Changeset 126047 in webkit
- Timestamp: Aug 20, 2012 11:33:20 AM (12 years ago)
- Location: trunk
- Files: 5 edited
trunk/LayoutTests/ChangeLog
r126032 r126047 1 2012-08-20 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: The 'plugin-types' warning should include details about explicit type declaration when relevant. 4 https://bugs.webkit.org/show_bug.cgi?id=94432 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt: 9 * http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt: 10 1 11 2012-08-20 Sheriff Bot <webkit.review.bot@gmail.com> 2 12 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt
r125531 r126047 1 CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. 1 CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>'). 2 2 3 3 Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's a console message above and "FAIL!" isn't logged. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt
r125531 r126047 1 CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. 1 CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>'). 2 2 3 3 Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's a console message above. -
trunk/Source/WebCore/ChangeLog
r126046 r126047 1 2012-08-20 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: The 'plugin-types' warning should include details about explicit type declaration when relevant. 4 https://bugs.webkit.org/show_bug.cgi?id=94432 5 6 Reviewed by Adam Barth. 7 8 Given a 'plugin-types' Content Security Policy directive, an 'object' or 9 'embed' tag is blocked if it doesn't include an explicit declaration of 10 the plugin's expected media type. This restriction should be made clear 11 in the console warning that's generated. 12 13 Existing tests have been adjusted to agree with the new error string. 14 15 * page/ContentSecurityPolicy.cpp: 16 (WebCore::CSPDirectiveList::checkMediaTypeAndReportViolation): 17 If a media type fail to match the policy's restrictions, and the 18 declared type attribute is empty, then add another line to the 19 console warning, espousing the virtues of explicit declaration. 20 1 21 2012-08-20 Dana Jansens <danakj@chromium.org> 2 22 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r125817 r126047 862 862 return true; 863 863 864 reportViolation(directive->text(), consoleMessage + "\'" + directive->text() + "\'.\n", KURL()); 864 String message = makeString(consoleMessage, "\'", directive->text(), "\'."); 865 if (typeAttribute.isEmpty()) 866 message = message + " When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>')."; 867 868 reportViolation(directive->text(), message + "\n", KURL()); 865 869 return denyIfEnforcingPolicy(); 866 870 }
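Review bot: In the ContentSecurityPolicy.cpp hunk (new lines 864-868), the message is built with makeString() and then extended twice with `String + literal` concatenation (`message = message + ...` and `message + "\n"`), which creates extra temporaries and mixes two styles in four lines. Consider appending the hint and the trailing newline to `message` in place, or building the whole string in one makeString() call per branch. The `\'` escapes inside the double-quoted literals are also unnecessary and can be written as plain `'`.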
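Review bot: The two updated expectations (plugintypes-notype-data-expected.txt and plugintypes-notype-url-expected.txt) cover only the branch where the type attribute is empty, visible as `MIME type ''` in both messages. Nothing touched in this changeset pins the other branch, where a type is declared but does not match the policy and the message should end after the directive text without the hint. If an existing plugin-types test already asserts that, this is fine; otherwise add an expectation for it so a later change to the `typeAttribute.isEmpty()` condition is caught by the layout tests.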