityPolicy::allowScriptFromSource):
(WebCore::ContentSecurityPolicy::allowObjectFromSource):
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource):
(WebCore::ContentSecurityPolicy::allowImageFromSource):
(WebCore::ContentSecurityPolicy::allowStyleFromSource):
(WebCore::ContentSecurityPolicy::allowFontFromSource):
(WebCore::ContentSecurityPolicy::allowMediaFromSource):
(WebCore::ContentSecurityPolicy::allowConnectFromSource):

  • page/ContentSecurityPolicy.h:

(WebCore):

  • workers/WorkerMessagingProxy.cpp:

(WebCore::WorkerMessagingProxy::startWorkerContext):

Source/WebKit/chromium:

Update callers to the new function name.

  • src/SharedWorkerRepository.cpp:

(WebCore::SharedWorkerScriptLoader::notifyFinished):

  • src/WebWorkerClientImpl.cpp:

(WebKit::WebWorkerClientImpl::startWorkerContext):

Location:
trunk/Source
Files:
8 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebCore/ChangeLog

    r116174 r116177  
     12012-05-04  Adam Barth  <abarth@webkit.org>
     2
     3        Refactor CSP state to prepare for having both a ReportOnly and an Enforced policy
     4        https://bugs.webkit.org/show_bug.cgi?id=85662
     5
     6        Reviewed by Eric Seidel.
     7
     8        This patch refactors the ContentSecurityPolicy state into a separate
     9        DirectiveList class to prepare for
     10        https://bugs.webkit.org/show_bug.cgi?id=85561, which will cause us to
     11        need two directive lists: one for enforcement and one for monitoring.
     12
     13        This patch shouldn't cause any change in behavior.
     14
     15        * page/ContentSecurityPolicy.cpp:
     16        (CSPDirectiveList):
     17        (WebCore::CSPDirectiveList::header):
     18        (WebCore::CSPDirectiveList::headerType):
     19        (WebCore::CSPDirectiveList::denyIfEnforcingPolicy):
     20        (WebCore):
     21        (WebCore::CSPDirectiveList::CSPDirectiveList):
     22        (WebCore::CSPDirectiveList::create):
     23        (WebCore::CSPDirectiveList::reportViolation):
     24        (WebCore::CSPDirectiveList::logUnrecognizedDirective):
     25        (WebCore::CSPDirectiveList::checkEval):
     26        (WebCore::CSPDirectiveList::operativeDirective):
     27        (WebCore::CSPDirectiveList::checkInlineAndReportViolation):
     28        (WebCore::CSPDirectiveList::checkEvalAndReportViolation):
     29        (WebCore::CSPDirectiveList::checkSourceAndReportViolation):
     30        (WebCore::CSPDirectiveList::allowJavaScriptURLs):
     31        (WebCore::CSPDirectiveList::allowInlineEventHandlers):
     32        (WebCore::CSPDirectiveList::allowInlineScript):
     33        (WebCore::CSPDirectiveList::allowInlineStyle):
     34        (WebCore::CSPDirectiveList::allowEval):
     35        (WebCore::CSPDirectiveList::allowScriptFromSource):
     36        (WebCore::CSPDirectiveList::allowObjectFromSource):
     37        (WebCore::CSPDirectiveList::allowChildFrameFromSource):
     38        (WebCore::CSPDirectiveList::allowImageFromSource):
     39        (WebCore::CSPDirectiveList::allowStyleFromSource):
     40        (WebCore::CSPDirectiveList::allowFontFromSource):
     41        (WebCore::CSPDirectiveList::allowMediaFromSource):
     42        (WebCore::CSPDirectiveList::allowConnectFromSource):
     43        (WebCore::CSPDirectiveList::parse):
     44        (WebCore::CSPDirectiveList::parseDirective):
     45        (WebCore::CSPDirectiveList::parseReportURI):
     46        (WebCore::CSPDirectiveList::createCSPDirective):
     47        (WebCore::CSPDirectiveList::applySandboxPolicy):
     48        (WebCore::CSPDirectiveList::addDirective):
     49        (WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
     50        (WebCore::ContentSecurityPolicy::~ContentSecurityPolicy):
     51        (WebCore::ContentSecurityPolicy::copyStateFrom):
     52        (WebCore::ContentSecurityPolicy::didReceiveHeader):
     53        (WebCore::ContentSecurityPolicy::setOverrideAllowInlineStyle):
     54        (WebCore::ContentSecurityPolicy::header):
     55        (WebCore::ContentSecurityPolicy::headerType):
     56        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
     57        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
     58        (WebCore::ContentSecurityPolicy::allowInlineScript):
     59        (WebCore::ContentSecurityPolicy::allowInlineStyle):
     60        (WebCore::ContentSecurityPolicy::allowEval):
     61        (WebCore::ContentSecurityPolicy::allowScriptFromSource):
     62        (WebCore::ContentSecurityPolicy::allowObjectFromSource):
     63        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource):
     64        (WebCore::ContentSecurityPolicy::allowImageFromSource):
     65        (WebCore::ContentSecurityPolicy::allowStyleFromSource):
     66        (WebCore::ContentSecurityPolicy::allowFontFromSource):
     67        (WebCore::ContentSecurityPolicy::allowMediaFromSource):
     68        (WebCore::ContentSecurityPolicy::allowConnectFromSource):
     69        * page/ContentSecurityPolicy.h:
     70        (WebCore):
     71        * workers/WorkerMessagingProxy.cpp:
     72        (WebCore::WorkerMessagingProxy::startWorkerContext):
     73
    1742012-05-04  Abhishek Arya  <inferno@chromium.org>
    275

