Context Navigation

← Previous Changeset
Next Changeset →

Changeset 121883 in webkit

Timestamp:

Jul 4, 2012 11:45:37 PM (12 years ago)

Author:

commit-queue@webkit.org

Message:

Implement the script-nonce Content Security Policy directive.
https://bugs.webkit.org/show_bug.cgi?id=89577

Patch by Mike West <mkwst@chromium.org> on 2012-07-04
Reviewed by Adam Barth.

Source/WebCore:

This patch implements the (experimental) script-nonce Content Security
Policy directive from the 1.1 spec, which allows for selective
execution of script by specifying a "nonce" attribute for the
script tag. Script is only loaded and executed if it both matches the
nonce and matches the script-src whitelist (if present).

The implementation is gated on the ENABLE_CSP_NEXT flag, which is
currently disabled for all ports other than Chromium.

Spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental

Tests: http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html

http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce.html
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce.html
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html

dom/ScriptElement.cpp:

(WebCore::ScriptElement::requestScript):
(WebCore::ScriptElement::executeScript):

Passing the nonce attribute through to check against CSP.

html/HTMLAttributeNames.in:
html/HTMLScriptElement.idl:

Adding the nonce attribute to the script tag.

page/ContentSecurityPolicy.cpp:

(CSPDirectiveList):
(WebCore::CSPDirectiveList::logInvalidNonce):
(WebCore):
(WebCore::CSPDirectiveList::checkNonceAndReportViolation):
(WebCore::CSPDirectiveList::allowJavaScriptURLs):
(WebCore::CSPDirectiveList::allowInlineEventHandlers):

If a nonce is set, deny JavaScript URLs and inline event handlers.

(WebCore::CSPDirectiveList::allowScriptNonce):
(WebCore::CSPDirectiveList::parseScriptNonce):
(WebCore::CSPDirectiveList::addDirective):
(WebCore::isAllowedByAllWithNonce):
(WebCore::ContentSecurityPolicy::allowScriptNonce):

page/ContentSecurityPolicy.h:

(WebCore):

LayoutTests:

http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html: Added.
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce.html: Added.
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html: Added.
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce.html: Added.
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html: Added.
http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl:

Adding noncy goodness to the echo script.

http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:

(test):

platform/gtk/TestExpectations:

Skipping 1.1 tests on GTK (missed it in r121879).

Location:

trunk

Files:

: 11 added
: 10 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/http/tests/security/contentSecurityPolicy/1.1 (added)
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt (added)
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html (added)
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce-expected.txt (added)
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce.html (added)
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt (added)
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html (added)
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce-expected.txt (added)
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce.html (added)
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt (added)
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html (added)
LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl (modified) (2 diffs)
LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js (modified) (1 diff)
LayoutTests/platform/gtk/TestExpectations (modified) (1 diff)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/dom/ScriptElement.cpp (modified) (2 diffs)
Source/WebCore/html/HTMLAttributeNames.in (modified) (1 diff)
Source/WebCore/html/HTMLScriptElement.idl (modified) (1 diff)
Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (15 diffs)
Source/WebCore/page/ContentSecurityPolicy.h (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r121879
+                      r121883
+-07-04  Mike West  <mkwst@chromium.org>
+        Implement the script-nonce Content Security Policy directive.
+        https://bugs.webkit.org/show_bug.cgi?id=89577
+        Reviewed by Adam Barth.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl:
+            Adding noncy goodness to the echo script.
+        * http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:
+        (test):
+        * platform/gtk/TestExpectations:
+            Skipping 1.1 tests on GTK (missed it in r121879).
 -07-04  Mike West  <mkwst@chromium.org>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl

-                      r78058
+                      r121883
 ($text, $replacement) = ($replacement, $text) if $cgi->param('should_run') eq 'no';
+my $nonce = "";
+if ($cgi->param('nonce') ne '') {
+  $nonce = "nonce='".$cgi->param('nonce')."'";
+}
 print "<!DOCTYPE html>\n";
 print "<html>\n";
 …
 print "$text\n";
 print "</div>\n";
 print "<script src=\"".$cgi->param('q')."\"></script>\n";
+print "<script $nonce src=\"".$cgi->param('q')."\"></script>\n";
 print "</body>\n";
 print "</html>\n";

