Context Navigation

← Previous Changeset
Next Changeset →

Changeset 143880 in webkit

Timestamp:

Feb 24, 2013 2:40:23 PM (11 years ago)

Author:

mkwst@chromium.org

Message:

CSP 1.1: Experiment with 'reflected-xss' directive.
https://bugs.webkit.org/show_bug.cgi?id=104479

Reviewed by Adam Barth.

Source/WebCore:

Content Security Policy 1.1 defines a 'reflected-xss' directive that
works in much the same way as WebKit's current 'X-XSS-Protection'
header[1]. This patch implements the new directive by parsing it
inside ContentSecurityPolicy, and exposing that state to XSSAuditor.

XSSAuditor now grabs the CSP directive's state, and mixes it with the
X-XSS-Protection header's state to determine how the page should be
handled. Moreover, both headers' states are now expressed in terms of
ContentSecurityPolicy::ReflectedXSSDisposition.

[1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#reflected-xss--experimental

Tests: http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html

http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html

html/parser/XSSAuditor.cpp:

(WebCore::combineXSSProtectionHeaderAndCSP):

Given both headers' states, return the state which the XSSAuditor
should use when parsing a page. Blocking overrides filtering, which
overrides disabling.

(WebCore):
(WebCore::XSSAuditor::init):

Process the 'X-XSS-Protection' header before grabbing the CSP
header's state. Both are passed into the new
combineXSSProtectionHeaderAndCSP method to generate the final
state that ought to be used.

(WebCore::XSSAuditor::XSSAuditor):
(WebCore::XSSAuditor::filterToken):

html/parser/XSSAuditor.h:

Switch to ContentSecurityPolicy::ReflectedXSSDisposition internally
in XSSAuditor.

page/ContentSecurityPolicy.cpp:

(WebCore::CSPDirectiveList::reflectedXSSDisposition):

Enum defining the possible state of the 'reflected-xss' CSP directive.

(CSPDirectiveList):
(WebCore::CSPDirectiveList::CSPDirectiveList):
(WebCore::CSPDirectiveList::parseReflectedXSS):

Given a 'reflected-xss' directive's value, set the
ReflectedXSSDisposition into a new property on the CSPDirectiveList.

(WebCore):
(WebCore::CSPDirectiveList::addDirective):

Accept 'reflected-xss' as a valid directive if we're in
experimental mode.

(WebCore::ContentSecurityPolicy::reflectedXSSDisposition):

Expose the directive's state via the public API.

(WebCore::ContentSecurityPolicy::reportInvalidReflectedXSS):

Generate console errors when invalid reflected-xss directive values
are encounted during parsing.

page/ContentSecurityPolicy.h:
platform/network/HTTPParsers.cpp:

(WebCore::parseXSSProtectionHeader):

platform/network/HTTPParsers.h:

(WebCore):

Start using ContentSecurityPolicy::ReflectedXSSDisposition rather
than the XSSProtectionDisposition enum.

LayoutTests:

http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing-expected.txt: Added.
http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html: Added.
http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js: Added.

(testMixedHeader):
(frameLoaded):
(frameErrored):

http/tests/security/xssAuditor/resources/echo-intertag.pl:

Added the ability to send an 'X-WebKit-CSP' header to test 'reflected-xss' behavior.

Location:

trunk

Files:

: 63 added
: 9 edited

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r143867
+                      r143880
+-02-24  Mike West  <mkwst@chromium.org>
+        CSP 1.1: Experiment with 'reflected-xss' directive.
+        https://bugs.webkit.org/show_bug.cgi?id=104479
+        Reviewed by Adam Barth.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/reflected-xss-and-xss-protection.js: Added.
+        (testMixedHeader):
+        (frameLoaded):
+        (frameErrored):
+        * http/tests/security/xssAuditor/resources/echo-intertag.pl:
+            Added the ability to send an 'X-WebKit-CSP' header to test 'reflected-xss' behavior.
 -02-24  Keishi Hattori  <keishi@webkit.org>

trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl

-                      r143644
+                      r143880
+}
+if ($cgi->param('csp') eq '_empty_') {
+    print "X-WebKit-CSP: reflected-xss\n";
+} elsif ($cgi->param('csp')) {
+    print "X-WebKit-CSP: reflected-xss " . $cgi->param('csp') . "\n";
+}
 print "Content-Type: text/html; charset=";
 print $cgi->param('charset') ? $cgi->param('charset') : "UTF-8";