  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r116052 r116177  
    483483};
    484484
    485 ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
    486     : m_havePolicy(false)
    487     , m_scriptExecutionContext(scriptExecutionContext)
     485class CSPDirectiveList {
     486public:
     487    static PassOwnPtr<CSPDirectiveList> create(ScriptExecutionContext*, const String&, ContentSecurityPolicy::HeaderType);
     488
     489    const String& header() const { return m_header; }
     490    ContentSecurityPolicy::HeaderType headerType() const { return m_reportOnly ? ContentSecurityPolicy::ReportOnly : ContentSecurityPolicy::EnforcePolicy; }
     491
     492    bool allowJavaScriptURLs() const;
     493    bool allowInlineEventHandlers() const;
     494    bool allowInlineScript() const;
     495    bool allowInlineStyle() const;
     496    bool allowEval() const;
     497
     498    bool allowScriptFromSource(const KURL&) const;
     499    bool allowObjectFromSource(const KURL&) const;
     500    bool allowChildFrameFromSource(const KURL&) const;
     501    bool allowImageFromSource(const KURL&) const;
     502    bool allowStyleFromSource(const KURL&) const;
     503    bool allowFontFromSource(const KURL&) const;
     504    bool allowMediaFromSource(const KURL&) const;
     505    bool allowConnectFromSource(const KURL&) const;
     506
     507private:
     508    explicit CSPDirectiveList(ScriptExecutionContext*);
     509
     510    void parse(const String&);
     511
     512    bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
     513    void parseReportURI(const String&);
     514    void addDirective(const String& name, const String& value);
     515    void applySandboxPolicy(const String& sandboxPolicy);
     516
     517    PassOwnPtr<CSPDirective> createCSPDirective(const String& name, const String& value);
     518
     519    CSPDirective* operativeDirective(CSPDirective*) const;
     520    void reportViolation(const String& directiveText, const String& consoleMessage) const;
     521    void logUnrecognizedDirective(const String& name) const;
     522    bool checkEval(CSPDirective*) const;
     523
     524    bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const;
     525    bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage) const;
     526    bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
     527
     528    bool denyIfEnforcingPolicy() const { return m_reportOnly; }
     529
     530    ScriptExecutionContext* m_scriptExecutionContext;
     531    String m_header;
     532
     533    bool m_reportOnly;
     534    bool m_haveSandboxPolicy;
     535
     536    OwnPtr<CSPDirective> m_defaultSrc;
     537    OwnPtr<CSPDirective> m_scriptSrc;
     538    OwnPtr<CSPDirective> m_objectSrc;
     539    OwnPtr<CSPDirective> m_frameSrc;
     540    OwnPtr<CSPDirective> m_imgSrc;
     541    OwnPtr<CSPDirective> m_styleSrc;
     542    OwnPtr<CSPDirective> m_fontSrc;
     543    OwnPtr<CSPDirective> m_mediaSrc;
     544    OwnPtr<CSPDirective> m_connectSrc;
     545
     546    Vector<KURL> m_reportURLs;
     547};
     548
     549CSPDirectiveList::CSPDirectiveList(ScriptExecutionContext* scriptExecutionContext)
     550    : m_scriptExecutionContext(scriptExecutionContext)
    488551    , m_reportOnly(false)
    489552    , m_haveSandboxPolicy(false)
    490     , m_overrideInlineStyleAllowed(false)
    491 {
    492 }
    493 
    494 ContentSecurityPolicy::~ContentSecurityPolicy()
    495 {
    496 }
    497 
    498 void ContentSecurityPolicy::copyStateFrom(const ContentSecurityPolicy* other)
    499 {
    500     ASSERT(!m_havePolicy);
    501     if (other->m_havePolicy)
    502         didReceiveHeader(other->m_header, other->m_reportOnly ? ReportOnly : EnforcePolicy);
    503 }
    504 
    505 void ContentSecurityPolicy::didReceiveHeader(const String& header, HeaderType type)
    506 {
    507     if (m_havePolicy)
    508         return; // The first policy wins.
    509 
    510     parse(header);
    511     m_havePolicy = true;
    512     m_header = header;
     553{
     554}
     555
     556PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ScriptExecutionContext* scriptExecutionContext, const String& header, ContentSecurityPolicy::HeaderType type)
     557{
     558    OwnPtr<CSPDirectiveList> policy = adoptPtr(new CSPDirectiveList(scriptExecutionContext));
     559    policy->parse(header);
     560    policy->m_header = header;
    513561
    514562    switch (type) {
    515     case ReportOnly:
    516         m_reportOnly = true;
    517         return;
    518     case EnforcePolicy:
    519         ASSERT(!m_reportOnly);
     563    case ContentSecurityPolicy::ReportOnly:
     564        policy->m_reportOnly = true;
     565        return policy.release();
     566    case ContentSecurityPolicy::EnforcePolicy:
     567        ASSERT(!policy->m_reportOnly);
    520568        break;
    521569    }
    522570
    523     if (!checkEval(operativeDirective(m_scriptSrc.get())))
    524         m_scriptExecutionContext->disableEval();
    525 }
    526 
    527 void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& consoleMessage) const
     571    if (!policy->checkEval(policy->operativeDirective(policy->m_scriptSrc.get())))
     572        scriptExecutionContext->disableEval();
     573
     574    return policy.release();
     575}
     576
     577void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage) const
    528578{
    529579    String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
     
