Changeset 129525 in webkit
- Timestamp:
- Sep 25, 2012 10:24:18 AM (12 years ago)
- Location:
- trunk
- Files:
-
- 8 edited
trunk/LayoutTests/ChangeLog
r129520 r129525 1 2012-09-25 Mike West <mkwst@google.com> 2 3 CSP paths: Ignore invalid path components, rather than dropping the source completely. 4 https://bugs.webkit.org/show_bug.cgi?id=97538 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt: 9 * http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt: 10 Updating to the new error message. 11 * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt: 12 * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html: 13 Adding new tests to check that valid paths followed by '?' or '#' 14 drop the invalid component, but remain valid sources. 15 1 16 2012-09-25 Zan Dobersek <zandobersek@gmail.com> 2 17 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt
r129143 r129525 1 1 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path". 2 2 3 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a n invalid source: '127.0.0.1:*/path?query=string'. Itwill be ignored.3 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored. 4 4 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path?query=string". 5 5 6 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a n invalid source: '127.0.0.1:*/path#anchor'. Itwill be ignored.6 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored. 7 7 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path#anchor". 8 8 9 9 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path". 10 10 11 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a n invalid source: '127.0.0.1:8000/path?query=string'. 
Itwill be ignored.11 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored. 12 12 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path?query=string". 13 13 14 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a n invalid source: '127.0.0.1:8000/path#anchor'. Itwill be ignored.14 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored. 15 15 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path#anchor". 16 16 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt
r129143 r129525 1 1 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path". 2 2 3 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a n invalid source: 'http://127.0.0.1:*/path?query=string'. Itwill be ignored.3 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored. 4 4 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path?query=string". 5 5 6 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a n invalid source: 'http://127.0.0.1:*/path#anchor'. Itwill be ignored.6 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored. 7 7 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path#anchor". 8 8 9 9 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path". 10 10 11 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a n invalid source: 'http://127.0.0.1:8000/path?query=string'. 
Itwill be ignored.11 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored. 12 12 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path?query=string". 13 13 14 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a n invalid source: 'http://127.0.0.1:8000/path#anchor'. Itwill be ignored.14 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored. 15 15 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path#anchor". 16 16 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt
r129143 r129525 1 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/not-security#query=string'. It will be ignored. 1 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security#query=string'. The fragment identifier, including the '#', will be ignored. 2 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security?query=string'. The query component, including the '?', will be ignored. 3 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security#query=string'. The fragment identifier, including the '#', will be ignored. 2 4 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security#query=string". 3 5 4 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a n invalid source: '127.0.0.1:*/not-security?query=string'. Itwill be ignored.6 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security?query=string'. The query component, including the '?', will be ignored. 5 7 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security?query=string". 6 8 … … 40 42 -------- 41 43 PASS 44 45 -------- 46 Frame: '<!--framePath //<!--frame6-->-->' 47 -------- 48 PASS 49 50 -------- 51 Frame: '<!--framePath //<!--frame7-->-->' 52 -------- 53 PASS -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html
r129143 r129525 5 5 <script> 6 6 var tests = [ 7 ['yes', 'script-src 127.0.0.1:*/security#query=string', 'resources/script.js'], 8 ['yes', 'script-src 127.0.0.1:*/security?query=string', 'resources/script.js'], 7 9 ['no', 'script-src 127.0.0.1:*/not-security#query=string', 'resources/script.js'], 8 10 ['no', 'script-src 127.0.0.1:*/not-security?query=string', 'resources/script.js'], -
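Review bot: The two added cases exercise '#' and '?' separately on a valid path, but nothing pins the case where both appear in one source expression, e.g. `script-src 127.0.0.1:*/security?query=string#fragment`, where the console message should name the '?' and everything after it, fragment included, should be dropped with it (assuming the scan in parsePath stops at the first such character, which is not visible here). A third entry such as `['yes', 'script-src 127.0.0.1:*/security?query=string#fragment', 'resources/script.js']` would lock that in, with one matching console line added to source-list-parsing-paths-02-expected.txt.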
trunk/Source/WebCore/ChangeLog
r129524 r129525 1 2012-09-25 Mike West <mkwst@google.com> 2 3 CSP paths: Ignore invalid path components, rather than dropping the source completely. 4 https://bugs.webkit.org/show_bug.cgi?id=97538 5 6 Reviewed by Adam Barth. 7 8 Content Security Policy directives that accept source lists currently 9 handle soure URI paths containing '?' or '#' in a draconian fashion by 10 dropping the entire source expression. We should be slightly friendlier, 11 and ignore simply the portion of the source expression that we know to 12 be invalid, just as we previously ignored everything after and including 13 a '/' in source expressions before we supported paths. 14 15 The new behavior is covered by existing tests, and two test-cases added 16 to http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html. 17 18 * page/ContentSecurityPolicy.cpp: 19 (WebCore::CSPSourceList::parsePath): 20 Report an error to the console, rather than ignoring a path that 21 contains an invalid fragment or query. 22 (WebCore::ContentSecurityPolicy::reportInvalidPathCharacter): 23 (WebCore): 24 * page/ContentSecurityPolicy.h: 25 Add a new warning type to cover this case. 26 1 27 2012-09-25 commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc> 2 28 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r129315 r129525 501 501 // ^ ^ 502 502 if (position < end) 503 return false;504 505 path = decodeURLEscapeSequences(String(begin, end- begin));503 m_policy->reportInvalidPathCharacter(m_directiveName, String(begin, end - begin), *position); 504 505 path = decodeURLEscapeSequences(String(begin, position - begin)); 506 506 if (!path.endsWith('/')) 507 507 path = path + '/'; 508 508 509 ASSERT(position == end && path.endsWith('/')); 509 ASSERT(position <= end); 510 ASSERT(position == end || (*position == '#' || *position == '?')); 511 ASSERT(path.endsWith('/')); 510 512 return true; 511 513 } … … 1574 1576 } 1575 1577 1578 void ContentSecurityPolicy::reportInvalidPathCharacter(const String& directiveName, const String& value, const char invalidChar) const 1579 { 1580 ASSERT(invalidChar == '#' || invalidChar == '?'); 1581 1582 String ignoring = "The fragment identifier, including the '#', will be ignored."; 1583 if (invalidChar == '?') 1584 ignoring = "The query component, including the '?', will be ignored."; 1585 String message = makeString("The source list for Content Security Policy directive '", directiveName, "' contains a source with an invalid path: '", value, "'. ", ignoring); 1586 logToConsole(message); 1587 } 1588 1576 1589 void ContentSecurityPolicy::reportInvalidNonce(const String& nonce) const 1577 1590 { -
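Review bot: The call to `reportInvalidPathCharacter` at new line 503 dereferences `*position` and selects a console message from it before the `ASSERT(position == end || (*position == '#' || *position == '?'))` at new line 510 runs, and the helper added at new line 1578 falls back to the fragment-identifier wording for any character other than '?' once its own ASSERT compiles out. If the scanning loop above the hunk ever stops on some other character, a debug build logs a misleading message before it asserts and a release build just logs the wrong one. Moving the character check ahead of the report, `ASSERT(position == end || *position == '#' || *position == '?');` directly after the `// ^ ^` comment, keeps the debug check in front of the dereference, and an explicit `else` branch ending in `ASSERT_NOT_REACHED()` in the helper would be the matching release-side safeguard. parsePath's body starts outside the hunk, so the loop that sets `position` is not visible here.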
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r129143 r129525 102 102 void reportDuplicateDirective(const String&) const; 103 103 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const; 104 void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const; 104 105 void reportInvalidNonce(const String&) const; 105 106 void reportInvalidPluginTypes(const String&) const;
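Review bot: The new declaration at line 104 takes its last parameter as `const char` without a name, whereas its sibling `reportInvalidDirectiveValueCharacter` names both of its parameters, and top-level `const` on a by-value parameter has no effect in a declaration. `void reportInvalidPathCharacter(const String& directiveName, const String& value, char invalidChar) const;` matches the surrounding style and tells a reader what the third argument is; the definition in ContentSecurityPolicy.cpp would drop the `const` the same way.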