trunk/Source/WebCore/ChangeLog

-                      r143877
+                      r143880
+-02-24  Mike West  <mkwst@chromium.org>
+        CSP 1.1: Experiment with 'reflected-xss' directive.
+        https://bugs.webkit.org/show_bug.cgi?id=104479
+        Reviewed by Adam Barth.
+        Content Security Policy 1.1 defines a 'reflected-xss' directive that
+        works in much the same way as WebKit's current 'X-XSS-Protection'
+        header[1]. This patch implements the new directive by parsing it
+        inside ContentSecurityPolicy, and exposing that state to XSSAuditor.
+        XSSAuditor now grabs the CSP directive's state, and mixes it with the
+        X-XSS-Protection header's state to determine how the page should be
+        handled. Moreover, both headers' states are now expressed in terms of
+        ContentSecurityPolicy::ReflectedXSSDisposition.
+        [1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#reflected-xss--experimental
+        Tests: http/tests/security/contentSecurityPolicy/1.1/reflected-xss-allow.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-allow.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-block.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-filter.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-invalid.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-allow-unset.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-allow.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-block.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-filter.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-invalid.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-block-unset.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-allow.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-block.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-filter.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-invalid.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-filter-unset.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-allow.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-block.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-filter.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-invalid.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-invalid-unset.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-allow.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-block.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-filter.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-invalid.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-and-xss-protection-unset-unset.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-block.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-empty.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-filter.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-invalid.html
+               http/tests/security/contentSecurityPolicy/1.1/reflected-xss-parsing.html
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::combineXSSProtectionHeaderAndCSP):
+            Given both headers' states, return the state which the XSSAuditor
+            should use when parsing a page. Blocking overrides filtering, which
+            overrides disabling.
+        (WebCore):
+        (WebCore::XSSAuditor::init):
+            Process the 'X-XSS-Protection' header before grabbing the CSP
+            header's state. Both are passed into the new
+            combineXSSProtectionHeaderAndCSP method to generate the final
+            state that ought to be used.
+        (WebCore::XSSAuditor::XSSAuditor):
+        (WebCore::XSSAuditor::filterToken):
+        * html/parser/XSSAuditor.h:
+            Switch to ContentSecurityPolicy::ReflectedXSSDisposition internally
+            in XSSAuditor.
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirectiveList::reflectedXSSDisposition):
+            Enum defining the possible state of the 'reflected-xss' CSP directive.
+        (CSPDirectiveList):
+        (WebCore::CSPDirectiveList::CSPDirectiveList):
+        (WebCore::CSPDirectiveList::parseReflectedXSS):
+            Given a 'reflected-xss' directive's value, set the
+            ReflectedXSSDisposition into a new property on the CSPDirectiveList.
+        (WebCore):
+        (WebCore::CSPDirectiveList::addDirective):
+            Accept 'reflected-xss' as a valid directive if we're in
+            experimental mode.
+        (WebCore::ContentSecurityPolicy::reflectedXSSDisposition):
+            Expose the directive's state via the public API.
+        (WebCore::ContentSecurityPolicy::reportInvalidReflectedXSS):
+            Generate console errors when invalid reflected-xss directive values
+            are encounted during parsing.
+        * page/ContentSecurityPolicy.h:
+        * platform/network/HTTPParsers.cpp:
+        (WebCore::parseXSSProtectionHeader):
+        * platform/network/HTTPParsers.h:
+        (WebCore):
+            Start using ContentSecurityPolicy::ReflectedXSSDisposition rather
+            than the XSSProtectionDisposition enum.
 -02-24  Zan Dobersek  <zdobersek@igalia.com>

