Changeset 124636 in webkit


Ignore:
Timestamp:
Aug 3, 2012 12:14:10 PM (12 years ago)
Author:
commit-queue@webkit.org
Message:

Blocking a plugin via CSP should result in one (and only one) console message.
https://bugs.webkit.org/show_bug.cgi?id=92649

Patch by Mike West <mkwst@chromium.org> on 2012-08-03
Reviewed by Adam Barth.

Source/WebCore:

Currently, blocking a plugin via Content Security Policy results in some
leakage of console log messages between tests. I'm unclear as to the
root cause, but the symptoms exhibited include
SubframeLoader::requestPlugin being called multiple times for a single
element, which in turn causes multiple console logs to be sent. These
messages tend to appear in the subsequent test, making the
http/test/security/contentSecurityPolicy/object-src-* set of tests
flakey indeed.

This patch addresses the issue by marking elements' plugins as
unavailable when they're blocked by CSP. No new tests have been added:
this patch should simply make the current tests actually pass.

  • loader/SubframeLoader.cpp:

(WebCore::SubframeLoader::requestPlugin):

We check the CSP status in SubframeLoader::loadPlugin, which is
called at the end of this function. Checking CSP status in both
locations is redundant.

(WebCore::SubframeLoader::loadPlugin):

If the plugin is blocked by CSP, tell the element's embedded object
renderer that the plugin is unavailable.

  • platform/LocalizedStrings.cpp:

(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):

  • platform/LocalizedStrings.h:

(WebCore):

  • platform/blackberry/LocalizedStringsBlackBerry.cpp:

(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):

  • platform/efl/LocalizedStringsEfl.cpp:

(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):

  • platform/gtk/LocalizedStringsGtk.cpp:

(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):

  • platform/qt/LocalizedStringsQt.cpp:

(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):

  • rendering/RenderEmbeddedObject.cpp:

(WebCore::unavailablePluginReplacementText):

  • rendering/RenderEmbeddedObject.h:

Return appropriate text when the plugin is blocked by CSP.

Source/WebKit/chromium:

  • src/LocalizedStrings.cpp:

(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):

Adding a stub for the newly added string.

Location:
trunk/Source
Files:
12 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebCore/ChangeLog

    r124634 r124636  
     12012-08-03  Mike West  <mkwst@chromium.org>
     2
     3        Blocking a plugin via CSP should result in one (and only one) console message.
     4        https://bugs.webkit.org/show_bug.cgi?id=92649
     5
     6        Reviewed by Adam Barth.
     7
     8        Currently, blocking a plugin via Content Security Policy results in some
     9        leakage of console log messages between tests. I'm unclear as to the
     10        root cause, but the symptoms exhibited include
     11        `SubframeLoader::requestPlugin` being called multiple times for a single
     12        element, which in turn causes multiple console logs to be sent. These
     13        messages tend to appear in the subsequent test, making the
     14        `http/test/security/contentSecurityPolicy/object-src-*` set of tests
     15        flakey indeed.
     16
     17        This patch addresses the issue by marking elements' plugins as
     18        unavailable when they're blocked by CSP. No new tests have been added:
     19        this patch should simply make the current tests actually pass.
     20
     21        * loader/SubframeLoader.cpp:
     22        (WebCore::SubframeLoader::requestPlugin):
     23            We check the CSP status in `SubframeLoader::loadPlugin`, which is
     24            called at the end of this function. Checking CSP status in both
     25            locations is redundant.
     26        (WebCore::SubframeLoader::loadPlugin):
     27            If the plugin is blocked by CSP, tell the element's embedded object
     28            renderer that the plugin is unavailable.
     29        * platform/LocalizedStrings.cpp:
     30        (WebCore::blockedPluginByContentSecurityPolicyText):
     31        (WebCore):
     32        * platform/LocalizedStrings.h:
     33        (WebCore):
     34        * platform/blackberry/LocalizedStringsBlackBerry.cpp:
     35        (WebCore::blockedPluginByContentSecurityPolicyText):
     36        (WebCore):
     37        * platform/efl/LocalizedStringsEfl.cpp:
     38        (WebCore::blockedPluginByContentSecurityPolicyText):
     39        (WebCore):
     40        * platform/gtk/LocalizedStringsGtk.cpp:
     41        (WebCore::blockedPluginByContentSecurityPolicyText):
     42        (WebCore):
     43        * platform/qt/LocalizedStringsQt.cpp:
     44        (WebCore::blockedPluginByContentSecurityPolicyText):
     45        (WebCore):
     46        * rendering/RenderEmbeddedObject.cpp:
     47        (WebCore::unavailablePluginReplacementText):
     48        * rendering/RenderEmbeddedObject.h:
     49            Return appropriate text when the plugin is blocked by CSP.
     50
    1512012-08-03  Kentaro Hara  <haraken@chromium.org>
    252

