Changeset 142506 in webkit

Timestamp:

Feb 11, 2013 1:29:46 PM (11 years ago)

Author:

mkwst@chromium.org

Message:

CSP reports for blocked 'data:' URLs should report the scheme only.
​https://bugs.webkit.org/show_bug.cgi?id=109429

Reviewed by Adam Barth.

Source/WebCore:

​https://dvcs.w3.org/hg/content-security-policy/rev/001dc8e8bcc3 changed
the CSP 1.1 spec to require that blocked URLs that don't refer to
generally resolvable schemes (e.g. 'data:', 'javascript:', etc.) be
stripped down to their scheme in violation reports.

Test: http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html

• page/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::reportViolation):

If the blocked URL is a web-resolvable scheme, apply the current
stripping logic to it, otherwise, strip it to the scheme only.

• platform/KURL.h:

(KURL):

Move KURL::isHierarchical() out into KURL's public API.

LayoutTests:

• http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (1 diff)
• Source/WebCore/platform/KURL.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-02-11  Mike West  <mkwst@chromium.org>
+
+        CSP reports for blocked 'data:' URLs should report the scheme only.
+        https://bugs.webkit.org/show_bug.cgi?id=109429
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html: Added.
+
 2013-02-11  Julien Chaffraix  <jchaffraix@webkit.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-02-11  Mike West  <mkwst@chromium.org>
+
+        CSP reports for blocked 'data:' URLs should report the scheme only.
+        https://bugs.webkit.org/show_bug.cgi?id=109429
+
+        Reviewed by Adam Barth.
+
+        https://dvcs.w3.org/hg/content-security-policy/rev/001dc8e8bcc3 changed
+        the CSP 1.1 spec to require that blocked URLs that don't refer to
+        generally resolvable schemes (e.g. 'data:', 'javascript:', etc.) be
+        stripped down to their scheme in violation reports.
+
+        Test: http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reportViolation):
+            If the blocked URL is a web-resolvable scheme, apply the current
+            stripping logic to it, otherwise, strip it to the scheme only.
+        * platform/KURL.h:
+        (KURL):
+            Move KURL::isHierarchical() out into KURL's public API.
+
 2013-02-11  Simon Fraser  <simon.fraser@apple.com>
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -1632 +1632 @@
     cspReport->setString("original-policy", header);
     if (blockedURL.isValid())
-        cspReport->setString("blocked-uri", document->securityOrigin()->canRequest(blockedURL) ? blockedURL.strippedForUseAsReferrer() : SecurityOrigin::create(blockedURL)->toString());
+        if (blockedURL.isHierarchical())
+            cspReport->setString("blocked-uri", document->securityOrigin()->canRequest(blockedURL) ? blockedURL.strippedForUseAsReferrer() : SecurityOrigin::create(blockedURL)->toString());
+        else
+            cspReport->setString("blocked-uri", blockedURL.protocol());
     else
         cspReport->setString("blocked-uri", String());

trunk/Source/WebCore/platform/KURL.h

@@ -121 +121 @@
 
     bool canSetPathname() const { return isHierarchical(); }
+    bool isHierarchical() const;
 
 #if USE(GOOGLEURL)
@@ -232 +233 @@
 private:
     void invalidate();
-    bool isHierarchical() const;
     static bool protocolIs(const String&, const char*);
 #if USE(GOOGLEURL)