    563613}
    564614
    565 void ContentSecurityPolicy::logUnrecognizedDirective(const String& name) const
     615void CSPDirectiveList::logUnrecognizedDirective(const String& name) const
    566616{
    567617    String message = makeString("Unrecognized Content-Security-Policy directive '", name, "'.\n");
     
    569619}
    570620
    571 bool ContentSecurityPolicy::checkEval(CSPDirective* directive) const
     621bool CSPDirectiveList::checkEval(CSPDirective* directive) const
    572622{
    573623    return !directive || directive->allowEval();
    574624}
    575625
    576 CSPDirective* ContentSecurityPolicy::operativeDirective(CSPDirective* directive) const
     626CSPDirective* CSPDirectiveList::operativeDirective(CSPDirective* directive) const
    577627{
    578628    return directive ? directive : m_defaultSrc.get();
    579629}
    580630
    581 bool ContentSecurityPolicy::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
     631bool CSPDirectiveList::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
    582632{
    583633    if (!directive || directive->allowInline())
     
    587637}
    588638
    589 bool ContentSecurityPolicy::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
     639bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
    590640{
    591641    if (checkEval(directive))
     
    595645}
    596646
    597 bool ContentSecurityPolicy::checkSourceAndReportViolation(CSPDirective* directive, const KURL& url, const String& type) const
     647bool CSPDirectiveList::checkSourceAndReportViolation(CSPDirective* directive, const KURL& url, const String& type) const
    598648{
    599649    if (!directive || directive->allows(url))
     
    603653}
    604654
    605 bool ContentSecurityPolicy::allowJavaScriptURLs() const
     655bool CSPDirectiveList::allowJavaScriptURLs() const
    606656{
    607657    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because of Content-Security-Policy.\n"));
     
    609659}
    610660
    611 bool ContentSecurityPolicy::allowInlineEventHandlers() const
     661bool CSPDirectiveList::allowInlineEventHandlers() const
    612662{
    613663    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because of Content-Security-Policy.\n"));
     
    615665}
    616666
    617 bool ContentSecurityPolicy::allowInlineScript() const
     667bool CSPDirectiveList::allowInlineScript() const
    618668{
    619669    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because of Content-Security-Policy.\n"));
     