  • trunk/Source/WebCore/loader/SubframeLoader.cpp

    r124102 r124636  
    127127        if (m_frame->document()->isSandboxed(SandboxPlugins))
    128128            return false;
    129         if (!m_frame->document()->contentSecurityPolicy()->allowObjectFromSource(url))
    130             return false;
    131129    }
    132130
     
    422420    }
    423421
    424     if (!document()->contentSecurityPolicy()->allowObjectFromSource(url))
    425         return false;
     422    if (!document()->contentSecurityPolicy()->allowObjectFromSource(url)) {
     423        renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
     424        return false;
     425    }
    426426
    427427    FrameLoader* frameLoader = m_frame->loader();

  • trunk/Source/WebCore/platform/LocalizedStrings.cpp

    r122673 r124636  
    674674}
    675675
     676String blockedPluginByContentSecurityPolicyText()
     677{
     678    return WEB_UI_STRING("Blocked Plug-in", "Label text to be used if plugin is blocked by a page's Content Security Policy");
     679}
     680
    676681String insecurePluginVersionText()
    677682{

  • trunk/Source/WebCore/platform/LocalizedStrings.h

    r116695 r124636  
    168168    String missingPluginText();
    169169    String crashedPluginText();
     170    String blockedPluginByContentSecurityPolicyText();
    170171    String insecurePluginVersionText();
    171172    String multipleFileUploadText(unsigned numberOfFiles);

  • trunk/Source/WebCore/platform/blackberry/LocalizedStringsBlackBerry.cpp

    r123950 r124636  
    573573}
    574574
     575String blockedPluginByContentSecurityPolicyText()
     576{
     577    notImplemented();
     578    return String();
     579}
     580
    575581String insecurePluginVersionText()
    576582{

  • trunk/Source/WebCore/platform/efl/LocalizedStringsEfl.cpp

    r116708 r124636  
    561561}
    562562
     563String blockedPluginByContentSecurityPolicyText()
     564{
     565    notImplemented();
     566    return String();
     567}
     568
    563569String insecurePluginVersionText()
    564570{

  • trunk/Source/WebCore/platform/gtk/LocalizedStringsGtk.cpp

    r116710 r124636  
    472472    notImplemented();
    473473    return String::fromUTF8(_("Plug-in Failure"));
     474}
     475
     476String blockedPluginByContentSecurityPolicyText()
     477{
     478    notImplemented();
     479    return String();
    474480}
    475481

  • trunk/Source/WebCore/platform/qt/LocalizedStringsQt.cpp

    r116708 r124636  
    441441
    442442String crashedPluginText()
     443{
     444    notImplemented();
     445    return String();
     446}
     447
     448String blockedPluginByContentSecurityPolicyText()
    443449{
    444450    notImplemented();

  • trunk/Source/WebCore/rendering/RenderEmbeddedObject.cpp

    r120824 r124636  
    110110    case RenderEmbeddedObject::PluginCrashed:
    111111        return crashedPluginText();
     112    case RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy:
     113        return blockedPluginByContentSecurityPolicyText();
    112114    case RenderEmbeddedObject::InsecurePluginVersion:
    113115        return insecurePluginVersionText();

  • trunk/Source/WebCore/rendering/RenderEmbeddedObject.h

    r123811 r124636  
    4040        PluginMissing,
    4141        PluginCrashed,
     42        PluginBlockedByContentSecurityPolicy,
    4243        InsecurePluginVersion
    4344    };

  • trunk/Source/WebKit/chromium/ChangeLog

    r124632 r124636  
     12012-08-03  Mike West  <mkwst@chromium.org>
     2
     3        Blocking a plugin via CSP should result in one (and only one) console message.
     4        https://bugs.webkit.org/show_bug.cgi?id=92649
     5
     6        Reviewed by Adam Barth.
     7
     8        * src/LocalizedStrings.cpp:
     9        (WebCore::blockedPluginByContentSecurityPolicyText):
     10        (WebCore):
     11            Adding a stub for the newly added string.
     12
    1132012-08-03  Oli Lan  <olilan@chromium.org>
    214

  • trunk/Source/WebKit/chromium/src/LocalizedStrings.cpp

    r118384 r124636  
    214214    notImplemented();
    215215    return String("Plug-in Failure");
     216}
     217
     218String blockedPluginByContentSecurityPolicyText()
     219{
     220    notImplemented();
     221    return String();
    216222}
    217223
Note: See TracChangeset for help on using the changeset viewer.