Changeset 131317 in webkit
Timestamp: Oct 15, 2012 10:33:12 AM (12 years ago)
Location: trunk
Files: 6 edited
trunk/LayoutTests/ChangeLog
r131315 r131317 1 2012-10-15 Mike West <mkwst@chromium.org> 2 3 CSP source expressions should support paths at file-level granularity. 4 https://bugs.webkit.org/show_bug.cgi?id=99250 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html: 9 Adjust tests by adding trailing slashes to source expressions that 10 should match directories. 11 * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt: 12 * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html: 13 Adjust tests to check the new behavior: matching individiual files, 14 and matching directories only with a trailing '/'. 15 1 16 2012-10-15 Jay Civelli <jcivelli@chromium.org> 2 17 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html
r129143 r131317 11 11 ['no', 'script-src 127.0.0.1:8000/not-security', 'resources/script.js'], 12 12 ['no', 'script-src 127.0.0.1:8000/security%3bnot-contentSecurityPolicy', 'resources/script.js'], 13 ['yes', 'script-src 127.0.0.1:*/' + security , 'resources/script.js'],14 ['yes', 'script-src 127.0.0.1:*/security ', resources + '/script.js'],15 ['yes', 'script-src 127.0.0.1:*/' + security , resources + '/script.js'],13 ['yes', 'script-src 127.0.0.1:*/' + security + '/', 'resources/script.js'], 14 ['yes', 'script-src 127.0.0.1:*/security/', resources + '/script.js'], 15 ['yes', 'script-src 127.0.0.1:*/' + security + '/', resources + '/script.js'], 16 16 ]; 17 17 </script> -
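Review bot: all three edited rows (13-15) are 'yes' cases, so after this change the file no longer shows that the trailing slash is what makes them pass; the negative counterpart ('script-src 127.0.0.1:*/security' expected 'no') lives only in source-list-parsing-paths-02.html. Consider keeping one 'no' row here as well, e.g. ['no', 'script-src 127.0.0.1:*/' + security, 'resources/script.js'], so paths-01 stays self-contained for the prefix-versus-exact distinction it is now relying on.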
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt
r129525 r131317 1 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security #query=string'. The fragment identifier, including the '#', will be ignored.2 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security ?query=string'. The query component, including the '?', will be ignored.3 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security #query=string'. The fragment identifier, including the '#', will be ignored.4 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security #query=string".1 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security/#query=string'. The fragment identifier, including the '#', will be ignored. 2 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security/?query=string'. The query component, including the '?', will be ignored. 3 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security/#query=string'. The fragment identifier, including the '#', will be ignored. 4 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security/#query=string". 5 5 6 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security ?query=string'. 
The query component, including the '?', will be ignored.7 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security ?query=string".6 CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security/?query=string'. The query component, including the '?', will be ignored. 7 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security/?query=string". 8 8 9 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'not-contentSecurityPolicy'. 9 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/security". 10 11 CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/security/contentSecurityPolicy/resources/script.js/". 10 12 11 13 Resources should be rejected unless they match a whitelisted path. -
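Review bot: the 'invalid path' warnings at lines 1-3 and 6 now print the source with its trailing slash ('/security/#query=string'), consistent with the edited test rows, and the new line 9 confirms that '127.0.0.1:*/security' without a slash is refused under the exact-match rule. Worth confirming that the disappearance of the old line 9 ('Unrecognized Content-Security-Policy directive 'not-contentSecurityPolicy'') is intentional: it goes away only because the ';not-contentSecurityPolicy' row was dropped from paths-02.html, not because the parser's handling of ';' changed, so the expected output no longer documents that behaviour.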
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html
r129525 r131317 5 5 <script> 6 6 var tests = [ 7 ['yes', 'script-src 127.0.0.1:*/security #query=string', 'resources/script.js'],8 ['yes', 'script-src 127.0.0.1:*/security ?query=string', 'resources/script.js'],9 ['no', 'script-src 127.0.0.1:*/not-security #query=string', 'resources/script.js'],10 ['no', 'script-src 127.0.0.1:*/not-security ?query=string', 'resources/script.js'],11 [' yes', 'script-src 127.0.0.1:*/security', 'resources/script.js'],7 ['yes', 'script-src 127.0.0.1:*/security/#query=string', 'resources/script.js'], 8 ['yes', 'script-src 127.0.0.1:*/security/?query=string', 'resources/script.js'], 9 ['no', 'script-src 127.0.0.1:*/not-security/#query=string', 'resources/script.js'], 10 ['no', 'script-src 127.0.0.1:*/not-security/?query=string', 'resources/script.js'], 11 ['no', 'script-src 127.0.0.1:*/security', 'resources/script.js'], 12 12 ['yes', 'script-src 127.0.0.1:*/security/', 'resources/script.js'], 13 ['yes', 'script-src 127.0.0.1:*/security/contentSecurityPolicy ', 'resources/script.js'],14 [' yes', 'script-src 127.0.0.1:8000/security;not-contentSecurityPolicy', 'resources/script.js'],13 ['yes', 'script-src 127.0.0.1:*/security/contentSecurityPolicy/resources/script.js', 'resources/script.js'], 14 ['no', 'script-src 127.0.0.1:*/security/contentSecurityPolicy/resources/script.js/', 'resources/script.js'] 15 15 ]; 16 16 </script> -
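Review bot: dropping old row 14 ('script-src 127.0.0.1:8000/security;not-contentSecurityPolicy', previously 'yes') removes the only row in this file that exercises a ';' inside a source expression's path. Under the new rule its expectation would simply flip to 'no' (the path '/security' no longer prefix-matches '/security/contentSecurityPolicy/resources/script.js'), so keeping it as a 'no' row would preserve coverage of directive splitting on ';' alongside the new semantics instead of losing it. The new rows 13-14 (exact file path passes, the same path with a trailing '/' fails) are the right pair for file-level granularity.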
trunk/Source/WebCore/ChangeLog
r131316 r131317 1 2012-10-15 Mike West <mkwst@chromium.org> 2 3 CSP source expressions should support paths at file-level granularity. 4 https://bugs.webkit.org/show_bug.cgi?id=99250 5 6 Reviewed by Adam Barth. 7 8 After a bit of discussion on public-webappsec[1], path support for CSP 9 source expressions has been tuned to support file-level granularity. In 10 particular, this means that: 11 12 - 'example.com/js' matches a file named 'js' 13 - 'example.com/js/' matches all files under a directory named 'js' 14 (note the trailing slash) 15 - 'example.com/js/file.js' matches only a file named 'file.js' 16 inside a directory named 'js' 17 18 Though this is part of the CSP 1.1 spec, it continues to be exposed 19 outside the CSP_NEXT flag for back-compatibility. 20 21 Test cases have been added to the existing 22 http/tests/security/contentSecurityPolicy/source-list-parsing-paths-* 23 in order ensure that the new functionality works correctly. 24 25 * page/ContentSecurityPolicy.cpp: 26 (WebCore::CSPSource::pathMatches): 27 If the path ends with '/', do a prefix check. If not, check for an 28 exact match. 29 (WebCore::CSPSourceList::parsePath): 30 Don't automatically append a '/' to paths. 31 1 32 2012-10-15 George Staikos <staikos@webkit.org> 2 33 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r130657 r131317 182 182 String path = decodeURLEscapeSequences(url.path()); 183 183 184 return path.startsWith(m_path, false); 184 if (m_path.endsWith("/")) 185 return path.startsWith(m_path, false); 186 187 return path == m_path; 185 188 } 186 189 … … 506 509 507 510 path = decodeURLEscapeSequences(String(begin, position - begin)); 508 if (!path.endsWith('/'))509 path = path + '/';510 511 511 512 ASSERT(position <= end); 512 513 ASSERT(position == end || (*position == '#' || *position == '?')); 513 ASSERT(path.endsWith('/'));514 514 return true; 515 515 }
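Review bot: the two branches in CSPSource::pathMatches differ in case sensitivity: path.startsWith(m_path, false) is a case-insensitive prefix check (the second argument is caseSensitive), while path == m_path is a case-sensitive comparison, so a policy path '/JS/' matches '/js/file' but '/JS/file.js' does not match '/js/file.js'. Pick one behaviour for both branches and document it; as written, a policy author gets different case handling depending only on whether the expression ends in '/'. A short comment above the if (prefix match for directory expressions ending in '/', exact match otherwise) would also help, since nothing in the function body explains why the slash matters. In parsePath, removing ASSERT(path.endsWith('/')) along with the automatic slash append is correct, and the remaining asserts on position still hold.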