    621671}
    622672
    623 bool ContentSecurityPolicy::allowInlineStyle() const
     673bool CSPDirectiveList::allowInlineStyle() const
    624674{
    625675    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because of Content-Security-Policy.\n"));
    626     return m_overrideInlineStyleAllowed || checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage);
    627 }
    628 
    629 bool ContentSecurityPolicy::allowEval() const
     676    return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage);
     677}
     678
     679bool CSPDirectiveList::allowEval() const
    630680{
    631681    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because of Content-Security-Policy.\n"));
     
    633683}
    634684
    635 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const
     685bool CSPDirectiveList::allowScriptFromSource(const KURL& url) const
    636686{
    637687    DEFINE_STATIC_LOCAL(String, type, ("script"));
     
    639689}
    640690
    641 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const
     691bool CSPDirectiveList::allowObjectFromSource(const KURL& url) const
    642692{
    643693    DEFINE_STATIC_LOCAL(String, type, ("object"));
     
    647697}
    648698
    649 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url) const
     699bool CSPDirectiveList::allowChildFrameFromSource(const KURL& url) const
    650700{
    651701    DEFINE_STATIC_LOCAL(String, type, ("frame"));
     
    655705}
    656706
    657 bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const
     707bool CSPDirectiveList::allowImageFromSource(const KURL& url) const
    658708{
    659709    DEFINE_STATIC_LOCAL(String, type, ("image"));
     
    661711}
    662712
    663 bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const
     713bool CSPDirectiveList::allowStyleFromSource(const KURL& url) const
    664714{
    665715    DEFINE_STATIC_LOCAL(String, type, ("style"));
     
    667717}
    668718
    669 bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const
     719bool CSPDirectiveList::allowFontFromSource(const KURL& url) const
    670720{
    671721    DEFINE_STATIC_LOCAL(String, type, ("font"));
     
    673723}
    674724
    675 bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url) const
     725bool CSPDirectiveList::allowMediaFromSource(const KURL& url) const
    676726{
    677727    DEFINE_STATIC_LOCAL(String, type, ("media"));
     
    679729}
    680730
    681 bool ContentSecurityPolicy::allowConnectFromSource(const KURL& url) const
     731bool CSPDirectiveList::allowConnectFromSource(const KURL& url) const
    682732{
    683733    DEFINE_STATIC_LOCAL(String, type, ("connect"));
    684734    return checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type);
    685 }
    686 
    687 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value)
    688 {
    689     m_overrideInlineStyleAllowed = value;
    690735}
    691736
     
    693738// directive-list    = [ directive *( ";" [ directive ] ) ]
    694739//
    695 void ContentSecurityPolicy::parse(const String& policy)
    696 {
    697     ASSERT(!m_havePolicy);
    698 
     740void CSPDirectiveList::parse(const String& policy)
     741{
    699742    if (policy.isEmpty())
    700743        return;
     
    722765// directive-value   = *( WSP / <VCHAR except ";"> )
    723766//
    724 bool ContentSecurityPolicy::parseDirective(const UChar* begin, const UChar* end, String& name, String& value)
     767bool CSPDirectiveList::parseDirective(const UChar* begin, const UChar* end, String& name, String& value)
    725768{
    726769    ASSERT(name.isEmpty());
     
    761804}
    762805
    763 void ContentSecurityPolicy::parseReportURI(const String& value)
     806void CSPDirectiveList::parseReportURI(const String& value)
    764807{
    765808    const UChar* position = value.characters();
     
    779822}
    780823
    781 PassOwnPtr<CSPDirective> ContentSecurityPolicy::createCSPDirective(const String& name, const String& value)
     824PassOwnPtr<CSPDirective> CSPDirectiveList::createCSPDirective(const String& name, const String& value)
    782825{
    783826    return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext));
    784827}
    785828
    786 void ContentSecurityPolicy::applySandboxPolicy(const String& sandboxPolicy)
     829void CSPDirectiveList::applySandboxPolicy(const String& sandboxPolicy)
    787830{
    788831    ASSERT(!m_haveSandboxPolicy);
     
    791834}
    792835
    793 void ContentSecurityPolicy::addDirective(const String& name, const String& value)
     836void CSPDirectiveList::addDirective(const String& name, const String& value)
    794837{
    795838    DEFINE_STATIC_LOCAL(String, defaultSrc, ("default-src"));
     
