Changeset 142506 in webkit
- Timestamp: Feb 11, 2013 1:29:46 PM (11 years ago)
- Location: trunk
- Files: 2 added, 4 edited
trunk/LayoutTests/ChangeLog
r142500 r142506 1 2013-02-11 Mike West <mkwst@chromium.org> 2 3 CSP reports for blocked 'data:' URLs should report the scheme only. 4 https://bugs.webkit.org/show_bug.cgi?id=109429 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added. 9 * http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html: Added. 10 1 11 2013-02-11 Julien Chaffraix <jchaffraix@webkit.org> 2 12 -
trunk/Source/WebCore/ChangeLog
r142505 r142506 1 2013-02-11 Mike West <mkwst@chromium.org> 2 3 CSP reports for blocked 'data:' URLs should report the scheme only. 4 https://bugs.webkit.org/show_bug.cgi?id=109429 5 6 Reviewed by Adam Barth. 7 8 https://dvcs.w3.org/hg/content-security-policy/rev/001dc8e8bcc3 changed 9 the CSP 1.1 spec to require that blocked URLs that don't refer to 10 generally resolvable schemes (e.g. 'data:', 'javascript:', etc.) be 11 stripped down to their scheme in violation reports. 12 13 Test: http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html 14 15 * page/ContentSecurityPolicy.cpp: 16 (WebCore::ContentSecurityPolicy::reportViolation): 17 If the blocked URL is a web-resolvable scheme, apply the current 18 stripping logic to it, otherwise, strip it to the scheme only. 19 * platform/KURL.h: 20 (KURL): 21 Move KURL::isHierarchical() out into KURL's public API. 22 1 23 2013-02-11 Simon Fraser <simon.fraser@apple.com> 2 24 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r139085 r142506 1632 1632 cspReport->setString("original-policy", header); 1633 1633 if (blockedURL.isValid()) 1634 cspReport->setString("blocked-uri", document->securityOrigin()->canRequest(blockedURL) ? blockedURL.strippedForUseAsReferrer() : SecurityOrigin::create(blockedURL)->toString()); 1634 if (blockedURL.isHierarchical()) 1635 cspReport->setString("blocked-uri", document->securityOrigin()->canRequest(blockedURL) ? blockedURL.strippedForUseAsReferrer() : SecurityOrigin::create(blockedURL)->toString()); 1636 else 1637 cspReport->setString("blocked-uri", blockedURL.protocol()); 1635 1638 else 1636 1639 cspReport->setString("blocked-uri", String()); -
trunk/Source/WebCore/platform/KURL.h
r142381 r142506 121 121 122 122 bool canSetPathname() const { return isHierarchical(); } 123 bool isHierarchical() const; 123 124 124 125 #if USE(GOOGLEURL) … … 232 233 private: 233 234 void invalidate(); 234 bool isHierarchical() const;235 235 static bool protocolIs(const String&, const char*); 236 236 #if USE(GOOGLEURL)
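Review bot: Test coverage in trunk/LayoutTests is limited to report-blocked-data-uri.html, while the WebCore ChangeLog states the rule for schemes that are not generally resolvable ('data:', 'javascript:', etc.). Consider adding a test for at least one other such scheme, or say in the ChangeLog why the 'data:' case alone is sufficient to cover the new else branch.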
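Review bot: In trunk/Source/WebCore/page/ContentSecurityPolicy.cpp, the new `if (blockedURL.isHierarchical())` / `else` pair is nested without braces inside the existing unbraced `if (blockedURL.isValid())` / `else`, so the result depends on each `else` binding to the nearest `if`. It pairs as intended as written, but removing or adding a branch later would silently re-pair the final `else` and change what is written to "blocked-uri"; put braces around the body of the outer `if`. The ChangeLog describes the condition as "a web-resolvable scheme" while the code tests isHierarchical(), so a short comment at this call site saying that isHierarchical() stands in for that notion would help the next reader.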
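Review bot: In trunk/Source/WebCore/platform/KURL.h, isHierarchical() moves from the private section to the public one with no comment on the declaration, and it now decides how much of a blocked URL a CSP violation report discloses. Document on the declaration which URLs it returns true for, so callers outside KURL can tell whether a given URL will be reported through the existing stripping logic or reduced to its scheme without reading the implementation.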