Changeset 117826 in webkit
- Timestamp:
- May 21, 2012 4:00:46 PM (12 years ago)
- Location:
- trunk
- Files:
-
- 4 added
- 6 edited
trunk/LayoutTests/ChangeLog
r117824 r117826 1 2012-05-21 Mike West <mkwst@chromium.org> 2 3 Blocking `setTimeout` and `setInterval` evaluation with CSP should include a stack trace in the console warning. 4 https://bugs.webkit.org/show_bug.cgi?id=86943 5 6 Reviewed by Adam Barth. 7 8 * http/tests/inspector-enabled/contentSecurityPolicy-blocks-setInterval-expected.txt: Added. 9 * http/tests/inspector-enabled/contentSecurityPolicy-blocks-setInterval.html: Added. 10 * http/tests/inspector-enabled/contentSecurityPolicy-blocks-setTimeout-expected.txt: Added. 11 * http/tests/inspector-enabled/contentSecurityPolicy-blocks-setTimeout.html: Added. 12 1 13 2012-05-21 Levi Weintraub <leviw@chromium.org> 2 14 -
trunk/Source/WebCore/ChangeLog
r117825 r117826 1 2012-05-21 Mike West <mkwst@chromium.org> 2 3 Improving console error for CSP-blocked `setTimeout` and `setInterval` evaluation. 4 https://bugs.webkit.org/show_bug.cgi?id=86943 5 6 Reviewed by Adam Barth. 7 8 If the inspector is open, a stack trace is generated before calling 9 ContentSecurityPolicy::allowEval, and passed through to 10 ContentSecurityPolicy::reportViolation for use in the console message. 11 12 Test: http/tests/inspector-enabled/contentSecurityPolicy-blocks-setInterval.html 13 http/tests/inspector-enabled/contentSecurityPolicy-blocks-setTimeout.html 14 15 * bindings/js/ScheduledAction.cpp: 16 (WebCore::ScheduledAction::create): 17 * bindings/v8/custom/V8DOMWindowCustom.cpp: 18 (WebCore::WindowSetTimeoutImpl): 19 * page/ContentSecurityPolicy.cpp: 20 (CSPDirectiveList): 21 (WebCore::CSPDirectiveList::reportViolation): 22 (WebCore::CSPDirectiveList::checkEvalAndReportViolation): 23 (WebCore::CSPDirectiveList::allowEval): 24 (WebCore): 25 (WebCore::isAllowedByAllWithCallStack): 26 (WebCore::isAllowedByAllWithURL): 27 (WebCore::ContentSecurityPolicy::allowEval): 28 (WebCore::ContentSecurityPolicy::allowScriptFromSource): 29 (WebCore::ContentSecurityPolicy::allowObjectFromSource): 30 (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): 31 (WebCore::ContentSecurityPolicy::allowImageFromSource): 32 (WebCore::ContentSecurityPolicy::allowStyleFromSource): 33 (WebCore::ContentSecurityPolicy::allowFontFromSource): 34 (WebCore::ContentSecurityPolicy::allowMediaFromSource): 35 (WebCore::ContentSecurityPolicy::allowConnectToSource): 36 * page/ContentSecurityPolicy.h: 37 (WebCore): 38 1 39 2012-05-21 Antoine Labour <piman@chromium.org> 2 40 -
trunk/Source/WebCore/bindings/js/ScheduledAction.cpp
r116821 r117826 33 33 #include "JSDOMWindow.h" 34 34 #include "JSMainThreadExecState.h" 35 #include "ScriptCallStack.h" 36 #include "ScriptCallStackFactory.h" 35 37 #include "ScriptController.h" 36 38 #include "ScriptExecutionContext.h" … … 54 56 CallData callData; 55 57 if (getCallData(v, callData) == CallTypeNone) { 56 if (policy && !policy->allowEval()) 58 RefPtr<ScriptCallStack> callStack(createScriptCallStackForInspector(exec)); 59 if (policy && !policy->allowEval(callStack.release())) 57 60 return nullptr; 58 61 UString string = v.toString(exec)->value(exec); -
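Review bot: The call stack is captured before the `policy &&` test in ScheduledAction::create, so with the inspector open every string-argument timer pays for a stack walk even when there is no policy to consult. Passing the factory result inside the short-circuited condition avoids that, e.g. `if (policy && !policy->allowEval(createScriptCallStackForInspector(exec)))`, assuming the factory returns a PassRefPtr as the RefPtr construction suggests. The same ordering appears in WindowSetTimeoutImpl in V8DOMWindowCustom.cpp, where the stack is built before `imp->document()` is checked. Both function bodies continue outside the hunks shown.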
trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
r117733 r117826 49 49 #include "PlatformScreen.h" 50 50 #include "ScheduledAction.h" 51 #include "ScriptCallStack.h" 52 #include "ScriptCallStackFactory.h" 51 53 #include "ScriptSourceCode.h" 52 54 #include "SerializedScriptValue.h" … … 130 132 id = DOMTimer::install(scriptContext, action.release(), timeout, singleShot); 131 133 } else { 132 if (imp->document() && !imp->document()->contentSecurityPolicy()->allowEval()) 134 RefPtr<ScriptCallStack> callStack(createScriptCallStackForInspector()); 135 if (imp->document() && !imp->document()->contentSecurityPolicy()->allowEval(callStack.release())) 133 136 return v8::Integer::New(0); 134 137 id = DOMTimer::install(scriptContext, adoptPtr(new ScheduledAction(V8Proxy::context(imp->frame()), functionString)), timeout, singleShot); -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r117006 r117826 495 495 bool allowInlineScript() const; 496 496 bool allowInlineStyle() const; 497 bool allowEval( ) const;497 bool allowEval(PassRefPtr<ScriptCallStack>) const; 498 498 499 499 bool allowScriptFromSource(const KURL&) const; … … 519 519 520 520 CSPDirective* operativeDirective(CSPDirective*) const; 521 void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL() ) const;521 void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), PassRefPtr<ScriptCallStack> = 0) const; 522 522 void logUnrecognizedDirective(const String& name) const; 523 523 bool checkEval(CSPDirective*) const; 524 524 525 525 bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const; 526 bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage ) const;526 bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage, PassRefPtr<ScriptCallStack>) const; 527 527 bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const; 528 528 … … 576 576 } 577 577 578 void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL ) const578 void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, PassRefPtr<ScriptCallStack> callStack) const 579 579 { 580 580 String message = m_reportOnly ? 
"[Report Only] " + consoleMessage : consoleMessage; 581 m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message );581 m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, String(), 0, callStack); 582 582 583 583 if (m_reportURIs.isEmpty()) … … 647 647 } 648 648 649 bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage ) const649 bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage, PassRefPtr<ScriptCallStack> callStack) const 650 650 { 651 651 if (checkEval(directive)) 652 652 return true; 653 reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n" );653 reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), callStack); 654 654 return denyIfEnforcingPolicy(); 655 655 } … … 688 688 } 689 689 690 bool CSPDirectiveList::allowEval( ) const690 bool CSPDirectiveList::allowEval(PassRefPtr<ScriptCallStack> callStack) const 691 691 { 692 692 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because it violates the following Content Security Policy directive: ")); 693 return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage );693 return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, callStack); 694 694 } 695 695 … … 934 934 } 935 935 936 template<bool (CSPDirectiveList::*allowed)(PassRefPtr<ScriptCallStack>) const> 937 bool isAllowedByAllWithCallStack(const CSPDirectiveListVector& policies, PassRefPtr<ScriptCallStack> callStack) 938 { 939 for (size_t i = 0; i < policies.size(); ++i) { 940 if (!(policies[i].get()->*allowed)(callStack)) 941 return false; 942 } 943 return true; 944 } 945 936 946 template<bool (CSPDirectiveList::*allowFromURL)(const KURL&) const> 937 bool isAllowedByAll (const CSPDirectiveListVector& 
policies, const KURL& url)947 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& url) 938 948 { 939 949 for (size_t i = 0; i < policies.size(); ++i) { … … 966 976 } 967 977 968 bool ContentSecurityPolicy::allowEval( ) const969 { 970 return isAllowedByAll <&CSPDirectiveList::allowEval>(m_policies);978 bool ContentSecurityPolicy::allowEval(PassRefPtr<ScriptCallStack> callStack) const 979 { 980 return isAllowedByAllWithCallStack<&CSPDirectiveList::allowEval>(m_policies, callStack); 971 981 } 972 982 973 983 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const 974 984 { 975 return isAllowedByAll <&CSPDirectiveList::allowScriptFromSource>(m_policies, url);985 return isAllowedByAllWithURL<&CSPDirectiveList::allowScriptFromSource>(m_policies, url); 976 986 } 977 987 978 988 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const 979 989 { 980 return isAllowedByAll <&CSPDirectiveList::allowObjectFromSource>(m_policies, url);990 return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_policies, url); 981 991 } 982 992 983 993 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url) const 984 994 { 985 return isAllowedByAll <&CSPDirectiveList::allowChildFrameFromSource>(m_policies, url);995 return isAllowedByAllWithURL<&CSPDirectiveList::allowChildFrameFromSource>(m_policies, url); 986 996 } 987 997 988 998 bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const 989 999 { 990 return isAllowedByAll <&CSPDirectiveList::allowImageFromSource>(m_policies, url);1000 return isAllowedByAllWithURL<&CSPDirectiveList::allowImageFromSource>(m_policies, url); 991 1001 } 992 1002 993 1003 bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const 994 1004 { 995 return isAllowedByAll <&CSPDirectiveList::allowStyleFromSource>(m_policies, url);1005 return isAllowedByAllWithURL<&CSPDirectiveList::allowStyleFromSource>(m_policies, url); 996 1006 } 997 1007 998 1008 bool 
ContentSecurityPolicy::allowFontFromSource(const KURL& url) const 999 1009 { 1000 return isAllowedByAll <&CSPDirectiveList::allowFontFromSource>(m_policies, url);1010 return isAllowedByAllWithURL<&CSPDirectiveList::allowFontFromSource>(m_policies, url); 1001 1011 } 1002 1012 1003 1013 bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url) const 1004 1014 { 1005 return isAllowedByAll <&CSPDirectiveList::allowMediaFromSource>(m_policies, url);1015 return isAllowedByAllWithURL<&CSPDirectiveList::allowMediaFromSource>(m_policies, url); 1006 1016 } 1007 1017 1008 1018 bool ContentSecurityPolicy::allowConnectToSource(const KURL& url) const 1009 1019 { 1010 return isAllowedByAll <&CSPDirectiveList::allowConnectToSource>(m_policies, url);1011 } 1012 1013 } 1020 return isAllowedByAllWithURL<&CSPDirectiveList::allowConnectToSource>(m_policies, url); 1021 } 1022 1023 } -
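Review bot: In isAllowedByAllWithCallStack the same `PassRefPtr<ScriptCallStack> callStack` is handed to every policy in the loop, but copying a PassRefPtr transfers ownership and leaves the source null, so only the first CSPDirectiveList receives the stack. When a page carries more than one policy (for instance a report-only policy alongside an enforcing one), or when the first list allows eval and a later one blocks it, the violation would reach the console without a trace, which is the information this change is meant to add. Hold the stack in a local before the loop, `RefPtr<ScriptCallStack> stack = callStack;`, and call `(policies[i].get()->*allowed)(stack)` so each iteration gets its own reference.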
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r116842 r117826 35 35 36 36 class CSPDirectiveList; 37 class ScriptCallStack; 37 38 class ScriptExecutionContext; 38 39 class KURL; … … 66 67 bool allowInlineScript() const; 67 68 bool allowInlineStyle() const; 68 bool allowEval( ) const;69 bool allowEval(PassRefPtr<ScriptCallStack>) const; 69 70 70 71 bool allowScriptFromSource(const KURL&) const;
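Review bot: The new `allowEval(PassRefPtr<ScriptCallStack>)` declaration is undocumented, and nothing tells callers that a null stack is acceptable. The ChangeLog says a stack is generated only when the inspector is open, and reportViolation defaults its stack parameter to 0, so null appears to be the normal case. A comment above the declaration such as `// callStack may be null (inspector closed); it is used only for the console message.` would record that. The class body starts and ends outside the hunk.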