trunk/Source/WebCore/html/parser/XSSAuditor.cpp

-                      r142712
+                      r143880
 #include "Console.h"
+#include "ContentSecurityPolicy.h"
 #include "DOMWindow.h"
 #include "DecodeEscapeSequences.h"
 …
+}
+static ContentSecurityPolicy::ReflectedXSSDisposition combineXSSProtectionHeaderAndCSP(ContentSecurityPolicy::ReflectedXSSDisposition xssProtection, ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSS)
+{
+    ContentSecurityPolicy::ReflectedXSSDisposition result = std::max(xssProtection, reflectedXSS);
+    if (result == ContentSecurityPolicy::ReflectedXSSInvalid || result == ContentSecurityPolicy::FilterReflectedXSS || result == ContentSecurityPolicy::ReflectedXSSUnset)
+        return ContentSecurityPolicy::FilterReflectedXSS;
+    return result;
+}
 XSSAuditor::XSSAuditor()
     : m_isEnabled(false)
     , m_xssProtection(XSSProtectionEnabled)
+    , m_xssProtection(ContentSecurityPolicy::FilterReflectedXSS)
     , m_state(Uninitialized)
     , m_scriptTagNestingLevel(0)
 …
         unsigned errorPosition = 0;
         String reportURL;
+        m_xssProtection = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL);
+        if ((m_xssProtection == XSSProtectionEnabled || m_xssProtection == XSSProtectionBlockEnabled) && !reportURL.isEmpty()) {
+            m_reportURL = document->completeURL(reportURL);
+            if (MixedContentChecker::isMixedContent(document->securityOrigin(), m_reportURL)) {
+        KURL xssProtectionReportURL;
+        // Process the X-XSS-Protection header, then mix in the CSP header's value.
+        ContentSecurityPolicy::ReflectedXSSDisposition xssProtectionHeader = parseXSSProtectionHeader(headerValue, errorDetails, errorPosition, reportURL);
+        if ((xssProtectionHeader == ContentSecurityPolicy::FilterReflectedXSS || xssProtectionHeader == ContentSecurityPolicy::BlockReflectedXSS) && !reportURL.isEmpty()) {
+            xssProtectionReportURL = document->completeURL(reportURL);
+            if (MixedContentChecker::isMixedContent(document->securityOrigin(), xssProtectionReportURL)) {
                 errorDetails = "insecure reporting URL for secure page";
                 m_xssProtection = XSSProtectionInvalid;
                 m_reportURL = KURL();
+                xssProtectionHeader = ContentSecurityPolicy::ReflectedXSSInvalid;
+                xssProtectionReportURL = KURL();
+            }
+        }
+        if (m_xssProtection == XSSProtectionInvalid) {
+        if (xssProtectionHeader == ContentSecurityPolicy::ReflectedXSSInvalid)
             document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, "Error parsing header X-XSS-Protection: " + headerValue + ": "  + errorDetails + " at character position " + String::format("%u", errorPosition) + ". The default protections will be applied.");
+            m_xssProtection = XSSProtectionEnabled;
+        }
+        m_xssProtection = combineXSSProtectionHeaderAndCSP(xssProtectionHeader, document->contentSecurityPolicy()->reflectedXSSDisposition());
+        m_reportURL = xssProtectionReportURL; // FIXME: Combine the two report URLs in some reasonable way.
         FormData* httpBody = documentLoader->originalRequest().httpBody();
 …
+{
     ASSERT(m_state == Initialized);
     if (!m_isEnabled || m_xssProtection == XSSProtectionDisabled)
+    if (!m_isEnabled || m_xssProtection == ContentSecurityPolicy::AllowReflectedXSS)
         return nullptr;
 …
     if (didBlockScript) {
         bool didBlockEntirePage = (m_xssProtection == XSSProtectionBlockEnabled);
+        bool didBlockEntirePage = (m_xssProtection == ContentSecurityPolicy::BlockReflectedXSS);
         OwnPtr<XSSInfo> xssInfo = XSSInfo::create(m_reportURL, m_originalURL, m_originalHTTPBody, didBlockEntirePage);
         if (!m_reportURL.isEmpty()) {

trunk/Source/WebCore/html/parser/XSSAuditor.h

r142522	r143880
102	102	KURL m_documentURL;
103	103	bool m_isEnabled;
104		~~XSSProtection~~Disposition m_xssProtection;
	104	ContentSecurityPolicy::ReflectedXSSDisposition m_xssProtection;
105	105
106	106	String m_originalURL;

