Changeset 117006 in webkit


Timestamp:
May 14, 2012 2:53:58 PM
Author:
commit-queue@webkit.org
Message:

Content Security Policy console errors include violated directive.
https://bugs.webkit.org/show_bug.cgi?id=86323

Source/WebCore:

Patch by Mike West <mike@mikewest.org> on 2012-05-14
Reviewed by Adam Barth.

Console errors generated when resources, inline script/style, or eval
are blocked by Content Security Policy directives should include the
text of the directive that's been violated. This gives developers more
of the information they need to resolve the issue.

Test: http/tests/security/contentSecurityPolicy/*

  • page/ContentSecurityPolicy.cpp:

(WebCore::CSPDirectiveList::checkEvalAndReportViolation):
(WebCore::CSPDirectiveList::checkInlineAndReportViolation):
(WebCore::CSPDirectiveList::checkSourceAndReportViolation):
(WebCore::CSPDirectiveList::allowJavaScriptURLs):
(WebCore::CSPDirectiveList::allowInlineEventHandlers):
(WebCore::CSPDirectiveList::allowInlineScript):
(WebCore::CSPDirectiveList::allowInlineStyle):
(WebCore::CSPDirectiveList::allowEval):

LayoutTests:

Sharded http/tests/security/contentSecurityPolicy/source-list-parsing.html
into four tests, and reworked it to have a well-defined order.

Patch by Mike West <mike@mikewest.org> on 2012-05-14
Reviewed by Adam Barth.

  • http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt:
  • http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt:
  • http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt:
  • http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt:
  • http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt:
  • http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/image-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-none-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt:
  • http/tests/security/contentSecurityPolicy/source-list-parsing-expected.txt: Removed
  • http/tests/security/contentSecurityPolicy/source-list-parsing.html: Removed
  • http/tests/security/contentSecurityPolicy/source-list-parsing-01-expected.txt: Added
  • http/tests/security/contentSecurityPolicy/source-list-parsing-01.html: Added
  • http/tests/security/contentSecurityPolicy/source-list-parsing-02-expected.txt: Added
  • http/tests/security/contentSecurityPolicy/source-list-parsing-02.html: Added
  • http/tests/security/contentSecurityPolicy/source-list-parsing-03-expected.txt: Added
  • http/tests/security/contentSecurityPolicy/source-list-parsing-03.html: Added
  • http/tests/security/contentSecurityPolicy/source-list-parsing-04-expected.txt: Added
  • http/tests/security/contentSecurityPolicy/source-list-parsing-04.html: Added
  • http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt:
  • http/tests/security/contentSecurityPolicy/style-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/worker-connect-src-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/worker-script-src-expected.txt:
  • http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/xsl-img-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt:
  • media/csp-blocks-video-expected.txt:
  • platform/chromium/http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt:
Location:
trunk
Files:
9 added
2 deleted
47 edited
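What the new message wording encodes, as an added example that is not part of this changeset or of WebKit: a simplified JavaScript model of the checks named in the ChangeLog (checkSourceAndReportViolation, checkInlineAndReportViolation, checkEvalAndReportViolation). It assumes the default-src fallback and the reduced source-expression grammar described in its comments; the sample policies and URLs come from the expectation files on this page, and the document URL is a constructed placeholder.

```javascript
// Added example, not WebKit code: a reduced model of the CSP checks whose new
// console wording the expectation files on this page record. Only 'self',
// 'none', 'unsafe-inline', 'unsafe-eval' and host expressions of the form
// [scheme://]host[:port|:*] are understood; this is not WebKit's matcher.

const RESOURCE_DIRECTIVE = {
  script: "script-src", style: "style-src", image: "img-src",
  frame: "frame-src", object: "object-src", connect: "connect-src",
};

// "script-src 'self' http://a; img-src 'none'" -> Map { "script-src" => [...] }.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources); // first occurrence wins
    }
  }
  return directives;
}

// Directive governing `name`: the explicit one, else default-src, else null.
function effectiveDirective(directives, name) {
  if (directives.has(name)) return name;
  if (directives.has("default-src")) return "default-src";
  return null;
}

// The text quoted in the console message, e.g. default-src 'self'.
function directiveText(directives, name) {
  return [name, ...directives.get(name)].join(" ");
}

// Does one host expression such as http://127.0.0.1:* or localhost match url?
function hostExpressionMatches(expr, url, selfOrigin) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Without an explicit scheme the expression inherits the document's scheme.
  const wantScheme = scheme ? scheme.toLowerCase() : selfOrigin.protocol.slice(0, -1);
  if (url.protocol.slice(0, -1) !== wantScheme) return false;
  if (host.toLowerCase() !== url.hostname.toLowerCase()) return false;
  if (port === "*") return true;
  // No port in the expression means the scheme's default port (URL.port === "").
  return (port || "") === url.port;
}

function sourceListAllows(sources, url, selfOrigin) {
  if (sources.includes("'none'")) return false;
  return sources.some((s) => {
    if (s === "'self'") return url.origin === selfOrigin.origin;
    if (s.startsWith("'")) return false; // other keywords never match a URL
    return hostExpressionMatches(s, url, selfOrigin);
  });
}

function format(what, text, reportOnly) {
  const prefix = reportOnly ? "[Report Only] " : "";
  return `${prefix}${what} because it violates the following Content Security Policy directive: "${text}".`;
}

// Returns null when the load is allowed, otherwise the console message.
function checkResource(policy, type, urlString, selfOriginString, reportOnly = false) {
  if (!(type in RESOURCE_DIRECTIVE)) throw new Error(`unknown resource type ${type}`);
  const directives = parsePolicy(policy);
  const name = effectiveDirective(directives, RESOURCE_DIRECTIVE[type]);
  if (name === null) return null;
  const selfOrigin = new URL(selfOriginString);
  const url = new URL(urlString, selfOrigin);
  if (sourceListAllows(directives.get(name), url, selfOrigin)) return null;
  // Connections get their own verb; this page's expectations render it as "connect to connect".
  const action = type === "connect" ? `connect to '${url.href}'` : `load the ${type} '${url.href}'`;
  return format(`Refused to ${action}`, directiveText(directives, name), reportOnly);
}

// kind: "inline script", "inline event handler", "JavaScript URL" or "inline style".
function checkInline(policy, kind, reportOnly = false) {
  const directives = parsePolicy(policy);
  const name = effectiveDirective(directives, kind === "inline style" ? "style-src" : "script-src");
  if (name === null || directives.get(name).includes("'unsafe-inline'")) return null;
  const verb = kind === "inline style" ? "apply" : "execute";
  return format(`Refused to ${verb} ${kind}`, directiveText(directives, name), reportOnly);
}

// eval(), setTimeout(string) and friends need 'unsafe-eval', not 'unsafe-inline'.
function checkEval(policy, reportOnly = false) {
  const directives = parsePolicy(policy);
  const name = effectiveDirective(directives, "script-src");
  if (name === null || directives.get(name).includes("'unsafe-eval'")) return null;
  return format("Refused to evaluate script", directiveText(directives, name), reportOnly);
}

// Demo with policies and URLs from the expectation files; docUrl is constructed.
const docUrl = "http://127.0.0.1:8000/security/contentSecurityPolicy/test.html";
console.log(checkResource("default-src 'self'", "script",
  "http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js", docUrl));
console.log(checkInline("default-src 'self'", "inline script"));
console.log(checkEval("script-src 'unsafe-inline'"));
```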

  • trunk/LayoutTests/ChangeLog

    r116997 r117006  
     12012-05-14  Mike West  <mike@mikewest.org>
     2
     3        Content Security Policy console errors include violated directive.
     4        https://bugs.webkit.org/show_bug.cgi?id=86323
     5
     6        Sharded http/tests/security/contentSecurityPolicy/source-list-parsing.html
     7        into four tests, and reworked it to have a well-defined order.
     8
     9        Reviewed by Adam Barth.
     10
     11        * http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt:
     12        * http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt:
     13        * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt:
     14        * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt:
     15        * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt:
     16        * http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt:
     17        * http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt:
     18        * http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt:
     19        * http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt:
     20        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt:
     21        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt:
     22        * http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt:
     23        * http/tests/security/contentSecurityPolicy/image-blocked-expected.txt:
     24        * http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
     25        * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
     26        * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
     27        * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt:
     28        * http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt:
     29        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
     30        * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt:
     31        * http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt:
     32        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
     33        * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt:
     34        * http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt:
     35        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
     36        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
     37        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
     38        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
     39        * http/tests/security/contentSecurityPolicy/script-src-none-expected.txt:
     40        * http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
     41        * http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt:
     42        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt:
     43        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt:
     44        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt:
     45        * http/tests/security/contentSecurityPolicy/source-list-parsing-expected.txt: Removed
     46        * http/tests/security/contentSecurityPolicy/source-list-parsing.html: Removed
     47        * http/tests/security/contentSecurityPolicy/source-list-parsing-01-expected.txt: Added
     48        * http/tests/security/contentSecurityPolicy/source-list-parsing-01.html: Added
     49        * http/tests/security/contentSecurityPolicy/source-list-parsing-02-expected.txt: Added
     50        * http/tests/security/contentSecurityPolicy/source-list-parsing-02.html: Added
     51        * http/tests/security/contentSecurityPolicy/source-list-parsing-03-expected.txt: Added
     52        * http/tests/security/contentSecurityPolicy/source-list-parsing-03.html: Added
     53        * http/tests/security/contentSecurityPolicy/source-list-parsing-04-expected.txt: Added
     54        * http/tests/security/contentSecurityPolicy/source-list-parsing-04.html: Added
     55        * http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt:
     56        * http/tests/security/contentSecurityPolicy/style-blocked-expected.txt:
     57        * http/tests/security/contentSecurityPolicy/worker-connect-src-blocked-expected.txt:
     58        * http/tests/security/contentSecurityPolicy/worker-script-src-expected.txt:
     59        * http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt:
     60        * http/tests/security/contentSecurityPolicy/xsl-img-blocked-expected.txt:
     61        * http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt:
     62        * media/csp-blocks-video-expected.txt:
     63        * platform/chromium/http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt:
     64
    1652012-05-14  Stephen Chenney  <schenney@chromium.org>
    266
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "default-src 'self'".
    22
    33This page should neither alert "FAIL" nor generate any mixed content warnings in the console.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt

    r116254 r117006  
    1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    3 CONSOLE MESSAGE: Refused to apply inline style because of Content-Security-Policy.
     3CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
    44
    55This test checks that we enforce all the supplied policies. This test passes if it doesn't alert fail and if the style doesn't apply.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load connect from 'http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to connect to connect 'http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis' because it violates the following Content Security Policy directive: "connect-src http://localhost:8000".
    22
    33Pass
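Review bot: the new line 1 reads "Refused to connect to connect 'http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis'"; next to the other expectations in this patch ("load the script", "load the image", "load the frame") it looks like the resource-type word "connect" is being dropped into a sentence that already says "connect to". Suggest special-casing the connect type in CSPDirectiveList::checkSourceAndReportViolation so the message reads "Refused to connect to 'http://…'" and updating this expectation to match; the same doubled wording appears in the websocket, xmlhttprequest and worker-connect-src expectations.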
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load connect from 'ws://localhost:8880/websocket/tests/hybi/echo' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to connect to connect 'ws://localhost:8880/websocket/tests/hybi/echo' because it violates the following Content Security Policy directive: "connect-src ws://127.0.0.1:8880".
    22
    33Pass
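Review bot: same doubled "connect to connect" wording on line 1 as in connect-src-eventsource-blocked-expected.txt; if the message for the connect type is corrected, this expectation needs the same update.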
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load connect from 'http://localhost:8000/xmlhttprequest/resources/get.txt' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to connect to connect 'http://localhost:8000/xmlhttprequest/resources/get.txt' because it violates the following Content Security Policy directive: "connect-src http://127.0.0.1:8000".
    22
    33Pass
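Review bot: same doubled "connect to connect" wording on line 1 as in connect-src-eventsource-blocked-expected.txt; this expectation should change together with that message.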
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
    22
    3 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.
     3CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
    44
    55This test passes if it doesn't alert fail.
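Review bot: both refusals quote "default-src 'self'", which is correct since no script-src is set, but a developer reading the console may not realise that the fix belongs in a script-src directive rather than in default-src. Consider appending a short note when the governing directive is the default-src fallback, for example that script-src was not explicitly set so default-src is being used.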
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt

    r104803 r117006  
    11CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
    22
    3 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     3CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'".
    44
    55This script should not execute even though there are parse errors in the policy.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt

    r104803 r117006  
    11CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'aaa'.
    22
    3 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     3CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'".
    44
    55This script should not execute even though there are parse errors in the policy.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'".
    22
    33This script should not execute even though there are parse errors in the policy.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to evaluate script because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to evaluate script because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'".
    22
    33ALERT: PASS
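Review bot: the quoted directive "script-src 'unsafe-inline'" on line 1 tells the developer which directive blocked the setInterval string, but not that the missing keyword is 'unsafe-eval' rather than 'unsafe-inline', which is the likely confusion here. Since checkEvalAndReportViolation already knows it is reporting the eval case, consider adding that hint to the message.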
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to evaluate script because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to evaluate script because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'".
    22
    33ALERT: PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "frame-src 'none'".
    22
    33
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load image from 'http://127.0.0.1:8000/security/resources/abe.png' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
    22
    33This test passes if it doesn't alert fail.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
    22
    3 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.
     3CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
    44
    55This test passes if it doesn't alert fail.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt

    r104803 r117006  
    11CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
    22
    3 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.
     3CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
    44
    5 CONSOLE MESSAGE: Refused to execute inline event handler because of Content-Security-Policy.
     5CONSOLE MESSAGE: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
    66
    77This test passes if it doesn't alert fail.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt

    r116066 r117006  
    55CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
    66
    7 CONSOLE MESSAGE: Refused to execute JavaScript URL because of Content-Security-Policy.
     7CONSOLE MESSAGE: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
    88
    99This test passes if it doesn't alert fail.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to apply inline style because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
    22
    33PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to apply inline style because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
    22
    33PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt

    r116066 r117006  
    55CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
    66
    7 CONSOLE MESSAGE: Refused to execute JavaScript URL because of Content-Security-Policy.
     7CONSOLE MESSAGE: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'".
    88
    99CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load object from '' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the object '' because it violates the following Content Security Policy directive: "object-src 'none'".
    22
    33This test passes if there is a console message saying the plugin was blocked.
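Review bot: with an object that has no URL the message on line 1 now reads "Refused to load the object ''", an empty quoted string. Consider omitting the quoted URL when it is empty rather than quoting nothing, so the message still reads sensibly.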
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load object from 'data:application/x-webkit-test-netscape,alertwhenloaded' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the object 'data:application/x-webkit-test-netscape,alertwhenloaded' because it violates the following Content Security Policy directive: "object-src 'none'".
    22
    33
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt

    r116274 r117006  
    1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because of Content-Security-Policy.
     1CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33ALERT: PASS
    4 CONSOLE MESSAGE: Refused to load image from 'http://127.0.0.1:8000/security/resources/abe.png' because of Content-Security-Policy.
     4CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
    55
    66CSP report received:
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt

    r116274 r117006  
    1 CONSOLE MESSAGE: [Report Only] Refused to load image from 'http://localhost:8080/security/resources/abe.png' because of Content-Security-Policy.
     1CONSOLE MESSAGE: [Report Only] Refused to load the image 'http://localhost:8080/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
    22
    33CSP report received:
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt

    r116274 r117006  
    1 CONSOLE MESSAGE: [Report Only] Refused to load image from 'http://127.0.0.1:8000/security/resources/abe.png' because of Content-Security-Policy.
     1CONSOLE MESSAGE: [Report Only] Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
    22
    33CSP report received:
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt

    r116274 r117006  
    1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because of Content-Security-Policy.
     1CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33ALERT: PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt

    r116274 r117006  
    1 CONSOLE MESSAGE: [Report Only] Refused to execute inline script because of Content-Security-Policy.
     1CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33ALERT: PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt

    r116274 r117006  
    1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33CSP report received:
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt

    r116274 r117006  
    1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt

    r104803 r117006  
    11CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
    22
    3 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     3CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'".
    44
    55Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to execute inline event handler because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'none'".
    22
    33 
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src localhost".
    22
    3 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     3CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1".
    44
    55Loads an iframe which in turns tries to load an external script. The request for the script is redirected to 'localhost'. The iframe has a content security policy disabling external scripts from hosts other than 'localhost'. So the script should be allowed to run.
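Review bot: the unchanged description on line 5 ("So the script should be allowed to run") contradicts lines 1 and 3, which expect two refusals, and the new wording makes the mismatch visible: the quoted directives are "script-src localhost" and "script-src 127.0.0.1", while the blocked URL is on 127.0.0.1 before the redirect and on localhost after it, so neither policy allows both ends of the redirect chain. Suggest correcting the description in the test page in the same change so the expectation and its prose agree.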
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load script from 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load script from 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the script 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt

    r116335 r117006  
    1 CONSOLE MESSAGE: Refused to execute inline script because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
    22
    33This test passes if it doesn't alert fail.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load style from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/blue.css' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the style 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/blue.css' because it violates the following Content Security Policy directive: "style-src 'none'".
    22
    33PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load connect from 'http://127.0.0.1:8000/xmlhttprequest/resources/get.txt' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to connect to connect 'http://127.0.0.1:8000/xmlhttprequest/resources/get.txt' because it violates the following Content Security Policy directive: "connect-src 'none'".
    22
    33ALERT: xhr blocked
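Review bot: the new line 1 expectation reads "Refused to connect to connect 'http://127.0.0.1:8000/xmlhttprequest/resources/get.txt'", which repeats the word "connect"; this is the output of the message builder in checkSourceAndReportViolation, which substitutes the verb "connect to" for the connect type but still interpolates the type word after it. The expectation should be updated to the intended wording (for example "Refused to connect to 'http://127.0.0.1:8000/xmlhttprequest/resources/get.txt' because it violates ...") together with the builder fix rather than baked in as-is.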
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'".
    22
    33ALERT: Error: SECURITY_ERR: DOM Exception 18
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'".
    22
    33layer at (0,0) size 800x600
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-img-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load image from 'http://127.0.0.1:8000/security/resources/abe.png' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
    22
    33Here is an image: 
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'".
    22
    33layer at (0,0) size 800x600
  • trunk/LayoutTests/media/csp-blocks-video-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load media from 'test.mp4' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the media 'test.mp4' because it violates the following Content Security Policy directive: "media-src 'none'".
    22
    33END OF TEST
  • trunk/LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load media from 'http://127.0.0.1:8000/media/video-load-and-stall.cgi?name=../../../media/content/test.ogv&mimeType=video/ogg&stallAt=100000' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the media 'http://127.0.0.1:8000/media/video-load-and-stall.cgi?name=../../../media/content/test.ogv&mimeType=video/ogg&stallAt=100000' because it violates the following Content Security Policy directive: "media-src 'none'".
    22
    33END OF TEST
  • trunk/LayoutTests/platform/chromium/media/csp-blocks-video-expected.txt

    r104803 r117006  
    1 CONSOLE MESSAGE: Refused to load media from 'test.ogv' because of Content-Security-Policy.
     1CONSOLE MESSAGE: Refused to load the media 'test.ogv' because it violates the following Content Security Policy directive: "media-src 'none'".
    22
    33END OF TEST
  • trunk/Source/WebCore/ChangeLog

    r117005 r117006  
     12012-05-14  Mike West  <mike@mikewest.org>
     2
     3        Content Security Policy console errors include violated directive.
     4        https://bugs.webkit.org/show_bug.cgi?id=86323
     5
     6        Reviewed by Adam Barth.
     7
     8        Console errors generated when resources, inline script/style, or eval
     9        are blocked by Content Security Policy directives should include the
     10        text of the directive that's been violated. This gives developers more
     11        of the information they need to resolve the issue.
     12
     13        Test: http/tests/security/contentSecurityPolicy/*
     14
     15        * page/ContentSecurityPolicy.cpp:
     16        (WebCore::CSPDirectiveList::checkEvalAndReportViolation):
     17        (WebCore::CSPDirectiveList::checkInlineAndReportViolation):
     18        (WebCore::CSPDirectiveList::checkSourceAndReportViolation):
     19        (WebCore::CSPDirectiveList::allowJavaScriptURLs):
     20        (WebCore::CSPDirectiveList::allowInlineEventHandlers):
     21        (WebCore::CSPDirectiveList::allowInlineScript):
     22        (WebCore::CSPDirectiveList::allowInlineStyle):
     23        (WebCore::CSPDirectiveList::allowEval):
     24
    1252012-05-14  Julien Chaffraix  <jchaffraix@webkit.org>
    226
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r116842 r117006  
    643643    if (!directive || directive->allowInline())
    644644        return true;
    645     reportViolation(directive->text(), consoleMessage);
     645    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n");
    646646    return denyIfEnforcingPolicy();
    647647}
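Review bot: new line 645 builds the quoted directive suffix `"\"" + directive->text() + "\".\n"` inline, and the checkEvalAndReportViolation hunk below repeats the identical expression; consider a small helper (for example one that takes the message prefix and the directive and returns the assembled string) so the console message format is defined in one place and stays consistent across the inline, eval and source paths.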
     
    651651    if (checkEval(directive))
    652652        return true;
    653     reportViolation(directive->text(), consoleMessage);
     653    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n");
    654654    return denyIfEnforcingPolicy();
    655655}
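Review bot: new line 653 dereferences `directive->text()` after `checkEval(directive)` returns false, so correctness depends on `checkEval` returning true for a null directive, which is not visible in this hunk; the sibling checkInlineAndReportViolation hunk guards explicitly with `if (!directive || ...)`. An explicit null check (or an ASSERT(directive)) here would make the invariant local and protect against a future change to checkEval.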
     
    659659    if (!directive || directive->allows(url))
    660660        return true;
    661     reportViolation(directive->text(), "Refused to load " + type + " from '" + url.string() + "' because of Content-Security-Policy.\n", url);
     661    String verb = type == "connect" ? "connect to" : "load the";
     662    reportViolation(directive->text(), "Refused to " + verb + " " + type + " '" + url.string() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\".\n", url);
    662663    return denyIfEnforcingPolicy();
    663664}
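Review bot: on new lines 661-662 `verb` becomes "connect to" when `type == "connect"`, but `type` is still appended after the verb, producing "Refused to connect to connect '<url>'" (visible in the updated worker-connect-src-blocked expectation). Suggest emitting the type word only for the "load the" case, e.g. `String subject = type == "connect" ? "" : type + " ";` and then `"Refused to " + verb + " " + subject + "'" + url.string() + "'..."`, so the connect message reads "Refused to connect to '<url>'".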
     
    665666bool CSPDirectiveList::allowJavaScriptURLs() const
    666667{
    667     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because of Content-Security-Policy.\n"));
     668    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "));
    668669    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
    669670}
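Review bot: new line 668 drops the trailing "\n" from the static message and relies on checkInlineAndReportViolation to append the quoted directive and newline; this same suffix "because it violates the following Content Security Policy directive: " is now duplicated across the five DEFINE_STATIC_LOCAL strings in this file. A shared constant for the suffix (or passing only the action phrase such as "execute JavaScript URL" to the report helper) would keep the wording identical if it changes again.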
     
    671672bool CSPDirectiveList::allowInlineEventHandlers() const
    672673{
    673     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because of Content-Security-Policy.\n"));
     674    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because it violates the following Content Security Policy directive: "));
    674675    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
    675676}
     
    677678bool CSPDirectiveList::allowInlineScript() const
    678679{
    679     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because of Content-Security-Policy.\n"));
     680    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because it violates the following Content Security Policy directive: "));
    680681    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
    681682}
     
    683684bool CSPDirectiveList::allowInlineStyle() const
    684685{
    685     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because of Content-Security-Policy.\n"));
     686    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because it violates the following Content Security Policy directive: "));
    686687    return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage);
    687688}
     
    689690bool CSPDirectiveList::allowEval() const
    690691{
    691     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because of Content-Security-Policy.\n"));
     692    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because it violates the following Content Security Policy directive: "));
    692693    return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
    693694}