Changeset 138817 in webkit
- Timestamp:
- Jan 4, 2013 11:09:12 AM (11 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 11 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r138816 r138817 1 2013-01-04 Mike West <mkwst@chromium.org> 2 3 CSP: XHR from an isolated world should bypass a page's policy. 4 https://bugs.webkit.org/show_bug.cgi?id=104480 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt: Added. 9 * http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html: Added. 10 A new test! How wonderful! 11 * platform/efl/TestExpectations: 12 * platform/mac/TestExpectations: 13 * platform/qt/TestExpectations: 14 * platform/win/TestExpectations: 15 * platform/wincairo/TestExpectations: 16 Skipping the new test on ports that don't support it. 17 1 18 2013-01-04 Mike Lawther <mikelawther@chromium.org> 2 19 -
trunk/LayoutTests/platform/efl/TestExpectations
r138794 r138817 1130 1130 # JSC also doesn't support setIsolatedWorldContentSecurityPolicy 1131 1131 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp.html [ Failure ] 1132 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html [ Failure ] 1132 1133 1133 1134 #__worldID is undefined in isolated world -
trunk/LayoutTests/platform/mac/TestExpectations
r138782 r138817 440 440 441 441 # JSC also doesn't support setIsolatedWorldContentSecurityPolicy (webkit.org/b/100815) 442 http/tests/security/isolatedWorld/bypass-main-world-csp.html 442 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp.html [ Failure ] 443 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html [ Failure ] 443 444 444 445 # https://bugs.webkit.org/show_bug.cgi?id=63282 layerTreeAsText doesn't work for iframes -
trunk/LayoutTests/platform/qt/TestExpectations
r138801 r138817 206 206 207 207 # JSC also doesn't support setIsolatedWorldContentSecurityPolicy (webkit.org/b/100815) 208 http/tests/security/isolatedWorld/bypass-main-world-csp.html 208 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp.html [ Failure ] 209 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html [ Failure ] 209 210 210 211 # This test is for clients that choose to make the missing plugin indicator a button -
trunk/LayoutTests/platform/win/TestExpectations
r138766 r138817 1494 1494 1495 1495 # JSC also doesn't support setIsolatedWorldContentSecurityPolicy (webkit.org/b/100815) 1496 http/tests/security/isolatedWorld/bypass-main-world-csp.html 1496 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp.html [ Failure ] 1497 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html [ Failure ] 1497 1498 1498 1499 # ENABLE(WEBGL) is disabled -
trunk/LayoutTests/platform/wincairo/TestExpectations
r138499 r138817 2024 2024 2025 2025 # JSC also doesn't support setIsolatedWorldContentSecurityPolicy (webkit.org/b/100815) 2026 http/tests/security/isolatedWorld/bypass-main-world-csp.html 2026 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp.html [ Failure ] 2027 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html [ Failure ] 2027 2028 2028 2029 # ENABLE(WEBGL) is disabled -
trunk/Source/WebCore/ChangeLog
r138816 r138817 1 2013-01-04 Mike West <mkwst@chromium.org> 2 3 CSP: XHR from an isolated world should bypass a page's policy. 4 https://bugs.webkit.org/show_bug.cgi?id=104480 5 6 Reviewed by Adam Barth. 7 8 Connections of various types are governed by the page's Content Security 9 Policy 'connect-src' directive. In the special case of connections 10 generated from an isolated world, we'd like to bypass these restrictions 11 in order to allow things like extensions to enjoy their uniquely high- 12 privilege lifestyle. This patch does just that. 13 14 We'll lock them down to their own policy in webkit.org/b/104520, but 15 that's a bit far away at the moment. Soon! 16 17 Test: http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html 18 19 * Modules/websockets/WebSocket.cpp: 20 (WebCore::WebSocket::connect): 21 * loader/cache/CachedResourceLoader.cpp: 22 (WebCore::CachedResourceLoader::canRequest): 23 * page/EventSource.cpp: 24 (WebCore::EventSource::create): 25 * xml/XMLHttpRequest.cpp: 26 (WebCore::XMLHttpRequest::open): 27 Check whether or not code is running in an isolated world that has 28 its own Content Security Policy. If so, bypass the main world's CSP 29 checks. Isolated worlds gotta be free, man. 30 1 31 2013-01-04 Mike Lawther <mikelawther@chromium.org> 2 32 -
trunk/Source/WebCore/Modules/websockets/WebSocket.cpp
r137318 r138817 40 40 #include "ContentSecurityPolicy.h" 41 41 #include "DOMWindow.h" 42 #include "Document.h" 42 43 #include "Event.h" 43 44 #include "EventException.h" … … 45 46 #include "EventNames.h" 46 47 #include "ExceptionCode.h" 48 #include "Frame.h" 47 49 #include "Logging.h" 48 50 #include "MessageEvent.h" … … 239 241 } 240 242 241 if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(m_url)) { 243 // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. 244 bool shouldBypassMainWorldContentSecurityPolicy = false; 245 if (scriptExecutionContext()->isDocument()) { 246 Document* document = static_cast<Document*>(scriptExecutionContext()); 247 shouldBypassMainWorldContentSecurityPolicy = document->frame()->script()->shouldBypassMainWorldContentSecurityPolicy(); 248 } 249 if (!shouldBypassMainWorldContentSecurityPolicy && !scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(m_url)) { 242 250 m_state = CLOSED; 243 251 -
trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
r138658 r138817 311 311 } 312 312 313 // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. 313 314 bool shouldBypassMainWorldContentSecurityPolicy = (frame() && frame()->script()->shouldBypassMainWorldContentSecurityPolicy()); 314 315 -
trunk/Source/WebCore/page/EventSource.cpp
r138285 r138817 37 37 #include "DOMWindow.h" 38 38 #include "Dictionary.h" 39 #include "Document.h" 39 40 #include "Event.h" 40 41 #include "EventException.h" 41 42 #include "ExceptionCode.h" 43 #include "Frame.h" 42 44 #include "MemoryCache.h" 43 45 #include "MessageEvent.h" … … 84 86 } 85 87 86 if (!context->contentSecurityPolicy()->allowConnectToSource(fullURL)) { 88 // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. 89 bool shouldBypassMainWorldContentSecurityPolicy = false; 90 if (context->isDocument()) { 91 Document* document = static_cast<Document*>(context); 92 shouldBypassMainWorldContentSecurityPolicy = document->frame()->script()->shouldBypassMainWorldContentSecurityPolicy(); 93 } 94 if (!shouldBypassMainWorldContentSecurityPolicy && !context->contentSecurityPolicy()->allowConnectToSource(fullURL)) { 87 95 // FIXME: Should this be throwing an exception? 88 96 ec = SECURITY_ERR; -
trunk/Source/WebCore/xml/XMLHttpRequest.cpp
r137318 r138817 494 494 } 495 495 496 if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(url)) { 496 // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved. 497 bool shouldBypassMainWorldContentSecurityPolicy = false; 498 if (scriptExecutionContext()->isDocument()) { 499 Document* document = static_cast<Document*>(scriptExecutionContext()); 500 shouldBypassMainWorldContentSecurityPolicy = document->frame()->script()->shouldBypassMainWorldContentSecurityPolicy(); 501 } 502 if (!shouldBypassMainWorldContentSecurityPolicy && !scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(url)) { 497 503 // FIXME: Should this be throwing an exception? 498 504 ec = SECURITY_ERR;
Note: See TracChangeset
for help on using the changeset viewer.