    833876}
    834877
    835 }
     878ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
     879    : m_scriptExecutionContext(scriptExecutionContext)
     880    , m_overrideInlineStyleAllowed(false)
     881{
     882}
     883
     884ContentSecurityPolicy::~ContentSecurityPolicy()
     885{
     886}
     887
     888void ContentSecurityPolicy::copyStateFrom(const ContentSecurityPolicy* other)
     889{
     890    ASSERT(!m_policy);
     891    if (other->m_policy)
     892        didReceiveHeader(other->header(), other->headerType());
     893}
     894
     895void ContentSecurityPolicy::didReceiveHeader(const String& header, HeaderType type)
     896{
     897    if (m_policy)
     898        return; // The first policy wins.
     899    m_policy = CSPDirectiveList::create(m_scriptExecutionContext, header, type);
     900}
     901
     902void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value)
     903{
     904    m_overrideInlineStyleAllowed = value;
     905}
     906
     907const String& ContentSecurityPolicy::header() const
     908{
     909    return m_policy ? m_policy->header() : emptyString();
     910}
     911
     912ContentSecurityPolicy::HeaderType ContentSecurityPolicy::headerType() const
     913{
     914    return m_policy ? m_policy->headerType() : EnforcePolicy;
     915}
     916
     917bool ContentSecurityPolicy::allowJavaScriptURLs() const
     918{
     919    return !m_policy || m_policy->allowJavaScriptURLs();
     920}
     921
     922bool ContentSecurityPolicy::allowInlineEventHandlers() const
     923{
     924    return !m_policy || m_policy->allowInlineEventHandlers();
     925}
     926
     927bool ContentSecurityPolicy::allowInlineScript() const
     928{
     929    return !m_policy || m_policy->allowInlineScript();
     930}
     931
     932bool ContentSecurityPolicy::allowInlineStyle() const
     933{
     934    return !m_policy || m_overrideInlineStyleAllowed || m_policy->allowInlineStyle();
     935}
     936
     937bool ContentSecurityPolicy::allowEval() const
     938{
     939    return !m_policy || m_policy->allowEval();
     940}
     941
     942bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const
     943{
     944    return !m_policy || m_policy->allowScriptFromSource(url);
     945}
     946
     947bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const
     948{
     949    return !m_policy || m_policy->allowObjectFromSource(url);
     950}
     951
     952bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url) const
     953{
     954    return !m_policy || m_policy->allowChildFrameFromSource(url);
     955}
     956
     957bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const
     958{
     959    return !m_policy || m_policy->allowImageFromSource(url);
     960}
     961
     962bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const
     963{
     964    return !m_policy || m_policy->allowStyleFromSource(url);
     965}
     966
     967bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const
     968{
     969    return !m_policy || m_policy->allowFontFromSource(url);
     970}
     971
     972bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url) const
     973{
     974    return !m_policy || m_policy->allowMediaFromSource(url);
     975}
     976
     977bool ContentSecurityPolicy::allowConnectFromSource(const KURL& url) const
     978{
     979    return !m_policy || m_policy->allowConnectFromSource(url);
     980}
     981
     982}

  • trunk/Source/WebCore/page/ContentSecurityPolicy.h

    r116066 r116177  
    3434namespace WebCore {
    3535
    36 class CSPDirective;
     36class CSPDirectiveList;
    3737class ScriptExecutionContext;
    3838class KURL;
     
    5454
    5555    void didReceiveHeader(const String&, HeaderType);
    56     String policy() { return m_header; }
    57     HeaderType headerType() { return m_reportOnly ? ReportOnly : EnforcePolicy; }
     56
     57    const String& header() const;
     58    HeaderType headerType() const;
    5859
    5960    bool allowJavaScriptURLs() const;
     