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

-                      r142506
+                      r143880
 static const char pluginTypes[] = "plugin-types";
 static const char scriptNonce[] = "script-nonce";
+static const char reflectedXSS[] = "reflected-xss";
 #endif
 …
         || equalIgnoringCase(name, pluginTypes)
         || equalIgnoringCase(name, scriptNonce)
+        || equalIgnoringCase(name, reflectedXSS)
 #endif
     );
 …
     void gatherReportURIs(DOMStringList&) const;
     const String& evalDisabledErrorMessage() { return m_evalDisabledErrorMessage; }
+    ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
 private:
 …
     void parseScriptNonce(const String& name, const String& value);
     void parsePluginTypes(const String& name, const String& value);
+    void parseReflectedXSS(const String& name, const String& value);
     void addDirective(const String& name, const String& value);
     void applySandboxPolicy(const String& name, const String& sandboxPolicy);
 …
     bool m_reportOnly;
     bool m_haveSandboxPolicy;
+    ContentSecurityPolicy::ReflectedXSSDisposition m_reflectedXSSDisposition;
     OwnPtr<MediaListDirective> m_pluginTypes;
 …
     , m_reportOnly(false)
     , m_haveSandboxPolicy(false)
+    , m_reflectedXSSDisposition(ContentSecurityPolicy::ReflectedXSSUnset)
+{
     m_reportOnly = (type == ContentSecurityPolicy::ReportStableDirectives || type == ContentSecurityPolicy::ReportAllDirectives);
 …
     if (!invalidTokens.isNull())
         m_policy->reportInvalidSandboxFlags(invalidTokens);
+}
+void CSPDirectiveList::parseReflectedXSS(const String& name, const String& value)
+{
+    if (m_reflectedXSSDisposition != ContentSecurityPolicy::ReflectedXSSUnset) {
+        m_policy->reportDuplicateDirective(name);
+        m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
+        return;
+    }
+    if (value.isEmpty()) {
+        m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
+        m_policy->reportInvalidReflectedXSS(value);
+        return;
+    }
+    const UChar* position = value.characters();
+    const UChar* end = position + value.length();
+    skipWhile<isASCIISpace>(position, end);
+    const UChar* begin = position;
+    skipWhile<isNotASCIISpace>(position, end);
+    // value1
+    //       ^
+    if (equalIgnoringCase("allow", begin, position - begin))
+        m_reflectedXSSDisposition = ContentSecurityPolicy::AllowReflectedXSS;
+    else if (equalIgnoringCase("filter", begin, position - begin))
+        m_reflectedXSSDisposition = ContentSecurityPolicy::FilterReflectedXSS;
+    else if (equalIgnoringCase("block", begin, position - begin))
+        m_reflectedXSSDisposition = ContentSecurityPolicy::BlockReflectedXSS;
+    else {
+        m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
+        m_policy->reportInvalidReflectedXSS(value);
+        return;
+    }
+    skipWhile<isASCIISpace>(position, end);
+    if (position == end && m_reflectedXSSDisposition != ContentSecurityPolicy::ReflectedXSSUnset)
+        return;
+    // value1 value2
+    //        ^
+    m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
+    m_policy->reportInvalidReflectedXSS(value);
+}
 …
         else if (equalIgnoringCase(name, scriptNonce))
             setCSPDirective<NonceDirective>(name, value, m_scriptNonce);
+        else if (equalIgnoringCase(name, reflectedXSS))
+            parseReflectedXSS(name, value);
+    }
 #endif
 …
+{
     return !m_policies.isEmpty();
+}
+ContentSecurityPolicy::ReflectedXSSDisposition ContentSecurityPolicy::reflectedXSSDisposition() const
+{
+    ReflectedXSSDisposition disposition = ReflectedXSSUnset;
+    for (size_t i = 0; i < m_policies.size(); ++i) {
+        if (m_policies[i]->reflectedXSSDisposition() > disposition)
+            disposition = std::max(disposition, m_policies[i]->reflectedXSSDisposition());
+    }
+    return disposition;
+}
 …
+}
+void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue) const
+{
+    logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Value values are \"allow\", \"filter\", and \"block\".");
+}
 void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const
+{

trunk/Source/WebCore/page/ContentSecurityPolicy.h

-                      r136305
+                      r143880
     };
+    // Be sure to update the behavior of XSSAuditor::combineXSSProtectionHeaderAndCSP whenever you change this enum's content or ordering.
+    enum ReflectedXSSDisposition {
+        ReflectedXSSUnset = 0,
+        AllowReflectedXSS,
+        ReflectedXSSInvalid,
+        FilterReflectedXSS,
+        BlockReflectedXSS
+    };
     void didReceiveHeader(const String&, HeaderType);
 …
     bool allowFormAction(const KURL&, ReportingStatus = SendReport) const;
+    ReflectedXSSDisposition reflectedXSSDisposition() const;
     void setOverrideAllowInlineStyle(bool);
 …
     void reportInvalidSandboxFlags(const String&) const;
     void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
+    void reportInvalidReflectedXSS(const String&) const;
     void reportUnsupportedDirective(const String&) const;
     void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;

