Changeset 126047 in webkit
Timestamp:
Aug 20, 2012 11:33:20 AM (12 years ago)
Author:
commit-queue@webkit.org
Message:

CSP 1.1: The 'plugin-types' warning should include details about explicit type declaration when relevant.
https://bugs.webkit.org/show_bug.cgi?id=94432

Patch by Mike West <mkwst@chromium.org> on 2012-08-20
Reviewed by Adam Barth.

Source/WebCore:

Given a 'plugin-types' Content Security Policy directive, an 'object' or
'embed' tag is blocked if it doesn't include an explicit declaration of
the plugin's expected media type. This restriction should be made clear
in the console warning that's generated.

Existing tests have been adjusted to agree with the new error string.

  • page/ContentSecurityPolicy.cpp:

(WebCore::CSPDirectiveList::checkMediaTypeAndReportViolation):

If a media type fails to match the policy's restrictions, and the
declared type attribute is empty, then add another line to the
console warning, espousing the virtues of explicit declaration.

LayoutTests:

  • http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt:
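The check described in the commit message, as an added stand-alone example that is not WebKit's code: a small parser for a `plugin-types` directive (assumed here to be a whitespace-separated list of media types after the directive name) and a `checkMediaType` function that mirrors the decision and the console message. The URLs and directive text in the comments come from the expectation files on this page; `PluginTypesDirective`, `CheckResult`, `normalizeMediaType` and the `reportOnly` flag are names and assumptions of this example. It goes slightly beyond the patch in two ways, both labelled in comments: a `type` attribute containing only whitespace is treated as undeclared, and a report-only policy logs the violation but lets the load proceed.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Trim surrounding ASCII whitespace and lower-case, so ' Application/PDF '
// compares equal to 'application/pdf'. (Assumption of this example: the real
// directive parser has its own normalization rules.)
static std::string normalizeMediaType(const std::string& s) {
    size_t b = s.find_first_not_of(" \t\r\n");
    if (b == std::string::npos)
        return "";
    size_t e = s.find_last_not_of(" \t\r\n");
    std::string out = s.substr(b, e - b + 1);
    std::transform(out.begin(), out.end(), out.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return out;
}

// Constructed stand-in for a parsed 'plugin-types' directive.
struct PluginTypesDirective {
    std::string text;                 // echoed verbatim in the console message
    std::vector<std::string> allowed; // normalized media types permitted to load
};

// Parse "plugin-types a/b c/d": the first token is the directive name,
// every following token is an allowed media type.
PluginTypesDirective parsePluginTypes(const std::string& directiveText) {
    PluginTypesDirective d;
    d.text = directiveText;
    std::istringstream in(directiveText);
    std::string token;
    bool first = true;
    while (in >> token) {
        if (first) { first = false; continue; } // skip "plugin-types"
        d.allowed.push_back(normalizeMediaType(token));
    }
    return d;
}

struct CheckResult {
    bool allowed;               // may the plugin load?
    std::string consoleMessage; // empty when there is no violation
};

// mediaType: the type the policy is asked about (empty in the 'notype' tests).
// typeAttribute: the raw 'type' attribute on the <object>/<embed> element;
//                when it is empty the warning gains the explicit-declaration hint.
// reportOnly: true for a Content-Security-Policy-Report-Only policy (assumed
//             flag standing in for denyIfEnforcingPolicy()).
CheckResult checkMediaType(const PluginTypesDirective& directive,
                           const std::string& url,
                           const std::string& mediaType,
                           const std::string& typeAttribute,
                           bool reportOnly) {
    std::string type = normalizeMediaType(mediaType);
    if (!type.empty()
        && std::find(directive.allowed.begin(), directive.allowed.end(), type) != directive.allowed.end())
        return {true, ""};

    std::string message = "Refused to load '" + url + "' (MIME type '" + type
        + "') because it violates the following Content Security Policy Directive: '"
        + directive.text + "'.";

    // Beyond the patch: a whitespace-only attribute counts as undeclared too.
    if (normalizeMediaType(typeAttribute).empty())
        message += " When enforcing the 'plugin-types' directive, the plugin's media type"
                   " must be explicitly declared with a 'type' attribute on the containing"
                   " element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>').";

    // A report-only policy logs the violation but does not block the load.
    return {reportOnly, message};
}
```

With the directive from the expectation files, `plugin-types application/x-invalid-type`, an `<object>` with no `type` attribute is refused and the message carries the hint; an `<object type="application/pdf">` is refused without the hint, since the declaration is present but simply not allowed.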
Location:
trunk
Files:
5 edited

  • trunk/LayoutTests/ChangeLog

    r126032 r126047  
     12012-08-20  Mike West  <mkwst@chromium.org>
     2
     3        CSP 1.1: The 'plugin-types' warning should include details about explicit type declaration when relevant.
     4        https://bugs.webkit.org/show_bug.cgi?id=94432
     5
     6        Reviewed by Adam Barth.
     7
     8        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt:
     9        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt:
     10
    1112012-08-20  Sheriff Bot  <webkit.review.bot@gmail.com>
    212
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt

    r125531 r126047  
    1 CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'.
     1CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>').
    22
    33Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's a console message above and "FAIL!" isn't logged. 
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt

    r125531 r126047  
    1 CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'.
     1CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>').
    22
    33Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's a console message above. 
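Review bot: the description on line 3 of this file says the test passes "if there's a console message above", whereas the data: variant additionally requires that "FAIL!" isn't logged; if the URL variant's HTML can also log FAIL! on an unexpected load, the description here should state the same condition so the two expectation files agree on what a pass means.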
  • trunk/Source/WebCore/ChangeLog

    r126046 r126047  
     12012-08-20  Mike West  <mkwst@chromium.org>
     2
     3        CSP 1.1: The 'plugin-types' warning should include details about explicit type declaration when relevant.
     4        https://bugs.webkit.org/show_bug.cgi?id=94432
     5
     6        Reviewed by Adam Barth.
     7
     8        Given a 'plugin-types' Content Security Policy directive, an 'object' or
     9        'embed' tag is blocked if it doesn't include an explicit declaration of
     10        the plugin's expected media type. This restriction should be made clear
     11        in the console warning that's generated.
     12
     13        Existing tests have been adjusted to agree with the new error string.
     14
     15        * page/ContentSecurityPolicy.cpp:
     16        (WebCore::CSPDirectiveList::checkMediaTypeAndReportViolation):
     17            If a media type fail to match the policy's restrictions, and the
     18            declared type attribute is empty, then add another line to the
     19            console warning, espousing the virtues of explicit declaration.
     20
    1212012-08-20  Dana Jansens  <danakj@chromium.org>
    222
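Review bot: the function description at lines 17-19 of this entry reads "If a media type fail to match the policy's restrictions"; this should be "fails to match". Otherwise the entry matches the commit message and the code change.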
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r125817 r126047  
    862862        return true;
    863863
    864     reportViolation(directive->text(), consoleMessage + "\'" + directive->text() + "\'.\n", KURL());
     864    String message = makeString(consoleMessage, "\'", directive->text(), "\'.");
     865    if (typeAttribute.isEmpty())
     866        message = message + " When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>').";
     867
     868    reportViolation(directive->text(), message + "\n", KURL());
    865869    return denyIfEnforcingPolicy();
    866870}
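Review bot: the hint at line 866 is gated on `typeAttribute.isEmpty()`, so an element whose `type` attribute contains only whitespace reaches the same violation path but gets no hint even though nothing usable was declared; if that should count as undeclared, compare against `typeAttribute.stripWhiteSpace().isEmpty()` instead. Two smaller points: line 864 builds the message with `makeString` while line 866 appends with `operator+`, so `message.append(...)` or a second `makeString` would be more consistent, and since the change covers both 'object' and 'embed', the example in the hint could mention `<embed type="...">` alongside `<object>`.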