    7778    explicit ContentSecurityPolicy(ScriptExecutionContext*);
    7879
    79     void parse(const String&);
    80     bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
    81     void parseReportURI(const String&);
    82     void addDirective(const String& name, const String& value);
    83     void applySandboxPolicy(const String& sandboxPolicy);
    84 
    85     PassOwnPtr<CSPDirective> createCSPDirective(const String& name, const String& value);
    86 
    87     CSPDirective* operativeDirective(CSPDirective*) const;
    88     void reportViolation(const String& directiveText, const String& consoleMessage) const;
    89     void logUnrecognizedDirective(const String& name) const;
    90     bool checkEval(CSPDirective*) const;
    91 
    92     bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const;
    93     bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage) const;
    94     bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
    95 
    96     bool denyIfEnforcingPolicy() const { return m_reportOnly; }
    97 
    98     bool m_havePolicy;
    9980    ScriptExecutionContext* m_scriptExecutionContext;
    100 
    101     bool m_reportOnly;
    102     String m_header;
    103     OwnPtr<CSPDirective> m_defaultSrc;
    104     OwnPtr<CSPDirective> m_scriptSrc;
    105     OwnPtr<CSPDirective> m_objectSrc;
    106     OwnPtr<CSPDirective> m_frameSrc;
    107     OwnPtr<CSPDirective> m_imgSrc;
    108     OwnPtr<CSPDirective> m_styleSrc;
    109     OwnPtr<CSPDirective> m_fontSrc;
    110     OwnPtr<CSPDirective> m_mediaSrc;
    111     OwnPtr<CSPDirective> m_connectSrc;
    112     bool m_haveSandboxPolicy;
    11381    bool m_overrideInlineStyleAllowed;
    114     Vector<KURL> m_reportURLs;
     82    OwnPtr<CSPDirectiveList> m_policy;
    11583};
    11684

  • trunk/Source/WebCore/workers/DefaultSharedWorkerRepository.cpp

    r113138 r116177  
    323323        DefaultSharedWorkerRepository::instance().workerScriptLoaded(*m_proxy, m_worker->scriptExecutionContext()->userAgent(m_scriptLoader->url()),
    324324                                                                     m_scriptLoader->script(), m_port.release(),
    325                                                                      m_worker->scriptExecutionContext()->contentSecurityPolicy()->policy(),
     325                                                                     m_worker->scriptExecutionContext()->contentSecurityPolicy()->header(),
    326326                                                                     m_worker->scriptExecutionContext()->contentSecurityPolicy()->headerType());
    327327    }

  • trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp

    r113138 r116177  
    273273{
    274274    RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode,
    275                                                                          m_scriptExecutionContext->contentSecurityPolicy()->policy(),
     275                                                                         m_scriptExecutionContext->contentSecurityPolicy()->header(),
    276276                                                                         m_scriptExecutionContext->contentSecurityPolicy()->headerType());
    277277    workerThreadCreated(thread);

  • trunk/Source/WebKit/chromium/ChangeLog

    r116142 r116177  
     12012-05-04  Adam Barth  <abarth@webkit.org>
     2
     3        Refactor CSP state to prepare for having both a ReportOnly and an Enforced policy
     4        https://bugs.webkit.org/show_bug.cgi?id=85662
     5
     6        Reviewed by Eric Seidel.
     7
     8        Update callers to the new function name.
     9
     10        * src/SharedWorkerRepository.cpp:
     11        (WebCore::SharedWorkerScriptLoader::notifyFinished):
     12        * src/WebWorkerClientImpl.cpp:
     13        (WebKit::WebWorkerClientImpl::startWorkerContext):
     14
    1152012-05-04  Sami Kyostila  <skyostil@chromium.org>
    216

  • trunk/Source/WebKit/chromium/src/SharedWorkerRepository.cpp

    r105380 r116177  
    172172        // Pass the script off to the worker, then send a connect event.
    173173        m_webWorker->startWorkerContext(m_url, m_name, m_worker->scriptExecutionContext()->userAgent(m_url), m_scriptLoader->script(),
    174                                         m_worker->scriptExecutionContext()->contentSecurityPolicy()->policy(),
     174                                        m_worker->scriptExecutionContext()->contentSecurityPolicy()->header(),
    175175                                        static_cast<WebKit::WebContentSecurityPolicyType>(m_worker->scriptExecutionContext()->contentSecurityPolicy()->headerType()),
    176176                                        m_responseAppCacheID);

  • trunk/Source/WebKit/chromium/src/WebWorkerClientImpl.cpp

    r114215 r116177  
    8888{
    8989    RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode,
    90                                                                          m_scriptExecutionContext->contentSecurityPolicy()->policy(),
     90                                                                         m_scriptExecutionContext->contentSecurityPolicy()->header(),
    9191                                                                         m_scriptExecutionContext->contentSecurityPolicy()->headerType());
    9292    m_proxy->workerThreadCreated(thread);
Note: See TracChangeset for help on using the changeset viewer.