Changeset 123722 in webkit
- Timestamp: Jul 26, 2012 2:49:52 AM
- Location: trunk
- Files: 26 added, 15 edited
trunk/LayoutTests/ChangeLog
r123720 r123722 1 2012-07-26 Mike West <mkwst@chromium.org> 2 3 Implement the experimental Content Security Policy script interface. 4 https://bugs.webkit.org/show_bug.cgi?id=91707 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowconnectionto-expected.txt: Added. 9 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowconnectionto.html: Added. 10 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-alloweval-expected.txt: Added. 11 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-alloweval.html: Added. 12 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowfontfrom-expected.txt: Added. 13 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowfontfrom.html: Added. 14 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowframefrom-expected.txt: Added. 15 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowframefrom.html: Added. 16 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowimagefrom-expected.txt: Added. 17 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowimagefrom.html: Added. 18 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowmediafrom-expected.txt: Added. 19 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowmediafrom.html: Added. 20 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowobjectfrom-expected.txt: Added. 21 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowobjectfrom.html: Added. 22 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowscriptfrom-expected.txt: Added. 23 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowscriptfrom.html: Added. 24 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowstylefrom-expected.txt: Added. 25 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowstylefrom.html: Added. 
26 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-isactive-expected.txt: Added. 27 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-isactive.html: Added. 28 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-reporturi-expected.txt: Added. 29 * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-reporturi.html: Added. 30 * http/tests/security/contentSecurityPolicy/resources/securitypolicy-tests-base.js: Added. 31 (log): 32 (injectPolicy): 33 1 34 2012-07-26 Ádám Kallai <kadam@inf.u-szeged.hu> 2 35 -
trunk/Source/WebCore/CMakeLists.txt
r123522 r123722 533 533 page/Coordinates.idl 534 534 page/Crypto.idl 535 page/DOMSecurityPolicy.idl 535 536 page/DOMSelection.idl 536 537 page/DOMWindow.idl … … 1625 1626 page/ContextMenuController.cpp 1626 1627 page/Crypto.cpp 1628 page/DOMSecurityPolicy.cpp 1627 1629 page/DOMSelection.cpp 1628 1630 page/DOMTimer.cpp -
trunk/Source/WebCore/ChangeLog
r123721 r123722 1 2012-07-26 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: Implement the Content Security Policy script interface. 4 https://bugs.webkit.org/show_bug.cgi?id=91707 5 6 Reviewed by Adam Barth. 7 8 The CSP 1.1 editor's draft defines a script interface that gives 9 developers the ability to query a document regarding the restrictions 10 set by it's currently active content security policy[1]. This patch 11 exposes that API in terms of a new DOMSecurityPolicy object. 12 13 Data for the API is gathered from the existing ContentSecurityPolicy 14 object on the containing document. CSP's various methods have been 15 extended with a `reportingStatus` parameter which, unsurprisingly, 16 determines whether a violation report should be sent for blocked 17 resources. This allows us to reuse the same codepaths by simply using 18 ContentSecurityPolicy::SuppressReport when querying on behalf of the 19 API, and ContentSecurityPolicy::SendReport when checking resources a 20 page wants to load. 21 22 This feature is gated on the CSP_NEXT flag, which is currently disabled 23 for all ports other than Chromium. 
24 25 [1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-interfaces--experimental 26 27 Tests: http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowconnectionto.html 28 http/tests/security/contentSecurityPolicy/1.1/securitypolicy-alloweval.html 29 http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowfontfrom.html 30 http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowframefrom.html 31 http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowimagefrom.html 32 http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowmediafrom.html 33 http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowobjectfrom.html 34 http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowscriptfrom.html 35 http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowstylefrom.html 36 http/tests/security/contentSecurityPolicy/1.1/securitypolicy-isactive.html 37 http/tests/security/contentSecurityPolicy/1.1/securitypolicy-reporturi.html 38 39 * CMakeLists.txt: 40 * DerivedSources.cpp: 41 * DerivedSources.make: 42 * DerivedSources.pri: 43 * GNUmakefile.list.am: 44 * WebCore.gypi: 45 * bindings/gobject/GNUmakefile.am: 46 * WebCore.xcodeproj/project.pbxproj: 47 We added a new object, so let's tell _everyone!_ 48 * dom/Document.cpp: 49 (WebCore::Document::securityPolicy): 50 Expose the SecurityPolicy object via Document, gated on CSP_NEXT. 51 (WebCore): 52 * dom/Document.h: 53 (WebCore): 54 (Document): 55 * dom/Document.idl: 56 Adding the SecurityPolicy object to the document, gated on CSP_NEXT. 57 * page/ContentSecurityPolicy.cpp: 58 (CSPDirectiveList): 59 (WebCore::CSPDirectiveList::checkInline): 60 (WebCore::CSPDirectiveList::checkNonce): 61 (WebCore::CSPDirectiveList::checkSource): 62 Extracting the core checks out into separate methods. 63 (WebCore::CSPDirectiveList::checkEvalAndReportViolation): 64 Use checkEval. 
65 (WebCore::CSPDirectiveList::checkNonceAndReportViolation): 66 Use checkNonce. 67 (WebCore::CSPDirectiveList::checkInlineAndReportViolation): 68 Use checkInline. 69 (WebCore::CSPDirectiveList::checkSourceAndReportViolation): 70 Use checkSource. 71 (WebCore::CSPDirectiveList::allowJavaScriptURLs): 72 (WebCore::CSPDirectiveList::allowInlineEventHandlers): 73 (WebCore::CSPDirectiveList::allowInlineScript): 74 (WebCore::CSPDirectiveList::allowInlineStyle): 75 (WebCore::CSPDirectiveList::allowEval): 76 (WebCore::CSPDirectiveList::allowScriptFromSource): 77 (WebCore::CSPDirectiveList::allowObjectFromSource): 78 (WebCore::CSPDirectiveList::allowChildFrameFromSource): 79 (WebCore::CSPDirectiveList::allowImageFromSource): 80 (WebCore::CSPDirectiveList::allowStyleFromSource): 81 (WebCore::CSPDirectiveList::allowFontFromSource): 82 (WebCore::CSPDirectiveList::allowMediaFromSource): 83 (WebCore::CSPDirectiveList::allowConnectToSource): 84 These methods now branch on `reportingStatus`: if `SendReoport`, 85 they call `checkXAndReportViolation`, otherwise, they call `checkX`. 86 (WebCore::CSPDirectiveList::gatherReportURIs): 87 New method that gathers the violation report URIs into a DOMStringList. 88 (WebCore::isAllowedByAllWithCallStack): 89 (WebCore::isAllowedByAllWithContext): 90 (WebCore::isAllowedByAllWithURL): 91 These now pass reportingStatus through to the various `allowX` methods. 
92 (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): 93 (WebCore::ContentSecurityPolicy::allowInlineEventHandlers): 94 (WebCore::ContentSecurityPolicy::allowInlineScript): 95 (WebCore::ContentSecurityPolicy::allowInlineStyle): 96 (WebCore::ContentSecurityPolicy::allowEval): 97 (WebCore::ContentSecurityPolicy::allowScriptFromSource): 98 (WebCore::ContentSecurityPolicy::allowObjectFromSource): 99 (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): 100 (WebCore::ContentSecurityPolicy::allowImageFromSource): 101 (WebCore::ContentSecurityPolicy::allowStyleFromSource): 102 (WebCore::ContentSecurityPolicy::allowFontFromSource): 103 (WebCore::ContentSecurityPolicy::allowMediaFromSource): 104 (WebCore::ContentSecurityPolicy::allowConnectToSource): 105 These accept a new `reportingStatus` parameter, which is passed through 106 to the CSPDirectiveList methods. 107 (WebCore::ContentSecurityPolicy::isActive): 108 New method that returns `true` if policy is active. 109 (WebCore::ContentSecurityPolicy::gatherReportURIs): 110 New method that returns a DOMStringList of violation report URIs. 111 * page/ContentSecurityPolicy.h: 112 (WebCore): 113 * page/DOMSecurityPolicy.cpp: Added. 
114 (WebCore::DOMSecurityPolicy::DOMSecurityPolicy): 115 (WebCore): 116 (WebCore::DOMSecurityPolicy::~DOMSecurityPolicy): 117 (WebCore::DOMSecurityPolicy::isActive): 118 (WebCore::DOMSecurityPolicy::reportURIs): 119 (WebCore::DOMSecurityPolicy::allowsInlineScript): 120 (WebCore::DOMSecurityPolicy::allowsInlineStyle): 121 (WebCore::DOMSecurityPolicy::allowsEval): 122 (WebCore::DOMSecurityPolicy::allowsConnectionTo): 123 (WebCore::DOMSecurityPolicy::allowsFontFrom): 124 (WebCore::DOMSecurityPolicy::allowsFrameFrom): 125 (WebCore::DOMSecurityPolicy::allowsImageFrom): 126 (WebCore::DOMSecurityPolicy::allowsMediaFrom): 127 (WebCore::DOMSecurityPolicy::allowsObjectFrom): 128 (WebCore::DOMSecurityPolicy::allowsScriptFrom): 129 (WebCore::DOMSecurityPolicy::allowsStyleFrom): 130 * page/DOMSecurityPolicy.h: Added. 131 (WebCore): 132 (DOMSecurityPolicy): 133 (WebCore::DOMSecurityPolicy::create): 134 * page/DOMSecurityPolicy.idl: Added. 135 1 136 2012-07-26 Gyuyoung Kim <gyuyoung.kim@samsung.com> 2 137 -
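Review bot: two typos in the entry: "set by it's currently active content security policy" should read "its", and "if `SendReoport`" in the CSPDirectiveList::allow* description should be `SendReport`. The line "checkEvalAndReportViolation: Use checkEval" also overstates the change: `checkEval` already existed and that function's body is unchanged (compare the removed lines 731-737 with the added 739-745), it was only moved above checkNonceAndReportViolation, so "moved, no functional change" describes it better and saves a reader diffing the two copies.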
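The `reportingStatus` split described in the entry above, as an added JavaScript model that is not WebKit code: a cut-down `CSPDirectiveList` that keeps the same method names (`operativeDirective`, `checkSource`, `checkSourceAndReportViolation`, `denyIfEnforcingPolicy`, `allowScriptFromSource`) so it can be read next to the C++ hunks below. Source-list matching is reduced to scheme, host and `'self'` (no ports or paths), the `demo()` scenario and its policy header are constructed for the example, nothing here touches a browser `document`, and the `reports` array is a stand-in for the POST a browser would make to `report-uri`.

```javascript
'use strict';

// Added illustrative model (not WebKit code) of the reportingStatus split
// that this changeset introduces. Source-list matching is deliberately
// simplified (no ports, no paths); that simplification is an assumption of
// this example, not a description of WebKit's CSPSourceList.

const ReportingStatus = Object.freeze({
  SendReport: 'SendReport',         // resource load: report, and block if enforcing
  SuppressReport: 'SuppressReport', // document.SecurityPolicy.allows*From(): answer only
});

class CSPDirective {
  constructor(name, value) {
    this.name = name;
    this.text = `${name} ${value}`.trim();
    this.sources = value.trim() ? value.trim().split(/\s+/) : [];
  }

  // Does this directive's source list admit `url` for a document at origin `self`?
  allows(url, self) {
    const u = new URL(url);
    for (const src of this.sources) {
      if (src === "'none'") return false;
      if (src === '*') return true;
      if (src === "'self'") { if (u.origin === self.origin) return true; continue; }
      // scheme-source such as "https:"
      if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) { if (u.protocol === src.toLowerCase()) return true; continue; }
      // host-source: optional scheme, host with optional leading "*." wildcard
      const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/i.exec(src);
      if (!m) continue;
      const [, scheme, host] = m;
      if (scheme && u.protocol !== `${scheme.toLowerCase()}:`) continue;
      const matched = host.startsWith('*.') ? u.hostname.endsWith(host.slice(1)) : u.hostname === host;
      if (matched) return true;
    }
    return false;
  }
}

class CSPDirectiveList {
  constructor(header, { reportOnly = false, self }) {
    this.reportOnly = reportOnly;
    this.self = self;
    this.directives = new Map();
    this.reportURIs = [];
    this.reports = []; // violation reports a browser would deliver to report-uri
    for (const part of header.split(';')) {
      const [name, ...rest] = part.trim().split(/\s+/).filter(Boolean);
      if (!name) continue;
      if (name === 'report-uri') { this.reportURIs.push(...rest); continue; }
      // first occurrence wins; duplicates are ignored, as in logDuplicateDirective
      if (!this.directives.has(name)) this.directives.set(name, new CSPDirective(name, rest.join(' ')));
    }
  }

  // Same fallback rule as CSPDirectiveList::operativeDirective: an absent
  // fetch directive defers to default-src.
  operativeDirective(name) {
    return this.directives.get(name) || this.directives.get('default-src') || null;
  }

  // checkSource: no operative directive means no restriction.
  checkSource(directive, url) {
    return !directive || directive.allows(url, this.self);
  }

  // denyIfEnforcingPolicy answers "allowed" for a report-only policy.
  denyIfEnforcingPolicy() {
    return this.reportOnly;
  }

  checkSourceAndReportViolation(directive, url, type) {
    if (this.checkSource(directive, url)) return true;
    this.reports.push({ directive: directive.text, blockedURI: url, type, reportOnly: this.reportOnly, to: [...this.reportURIs] });
    return this.denyIfEnforcingPolicy();
  }

  allowScriptFromSource(url, reportingStatus) {
    const directive = this.operativeDirective('script-src');
    return reportingStatus === ReportingStatus.SendReport
      ? this.checkSourceAndReportViolation(directive, url, 'script')
      : this.checkSource(directive, url);
  }

  allowImageFromSource(url, reportingStatus) {
    const directive = this.operativeDirective('img-src');
    return reportingStatus === ReportingStatus.SendReport
      ? this.checkSourceAndReportViolation(directive, url, 'image')
      : this.checkSource(directive, url);
  }

  gatherReportURIs() { return [...this.reportURIs]; }
}

// Constructed scenario: a report-only policy asked the same question twice,
// once as a real script load and once through the query API.
function demo() {
  const self = new URL('https://app.example/');
  const header = "default-src 'self'; script-src 'self' https://cdn.example; img-src *; report-uri /csp-report";
  const policy = new CSPDirectiveList(header, { reportOnly: true, self });
  const foreign = 'https://evil.example/payload.js';
  return {
    loadAllowed: policy.allowScriptFromSource(foreign, ReportingStatus.SendReport),      // true: report-only never blocks
    queryAllowed: policy.allowScriptFromSource(foreign, ReportingStatus.SuppressReport), // false: the bare directive answer
    reportsSent: policy.reports.length,                                                  // 1: only the load path reports
    reportURIs: policy.gatherReportURIs(),
  };
}
```

Run with `node`; `demo()` answers the same question both ways for a report-only policy: the load path says allowed and queues one report, the query path says not allowed and queues nothing. That divergence is the thing to keep in mind when reading `allowsScriptFrom()` results on a page served with `Content-Security-Policy-Report-Only`.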
trunk/Source/WebCore/DerivedSources.cpp
r123522 r123722 95 95 #include "JSDOMPlugin.cpp" 96 96 #include "JSDOMPluginArray.cpp" 97 #include "JSDOMSecurityPolicy.cpp" 97 98 #include "JSDOMSelection.cpp" 98 99 #include "JSDOMSettableTokenList.cpp" -
trunk/Source/WebCore/DerivedSources.make
r123522 r123722 412 412 $(WebCore)/page/Coordinates.idl \ 413 413 $(WebCore)/page/Crypto.idl \ 414 $(WebCore)/page/DOMSecurityPolicy.idl \ 414 415 $(WebCore)/page/DOMSelection.idl \ 415 416 $(WebCore)/page/DOMWindow.idl \ -
trunk/Source/WebCore/DerivedSources.pri
r123522 r123722 416 416 $$PWD/page/Coordinates.idl \ 417 417 $$PWD/page/Crypto.idl \ 418 $$PWD/page/DOMSecurityPolicy.idl \ 418 419 $$PWD/page/DOMSelection.idl \ 419 420 $$PWD/page/DOMWindow.idl \ -
trunk/Source/WebCore/GNUmakefile.list.am
r123627 r123722 143 143 DerivedSources/WebCore/JSDOMPlugin.cpp \ 144 144 DerivedSources/WebCore/JSDOMPlugin.h \ 145 DerivedSources/WebCore/JSDOMSecurityPolicy.cpp \ 146 DerivedSources/WebCore/JSDOMSecurityPolicy.h \ 145 147 DerivedSources/WebCore/JSDOMSelection.cpp \ 146 148 DerivedSources/WebCore/JSDOMSelection.h \ … … 970 972 $(WebCore)/page/Coordinates.idl \ 971 973 $(WebCore)/page/Crypto.idl \ 974 $(WebCore)/page/DOMSecurityPolicy.idl \ 972 975 $(WebCore)/page/DOMSelection.idl \ 973 976 $(WebCore)/page/DOMWindow.idl \ … … 3031 3034 Source/WebCore/page/Crypto.cpp \ 3032 3035 Source/WebCore/page/Crypto.h \ 3036 Source/WebCore/page/DOMSecurityPolicy.cpp \ 3037 Source/WebCore/page/DOMSecurityPolicy.h \ 3033 3038 Source/WebCore/page/DOMSelection.cpp \ 3034 3039 Source/WebCore/page/DOMSelection.h \ -
trunk/Source/WebCore/WebCore.gypi
r123644 r123722 224 224 'page/ContextMenuController.h', 225 225 'page/Coordinates.h', 226 'page/DOMSecurityPolicy.h', 226 227 'page/DOMWindow.h', 227 228 'page/DOMWindowExtension.h', … … 1166 1167 'page/Coordinates.idl', 1167 1168 'page/Crypto.idl', 1169 'page/DOMSecurityPolicy.idl', 1168 1170 'page/DOMSelection.idl', 1169 1171 'page/DOMWindow.idl', … … 3048 3050 'page/Crypto.cpp', 3049 3051 'page/Crypto.h', 3052 'page/DOMSecurityPolicy.cpp', 3050 3053 'page/DOMSelection.cpp', 3051 3054 'page/DOMSelection.h', … … 7246 7249 '<(PRODUCT_DIR)/DerivedSources/WebCore/JSDOMPluginArray.cpp', 7247 7250 '<(PRODUCT_DIR)/DerivedSources/WebCore/JSDOMPluginArray.h', 7251 '<(PRODUCT_DIR)/DerivedSources/WebCore/JSDOMSecurityPolicy.cpp', 7252 '<(PRODUCT_DIR)/DerivedSources/WebCore/JSDOMSecurityPolicy.h', 7248 7253 '<(PRODUCT_DIR)/DerivedSources/WebCore/JSDOMSelection.cpp', 7249 7254 '<(PRODUCT_DIR)/DerivedSources/WebCore/JSDOMSelection.h', -
trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj
r123623 r123722 782 782 2D9066060BE141D400956998 /* LayoutState.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2D9066040BE141D400956998 /* LayoutState.cpp */; }; 783 783 2D9066070BE141D400956998 /* LayoutState.h in Headers */ = {isa = PBXBuildFile; fileRef = 2D9066050BE141D400956998 /* LayoutState.h */; settings = {ATTRIBUTES = (Private, ); }; }; 784 2D9A246E15B9BD0000D34527 /* DOMSecurityPolicy.h in Headers */ = {isa = PBXBuildFile; fileRef = 2D9A246B15B9BBDD00D34527 /* DOMSecurityPolicy.h */; }; 785 2D9A246F15B9BD2F00D34527 /* DOMSecurityPolicy.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2D9A246A15B9BBDD00D34527 /* DOMSecurityPolicy.cpp */; }; 786 2D9A247315B9C2D100D34527 /* DOMDOMSecurityPolicy.mm in Sources */ = {isa = PBXBuildFile; fileRef = 2D9A247215B9C2C700D34527 /* DOMDOMSecurityPolicy.mm */; }; 787 2D9A247415B9C2E300D34527 /* DOMDOMSecurityPolicy.h in Headers */ = {isa = PBXBuildFile; fileRef = 2D9A247015B9C29500D34527 /* DOMDOMSecurityPolicy.h */; }; 788 2D9A247515B9C2E300D34527 /* DOMDOMSecurityPolicyInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = 2D9A247115B9C29500D34527 /* DOMDOMSecurityPolicyInternal.h */; }; 789 2D9A247615B9C2F400D34527 /* DOMDOMSecurityPolicy.h in Copy Generated Headers */ = {isa = PBXBuildFile; fileRef = 2D9A247015B9C29500D34527 /* DOMDOMSecurityPolicy.h */; }; 784 790 2D9F0E1314FF1CBF00BA0FF7 /* linearSRGB.icc in Resources */ = {isa = PBXBuildFile; fileRef = 2D9F0E1214FF1CBF00BA0FF7 /* linearSRGB.icc */; }; 785 791 2E0888D41148848A00AF4265 /* JSDOMFormData.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2E0888D21148848A00AF4265 /* JSDOMFormData.cpp */; }; … … 6553 6559 files = ( 6554 6560 5DF7F5C20F01F92A00526B4B /* CSSPropertyNames.h in Copy Generated Headers */, 6561 2D9A247615B9C2F400D34527 /* DOMDOMSecurityPolicy.h in Copy Generated Headers */, 6555 6562 8538F0300AD71CDB006A81D1 /* DOMAbstractView.h in Copy Generated Headers */, 6556 6563 1C11CCBC0AA6093700DADB20 /* DOMAttr.h in Copy Generated Headers 
*/, … … 7813 7820 2D90660B0665D937006B6F1A /* ClipboardMac.h */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.c.h; path = ClipboardMac.h; sourceTree = "<group>"; tabWidth = 8; usesTabs = 0; }; 7814 7821 2D90660C0665D937006B6F1A /* ClipboardMac.mm */ = {isa = PBXFileReference; fileEncoding = 30; indentWidth = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ClipboardMac.mm; sourceTree = "<group>"; tabWidth = 8; usesTabs = 0; }; 7822 2D9A246A15B9BBDD00D34527 /* DOMSecurityPolicy.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMSecurityPolicy.cpp; sourceTree = "<group>"; }; 7823 2D9A246B15B9BBDD00D34527 /* DOMSecurityPolicy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMSecurityPolicy.h; sourceTree = "<group>"; }; 7824 2D9A247015B9C29500D34527 /* DOMDOMSecurityPolicy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMDOMSecurityPolicy.h; sourceTree = "<group>"; }; 7825 2D9A247115B9C29500D34527 /* DOMDOMSecurityPolicyInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMDOMSecurityPolicyInternal.h; sourceTree = "<group>"; }; 7826 2D9A247215B9C2C700D34527 /* DOMDOMSecurityPolicy.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = DOMDOMSecurityPolicy.mm; sourceTree = "<group>"; }; 7815 7827 2D9F0E1214FF1CBF00BA0FF7 /* linearSRGB.icc */ = {isa = PBXFileReference; lastKnownFileType = file; path = linearSRGB.icc; sourceTree = "<group>"; }; 7816 7828 2E0888C3114883A900AF4265 /* DOMFormData.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = DOMFormData.idl; sourceTree = "<group>"; }; … … 15600 15612 isa = PBXGroup; 15601 15613 children = ( 15614 2D9A246A15B9BBDD00D34527 /* DOMSecurityPolicy.cpp */, 15615 2D9A246B15B9BBDD00D34527 /* 
DOMSecurityPolicy.h */, 15602 15616 316FE1060E6E1D8400BF6088 /* animation */, 15603 15617 93C09A820B064F05005ABD4D /* mac */, … … 15873 15887 isa = PBXGroup; 15874 15888 children = ( 15889 2D9A247215B9C2C700D34527 /* DOMDOMSecurityPolicy.mm */, 15890 2D9A247015B9C29500D34527 /* DOMDOMSecurityPolicy.h */, 15891 2D9A247115B9C29500D34527 /* DOMDOMSecurityPolicyInternal.h */, 15875 15892 85D389B00A991A7F00282145 /* DOMAttr.h */, 15876 15893 85D389B10A991A7F00282145 /* DOMAttr.mm */, … … 22825 22842 8502AB9B0AD4394E00378540 /* DOMSVGFEImageElementInternal.h in Headers */, 22826 22843 8502AB5C0AD438C000378540 /* DOMSVGFEMergeElement.h in Headers */, 22844 2D9A247415B9C2E300D34527 /* DOMDOMSecurityPolicy.h in Headers */, 22845 2D9A247515B9C2E300D34527 /* DOMDOMSecurityPolicyInternal.h in Headers */, 22827 22846 8502AB9C0AD4394E00378540 /* DOMSVGFEMergeElementInternal.h in Headers */, 22828 22847 8502AB5E0AD438C000378540 /* DOMSVGFEMergeNodeElement.h in Headers */, … … 23339 23358 A81369D4097374F600D74463 /* HTMLFieldSetElement.h in Headers */, 23340 23359 A8CFF7A60A156978000A4234 /* HTMLFontElement.h in Headers */, 23360 2D9A246E15B9BD0000D34527 /* DOMSecurityPolicy.h in Headers */, 23341 23361 977B386F122883E900B81FF8 /* HTMLFormattingElementList.h in Headers */, 23342 23362 A8DF3FCE097FA0FC0052981B /* HTMLFormCollection.h in Headers */, … … 25654 25674 files = ( 25655 25675 FDE6860215B0A93B00BB480C /* WrapShapeFunctions.cpp in Sources */, 25676 2D9A247315B9C2D100D34527 /* DOMDOMSecurityPolicy.mm in Sources */, 25656 25677 97BC69DA1505F076001B74AC /* AbstractDatabase.cpp in Sources */, 25657 25678 41E1B1D00FF5986900576B3B /* AbstractWorker.cpp in Sources */, … … 26111 26132 858C38A80AA8F20400B187A4 /* DOMRect.mm in Sources */, 26112 26133 BCAEFCAE1016CE4A0040D34E /* DOMRGBColor.mm in Sources */, 26134 2D9A246F15B9BD2F00D34527 /* DOMSecurityPolicy.cpp in Sources */, 26113 26135 BC5A86840C33676000EEA649 /* DOMSelection.cpp in Sources */, 26114 26136 
4ACBC0C312713CCA0094F9B2 /* DOMSettableTokenList.cpp in Sources */, -
trunk/Source/WebCore/bindings/gobject/GNUmakefile.am
r123434 r123722 44 44 DerivedSources/webkit/WebKitDOMDOMPlugin.cpp \ 45 45 DerivedSources/webkit/WebKitDOMDOMPluginPrivate.h \ 46 DerivedSources/webkit/WebKitDOMDOMSecurityPolicy.cpp \ 47 DerivedSources/webkit/WebKitDOMDOMSecurityPolicyPrivate.h \ 46 48 DerivedSources/webkit/WebKitDOMDOMSelection.cpp \ 47 49 DerivedSources/webkit/WebKitDOMDOMSelectionPrivate.h \ … … 279 281 DerivedSources/webkit/WebKitDOMDOMImplementation.h \ 280 282 DerivedSources/webkit/WebKitDOMDOMSettableTokenList.h \ 283 DerivedSources/webkit/WebKitDOMDOMSecurityPolicy.h \ 281 284 DerivedSources/webkit/WebKitDOMDOMStringList.h \ 282 285 DerivedSources/webkit/WebKitDOMDOMStringMap.h \ -
trunk/Source/WebCore/dom/Document.cpp
r123412 r123722 223 223 #endif 224 224 225 #if ENABLE(CSP_NEXT) 226 #include "DOMSecurityPolicy.h" 227 #endif 228 225 229 using namespace std; 226 230 using namespace WTF; … … 1641 1645 { 1642 1646 dispatchEvent(Event::create(eventNames().webkitvisibilitychangeEvent, false, false)); 1647 } 1648 #endif 1649 1650 #if ENABLE(CSP_NEXT) 1651 DOMSecurityPolicy* Document::securityPolicy() 1652 { 1653 if (!m_domSecurityPolicy) 1654 m_domSecurityPolicy = DOMSecurityPolicy::create(this); 1655 return m_domSecurityPolicy.get(); 1643 1656 } 1644 1657 #endif -
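Review bot: `DOMSecurityPolicy::create(this)` hands the new object a raw Document pointer, but the object's lifetime is governed by its JS wrapper as much as by `m_domSecurityPolicy`, so `var p = document.SecurityPolicy` held across a navigation can outlive the Document. Confirm that DOMSecurityPolicy observes context destruction (a ContextDestructionObserver or equivalent) and that every `allows*()`/`isActive()` null-checks the document before touching its ContentSecurityPolicy; the DOMSecurityPolicy.cpp hunk is not on this page, so that cannot be checked here.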
trunk/Source/WebCore/dom/Document.h
r123412 r123722 180 180 #endif 181 181 182 #if ENABLE(CSP_NEXT) 183 class DOMSecurityPolicy; 184 #endif 185 182 186 typedef int ExceptionCode; 183 187 … … 417 421 #endif 418 422 423 #if ENABLE(CSP_NEXT) 424 DOMSecurityPolicy* securityPolicy(); 425 #endif 426 419 427 PassRefPtr<Node> adoptNode(PassRefPtr<Node> source, ExceptionCode&); 420 428 … … 1540 1548 RefPtr<WebKitNamedFlowCollection> m_namedFlows; 1541 1549 1550 #if ENABLE(CSP_NEXT) 1551 RefPtr<DOMSecurityPolicy> m_domSecurityPolicy; 1552 #endif 1553 1542 1554 #ifndef NDEBUG 1543 1555 bool m_didDispatchViewportPropertiesChanged; -
trunk/Source/WebCore/dom/Document.idl
r120486 r123722 376 376 readonly attribute [Conditional=PAGE_VISIBILITY_API] boolean webkitHidden; 377 377 378 // Security Policy API: http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-interfaces 379 readonly attribute [Conditional=CSP_NEXT] DOMSecurityPolicy SecurityPolicy; 380 378 381 }; 379 382 -
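Review bot: the attribute is spelled `SecurityPolicy` with a capital S, unlike every other attribute in Document.idl (compare `webkitHidden` two lines up) and unlike the C++ getter `Document::securityPolicy()`. If the capital is deliberate to match the editor's draft linked in the comment, say so in that comment; otherwise rename it to `securityPolicy` now, while it is still behind CSP_NEXT, since renaming a DOM property that content has started to use is far harder than renaming a gated one.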
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r122741 r123722 28 28 29 29 #include "Console.h" 30 #include "DOMStringList.h" 30 31 #include "Document.h" 31 32 #include "FormData.h" … … 547 548 ContentSecurityPolicy::HeaderType headerType() const { return m_reportOnly ? ContentSecurityPolicy::ReportOnly : ContentSecurityPolicy::EnforcePolicy; } 548 549 549 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const;550 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const;551 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const;552 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const;553 bool allowEval(PassRefPtr<ScriptCallStack> ) const;550 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const; 551 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const; 552 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const; 553 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const; 554 bool allowEval(PassRefPtr<ScriptCallStack>, ContentSecurityPolicy::ReportingStatus) const; 554 555 bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL&) const; 555 556 556 bool allowScriptFromSource(const KURL&) const; 557 bool allowObjectFromSource(const KURL&) const; 558 bool allowChildFrameFromSource(const KURL&) const; 559 bool allowImageFromSource(const KURL&) const; 560 bool allowStyleFromSource(const KURL&) const; 561 bool allowFontFromSource(const KURL&) const; 562 bool allowMediaFromSource(const KURL&) const; 563 bool allowConnectToSource(const KURL&) const; 557 bool 
allowScriptFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const; 558 bool allowObjectFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const; 559 bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const; 560 bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const; 561 bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const; 562 bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const; 563 bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const; 564 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const; 565 566 void gatherReportURIs(DOMStringList&) const; 564 567 565 568 private: … … 581 584 void logDuplicateDirective(const String& name) const; 582 585 void logInvalidNonce(const String& nonce) const; 586 583 587 bool checkEval(CSPDirective*) const; 584 588 bool checkInline(CSPDirective*) const; 589 bool checkNonce(const String&) const; 590 bool checkSource(CSPDirective*, const KURL&) const; 591 592 bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const; 585 593 bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const; 586 594 bool checkNonceAndReportViolation(const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const; 587 bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;588 595 bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) 
const; 589 596 … … 708 715 } 709 716 717 bool CSPDirectiveList::checkInline(CSPDirective* directive) const 718 { 719 return !directive || directive->allowInline(); 720 } 721 722 bool CSPDirectiveList::checkNonce(const String& nonce) const 723 { 724 return (m_scriptNonce.isNull() 725 || (!m_scriptNonce.isEmpty() 726 && nonce.stripWhiteSpace() == m_scriptNonce)); 727 } 728 729 bool CSPDirectiveList::checkSource(CSPDirective* directive, const KURL& url) const 730 { 731 return !directive || directive->allows(url); 732 } 733 710 734 CSPDirective* CSPDirectiveList::operativeDirective(CSPDirective* directive) const 711 735 { … … 713 737 } 714 738 739 bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const 740 { 741 if (checkEval(directive)) 742 return true; 743 reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine, callStack); 744 return denyIfEnforcingPolicy(); 745 } 746 747 bool CSPDirectiveList::checkNonceAndReportViolation(const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const 748 { 749 if (checkNonce(nonce)) 750 return true; 751 reportViolation(m_scriptNonce, consoleMessage + "\"script-nonce " + m_scriptNonce + "\".\n", KURL(), contextURL, contextLine); 752 return denyIfEnforcingPolicy(); 753 } 754 715 755 bool CSPDirectiveList::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const 716 756 { 717 if ( !directive || directive->allowInline())757 if (checkInline(directive)) 718 758 return true; 719 759 reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine); … … 721 761 } 722 762 723 bool 
CSPDirectiveList::checkNonceAndReportViolation(const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const724 {725 if (m_scriptNonce.isNull() || (!m_scriptNonce.isEmpty() && nonce.stripWhiteSpace() == m_scriptNonce))726 return true;727 reportViolation(m_scriptNonce, consoleMessage + "\"script-nonce " + m_scriptNonce + "\".\n", KURL(), contextURL, contextLine);728 return denyIfEnforcingPolicy();729 }730 731 bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const732 {733 if (checkEval(directive))734 return true;735 reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine, callStack);736 return denyIfEnforcingPolicy();737 }738 739 763 bool CSPDirectiveList::checkSourceAndReportViolation(CSPDirective* directive, const KURL& url, const String& type) const 740 764 { 741 if ( !directive || directive->allows(url))765 if (checkSource(directive, url)) 742 766 return true; 743 767 String verb = type == "connect" ? 
"connect to" : "load the"; … … 746 770 } 747 771 748 bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const772 bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const 749 773 { 750 774 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: ")); 751 return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine) 752 && checkNonceAndReportViolation(String(), consoleMessage, contextURL, contextLine)); 753 } 754 755 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const 775 if (reportingStatus == ContentSecurityPolicy::SendReport) { 776 return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine) 777 && checkNonceAndReportViolation(String(), consoleMessage, contextURL, contextLine)); 778 } else { 779 return (checkInline(operativeDirective(m_scriptSrc.get())) 780 && checkNonce(String())); 781 } 782 } 783 784 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const 756 785 { 757 786 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because it violates the following Content Security Policy directive: ")); 758 return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine) 759 && checkNonceAndReportViolation(String(), consoleMessage, contextURL, contextLine)); 760 } 761 762 bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const 787 if (reportingStatus == 
ContentSecurityPolicy::SendReport) { 788 return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine) 789 && checkNonceAndReportViolation(String(), consoleMessage, contextURL, contextLine)); 790 } else { 791 return (checkInline(operativeDirective(m_scriptSrc.get())) 792 && checkNonce(String())); 793 } 794 } 795 796 bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const 763 797 { 764 798 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because it violates the following Content Security Policy directive: ")); 765 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine); 766 } 767 768 bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const 799 return reportingStatus == ContentSecurityPolicy::SendReport ? 800 checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine) : 801 checkInline(operativeDirective(m_scriptSrc.get())); 802 } 803 804 bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const 769 805 { 770 806 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because it violates the following Content Security Policy directive: ")); 771 return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage, contextURL, contextLine); 772 } 773 774 bool CSPDirectiveList::allowEval(PassRefPtr<ScriptCallStack> callStack) const 807 return reportingStatus == ContentSecurityPolicy::SendReport ? 
808 checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage, contextURL, contextLine) : 809 checkInline(operativeDirective(m_styleSrc.get())); 810 } 811 812 bool CSPDirectiveList::allowEval(PassRefPtr<ScriptCallStack> callStack, ContentSecurityPolicy::ReportingStatus reportingStatus) const 775 813 { 776 814 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because it violates the following Content Security Policy directive: ")); 777 return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), callStack); 815 return reportingStatus == ContentSecurityPolicy::SendReport ? 816 checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), callStack) : 817 checkEval(operativeDirective(m_scriptSrc.get())); 778 818 } 779 819 … … 786 826 } 787 827 788 bool CSPDirectiveList::allowScriptFromSource(const KURL& url ) const828 bool CSPDirectiveList::allowScriptFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 789 829 { 790 830 DEFINE_STATIC_LOCAL(String, type, ("script")); 791 return checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, type); 792 } 793 794 bool CSPDirectiveList::allowObjectFromSource(const KURL& url) const 831 return reportingStatus == ContentSecurityPolicy::SendReport ? 
832 checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, type) : 833 checkSource(operativeDirective(m_scriptSrc.get()), url); 834 } 835 836 bool CSPDirectiveList::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 795 837 { 796 838 DEFINE_STATIC_LOCAL(String, type, ("object")); 797 839 if (url.isBlankURL()) 798 840 return true; 799 return checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, type); 800 } 801 802 bool CSPDirectiveList::allowChildFrameFromSource(const KURL& url) const 841 return reportingStatus == ContentSecurityPolicy::SendReport ? 842 checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, type) : 843 checkSource(operativeDirective(m_objectSrc.get()), url); 844 } 845 846 bool CSPDirectiveList::allowChildFrameFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 803 847 { 804 848 DEFINE_STATIC_LOCAL(String, type, ("frame")); 805 849 if (url.isBlankURL()) 806 850 return true; 807 return checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, type); 808 } 809 810 bool CSPDirectiveList::allowImageFromSource(const KURL& url) const 851 return reportingStatus == ContentSecurityPolicy::SendReport ? 852 checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, type) : 853 checkSource(operativeDirective(m_frameSrc.get()), url); 854 } 855 856 bool CSPDirectiveList::allowImageFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 811 857 { 812 858 DEFINE_STATIC_LOCAL(String, type, ("image")); 813 return checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, type); 814 } 815 816 bool CSPDirectiveList::allowStyleFromSource(const KURL& url) const 859 return reportingStatus == ContentSecurityPolicy::SendReport ? 
860 checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, type) : 861 checkSource(operativeDirective(m_imgSrc.get()), url); 862 } 863 864 bool CSPDirectiveList::allowStyleFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 817 865 { 818 866 DEFINE_STATIC_LOCAL(String, type, ("style")); 819 return checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, type); 820 } 821 822 bool CSPDirectiveList::allowFontFromSource(const KURL& url) const 867 return reportingStatus == ContentSecurityPolicy::SendReport ? 868 checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, type) : 869 checkSource(operativeDirective(m_styleSrc.get()), url); 870 } 871 872 bool CSPDirectiveList::allowFontFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 823 873 { 824 874 DEFINE_STATIC_LOCAL(String, type, ("font")); 825 return checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, type); 826 } 827 828 bool CSPDirectiveList::allowMediaFromSource(const KURL& url) const 875 return reportingStatus == ContentSecurityPolicy::SendReport ? 876 checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, type) : 877 checkSource(operativeDirective(m_fontSrc.get()), url); 878 } 879 880 bool CSPDirectiveList::allowMediaFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 829 881 { 830 882 DEFINE_STATIC_LOCAL(String, type, ("media")); 831 return checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, type); 832 } 833 834 bool CSPDirectiveList::allowConnectToSource(const KURL& url) const 883 return reportingStatus == ContentSecurityPolicy::SendReport ? 
884 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, type) : 885 checkSource(operativeDirective(m_mediaSrc.get()), url); 886 } 887 888 bool CSPDirectiveList::allowConnectToSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 835 889 { 836 890 DEFINE_STATIC_LOCAL(String, type, ("connect")); 837 return checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type); 891 return reportingStatus == ContentSecurityPolicy::SendReport ? 892 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type) : 893 checkSource(operativeDirective(m_connectSrc.get()), url); 894 } 895 896 void CSPDirectiveList::gatherReportURIs(DOMStringList& list) const 897 { 898 for (size_t i = 0; i < m_reportURIs.size(); ++i) 899 list.append(m_reportURIs[i].string()); 838 900 } 839 901 … … 1083 1145 } 1084 1146 1085 template<bool (CSPDirectiveList::*allowed)(PassRefPtr<ScriptCallStack> ) const>1086 bool isAllowedByAllWithCallStack(const CSPDirectiveListVector& policies, PassRefPtr<ScriptCallStack> callStack )1147 template<bool (CSPDirectiveList::*allowed)(PassRefPtr<ScriptCallStack>, ContentSecurityPolicy::ReportingStatus) const> 1148 bool isAllowedByAllWithCallStack(const CSPDirectiveListVector& policies, PassRefPtr<ScriptCallStack> callStack, ContentSecurityPolicy::ReportingStatus reportingStatus) 1087 1149 { 1088 1150 for (size_t i = 0; i < policies.size(); ++i) { 1089 if (!(policies[i].get()->*allowed)(callStack ))1151 if (!(policies[i].get()->*allowed)(callStack, reportingStatus)) 1090 1152 return false; 1091 1153 } … … 1093 1155 } 1094 1156 1095 template<bool (CSPDirectiveList::*allowed)(const String&, const WTF::OrdinalNumber& ) const>1096 bool isAllowedByAllWithContext(const CSPDirectiveListVector& policies, const String& contextURL, const WTF::OrdinalNumber& contextLine )1157 template<bool (CSPDirectiveList::*allowed)(const String&, const WTF::OrdinalNumber&, 
ContentSecurityPolicy::ReportingStatus) const> 1158 bool isAllowedByAllWithContext(const CSPDirectiveListVector& policies, const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) 1097 1159 { 1098 1160 for (size_t i = 0; i < policies.size(); ++i) { 1099 if (!(policies[i].get()->*allowed)(contextURL, contextLine ))1161 if (!(policies[i].get()->*allowed)(contextURL, contextLine, reportingStatus)) 1100 1162 return false; 1101 1163 } … … 1113 1175 } 1114 1176 1115 template<bool (CSPDirectiveList::*allowFromURL)(const KURL& ) const>1116 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& url )1177 template<bool (CSPDirectiveList::*allowFromURL)(const KURL&, ContentSecurityPolicy::ReportingStatus) const> 1178 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) 1117 1179 { 1118 1180 if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol())) … … 1120 1182 1121 1183 for (size_t i = 0; i < policies.size(); ++i) { 1122 if (!(policies[i].get()->*allowFromURL)(url ))1184 if (!(policies[i].get()->*allowFromURL)(url, reportingStatus)) 1123 1185 return false; 1124 1186 } … … 1126 1188 } 1127 1189 1128 bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const1129 { 1130 return isAllowedByAllWithContext<&CSPDirectiveList::allowJavaScriptURLs>(m_policies, contextURL, contextLine );1131 } 1132 1133 bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const1134 { 1135 return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineEventHandlers>(m_policies, contextURL, contextLine );1136 } 1137 1138 bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const1139 { 1140 return 
isAllowedByAllWithContext<&CSPDirectiveList::allowInlineScript>(m_policies, contextURL, contextLine );1141 } 1142 1143 bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const1190 bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1191 { 1192 return isAllowedByAllWithContext<&CSPDirectiveList::allowJavaScriptURLs>(m_policies, contextURL, contextLine, reportingStatus); 1193 } 1194 1195 bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1196 { 1197 return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineEventHandlers>(m_policies, contextURL, contextLine, reportingStatus); 1198 } 1199 1200 bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1201 { 1202 return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineScript>(m_policies, contextURL, contextLine, reportingStatus); 1203 } 1204 1205 bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1144 1206 { 1145 1207 if (m_overrideInlineStyleAllowed) 1146 1208 return true; 1147 return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine );1148 } 1149 1150 bool ContentSecurityPolicy::allowEval(PassRefPtr<ScriptCallStack> callStack ) const1151 { 1152 return isAllowedByAllWithCallStack<&CSPDirectiveList::allowEval>(m_policies, callStack );1209 return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine, reportingStatus); 1210 } 1211 1212 bool 
ContentSecurityPolicy::allowEval(PassRefPtr<ScriptCallStack> callStack, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1213 { 1214 return isAllowedByAllWithCallStack<&CSPDirectiveList::allowEval>(m_policies, callStack, reportingStatus); 1153 1215 } 1154 1216 … … 1158 1220 } 1159 1221 1160 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const 1161 { 1162 return isAllowedByAllWithURL<&CSPDirectiveList::allowScriptFromSource>(m_policies, url); 1163 } 1164 1165 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const 1166 { 1167 return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_policies, url); 1168 } 1169 1170 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url) const 1171 { 1172 return isAllowedByAllWithURL<&CSPDirectiveList::allowChildFrameFromSource>(m_policies, url); 1173 } 1174 1175 bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const 1176 { 1177 return isAllowedByAllWithURL<&CSPDirectiveList::allowImageFromSource>(m_policies, url); 1178 } 1179 1180 bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const 1181 { 1182 return isAllowedByAllWithURL<&CSPDirectiveList::allowStyleFromSource>(m_policies, url); 1183 } 1184 1185 bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const 1186 { 1187 return isAllowedByAllWithURL<&CSPDirectiveList::allowFontFromSource>(m_policies, url); 1188 } 1189 1190 bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url) const 1191 { 1192 return isAllowedByAllWithURL<&CSPDirectiveList::allowMediaFromSource>(m_policies, url); 1193 } 1194 1195 bool ContentSecurityPolicy::allowConnectToSource(const KURL& url) const 1196 { 1197 return isAllowedByAllWithURL<&CSPDirectiveList::allowConnectToSource>(m_policies, url); 1198 } 1199 1200 } 1222 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1223 { 1224 return 
isAllowedByAllWithURL<&CSPDirectiveList::allowScriptFromSource>(m_policies, url, reportingStatus); 1225 } 1226 1227 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1228 { 1229 return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_policies, url, reportingStatus); 1230 } 1231 1232 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1233 { 1234 return isAllowedByAllWithURL<&CSPDirectiveList::allowChildFrameFromSource>(m_policies, url, reportingStatus); 1235 } 1236 1237 bool ContentSecurityPolicy::allowImageFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1238 { 1239 return isAllowedByAllWithURL<&CSPDirectiveList::allowImageFromSource>(m_policies, url, reportingStatus); 1240 } 1241 1242 bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1243 { 1244 return isAllowedByAllWithURL<&CSPDirectiveList::allowStyleFromSource>(m_policies, url, reportingStatus); 1245 } 1246 1247 bool ContentSecurityPolicy::allowFontFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1248 { 1249 return isAllowedByAllWithURL<&CSPDirectiveList::allowFontFromSource>(m_policies, url, reportingStatus); 1250 } 1251 1252 bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1253 { 1254 return isAllowedByAllWithURL<&CSPDirectiveList::allowMediaFromSource>(m_policies, url, reportingStatus); 1255 } 1256 1257 bool ContentSecurityPolicy::allowConnectToSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1258 { 1259 return isAllowedByAllWithURL<&CSPDirectiveList::allowConnectToSource>(m_policies, url, reportingStatus); 1260 } 1261 1262 bool ContentSecurityPolicy::isActive() 
const 1263 { 1264 return !m_policies.isEmpty(); 1265 } 1266 1267 void ContentSecurityPolicy::gatherReportURIs(DOMStringList& list) const 1268 { 1269 for (size_t i = 0; i < m_policies.size(); ++i) 1270 m_policies[i].get()->gatherReportURIs(list); 1271 } 1272 1273 } -
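Review bot: the SendReport/SuppressReport split is copied as the same ternary into every allow*FromSource method and again into allowInlineScript, allowInlineStyle and allowEval, each reading `return reportingStatus == ContentSecurityPolicy::SendReport ? checkSourceAndReportViolation(operativeDirective(m_xSrc.get()), url, type) : checkSource(operativeDirective(m_xSrc.get()), url);`. A single private helper taking the directive, url, type and reportingStatus would remove the duplication and, more importantly, make it impossible for a later directive to forget the suppress branch; a forgotten branch turns a yes/no query into a console message plus a report-uri POST, which is exactly what SuppressReport callers are asking not to happen. Separately, in the javascript:-URL/inline-handler path at the top of this file's hunk, `checkInlineAndReportViolation(...) && checkNonceAndReportViolation(String(), ...)` short-circuits, so when the inline check fails the nonce violation is never logged or reported; if both violations should be visible, evaluate both calls before combining their results. Finally, gatherReportURIs returns every policy's report-uri strings verbatim; since this is new public surface, a comment on the method saying that the list is intended to be handed to callers outside the policy object (and that the URIs are whatever was parsed from the header) would make the intent auditable.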
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r121883 r123722 41 41 class CSPDirectiveList; 42 42 class ScriptCallStack; 43 class DOMStringList; 43 44 class ScriptExecutionContext; 44 45 … … 60 61 }; 61 62 63 enum ReportingStatus { 64 SendReport, 65 SuppressReport 66 }; 67 62 68 void didReceiveHeader(const String&, HeaderType); 63 69 64 // These functions are wrong bec uase they assume that there is only one header.70 // These functions are wrong because they assume that there is only one header. 65 71 // FIXME: Replace them with functions that return vectors. 66 72 const String& deprecatedHeader() const; 67 73 HeaderType deprecatedHeaderType() const; 68 74 69 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const;70 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const;71 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const;72 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine ) const;73 bool allowEval(PassRefPtr<ScriptCallStack> ) const;75 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; 76 bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; 77 bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; 78 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const; 79 bool allowEval(PassRefPtr<ScriptCallStack>, ReportingStatus = SendReport) const; 74 80 bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& = KURL()) const; 75 81 76 bool allowScriptFromSource(const KURL& ) const;77 bool allowObjectFromSource(const KURL& ) const;78 bool allowChildFrameFromSource(const KURL& ) const;79 bool 
allowImageFromSource(const KURL& ) const;80 bool allowStyleFromSource(const KURL& ) const;81 bool allowFontFromSource(const KURL& ) const;82 bool allowMediaFromSource(const KURL& ) const;83 bool allowConnectToSource(const KURL& ) const;82 bool allowScriptFromSource(const KURL&, ReportingStatus = SendReport) const; 83 bool allowObjectFromSource(const KURL&, ReportingStatus = SendReport) const; 84 bool allowChildFrameFromSource(const KURL&, ReportingStatus = SendReport) const; 85 bool allowImageFromSource(const KURL&, ReportingStatus = SendReport) const; 86 bool allowStyleFromSource(const KURL&, ReportingStatus = SendReport) const; 87 bool allowFontFromSource(const KURL&, ReportingStatus = SendReport) const; 88 bool allowMediaFromSource(const KURL&, ReportingStatus = SendReport) const; 89 bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const; 84 90 85 91 void setOverrideAllowInlineStyle(bool); 92 93 bool isActive() const; 94 void gatherReportURIs(DOMStringList&) const; 86 95 87 96 private:
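Review bot: the new ReportingStatus enum and the `ReportingStatus = SendReport` defaults have no comment stating what SuppressReport means (the directive is still checked, but no console message and no report are generated); add one at the enum so callers do not assume the check itself is skipped. Note also that allowScriptNonce keeps its old signature, `bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& = KURL()) const;`, so it is the one allow* method that cannot be called in suppressed mode; either add the ReportingStatus parameter for consistency or document why nonce checks always report. The added public `isActive()` and `gatherReportURIs(DOMStringList&)` likewise go in without a comment; gatherReportURIs in particular exposes the report endpoints of every policy, so a one-line note on who is expected to call it would help reviewers of the callers.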