trunk/Source/WebCore/platform/network/HTTPParsers.cpp

-                      r142683
+                      r143880
 #include "HTTPParsers.h"
+#include "ContentSecurityPolicy.h"
 #include <wtf/DateMath.h>
 #include <wtf/text/CString.h>
 …
+}
 XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL)
+ContentSecurityPolicy::ReflectedXSSDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL)
+{
     DEFINE_STATIC_LOCAL(String, failureReasonInvalidToggle, (ASCIILiteral("expected 0 or 1")));
 …
     if (!skipWhiteSpace(header, pos, false))
         return XSSProtectionEnabled;
+        return ContentSecurityPolicy::ReflectedXSSUnset;
     if (header[pos] == '0')
         return XSSProtectionDisabled;
+        return ContentSecurityPolicy::AllowReflectedXSS;
     if (header[pos++] != '1') {
         failureReason = failureReasonInvalidToggle;
         return XSSProtectionInvalid;
+    }
     XSSProtectionDisposition result = XSSProtectionEnabled;
+        return ContentSecurityPolicy::ReflectedXSSInvalid;
+    }
+    ContentSecurityPolicy::ReflectedXSSDisposition result = ContentSecurityPolicy::FilterReflectedXSS;
     bool modeDirectiveSeen = false;
     bool reportDirectiveSeen = false;
 …
             failureReason = failureReasonInvalidSeparator;
             failurePosition = pos;
             return XSSProtectionInvalid;
+            return ContentSecurityPolicy::ReflectedXSSInvalid;
+        }
 …
                 failureReason = failureReasonDuplicateMode;
                 failurePosition = pos;
                 return XSSProtectionInvalid;
+                return ContentSecurityPolicy::ReflectedXSSInvalid;
+            }
             modeDirectiveSeen = true;
 …
                 failureReason = failureReasonInvalidEquals;
                 failurePosition = pos;
                 return XSSProtectionInvalid;
+                return ContentSecurityPolicy::ReflectedXSSInvalid;
+            }
             if (!skipToken(header, pos, "block")) {
                 failureReason = failureReasonInvalidMode;
                 failurePosition = pos;
                 return XSSProtectionInvalid;
+            }
             result = XSSProtectionBlockEnabled;
+                return ContentSecurityPolicy::ReflectedXSSInvalid;
+            }
+            result = ContentSecurityPolicy::BlockReflectedXSS;
         } else if (skipToken(header, pos, "report")) {
             if (reportDirectiveSeen) {
                 failureReason = failureReasonDuplicateReport;
                 failurePosition = pos;
                 return XSSProtectionInvalid;
+                return ContentSecurityPolicy::ReflectedXSSInvalid;
+            }
             reportDirectiveSeen = true;
 …
                 failureReason = failureReasonInvalidEquals;
                 failurePosition = pos;
                 return XSSProtectionInvalid;
+                return ContentSecurityPolicy::ReflectedXSSInvalid;
+            }
             size_t startPos = pos;
 …
                 failureReason = failureReasonInvalidReport;
                 failurePosition = pos;
                 return XSSProtectionInvalid;
+                return ContentSecurityPolicy::ReflectedXSSInvalid;
+            }
             reportURL = header.substring(startPos, pos - startPos);
 …
             failureReason = failureReasonInvalidDirective;
             failurePosition = pos;
             return XSSProtectionInvalid;
+            return ContentSecurityPolicy::ReflectedXSSInvalid;
+        }
+    }

trunk/Source/WebCore/platform/network/HTTPParsers.h

-                      r142683
+                      r143880
 #define HTTPParsers_h
+#include "ContentSecurityPolicy.h"
 #include <wtf/Forward.h>
 #include <wtf/Vector.h>
 …
 class HTTPHeaderMap;
 class ResourceResponseBase;
-enum XSSProtectionDisposition {
-    XSSProtectionInvalid,
-    XSSProtectionDisabled,
-    XSSProtectionEnabled,
-    XSSProtectionBlockEnabled
-};
 typedef enum {
 …
 String extractCharsetFromMediaType(const String&);
 void findCharsetInMediaType(const String& mediaType, unsigned int& charsetPos, unsigned int& charsetLen, unsigned int start = 0);
 XSSProtectionDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL);
+ContentSecurityPolicy::ReflectedXSSDisposition parseXSSProtectionHeader(const String& header, String& failureReason, unsigned& failurePosition, String& reportURL);
 String extractReasonPhraseFromHTTPStatusLine(const String&);

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 143880 in webkit

Legend:

Download in other formats: