Changeset 143880 in webkit
- Timestamp:
- Feb 24, 2013 2:40:23 PM (11 years ago)
- Location:
- trunk
- Files:
-
- 63 added
- 9 edited
trunk/LayoutTests/ChangeLog
r143867 r143880 1 2013-02-24 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: Experiment with 'reflected-xss' directive. 4 https://bugs.webkit.org/show_bug.cgi?id=104479 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow-expected.txt: Added. 9 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html: Added. 10 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow-expected.txt: Added. 11 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html: Added. 12 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt: Added. 13 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html: Added. 14 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt: Added. 15 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html: Added. 16 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt: Added. 17 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html: Added. 18 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset-expected.txt: Added. 19 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html: Added. 20 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt: Added. 21 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html: Added. 22 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt: Added. 23 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html: Added. 
24 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt: Added. 25 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html: Added. 26 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt: Added. 27 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html: Added. 28 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt: Added. 29 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html: Added. 30 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt: Added. 31 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html: Added. 32 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt: Added. 33 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html: Added. 34 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt: Added. 35 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html: Added. 36 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt: Added. 37 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html: Added. 38 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt: Added. 39 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html: Added. 40 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt: Added. 
41 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html: Added. 42 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt: Added. 43 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html: Added. 44 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt: Added. 45 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html: Added. 46 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt: Added. 47 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html: Added. 48 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt: Added. 49 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html: Added. 50 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow-expected.txt: Added. 51 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html: Added. 52 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt: Added. 53 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html: Added. 54 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt: Added. 55 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html: Added. 56 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt: Added. 57 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html: Added. 
58 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt: Added. 59 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html: Added. 60 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt: Added. 61 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html: Added. 62 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt: Added. 63 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html: Added. 64 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt: Added. 65 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html: Added. 66 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt: Added. 67 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html: Added. 68 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing-expected.txt: Added. 69 * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html: Added. 70 * http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js: Added. 71 (testMixedHeader): 72 (frameLoaded): 73 (frameErrored): 74 * http/tests/security/xssAuditor/resources/echo-intertag.pl: 75 Added the ability to send an 'X-WebKit-CSP' header to test 'reflected-xss' behavior. 76 1 77 2013-02-24 Keishi Hattori <keishi@webkit.org> 2 78 -
trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl
r143644 r143880 66 66 } 67 67 68 if ($cgi->param('csp') eq '_empty_') { 69 print "X-WebKit-CSP: reflected-xss\n"; 70 } elsif ($cgi->param('csp')) { 71 print "X-WebKit-CSP: reflected-xss " . $cgi->param('csp') . "\n"; 72 } 73 68 74 print "Content-Type: text/html; charset="; 69 75 print $cgi->param('charset') ? $cgi->param('charset') : "UTF-8"; -
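Review bot: The new `csp` branch writes `$cgi->param('csp')` into the `X-WebKit-CSP` response header without removing CR or LF, so the parameter value can end the header line early and leave the response headers malformed. The `charset` lines just below follow the same pattern, so this is consistent with the file, but a short comment stating that the script is a test echo resource meant only for the layout-test HTTP server would make that assumption explicit. Stripping line breaks from a local copy before printing, e.g. `$csp =~ s/[\r\n]//g;`, would keep the header on a single line. The rest of the script lies outside the hunk.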
trunk/Source/WebCore/ChangeLog
r143877 r143880 1 2013-02-24 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: Experiment with 'reflected-xss' directive. 4 https://bugs.webkit.org/show_bug.cgi?id=104479 5 6 Reviewed by Adam Barth. 7 8 Content Security Policy 1.1 defines a 'reflected-xss' directive that 9 works in much the same way as WebKit's current 'X-XSS-Protection' 10 header[1]. This patch implements the new directive by parsing it 11 inside ContentSecurityPolicy, and exposing that state to XSSAuditor. 12 13 XSSAuditor now grabs the CSP directive's state, and mixes it with the 14 X-XSS-Protection header's state to determine how the page should be 15 handled. Moreover, both headers' states are now expressed in terms of 16 ContentSecurityPolicy::ReflectedXSSDisposition. 17 18 [1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#reflected-xss--experimental 19 20 Tests: http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html 21 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html 22 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html 23 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html 24 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html 25 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html 26 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html 27 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html 28 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html 29 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html 30 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html 31 
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html 32 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html 33 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html 34 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html 35 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html 36 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html 37 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html 38 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html 39 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html 40 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html 41 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html 42 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html 43 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html 44 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html 45 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html 46 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html 47 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html 48 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html 49 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html 50 http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html 51 52 * html/parser/XSSAuditor.cpp: 53 (WebCore::combineXSSProtectionHeaderAndCSP): 54 Given both headers' states, 
return the state which the XSSAuditor 55 should use when parsing a page. Blocking overrides filtering, which 56 overrides disabling. 57 (WebCore): 58 (WebCore::XSSAuditor::init): 59 Process the 'X-XSS-Protection' header before grabbing the CSP 60 header's state. Both are passed into the new 61 combineXSSProtectionHeaderAndCSP method to generate the final 62 state that ought to be used. 63 (WebCore::XSSAuditor::XSSAuditor): 64 (WebCore::XSSAuditor::filterToken): 65 * html/parser/XSSAuditor.h: 66 Switch to ContentSecurityPolicy::ReflectedXSSDisposition internally 67 in XSSAuditor. 68 * page/ContentSecurityPolicy.cpp: 69 (WebCore::CSPDirectiveList::reflectedXSSDisposition): 70 Enum defining the possible state of the 'reflected-xss' CSP directive. 71 (CSPDirectiveList): 72 (WebCore::CSPDirectiveList::CSPDirectiveList): 73 (WebCore::CSPDirectiveList::parseReflectedXSS): 74 Given a 'reflected-xss' directive's value, set the 75 ReflectedXSSDisposition into a new property on the CSPDirectiveList. 76 (WebCore): 77 (WebCore::CSPDirectiveList::addDirective): 78 Accept 'reflected-xss' as a valid directive if we're in 79 experimental mode. 80 (WebCore::ContentSecurityPolicy::reflectedXSSDisposition): 81 Expose the directive's state via the public API. 82 (WebCore::ContentSecurityPolicy::reportInvalidReflectedXSS): 83 Generate console errors when invalid reflected-xss directive values 84 are encounted during parsing. 85 * page/ContentSecurityPolicy.h: 86 * platform/network/HTTPParsers.cpp: 87 (WebCore::parseXSSProtectionHeader): 88 * platform/network/HTTPParsers.h: 89 (WebCore): 90 Start using ContentSecurityPolicy::ReflectedXSSDisposition rather 91 than the XSSProtectionDisposition enum. 92 1 93 2013-02-24 Zan Dobersek <zdobersek@igalia.com> 2 94 -
trunk/Source/WebCore/html/parser/XSSAuditor.cpp
r142712 r143880 29 29 30 30 #include "Console.h" 31 #include "ContentSecurityPolicy.h" 31 32 #include "DOMWindow.h" 32 33 #include "DecodeEscapeSequences.h" … … 174 175 } 175 176 177 static ContentSecurityPolicy::ReflectedXSSDisposition combineXSSProtectionHeaderAndCSP(ContentSecurityPolicy::ReflectedXSSDisposition xssProtection, ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSS) 178 { 179 ContentSecurityPolicy::ReflectedXSSDisposition result = std::max(xssProtection, reflectedXSS); 180 181 if (result == ContentSecurityPolicy::ReflectedXSSInvalid || result == ContentSecurityPolicy::FilterReflectedXSS || result == ContentSecurityPolicy::ReflectedXSSUnset) 182 return ContentSecurityPolicy::FilterReflectedXSS; 183 184 return result; 185 } 186 176 187 XSSAuditor::XSSAuditor() 177 188 : m_isEnabled(false) 178 , m_xssProtection( XSSProtectionEnabled)189 , m_xssProtection(ContentSecurityPolicy::FilterReflectedXSS) 179 190 , m_state(Uninitialized) 180 191 , m_scriptTagNestingLevel(0) … … 237 248 unsigned errorPosition = 0; 238 249 String reportURL; 239 m_xssProtection = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL); 240 241 if ((m_xssProtection == XSSProtectionEnabled || m_xssProtection == XSSProtectionBlockEnabled) && !reportURL.isEmpty()) { 242 m_reportURL = document->completeURL(reportURL); 243 if (MixedContentChecker::isMixedContent(document->securityOrigin(), m_reportURL)) { 250 KURL xssProtectionReportURL; 251 252 // Process the X-XSS-Protection header, then mix in the CSP header's value. 
253 ContentSecurityPolicy::ReflectedXSSDisposition xssProtectionHeader = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL); 254 if ((xssProtectionHeader == ContentSecurityPolicy::FilterReflectedXSS || xssProtectionHeader == ContentSecurityPolicy::BlockReflectedXSS) && !reportURL.isEmpty()) { 255 xssProtectionReportURL = document->completeURL(reportURL); 256 if (MixedContentChecker::isMixedContent(document->securityOrigin(), xssProtectionReportURL)) { 244 257 errorDetails = "insecure reporting URL for secure page"; 245 m_xssProtection = XSSProtectionInvalid;246 m_reportURL = KURL();258 xssProtectionHeader = ContentSecurityPolicy::ReflectedXSSInvalid; 259 xssProtectionReportURL = KURL(); 247 260 } 248 261 } 249 250 if (m_xssProtection == XSSProtectionInvalid) { 262 if (xssProtectionHeader == ContentSecurityPolicy::ReflectedXSSInvalid) 251 263 document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Error parsing header X-XSS-Protection: " + headerValue + ": " + errorDetails + " at character position " + String::format("%u", errorPosition) + ". The default protections will be applied."); 252 m_xssProtection = XSSProtectionEnabled; 253 } 264 265 m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, document->contentSecurityPolicy()->reflectedXSSDisposition()); 266 m_reportURL = xssProtectionReportURL; // FIXME: Combine the two report URLs in some reasonable way. 
254 267 255 268 FormData* httpBody = documentLoader->originalRequest().httpBody(); … … 281 294 { 282 295 ASSERT(m_state == Initialized); 283 if (!m_isEnabled || m_xssProtection == XSSProtectionDisabled)296 if (!m_isEnabled || m_xssProtection == ContentSecurityPolicy::AllowReflectedXSS) 284 297 return nullptr; 285 298 … … 295 308 296 309 if (didBlockScript) { 297 bool didBlockEntirePage = (m_xssProtection == XSSProtectionBlockEnabled);310 bool didBlockEntirePage = (m_xssProtection == ContentSecurityPolicy::BlockReflectedXSS); 298 311 OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, m_originalURL, m_originalHTTPBody, didBlockEntirePage); 299 312 if (!m_reportURL.isEmpty()) { -
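Review bot: `combineXSSProtectionHeaderAndCSP` picks the auditor's mode with `std::max` over raw enum values, so the result depends entirely on the declaration order in ContentSecurityPolicy.h (Unset < Allow < Invalid < Filter < Block), and nothing at this site says so. A comment above the function such as `// Relies on ReflectedXSSDisposition ordering: Block > Filter > Invalid > Allow > Unset; Invalid and Unset fall back to filtering.` would record that, and a compile-time check of the order would stop a later reordering from silently letting `allow` win. In `XSSAuditor::init`, whose body starts and ends outside the hunk, the console text still ends with "The default protections will be applied." although the final mode now also depends on the CSP directive, so the message can be inaccurate when the policy asks for `block`.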
trunk/Source/WebCore/html/parser/XSSAuditor.h
r142522 r143880 102 102 KURL m_documentURL; 103 103 bool m_isEnabled; 104 XSSProtectionDisposition m_xssProtection;104 ContentSecurityPolicy::ReflectedXSSDisposition m_xssProtection; 105 105 106 106 String m_originalURL; -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r142506 r143880 121 121 static const char pluginTypes[] = "plugin-types"; 122 122 static const char scriptNonce[] = "script-nonce"; 123 static const char reflectedXSS[] = "reflected-xss"; 123 124 #endif 124 125 … … 140 141 || equalIgnoringCase(name, pluginTypes) 141 142 || equalIgnoringCase(name, scriptNonce) 143 || equalIgnoringCase(name, reflectedXSS) 142 144 #endif 143 145 ); … … 840 842 void gatherReportURIs(DOMStringList&) const; 841 843 const String& evalDisabledErrorMessage() { return m_evalDisabledErrorMessage; } 844 ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; } 842 845 843 846 private: … … 850 853 void parseScriptNonce(const String& name, const String& value); 851 854 void parsePluginTypes(const String& name, const String& value); 855 void parseReflectedXSS(const String& name, const String& value); 852 856 void addDirective(const String& name, const String& value); 853 857 void applySandboxPolicy(const String& name, const String& sandboxPolicy); … … 884 888 bool m_reportOnly; 885 889 bool m_haveSandboxPolicy; 890 ContentSecurityPolicy::ReflectedXSSDisposition m_reflectedXSSDisposition; 886 891 887 892 OwnPtr<MediaListDirective> m_pluginTypes; … … 909 914 , m_reportOnly(false) 910 915 , m_haveSandboxPolicy(false) 916 , m_reflectedXSSDisposition(ContentSecurityPolicy::ReflectedXSSUnset) 911 917 { 912 918 m_reportOnly = (type == ContentSecurityPolicy::ReportStableDirectives || type == ContentSecurityPolicy::ReportAllDirectives); … … 1314 1320 if (!invalidTokens.isNull()) 1315 1321 m_policy->reportInvalidSandboxFlags(invalidTokens); 1322 } 1323 1324 void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value) 1325 { 1326 if (m_reflectedXSSDisposition != ContentSecurityPolicy::ReflectedXSSUnset) { 1327 m_policy->reportDuplicateDirective(name); 1328 m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid; 1329 return; 1330 } 1331 1332 if (value.isEmpty()) { 
1333 m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid; 1334 m_policy->reportInvalidReflectedXSS(value); 1335 return; 1336 } 1337 1338 const UChar* position = value.characters(); 1339 const UChar* end = position + value.length(); 1340 1341 skipWhile<isASCIISpace>(position, end); 1342 const UChar* begin = position; 1343 skipWhile<isNotASCIISpace>(position, end); 1344 1345 // value1 1346 // ^ 1347 if (equalIgnoringCase("allow", begin, position - begin)) 1348 m_reflectedXSSDisposition = ContentSecurityPolicy::AllowReflectedXSS; 1349 else if (equalIgnoringCase("filter", begin, position - begin)) 1350 m_reflectedXSSDisposition = ContentSecurityPolicy::FilterReflectedXSS; 1351 else if (equalIgnoringCase("block", begin, position - begin)) 1352 m_reflectedXSSDisposition = ContentSecurityPolicy::BlockReflectedXSS; 1353 else { 1354 m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid; 1355 m_policy->reportInvalidReflectedXSS(value); 1356 return; 1357 } 1358 1359 skipWhile<isASCIISpace>(position, end); 1360 if (position == end && m_reflectedXSSDisposition != ContentSecurityPolicy::ReflectedXSSUnset) 1361 return; 1362 1363 // value1 value2 1364 // ^ 1365 m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid; 1366 m_policy->reportInvalidReflectedXSS(value); 1316 1367 } 1317 1368 … … 1350 1401 else if (equalIgnoringCase(name, scriptNonce)) 1351 1402 setCSPDirective<NonceDirective>(name, value, m_scriptNonce); 1403 else if (equalIgnoringCase(name, reflectedXSS)) 1404 parseReflectedXSS(name, value); 1352 1405 } 1353 1406 #endif … … 1570 1623 { 1571 1624 return !m_policies.isEmpty(); 1625 } 1626 1627 ContentSecurityPolicy::ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const 1628 { 1629 ReflectedXSSDisposition disposition = ReflectedXSSUnset; 1630 for (size_t i = 0; i < m_policies.size(); ++i) { 1631 if (m_policies[i]->reflectedXSSDisposition() > disposition) 1632 disposition = std::max(disposition, 
m_policies[i]->reflectedXSSDisposition()); 1633 } 1634 return disposition; 1572 1635 } 1573 1636 … … 1706 1769 } 1707 1770 1771 void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue) const 1772 { 1773 logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Value values are \"allow\", \"filter\", and \"block\"."); 1774 } 1775 1708 1776 void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const 1709 1777 { -
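Review bot: In `parseReflectedXSS` the duplicate-directive branch overwrites an already parsed value with `ReflectedXSSInvalid`, and the combine step in XSSAuditor.cpp maps Invalid to filtering, so a policy whose first `reflected-xss` value is `block` ends up weaker once the directive is repeated, unless X-XSS-Protection also asks for block. If that downgrade is intended a comment should say so; otherwise drop the assignment in that branch so only `m_policy->reportDuplicateDirective(name);` runs and the first value stands. `ContentSecurityPolicy::reflectedXSSDisposition()` also takes the maximum over every entry in `m_policies` without consulting `m_reportOnly`, which looks like a report-only policy can change enforcement and is worth confirming; the inner `std::max` there is redundant after the `>` test. The console text in `reportInvalidReflectedXSS` has a typo: `Value values are` should read `Valid values are`.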
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r136305 r143880 72 72 }; 73 73 74 // Be sure to update the behavior of XSSAuditor::combineXSSProtectionHeaderAndCSP whenever you change this enum's content or ordering. 75 enum ReflectedXSSDisposition { 76 ReflectedXSSUnset = 0, 77 AllowReflectedXSS, 78 ReflectedXSSInvalid, 79 FilterReflectedXSS, 80 BlockReflectedXSS 81 }; 82 74 83 void didReceiveHeader(const String&, HeaderType); 75 84 … … 97 106 bool allowFormAction(const KURL&, ReportingStatus = SendReport) const; 98 107 108 ReflectedXSSDisposition reflectedXSSDisposition() const; 109 99 110 void setOverrideAllowInlineStyle(bool); 100 111 … … 110 121 void reportInvalidSandboxFlags(const String&) const; 111 122 void reportInvalidSourceExpression(const String& directiveName, const String& source) const; 123 void reportInvalidReflectedXSS(const String&) const; 112 124 void reportUnsupportedDirective(const String&) const; 113 125 void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const; -
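Review bot: The comment above `ReflectedXSSDisposition` points to `XSSAuditor::combineXSSProtectionHeaderAndCSP`, but in this changeset that function is a file-static free function in XSSAuditor.cpp rather than a member of XSSAuditor, so the reference is hard to follow by search. The comment also does not say why the values are ordered this way; something like `// Ordered by precedence for std::max(): an invalid value outranks 'allow' so a malformed header cannot switch filtering off.` would document the intent next to the values. That rationale is inferred from the combine function's behaviour and should be confirmed by the author.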
trunk/Source/WebCore/platform/network/HTTPParsers.cpp
r142683 r143880 34 34 #include "HTTPParsers.h" 35 35 36 #include "ContentSecurityPolicy.h" 36 37 #include <wtf/DateMath.h> 37 38 #include <wtf/text/CString.h> … … 341 342 } 342 343 343 XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL)344 ContentSecurityPolicy::ReflectedXSSDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL) 344 345 { 345 346 DEFINE_STATIC_LOCAL(String, failureReasonInvalidToggle, (ASCIILiteral("expected 0 or 1"))); … … 355 356 356 357 if (!skipWhiteSpace(header, pos, false)) 357 return XSSProtectionEnabled;358 return ContentSecurityPolicy::ReflectedXSSUnset; 358 359 359 360 if (header[pos] == '0') 360 return XSSProtectionDisabled;361 return ContentSecurityPolicy::AllowReflectedXSS; 361 362 362 363 if (header[pos++] != '1') { 363 364 failureReason = failureReasonInvalidToggle; 364 return XSSProtectionInvalid;365 } 366 367 XSSProtectionDisposition result = XSSProtectionEnabled;365 return ContentSecurityPolicy::ReflectedXSSInvalid; 366 } 367 368 ContentSecurityPolicy::ReflectedXSSDisposition result = ContentSecurityPolicy::FilterReflectedXSS; 368 369 bool modeDirectiveSeen = false; 369 370 bool reportDirectiveSeen = false; … … 377 378 failureReason = failureReasonInvalidSeparator; 378 379 failurePosition = pos; 379 return XSSProtectionInvalid;380 return ContentSecurityPolicy::ReflectedXSSInvalid; 380 381 } 381 382 … … 388 389 failureReason = failureReasonDuplicateMode; 389 390 failurePosition = pos; 390 return XSSProtectionInvalid;391 return ContentSecurityPolicy::ReflectedXSSInvalid; 391 392 } 392 393 modeDirectiveSeen = true; … … 394 395 failureReason = failureReasonInvalidEquals; 395 396 failurePosition = pos; 396 return XSSProtectionInvalid;397 return ContentSecurityPolicy::ReflectedXSSInvalid; 397 398 } 398 399 if (!skipToken(header, pos, "block")) { 399 400 failureReason = 
failureReasonInvalidMode; 400 401 failurePosition = pos; 401 return XSSProtectionInvalid;402 } 403 result = XSSProtectionBlockEnabled;402 return ContentSecurityPolicy::ReflectedXSSInvalid; 403 } 404 result = ContentSecurityPolicy::BlockReflectedXSS; 404 405 } else if (skipToken(header, pos, "report")) { 405 406 if (reportDirectiveSeen) { 406 407 failureReason = failureReasonDuplicateReport; 407 408 failurePosition = pos; 408 return XSSProtectionInvalid;409 return ContentSecurityPolicy::ReflectedXSSInvalid; 409 410 } 410 411 reportDirectiveSeen = true; … … 412 413 failureReason = failureReasonInvalidEquals; 413 414 failurePosition = pos; 414 return XSSProtectionInvalid;415 return ContentSecurityPolicy::ReflectedXSSInvalid; 415 416 } 416 417 size_t startPos = pos; … … 418 419 failureReason = failureReasonInvalidReport; 419 420 failurePosition = pos; 420 return XSSProtectionInvalid;421 return ContentSecurityPolicy::ReflectedXSSInvalid; 421 422 } 422 423 reportURL = header.substring(startPos, pos - startPos); … … 425 426 failureReason = failureReasonInvalidDirective; 426 427 failurePosition = pos; 427 return XSSProtectionInvalid;428 return ContentSecurityPolicy::ReflectedXSSInvalid; 428 429 } 429 430 } -
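Review bot: `platform/network/HTTPParsers.cpp` and `HTTPParsers.h` now include `ContentSecurityPolicy.h`, which lives under `page/`, only to name the return enum; this makes the platform HTTP parser depend on a page-level class, and the include in the .cpp is redundant once the header carries it. Moving the disposition enum into a small header that both sides can include would keep the dependency one-way. Separately, `parseXSSProtectionHeader` now returns `ReflectedXSSUnset` where it used to return `XSSProtectionEnabled` for a header with no value, so a comment at that return should state that callers must map Unset to the default protection, as the combine step in XSSAuditor.cpp does. The function body starts and ends outside these hunks.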
trunk/Source/WebCore/platform/network/HTTPParsers.h
r142683 r143880 32 32 #define HTTPParsers_h 33 33 34 #include "ContentSecurityPolicy.h" 34 35 #include <wtf/Forward.h> 35 36 #include <wtf/Vector.h> … … 39 40 class HTTPHeaderMap; 40 41 class ResourceResponseBase; 41 42 enum XSSProtectionDisposition {43 XSSProtectionInvalid,44 XSSProtectionDisabled,45 XSSProtectionEnabled,46 XSSProtectionBlockEnabled47 };48 42 49 43 typedef enum { … … 69 63 String extractCharsetFromMediaType(const String&); 70 64 void findCharsetInMediaType(const String& mediaType, unsigned int& charsetPos, unsigned int& charsetLen, unsigned int start = 0); 71 XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL);65 ContentSecurityPolicy::ReflectedXSSDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL); 72 66 String extractReasonPhraseFromHTTPStatusLine(const String&); 73 67