Changeset 129525 in webkit


Timestamp:
Sep 25, 2012 10:24:18 AM (12 years ago)
Author:
commit-queue@webkit.org
Message:

CSP paths: Ignore invalid path components, rather than dropping the source completely.
https://bugs.webkit.org/show_bug.cgi?id=97538

Patch by Mike West <mkwst@google.com> on 2012-09-25
Reviewed by Adam Barth.

Source/WebCore:

Content Security Policy directives that accept source lists currently
handle source URI paths containing '?' or '#' in a draconian fashion by
dropping the entire source expression. We should be slightly friendlier,
and ignore simply the portion of the source expression that we know to
be invalid, just as we previously ignored everything after and including
a '/' in source expressions before we supported paths.

The new behavior is covered by existing tests, and two test-cases added
to http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html.

  • page/ContentSecurityPolicy.cpp:

(WebCore::CSPSourceList::parsePath):

Report an error to the console, rather than ignoring a path that
contains an invalid fragment or query.

(WebCore::ContentSecurityPolicy::reportInvalidPathCharacter):
(WebCore):

  • page/ContentSecurityPolicy.h:

Add a new warning type to cover this case.

LayoutTests:

  • http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt:
  • http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt:

Updating to the new error message.

  • http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt:
  • http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html:

Adding new tests to check that valid paths followed by '?' or '#'
drop the invalid component, but remain valid sources.

Location:
trunk
Files:
8 edited

  • trunk/LayoutTests/ChangeLog

    r129520 r129525  
     12012-09-25  Mike West  <mkwst@google.com>
     2
     3        CSP paths: Ignore invalid path components, rather than dropping the source completely.
     4        https://bugs.webkit.org/show_bug.cgi?id=97538
     5
     6        Reviewed by Adam Barth.
     7
     8        * http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt:
     9        * http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt:
     10            Updating to the new error message.
     11        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt:
     12        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html:
     13            Adding new tests to check that valid paths followed by '?' or '#'
     14            drop the invalid component, but remain valid sources.
     15
    1162012-09-25  Zan Dobersek  <zandobersek@gmail.com>
    217
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt

    r129143 r129525  
    11CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path".
    22
    3 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/path?query=string'. It will be ignored.
     3CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
    44CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path?query=string".
    55
    6 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/path#anchor'. It will be ignored.
     6CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
    77CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path#anchor".
    88
    99CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path".
    1010
    11 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:8000/path?query=string'. It will be ignored.
     11CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
    1212CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path?query=string".
    1313
    14 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:8000/path#anchor'. It will be ignored.
     14CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
    1515CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path#anchor".
    1616
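
Review bot: The new warning on lines 3, 6, 11 and 14 quotes only the path ('/path?query=string'), where the message it replaces quoted the whole source expression ('127.0.0.1:*/path?query=string'), so in a policy with several sources the console no longer shows which host's entry was truncated. Consider passing the full source expression to the report call, or including the host in the message. The 'Refused to load' lines that follow still echo the directive with the query or fragment intact, which no longer matches the path that is enforced.
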
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt

    r129143 r129525  
    11CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path".
    22
    3 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:*/path?query=string'. It will be ignored.
     3CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
    44CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path?query=string".
    55
    6 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:*/path#anchor'. It will be ignored.
     6CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
    77CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path#anchor".
    88
    99CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path".
    1010
    11 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:8000/path?query=string'. It will be ignored.
     11CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path?query=string'. The query component, including the '?', will be ignored.
    1212CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path?query=string".
    1313
    14 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:8000/path#anchor'. It will be ignored.
     14CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/path#anchor'. The fragment identifier, including the '#', will be ignored.
    1515CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path#anchor".
    1616
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt

    r129143 r129525  
    1 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/not-security#query=string'. It will be ignored.
     1CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security#query=string'. The fragment identifier, including the '#', will be ignored.
     2CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security?query=string'. The query component, including the '?', will be ignored.
     3CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security#query=string'. The fragment identifier, including the '#', will be ignored.
    24CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security#query=string".
    35
    4 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/not-security?query=string'. It will be ignored.
     6CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security?query=string'. The query component, including the '?', will be ignored.
    57CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security?query=string".
    68
     
    4042--------
    4143PASS
     44
     45--------
     46Frame: '<!--framePath //<!--frame6-->-->'
     47--------
     48PASS
     49
     50--------
     51Frame: '<!--framePath //<!--frame7-->-->'
     52--------
     53PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html

    r129143 r129525  
    55<script>
    66var tests = [
     7    ['yes', 'script-src 127.0.0.1:*/security#query=string', 'resources/script.js'],
     8    ['yes', 'script-src 127.0.0.1:*/security?query=string', 'resources/script.js'],
    79    ['no', 'script-src 127.0.0.1:*/not-security#query=string', 'resources/script.js'],
    810    ['no', 'script-src 127.0.0.1:*/not-security?query=string', 'resources/script.js'],
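
Review bot: The two added 'yes' rows cover '#' and '?' separately, but no row covers a path containing both (for example '/security?a=b#c') or a path that already ends in '/' before the invalid character. Since parsePath now cuts at the first such character and then appends '/', one row for each case would pin that behaviour down.
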
  • trunk/Source/WebCore/ChangeLog

    r129524 r129525  
     12012-09-25  Mike West  <mkwst@google.com>
     2
     3        CSP paths: Ignore invalid path components, rather than dropping the source completely.
     4        https://bugs.webkit.org/show_bug.cgi?id=97538
     5
     6        Reviewed by Adam Barth.
     7
     8        Content Security Policy directives that accept source lists currently
     9        handle soure URI paths containing '?' or '#' in a draconian fashion by
     10        dropping the entire source expression. We should be slightly friendlier,
     11        and ignore simply the portion of the source expression that we know to
     12        be invalid, just as we previously ignored everything after and including
     13        a '/' in source expressions before we supported paths.
     14
     15        The new behavior is covered by existing tests, and two test-cases added
     16        to http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html.
     17
     18        * page/ContentSecurityPolicy.cpp:
     19        (WebCore::CSPSourceList::parsePath):
     20            Report an error to the console, rather than ignoring a path that
     21            contains an invalid fragment or query.
     22        (WebCore::ContentSecurityPolicy::reportInvalidPathCharacter):
     23        (WebCore):
     24        * page/ContentSecurityPolicy.h:
     25            Add a new warning type to cover this case.
     26
    1272012-09-25  commit-queue@webkit.org  <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
    228
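
Review bot: 'soure' on line 9 of the new entry should be 'source'. The parsePath description on lines 20-21 ("Report an error to the console, rather than ignoring a path ...") also undersells the change: the behavioural difference is that the source is kept with a truncated path instead of being dropped, and the per-function note should say so.
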
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r129315 r129525  
    501501    //                ^                               ^
    502502    if (position < end)
    503         return false;
    504 
    505     path = decodeURLEscapeSequences(String(begin, end - begin));
     503        m_policy->reportInvalidPathCharacter(m_directiveName, String(begin, end - begin), *position);
     504
     505    path = decodeURLEscapeSequences(String(begin, position - begin));
    506506    if (!path.endsWith('/'))
    507507        path = path + '/';
    508508
    509     ASSERT(position == end && path.endsWith('/'));
     509    ASSERT(position <= end);
     510    ASSERT(position == end || (*position == '#' || *position == '?'));
     511    ASSERT(path.endsWith('/'));
    510512    return true;
    511513}
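
Review bot: With the `return false` removed, the `if (position < end)` branch at new line 502 only logs and falls through, and nothing there says that everything from `position` to `end` is deliberately discarded. A one-line comment is worth adding, because this turns a source that used to be rejected into one that matches on the truncated path. The inner parentheses in `ASSERT(position == end || (*position == '#' || *position == '?'))` are redundant.
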
     
    15741576}
    15751577
     1578void ContentSecurityPolicy::reportInvalidPathCharacter(const String& directiveName, const String& value, const char invalidChar) const
     1579{
     1580    ASSERT(invalidChar == '#' || invalidChar == '?');
     1581
     1582    String ignoring = "The fragment identifier, including the '#', will be ignored.";
     1583    if (invalidChar == '?')
     1584        ignoring = "The query component, including the '?', will be ignored.";
     1585    String message = makeString("The source list for Content Security Policy directive '", directiveName, "' contains a source with an invalid path: '", value, "'. ", ignoring);
     1586    logToConsole(message);
     1587}
     1588
    15761589void ContentSecurityPolicy::reportInvalidNonce(const String& nonce) const
    15771590{
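
Review bot: `ignoring` defaults to the fragment text and is only overridden when `invalidChar == '?'`, so the only thing stopping another character from being reported as a fragment identifier is the ASSERT on new line 1580, which is inactive in release builds. An explicit branch for '#' and one for '?' would keep the message tied to the character that was actually seen.
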
  • trunk/Source/WebCore/page/ContentSecurityPolicy.h

    r129143 r129525  
    102102    void reportDuplicateDirective(const String&) const;
    103103    void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
     104    void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
    104105    void reportInvalidNonce(const String&) const;
    105106    void reportInvalidPluginTypes(const String&) const;
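
Review bot: The third parameter of `reportInvalidPathCharacter` on new line 104 is unnamed, while the first two are named `directiveName` and `value`; naming it `invalidChar` as in the definition would document what the caller is expected to pass. The top-level `const` on a by-value `char` has no effect in a declaration and can be dropped here.
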