Changeset 124371 in webkit


Timestamp:
Aug 1, 2012 2:34:13 PM
Author:
commit-queue@webkit.org
Message:

CSP should correctly block plugin resources rendered in PluginDocuments.
https://bugs.webkit.org/show_bug.cgi?id=92675

Patch by Mike West <mkwst@chromium.org> on 2012-08-01
Reviewed by Adam Barth.

Source/WebCore:

In certain cases, plugins aren't loaded directly, but are stuffed into a
newly-created PluginDocument before rendering. While we were already
correctly populating information that allowed us to make decisions about
that document's security origin, and already dealing with sandbox
status by creating a 'SinkDocument' that ignored plugin data, we weren't
correctly inheriting the parent frame's Content Security Policy. This
patch ensures that PluginDocuments correctly inherit their parent's
Content Security Policy, meaning that the plugin is blocked or allowed
according to the policy of the protected resource in which the
PluginDocument is embedded.

Tests: http/tests/security/contentSecurityPolicy/object-src-url-allowed.html
       http/tests/security/contentSecurityPolicy/object-src-url-blocked.html

  • dom/Document.cpp:
    (WebCore::Document::initContentSecurityPolicy):
    Populate a created PluginDocument with its frame's parent's Content
    Security Policy.

LayoutTests:

  • http/tests/plugins/resources/mock-plugin.pl: Added.
    This lovely perl script mocks a plugin by sending a
    'Content-Type application/x-webkit-test-netscape' header.

  • http/tests/security/contentSecurityPolicy/object-src-url-allowed-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/object-src-url-allowed.html: Added.
  • http/tests/security/contentSecurityPolicy/object-src-url-blocked-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/object-src-url-blocked.html: Added.
    Test that non-'data:' URLs that end up in PluginDocuments are also
    dealt with correctly by CSP.
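To make the behaviour described in the message concrete, here is an added illustration (not WebKit source, and not part of this changeset) that models the early-return condition in Document::initContentSecurityPolicy() before and after the patch and then applies a minimal object-src check to a plugin URL. The names shouldInheritSecurityOriginFromOwner() and isPluginDocument() are WebKit's, but their bodies below are simplified assumptions (about:blank, data: and javascript: inherit; everything else does not); the source-list matcher, the page origin https://example.test and the plugin host plugin.test are constructed for the example.

```cpp
// Added illustration, not WebKit source: a model of the decision made in
// Document::initContentSecurityPolicy() before and after this changeset,
// followed by a minimal object-src check so the effect on a plugin load is
// visible. shouldInheritSecurityOriginFromOwner() and isPluginDocument()
// are WebKit names; their bodies here are simplified assumptions.
#include <iostream>
#include <string>
#include <vector>

struct Doc {
    std::string url;        // the document's own URL (m_url)
    bool hasParentFrame;    // m_frame->tree()->parent() != 0
    bool isPluginDocument;  // document synthesized to host a plugin
};

// Assumption: about:blank, data: and javascript: documents inherit their
// owner's security origin; everything else has an origin of its own.
static bool shouldInheritSecurityOriginFromOwner(const std::string& url) {
    return url == "about:blank" || url.rfind("data:", 0) == 0
        || url.rfind("javascript:", 0) == 0;
}

// Condition as it stood before r124371.
static bool inheritsParentCSPBefore(const Doc& d) {
    if (!d.hasParentFrame || !shouldInheritSecurityOriginFromOwner(d.url))
        return false;
    return true;
}

// Condition after r124371: a PluginDocument inherits regardless of scheme.
static bool inheritsParentCSPAfter(const Doc& d) {
    if (!d.hasParentFrame
        || (!shouldInheritSecurityOriginFromOwner(d.url) && !d.isPluginDocument))
        return false;
    return true;
}

// scheme://host[:port] of a URL; opaque URLs (data:) are returned whole.
static std::string originOf(const std::string& url) {
    size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return url;
    size_t pathStart = url.find('/', schemeEnd + 3);
    return pathStart == std::string::npos ? url : url.substr(0, pathStart);
}

// Constructed object-src matcher: 'none', 'self', scheme-source ("https:")
// and exact origins. An empty list means no policy applies at all.
static bool objectSrcAllows(const std::vector<std::string>& sources,
                            const std::string& selfOrigin,
                            const std::string& resourceUrl) {
    if (sources.empty())
        return true;
    const std::string resOrigin = originOf(resourceUrl);
    for (const std::string& s : sources) {
        if (s == "'none'")
            return false;
        if (s == "'self'" && resOrigin == selfOrigin)
            return true;
        if (s == resOrigin)
            return true;
        if (!s.empty() && s.back() == ':' && resourceUrl.compare(0, s.size(), s) == 0)
            return true;
    }
    return false;
}

// Does the embedding page's object-src policy allow `pluginUrl` once it is
// wrapped in a PluginDocument? `afterPatch` selects which condition applies.
static bool pluginAllowed(const std::vector<std::string>& parentObjectSrc,
                          const std::string& parentOrigin,
                          const std::string& pluginUrl, bool afterPatch) {
    Doc pluginDoc = { pluginUrl, /*hasParentFrame=*/true, /*isPluginDocument=*/true };
    bool inherits = afterPatch ? inheritsParentCSPAfter(pluginDoc)
                               : inheritsParentCSPBefore(pluginDoc);
    // Without inheritance the PluginDocument carries no policy of its own.
    std::vector<std::string> effective = inherits ? parentObjectSrc
                                                  : std::vector<std::string>();
    return objectSrcAllows(effective, parentOrigin, pluginUrl);
}

int main() {
    // Constructed scenario: https://example.test serves "object-src 'none'"
    // and embeds a plugin resource from another host.
    const std::vector<std::string> policy = { "'none'" };
    const std::string page = "https://example.test";
    const std::string plugin = "http://plugin.test/mock-plugin.pl";
    std::cout << "before: " << (pluginAllowed(policy, page, plugin, false) ? "allowed" : "blocked") << "\n";
    std::cout << "after:  " << (pluginAllowed(policy, page, plugin, true) ? "allowed" : "blocked") << "\n";
    return 0;
}
```

The interesting row is the non-data: plugin URL under `object-src 'none'`: before the patch the PluginDocument has a real origin, so the old condition returns early, no policy is copied, and the load goes through; after the patch the `isPluginDocument()` clause keeps the inheritance path and the embedder's policy blocks it. A data: plugin URL is blocked under both versions, which is why the new tests specifically exercise non-data: URLs.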

Location:
trunk
Files:
5 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r124369 r124371  
     12012-08-01  Mike West  <mkwst@chromium.org>
     2
     3        CSP should correctly block plugin resources rendered in PluginDocuments.
     4        https://bugs.webkit.org/show_bug.cgi?id=92675
     5
     6        Reviewed by Adam Barth.
     7
     8        * http/tests/plugins/resources/mock-plugin.pl: Added.
     9            This lovely perl script mocks a plugin by sending a
     10            'Content-Type application/x-webkit-test-netscape' header.
     11        * http/tests/security/contentSecurityPolicy/object-src-url-allowed-expected.txt: Added.
     12        * http/tests/security/contentSecurityPolicy/object-src-url-allowed.html: Added.
     13        * http/tests/security/contentSecurityPolicy/object-src-url-blocked-expected.txt: Added.
     14        * http/tests/security/contentSecurityPolicy/object-src-url-blocked.html: Added.
     15            Test that non-'data:' URLs that end up in PluginDocuments are also
     16            dealt with correctly by CSP.
     17
    1182012-08-01  Florin Malita  <fmalita@chromium.org>
    219
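Review bot: the header quoted in line 10 of this entry, 'Content-Type application/x-webkit-test-netscape', is missing the colon that separates the header name from its value; it should read 'Content-Type: application/x-webkit-test-netscape' so that the ChangeLog matches what mock-plugin.pl actually has to emit for the response to be treated as a plugin resource. It would also help a future reader if lines 15 and 16 said which of the two tests expects the load to be blocked and which expects it to be allowed, since the file names carry that distinction but the description does not.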
  • trunk/Source/WebCore/ChangeLog

    r124369 r124371  
     12012-08-01  Mike West  <mkwst@chromium.org>
     2
     3        CSP should correctly block plugin resources rendered in PluginDocuments.
     4        https://bugs.webkit.org/show_bug.cgi?id=92675
     5
     6        Reviewed by Adam Barth.
     7
     8        In certain cases, plugins aren't loaded directly, but are stuffed into a
     9        newly-created PluginDocument before rendering. While we were already
     10        correctly populating information that allowed us to make decisions about
     11        that document's security origin, and already dealing with sandbox
     12        status by creating a 'SinkDocument' that ignored plugin data, we weren't
     13        correctly inheriting the parent frame's Content Security Policy. This
     14        patch ensures that PluginDocuments correctly inherit their parent's
     15        Content Security Policy, meaning that the plugin is blocked or allowed
     16        according to the policy of the protected resource in which the
     17        PluginDocument is embedded.
     18
     19        Tests: http/tests/security/contentSecurityPolicy/object-src-url-allowed.html
     20               http/tests/security/contentSecurityPolicy/object-src-url-blocked.html
     21
     22        * dom/Document.cpp:
     23        (WebCore::Document::initContentSecurityPolicy):
     24            Populate a created PluginDocument with its frame's parent's Content
     25            Security Policy.
     26
    1272012-08-01  Florin Malita  <fmalita@chromium.org>
    228
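Review bot: lines 24 and 25 describe the new behaviour as populating the PluginDocument with its parent's policy, but do not record the actual condition change, namely that a PluginDocument now inherits even when its URL is not one that inherits a security origin (the non-data: case the new tests cover). One sentence to that effect here would let someone reading the ChangeLog understand why the Document.cpp condition gained an isPluginDocument() clause without opening the diff.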
  • trunk/Source/WebCore/dom/Document.cpp

    r124350 r124371  
    50625062void Document::initContentSecurityPolicy()
    50635063{
    5064     if (!m_frame->tree()->parent() || !shouldInheritSecurityOriginFromOwner(m_url))
    5065         return;
     5064    if (!m_frame->tree()->parent() || (!shouldInheritSecurityOriginFromOwner(m_url) && !isPluginDocument()))
     5065        return;
     5066
    50665067    contentSecurityPolicy()->copyStateFrom(m_frame->tree()->parent()->document()->contentSecurityPolicy());
    50675068}
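Review bot: the new early-return condition on line 5064, `if (!m_frame->tree()->parent() || (!shouldInheritSecurityOriginFromOwner(m_url) && !isPluginDocument()))`, is a double-negated conjunction that is easy to misread; stating the positive predicate first, for example `bool inheritsFromParent = shouldInheritSecurityOriginFromOwner(m_url) || isPluginDocument();` followed by `if (!m_frame->tree()->parent() || !inheritsFromParent) return;`, would make the intent plain. A one-line comment explaining why a PluginDocument inherits regardless of its URL (it is synthesized by the embedding frame to render a resource the embedder requested, so the embedder's policy is the one that should govern it) would also help, since nothing in the function body says so. Note that `m_frame` is dereferenced unconditionally both before and after this change, so the function continues to rely on callers guaranteeing a frame; that is unchanged by the patch but worth keeping in mind as the condition grows.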