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js

-                      r120174
+                      r121883
                  "&csp=" + escape(current[1]) +
                  "&q=" + baseURL + escape(current[2]);
+    if (current[3])
+      iframe.src += "&nonce=" + escape(current[3]);
     iframe.onload = test;
     document.body.appendChild(iframe);

trunk/LayoutTests/platform/gtk/TestExpectations

-                      r121874
+                      r121883
 // Disable webaudio codec tests, including proprietary codecs.
 BUGWK88794 SKIP : webaudio/codec-tests = PASS
+// Content Security Policy 1.1 (ENABLE_CSP_NEXT) is not enabled
+BUGWK85558 SKIP : http/tests/security/contentSecurityPolicy/1.1 = TEXT
 //////////////////////////////////////////////////////////////////////////////////////////

trunk/Source/WebCore/ChangeLog

-                      r121882
+                      r121883
+-07-04  Mike West  <mkwst@chromium.org>
+        Implement the script-nonce Content Security Policy directive.
+        https://bugs.webkit.org/show_bug.cgi?id=89577
+        Reviewed by Adam Barth.
+        This patch implements the (experimental) script-nonce Content Security
+        Policy directive from the 1.1 spec, which allows for selective
+        execution of script by specifying a "nonce" attribute for the
+        script tag. Script is only loaded and executed if it both matches the
+        nonce and matches the script-src whitelist (if present).
+        The implementation is gated on the ENABLE_CSP_NEXT flag, which is
+        currently disabled for all ports other than Chromium.
+        Spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental
+        Tests: http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html
+               http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce.html
+               http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html
+               http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce.html
+               http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::requestScript):
+        (WebCore::ScriptElement::executeScript):
+            Passing the nonce attribute through to check against CSP.
+        * html/HTMLAttributeNames.in:
+        * html/HTMLScriptElement.idl:
+            Adding the `nonce` attribute to the script tag.
+        * page/ContentSecurityPolicy.cpp:
+        (CSPDirectiveList):
+        (WebCore::CSPDirectiveList::logInvalidNonce):
+        (WebCore):
+        (WebCore::CSPDirectiveList::checkNonceAndReportViolation):
+        (WebCore::CSPDirectiveList::allowJavaScriptURLs):
+        (WebCore::CSPDirectiveList::allowInlineEventHandlers):
+            If a nonce is set, deny JavaScript URLs and inline event handlers.
+        (WebCore::CSPDirectiveList::allowScriptNonce):
+        (WebCore::CSPDirectiveList::parseScriptNonce):
+        (WebCore::CSPDirectiveList::addDirective):
+        (WebCore::isAllowedByAllWithNonce):
+        (WebCore::ContentSecurityPolicy::allowScriptNonce):
+        * page/ContentSecurityPolicy.h:
+        (WebCore):
 -07-04  Gyuyoung Kim  <gyuyoung.kim@samsung.com>

trunk/Source/WebCore/dom/ScriptElement.cpp

-                      r118585
+                      r121883
     if (!m_element->inDocument() || m_element->document() != originalDocument)
         return false;
+    if (!m_element->document()->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr), m_element->document()->url(), m_startLineNumber, m_element->document()->completeURL(sourceUrl)))
+        return false;
     ASSERT(!m_cachedScript);
 …
     if (sourceCode.isEmpty())
+        return;
+    if (!m_element->document()->contentSecurityPolicy()->allowScriptNonce(m_element->fastGetAttribute(HTMLNames::nonceAttr), m_element->document()->url(), m_startLineNumber))
         return;

trunk/Source/WebCore/html/HTMLAttributeNames.in

r117662	r121883
159	159	name
160	160	nohref
	161	nonce
161	162	noresize
162	163	noshade

trunk/Source/WebCore/html/HTMLScriptElement.idl

r111359	r121883
30	30	attribute [Reflect] DOMString type;
31	31	attribute [Reflect] DOMString crossOrigin;
	32	attribute [Reflect, Conditional=CSP_NEXT] DOMString nonce;
32	33	};
33	34	}

