Changeset 125983 in webkit

Timestamp:

Aug 19, 2012 3:39:54 PM (12 years ago)

Author:

commit-queue@webkit.org

Message:

CSP 1.1: Add 'plugin-types' and 'form-action' DOM API.
​https://bugs.webkit.org/show_bug.cgi?id=94415

Patch by Mike West <​mkwst@chromium.org> on 2012-08-19
Reviewed by Adam Barth.

Source/WebCore:

Experimental implementations of the new 'plugin-types' and 'form-action'
directives recently landed, but we neglected to add DOM API endpoints to
query their state. Those APIs have been added to the specification[1],
and this patch brings our implementation up to date.

Tests: http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html

http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html

• page/DOMSecurityPolicy.cpp:

(isAllowed):

As a drive-by, change a parameter from a KURL to a String to match
the actual template. There's no reason to stringify an empty URL
when we can just use an empty string instead.

(isAllowedWithType):

Call out to the ContentSecurityPolicy object to check the protected
resource's ability to load a given media type.

(WebCore::DOMSecurityPolicy::allowsFormAction):

Call out to the ContentSecurityPolicy object to check the protected
resource's ability to submit a form to the given URL.

(WebCore):
(WebCore::DOMSecurityPolicy::allowsPluginType):

Pipes the plugin type through 'isAllowedWithType' for resolution.

• page/DOMSecurityPolicy.h:

Add the 'allowsPluginType' and 'allowsFormAction' methods.

(DOMSecurityPolicy):

• page/DOMSecurityPolicy.idl:

Add the 'allowsPluginType' and 'allowsFormAction' methods.

LayoutTests:

• http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html: Added.
• http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/DOMSecurityPolicy.cpp (modified) (4 diffs)
• Source/WebCore/page/DOMSecurityPolicy.h (modified) (1 diff)
• Source/WebCore/page/DOMSecurityPolicy.idl (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-08-19  Mike West  <mkwst@chromium.org>
+
+        CSP 1.1: Add 'plugin-types' and 'form-action' DOM API.
+        https://bugs.webkit.org/show_bug.cgi?id=94415
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html: Added.
+
 2012-08-19  Pavel Feldman  <pfeldman@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-08-19  Mike West  <mkwst@chromium.org>
+
+        CSP 1.1: Add 'plugin-types' and 'form-action' DOM API.
+        https://bugs.webkit.org/show_bug.cgi?id=94415
+
+        Reviewed by Adam Barth.
+
+        Experimental implementations of the new 'plugin-types' and 'form-action'
+        directives recently landed, but we neglected to add DOM API endpoints to
+        query their state. Those APIs have been added to the specification[1],
+        and this patch brings our implementation up to date.
+
+        Tests: http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html
+               http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html
+
+        * page/DOMSecurityPolicy.cpp:
+        (isAllowed):
+            As a drive-by, change a parameter from a KURL to a String to match
+            the actual template. There's no reason to stringify an empty URL
+            when we can just use an empty string instead.
+        (isAllowedWithType):
+            Call out to the ContentSecurityPolicy object to check the protected
+            resource's ability to load a given media type.
+        (WebCore::DOMSecurityPolicy::allowsFormAction):
+            Call out to the ContentSecurityPolicy object to check the protected
+            resource's ability to submit a form to the given URL.
+        (WebCore):
+        (WebCore::DOMSecurityPolicy::allowsPluginType):
+            Pipes the plugin type through 'isAllowedWithType' for resolution.
+        * page/DOMSecurityPolicy.h:
+            Add the 'allowsPluginType' and 'allowsFormAction' methods.
+        (DOMSecurityPolicy):
+        * page/DOMSecurityPolicy.idl:
+            Add the 'allowsPluginType' and 'allowsFormAction' methods.
+
 2012-08-19  Pavel Feldman  <pfeldman@chromium.org>
 

trunk/Source/WebCore/page/DOMSecurityPolicy.cpp

@@ -49 +49 @@
 }
 
+template<bool (ContentSecurityPolicy::*allowWithType)(const String&, const String&, const KURL&, ContentSecurityPolicy::ReportingStatus) const>
+bool isAllowedWithType(ScriptExecutionContext* context, const String& type)
+{
+    if (!isPolicyActiveInContext(context))
+        return true;
+
+    return (context->contentSecurityPolicy()->*allowWithType)(type, type, KURL(), ContentSecurityPolicy::SuppressReport);
+}
+
 template<bool (ContentSecurityPolicy::*allowWithURL)(const KURL&, ContentSecurityPolicy::ReportingStatus) const>
 bool isAllowedWithURL(ScriptExecutionContext* context, const String& url)
@@ -68 +77 @@
         return true;
 
-    return (context->contentSecurityPolicy()->*allowWithContext)(KURL(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport);
+    return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport);
 }
 
@@ -126 +135 @@
 }
 
+bool DOMSecurityPolicy::allowsFormAction(const String& url) const
+{
+    return isAllowedWithURL<&ContentSecurityPolicy::allowFormAction>(scriptExecutionContext(), url);
+}
+
 bool DOMSecurityPolicy::allowsFrameFrom(const String& url) const
 {
@@ -146 +160 @@
 }
 
+bool DOMSecurityPolicy::allowsPluginType(const String& type) const
+{
+    return isAllowedWithType<&ContentSecurityPolicy::allowPluginType>(scriptExecutionContext(), type);
+}
+
 bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const
 {

trunk/Source/WebCore/page/DOMSecurityPolicy.h

@@ -56 +56 @@
     bool allowsConnectionTo(const String& url) const;
     bool allowsFontFrom(const String& url) const;
+    bool allowsFormAction(const String& url) const;
     bool allowsFrameFrom(const String& url) const;
     bool allowsImageFrom(const String& url) const;
     bool allowsMediaFrom(const String& url) const;
     bool allowsObjectFrom(const String& url) const;
+    bool allowsPluginType(const String& type) const;
     bool allowsScriptFrom(const String& url) const;
     bool allowsStyleFrom(const String& url) const;

trunk/Source/WebCore/page/DOMSecurityPolicy.idl

@@ -36 +36 @@
         boolean allowsConnectionTo(in DOMString url);
         boolean allowsFontFrom(in DOMString url);
+        boolean allowsFormAction(in DOMString url);
         boolean allowsFrameFrom(in DOMString url);
         boolean allowsImageFrom(in DOMString url);
         boolean allowsMediaFrom(in DOMString url);
         boolean allowsObjectFrom(in DOMString url);
+        boolean allowsPluginType(in DOMString type);
         boolean allowsScriptFrom(in DOMString url);
         boolean allowsStyleFrom(in DOMString url);