Changeset 126785 in webkit
- Timestamp: Aug 27, 2012 1:08:39 PM (12 years ago)
- Location: trunk
- Files: 6 added, 10 edited
trunk/LayoutTests/ChangeLog
r126782 r126785 1 2012-08-27 Mike West <mkwst@chromium.org> 2 3 'self' in a CSP directive should match blob: and filesystem: URLs. 4 https://bugs.webkit.org/show_bug.cgi?id=94918 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt: Added. 9 * http/tests/security/contentSecurityPolicy/blob-urls-match-self.html: Added. 10 * http/tests/security/contentSecurityPolicy/filesystem-urls-match-self-expected.txt: Added. 11 * http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html: Added. 12 Test the new functionality. 13 * http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js: 14 (test): 15 Adding support for data: URLs. 16 * http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt: Added. 17 * http/tests/security/contentSecurityPolicy/source-list-parsing-08.html: Added. 18 Adding data: URL tests to ensure that grabbing the inner URL of the 19 URL to test doesn't inadvertently regress that behavior. 20 * platform/efl/Skipped: 21 * platform/mac/Skipped: 22 * platform/qt/Skipped: 23 * platform/win/Skipped: 24 Skipping filessytem test on ports where it's not enabled. 25 1 26 2012-08-27 Simon Fraser <simon.fraser@apple.com> 2 27 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js
r121883 r126785 15 15 "should_run=" + escape(current[0]) + 16 16 "&csp=" + escape(current[1]) + 17 "&q=" + baseURL + escape(current[2]); 17 "&q=" + (current[2].match(/^data:/) ? 18 escape(current[2]) : 19 baseURL + escape(current[2])); 18 20 if (current[3]) 19 21 iframe.src += "&nonce=" + escape(current[3]); -
trunk/LayoutTests/platform/efl/Skipped
r126192 r126785 1063 1063 # Requires ENABLE(FILE_SYSTEM) 1064 1064 fast/forms/file/input-file-entries.html 1065 http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html 1065 1066 1066 1067 # Transparent image being produced -
trunk/LayoutTests/platform/mac/Skipped
r126700 r126785 340 340 http/tests/filesystem 341 341 http/tests/inspector/filesystem 342 http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html 342 343 http/tests/security/filesystem-iframe-from-remote.html 343 344 http/tests/security/mixedContent/filesystem-url-in-iframe.html -
trunk/LayoutTests/platform/qt/Skipped
r126753 r126785 119 119 http/tests/filesystem 120 120 http/tests/inspector/filesystem 121 http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html 121 122 http/tests/security/filesystem-iframe-from-remote.html 122 123 http/tests/security/mixedContent/filesystem-url-in-iframe.html -
trunk/LayoutTests/platform/win/Skipped
r126684 r126785 1301 1301 http/tests/filesystem 1302 1302 http/tests/inspector/filesystem 1303 http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html 1303 1304 http/tests/security/filesystem-iframe-from-remote.html 1304 1305 http/tests/websocket/tests/hybi/send-file-blob.html -
trunk/Source/WebCore/ChangeLog
r126783 r126785 1 2012-08-27 Mike West <mkwst@chromium.org> 2 3 'self' in a CSP directive should match blob: and filesystem: URLs. 4 https://bugs.webkit.org/show_bug.cgi?id=94918 5 6 Reviewed by Adam Barth. 7 8 'blob:' and 'filesystem:' URLs are same-origin with the page on which 9 they were created. Currently, we're using the wrong URL for comparison 10 when matching against CSP directive source lists. This patch adjusts the 11 matching logic to compare against the blob's inner URL, rather than 12 directly against the blob itself. 13 14 Tests: http/tests/security/contentSecurityPolicy/blob-urls-match-self.html 15 http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html 16 http/tests/security/contentSecurityPolicy/source-list-parsing-08.html 17 18 * page/ContentSecurityPolicy.cpp: 19 (WebCore::CSPSourceList::matches): 20 If we should use the inner URL of a given resource, extract it into 21 a local variable, and pass that into CSPSource for comparison. 22 * page/SecurityOrigin.cpp: 23 (WebCore::SecurityOrigin::shouldUseInnerURL): 24 (WebCore::SecurityOrigin::extractInnerURL): 25 Move shouldUseInnerURL and extractInnerURL to SecurityOrigin's 26 public signature. 27 (WebCore::shouldTreatAsUniqueOrigin): 28 (WebCore::SecurityOrigin::create): 29 (WebCore::SecurityOrigin::isSecure): 30 shouldUseInnerURL and extractInnerURL are now static methods of 31 SecurityOrigin: updating calls to mathc. 32 * page/SecurityOrigin.h: 33 1 34 2012-08-27 Kevin Funk <kevin.funk@kdab.com> 2 35 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r126488 r126785 245 245 return true; 246 246 247 KURL effectiveURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; 248 247 249 for (size_t i = 0; i < m_list.size(); ++i) { 248 if (m_list[i].matches( url))250 if (m_list[i].matches(effectiveURL)) 249 251 return true; 250 252 } -
trunk/Source/WebCore/page/SecurityOrigin.cpp
r126365 r126785 54 54 } 55 55 56 // Some URL schemes use nested URLs for their security context. For example, 57 // filesystem URLs look like the following: 58 // 59 // filesystem:http://example.com/temporary/path/to/file.png 60 // 61 // We're supposed to use "http://example.com" as the origin. 62 // 63 // Generally, we add URL schemes to this list when WebKit support them. For 64 // example, we don't include the "jar" scheme, even though Firefox understands 65 // that jar uses an inner URL for it's security origin. 66 // 67 static bool shouldUseInnerURL(const KURL& url) 56 bool SecurityOrigin::shouldUseInnerURL(const KURL& url) 68 57 { 69 58 #if ENABLE(BLOB) … … 82 71 // that all the URL schemes we currently support that use inner URLs for their 83 72 // security origin can be parsed using this algorithm. 84 static KURLextractInnerURL(const KURL& url)73 KURL SecurityOrigin::extractInnerURL(const KURL& url) 85 74 { 86 75 if (url.innerURL()) … … 106 95 107 96 // FIXME: Do we need to unwrap the URL further? 108 KURL innerURL = shouldUseInnerURL(url) ?extractInnerURL(url) : url;97 KURL innerURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url; 109 98 110 99 // FIXME: Check whether innerURL is valid. -
trunk/Source/WebCore/page/SecurityOrigin.h
r126365 r126785 53 53 static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port); 54 54 55 // Some URL schemes use nested URLs for their security context. For example, 56 // filesystem URLs look like the following: 57 // 58 // filesystem:http://example.com/temporary/path/to/file.png 59 // 60 // We're supposed to use "http://example.com" as the origin. 61 // 62 // Generally, we add URL schemes to this list when WebKit support them. For 63 // example, we don't include the "jar" scheme, even though Firefox 64 // understands that "jar" uses an inner URL for it's security origin. 65 static bool shouldUseInnerURL(const KURL&); 66 static KURL extractInnerURL(const KURL&); 67 55 68 // Create a deep copy of this SecurityOrigin. This method is useful 56 69 // when marshalling a SecurityOrigin to another thread.
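Review bot: In trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js, the new check current[2].match(/^data:/) is case-sensitive, while URL schemes are case-insensitive, so a test entry written as DATA:... would still get baseURL prepended and silently test the wrong URL. Consider /^data:/i, and add a one-line comment saying why data: URLs must bypass baseURL, since the nested ternary inside the string concatenation is not self-explanatory.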
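Review bot: In trunk/Source/WebCore/page/ContentSecurityPolicy.cpp, CSPSourceList::matches now passes effectiveURL to every entry in m_list, not only to 'self', so an explicit host source is also compared against the inner URL of a blob: or filesystem: resource, and no source in the list sees the outer scheme any more. The ChangeLog describes the change only in terms of 'self'. If the wider behavior is intended, state it in the ChangeLog and add tests with an explicit host source and with a scheme-only source; otherwise limit the unwrapping to the 'self' comparison. The result of extractInnerURL is also used here without a validity check, the same gap that the existing "FIXME: Check whether innerURL is valid" marks in SecurityOrigin.cpp.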
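Review bot: In trunk/Source/WebCore/page/SecurityOrigin.h, the comment moved above shouldUseInnerURL and extractInnerURL explains the scheme list but not the contract of the two now-public statics: what extractInnerURL returns when the URL has no parsable inner URL, and whether callers must check shouldUseInnerURL first. With a second caller in ContentSecurityPolicy.cpp, that should be documented at the declaration. While the comment is being moved, "WebKit support them" should read "supports" and "it's security origin" should read "its".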
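Review bot: The Skipped hunks for efl, mac, qt and win add only filesystem-urls-match-self.html, but shouldUseInnerURL in SecurityOrigin.cpp opens its body with #if ENABLE(BLOB), so blob-urls-match-self.html depends on a build flag as well. Confirm that every port running the new blob test builds with BLOB enabled, or add that test to the Skipped list of any port that does not.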