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

-                      r120684
+                      r121883
 #include "InspectorInstrumentation.h"
 #include "InspectorValues.h"
+#include "KURL.h"
 #include "PingLoader.h"
 #include "SchemeRegistry.h"
 …
     bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     bool allowEval(PassRefPtr<ScriptCallStack>) const;
+    bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL&) const;
     bool allowScriptFromSource(const KURL&) const;
 …
     bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
     void parseReportURI(const String& name, const String& value);
+    void parseScriptNonce(const String& name, const String& value);
     void addDirective(const String& name, const String& value);
     void applySandboxPolicy(const String& name, const String& sandboxPolicy);
 …
     void logUnrecognizedDirective(const String& name) const;
     void logDuplicateDirective(const String& name) const;
+    void logInvalidNonce(const String& nonce) const;
     bool checkEval(CSPDirective*) const;
     bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool checkNonceAndReportViolation(const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
     bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
 …
     Vector<KURL> m_reportURIs;
+    String m_scriptNonce;
 };
 …
+}
+void CSPDirectiveList::logInvalidNonce(const String& nonce) const
+{
+    String message = makeString("Ignoring invalid Content Security Policy script nonce: '", nonce, "'.\n");
+    m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message);
+}
 bool CSPDirectiveList::checkEval(CSPDirective* directive) const
+{
 …
         return true;
     reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
+    return denyIfEnforcingPolicy();
+}
+bool CSPDirectiveList::checkNonceAndReportViolation(const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
+{
+    if (m_scriptNonce.isEmpty() || nonce.stripWhiteSpace() == m_scriptNonce)
+        return true;
+    reportViolation(m_scriptNonce, consoleMessage + "\"script-nonce " + m_scriptNonce + "\".\n", KURL(), contextURL, contextLine);
     return denyIfEnforcingPolicy();
+}
 …
+{
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "));
+    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine);
+    return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine)
+            && checkNonceAndReportViolation(String(), consoleMessage, contextURL, contextLine));
+}
 …
+{
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because it violates the following Content Security Policy directive: "));
+    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine);
+    return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine)
+            && checkNonceAndReportViolation(String(), consoleMessage, contextURL, contextLine));
+}
 …
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because it violates the following Content Security Policy directive: "));
     return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), callStack);
+}
+bool CSPDirectiveList::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& url) const
+{
+    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute script because it violates the following Content Security Policy directive: "));
+    if (url.isEmpty())
+        return checkNonceAndReportViolation(nonce, consoleMessage, contextURL, contextLine);
+    return checkNonceAndReportViolation(nonce, "Refused to load '" + url.string() + "' because it violates the following Content Security Policy directive: ", contextURL, contextLine);
+}
 …
+}
+void CSPDirectiveList::parseScriptNonce(const String& name, const String& value)
+{
+    if (!m_scriptNonce.isEmpty()) {
+        logDuplicateDirective(name);
+        return;
+    }
+    String nonce;
+    const UChar* position = value.characters();
+    const UChar* end = position + value.length();
+    skipWhile<isASCIISpace>(position, end);
+    const UChar* nonceBegin = position;
+    if (position == end) {
+        logInvalidNonce(String());
+        return;
+    }
+    skipWhile<isNotASCIISpace>(position, end);
+    if (nonceBegin < position)
+        nonce = String(nonceBegin, position - nonceBegin);
+    // Trim off trailing whitespace: If we're not at the end of the string, log
+    // an error.
+    skipWhile<isASCIISpace>(position, end);
+    if (position < end)
+        logInvalidNonce(value);
+    else
+        m_scriptNonce = nonce;
+}
 void CSPDirectiveList::setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirective>& directive)
+{
 …
     DEFINE_STATIC_LOCAL(String, defaultSrc, ("default-src"));
     DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
+#if ENABLE(CSP_NEXT)
+    DEFINE_STATIC_LOCAL(String, scriptNonce, ("script-nonce"));
+#endif
     DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src"));
     DEFINE_STATIC_LOCAL(String, frameSrc, ("frame-src"));
 …
     else if (equalIgnoringCase(name, reportURI))
         parseReportURI(name, value);
+#if ENABLE(CSP_NEXT)
+    else if (equalIgnoringCase(name, scriptNonce))
+        parseScriptNonce(name, value);
+#endif
     else
         logUnrecognizedDirective(name);
 …
+}
+template<bool (CSPDirectiveList::*allowed)(const String&, const String&, const WTF::OrdinalNumber&, const KURL&) const>
+bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& url)
+{
+    for (size_t i = 0; i < policies.size(); ++i) {
+        if (!(policies[i].get()->*allowed)(nonce, contextURL, contextLine, url))
+            return false;
+    }
+    return true;
+}
 template<bool (CSPDirectiveList::*allowFromURL)(const KURL&) const>
 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& url)
 …
+}
+bool ContentSecurityPolicy::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& url) const
+{
+    return isAllowedByAllWithNonce<&CSPDirectiveList::allowScriptNonce>(m_policies, nonce, contextURL, contextLine, url);
+}
 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const
+{

trunk/Source/WebCore/page/ContentSecurityPolicy.h

-                      r118585
+                      r121883
 #define ContentSecurityPolicy_h
+#include "KURL.h"
 #include <wtf/PassOwnPtr.h>
 #include <wtf/RefCounted.h>
 …
 class ScriptCallStack;
 class ScriptExecutionContext;
-class KURL;
 typedef Vector<OwnPtr<CSPDirectiveList> > CSPDirectiveListVector;
 …
     bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     bool allowEval(PassRefPtr<ScriptCallStack>) const;
+    bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& = KURL()) const;
     bool allowScriptFromSource(const KURL&) const;

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 121883 in webkit

Legend:

Download in other formats: