Changeset 146137 in webkit
- Timestamp:
- Mar 18, 2013 3:47:00 PM (11 years ago)
- Location:
- trunk
- Files:
  - 24 added
  - 4 edited
trunk/LayoutTests/ChangeLog
r146134 r146137 1 2013-03-18 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: Add 'effective-directive' to violation reports. 4 https://bugs.webkit.org/show_bug.cgi?id=112568 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt: Added. 9 * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html: Added. 10 A new test that ensures that 'default-src' doesn't show up in the 11 effective directive field, even if it's the directive that was 12 actually violated. 13 * platform/chromium/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: Added. 14 * platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added. 15 * platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: Added. 16 * platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: Added. 17 * platform/chromium/http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added. 18 * platform/chromium/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Added. 19 * platform/chromium/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt: Added. 20 * platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Added. 21 * platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Added. 22 * platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt: Added. 23 * platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt: Added. 24 * platform/gtk/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: Added. 25 * platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added. 
26 * platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: Added. 27 * platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: Added. 28 * platform/gtk/http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added. 29 * platform/gtk/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Added. 30 * platform/gtk/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt: Added. 31 * platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Added. 32 * platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Added. 33 * platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt: Added. 34 * platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt: Added. 35 This patch changes the output of violation reports for ports that 36 have enabled CSP_NEXT. At the moment, I think that's Chromium and 37 GTK only. 38 1 39 2013-03-18 Kenneth Russell <kbr@google.com> 2 40 -
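Review bot: the closing paragraph of this entry hedges on which ports build with CSP_NEXT ("At the moment, I think that's Chromium and GTK only"); that should be confirmed against the port feature flags before landing, because any other port with CSP_NEXT enabled will now emit the extra 'effective-directive' field and fail the eleven existing report tests without its own platform baselines. It would also help to say explicitly that the generic expectations for those pre-existing tests are unchanged and that the 22 platform-specific -expected.txt files exist only because the CSP_NEXT ports print one more field, so the next person touching report output knows which baselines to update.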
trunk/Source/WebCore/ChangeLog
r146135 r146137 1 2013-03-18 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: Add 'effective-directive' to violation reports. 4 https://bugs.webkit.org/show_bug.cgi?id=112568 5 6 Reviewed by Adam Barth. 7 8 https://dvcs.w3.org/hg/content-security-policy/rev/bc2bb0e5072a 9 introduced an 'effective-directive' field on CSP violation reports, 10 which allows developers to distinguish between resource types when 11 'default-src' is the violated directive. 12 13 This patch implements the new field behind the CSP_NEXT flag. 14 15 Test: http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html 16 17 * page/ContentSecurityPolicy.cpp: 18 (WebCore::CSPDirectiveList::checkSourceAndReportViolation): 19 (WebCore::CSPDirectiveList::reportViolation): 20 These methods now accept an additional parameter to pipe the 21 effective directive from the initial callsite down into 22 ContentSecurityPolicy::reportViolation. 23 (WebCore::CSPDirectiveList::checkEvalAndReportViolation): 24 (WebCore::CSPDirectiveList::checkNonceAndReportViolation): 25 (WebCore::CSPDirectiveList::checkMediaTypeAndReportViolation): 26 (WebCore::CSPDirectiveList::checkInlineAndReportViolation): 27 (WebCore::CSPDirectiveList::allowScriptFromSource): 28 (WebCore::CSPDirectiveList::allowObjectFromSource): 29 (WebCore::CSPDirectiveList::allowChildFrameFromSource): 30 (WebCore::CSPDirectiveList::allowImageFromSource): 31 (WebCore::CSPDirectiveList::allowStyleFromSource): 32 (WebCore::CSPDirectiveList::allowFontFromSource): 33 (WebCore::CSPDirectiveList::allowMediaFromSource): 34 (WebCore::CSPDirectiveList::allowConnectToSource): 35 (WebCore::CSPDirectiveList::allowFormAction): 36 These methods now pass the effective directive name down 37 into checkSourceAndReportViolation or reportViolation. 38 (WebCore::ContentSecurityPolicy::reportViolation): 39 * page/ContentSecurityPolicy.h: 40 This method now accepts a new parameter that carries 41 the effective directive name. 
If CSP_NEXT is enabled, 42 the field is added to the violation report before it's 43 sent out into the world. 44 1 45 2013-03-18 W. James MacLean <wjmaclean@chromium.org> 2 46 -
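Review bot: the entry describes the parameter plumbing but leaves out three things the ContentSecurityPolicy.cpp diff actually does that a reader of the log would want recorded: the `#if ENABLE(CSP_NEXT)` guard around the formAction, pluginTypes, scriptNonce and reflectedXSS directive-name constants is dropped so those names can be passed as effective directives in every build; the new report field is gated at runtime by `experimentalFeaturesEnabled()` in addition to the compile-time flag; and the 'default-src' fallback console message in checkSourceAndReportViolation now prints the effective directive name instead of building it from `type + "-src"`. A sentence on each would keep the ChangeLog an accurate record of the change.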
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r145745 r146137 117 117 static const char scriptSrc[] = "script-src"; 118 118 static const char styleSrc[] = "style-src"; 119 #if ENABLE(CSP_NEXT)120 119 static const char formAction[] = "form-action"; 121 120 static const char pluginTypes[] = "plugin-types"; 122 121 static const char scriptNonce[] = "script-nonce"; 123 122 static const char reflectedXSS[] = "reflected-xss"; 124 #endif125 123 126 124 bool isDirectiveName(const String& name) … … 863 861 864 862 SourceListDirective* operativeDirective(SourceListDirective*) const; 865 void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;863 void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const; 866 864 867 865 bool checkEval(SourceListDirective*) const; … … 877 875 bool checkNonceAndReportViolation(NonceDirective*, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const; 878 876 879 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& type ) const;877 bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& type, const String& effectiveDirective) const; 880 878 bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const; 881 879 … … 935 933 } 936 934 937 void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const935 void 
CSPDirectiveList::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const 938 936 { 939 937 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage; 940 m_policy->reportViolation(directiveText, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, state);938 m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, state); 941 939 } 942 940 … … 984 982 suffix = " Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback."; 985 983 986 reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, state);984 reportViolation(directive->text(), scriptSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, state); 987 985 if (!m_reportOnly) { 988 986 m_policy->reportBlockedScriptExecutionToInspector(directive->text()); … … 996 994 if (checkNonce(directive, nonce)) 997 995 return true; 998 reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);996 reportViolation(directive->text(), scriptNonce, consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine); 999 997 return denyIfEnforcingPolicy(); 1000 998 } … … 1009 1007 message = message + " When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. 
'<object type=\"[TYPE GOES HERE]\" ...>')."; 1010 1008 1011 reportViolation(directive->text(), message + "\n", KURL());1009 reportViolation(directive->text(), pluginTypes, message + "\n", KURL()); 1012 1010 return denyIfEnforcingPolicy(); 1013 1011 } … … 1022 1020 suffix = makeString(" Note that '", (isScript ? "script" : "style"), "-src' was not explicitly set, so 'default-src' is used as a fallback."); 1023 1021 1024 reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine);1022 reportViolation(directive->text(), isScript ? scriptSrc : styleSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine); 1025 1023 1026 1024 if (!m_reportOnly) { … … 1032 1030 } 1033 1031 1034 bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* directive, const KURL& url, const String& type ) const1032 bool CSPDirectiveList::checkSourceAndReportViolation(SourceListDirective* directive, const KURL& url, const String& type, const String& effectiveDirective) const 1035 1033 { 1036 1034 if (checkSource(directive, url)) … … 1045 1043 String suffix = String(); 1046 1044 if (directive == m_defaultSrc) 1047 suffix = " Note that '" + type + "-src' was not explicitly set, so 'default-src' is used as a fallback.";1048 1049 reportViolation(directive->text(), prefix + url.elidedString() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\"." + suffix + "\n", url);1045 suffix = " Note that '" + effectiveDirective + "' was not explicitly set, so 'default-src' is used as a fallback."; 1046 1047 reportViolation(directive->text(), effectiveDirective, prefix + url.elidedString() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\"." 
+ suffix + "\n", url); 1050 1048 return denyIfEnforcingPolicy(); 1051 1049 } … … 1118 1116 DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("script"))); 1119 1117 return reportingStatus == ContentSecurityPolicy::SendReport ? 1120 checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, type ) :1118 checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, type, scriptSrc) : 1121 1119 checkSource(operativeDirective(m_scriptSrc.get()), url); 1122 1120 } … … 1128 1126 return true; 1129 1127 return reportingStatus == ContentSecurityPolicy::SendReport ? 1130 checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, type ) :1128 checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, type, objectSrc) : 1131 1129 checkSource(operativeDirective(m_objectSrc.get()), url); 1132 1130 } … … 1138 1136 return true; 1139 1137 return reportingStatus == ContentSecurityPolicy::SendReport ? 1140 checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, type ) :1138 checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, type, frameSrc) : 1141 1139 checkSource(operativeDirective(m_frameSrc.get()), url); 1142 1140 } … … 1146 1144 DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("image"))); 1147 1145 return reportingStatus == ContentSecurityPolicy::SendReport ? 1148 checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, type ) :1146 checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, type, imgSrc) : 1149 1147 checkSource(operativeDirective(m_imgSrc.get()), url); 1150 1148 } … … 1154 1152 DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("style"))); 1155 1153 return reportingStatus == ContentSecurityPolicy::SendReport ? 
1156 checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, type ) :1154 checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, type, styleSrc) : 1157 1155 checkSource(operativeDirective(m_styleSrc.get()), url); 1158 1156 } … … 1162 1160 DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("font"))); 1163 1161 return reportingStatus == ContentSecurityPolicy::SendReport ? 1164 checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, type ) :1162 checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, type, fontSrc) : 1165 1163 checkSource(operativeDirective(m_fontSrc.get()), url); 1166 1164 } … … 1170 1168 DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("media"))); 1171 1169 return reportingStatus == ContentSecurityPolicy::SendReport ? 1172 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, type ) :1170 checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, type, mediaSrc) : 1173 1171 checkSource(operativeDirective(m_mediaSrc.get()), url); 1174 1172 } … … 1178 1176 DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("connect"))); 1179 1177 return reportingStatus == ContentSecurityPolicy::SendReport ? 1180 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type ) :1178 checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type, connectSrc) : 1181 1179 checkSource(operativeDirective(m_connectSrc.get()), url); 1182 1180 } … … 1192 1190 DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("form"))); 1193 1191 return reportingStatus == ContentSecurityPolicy::SendReport ? 
1194 checkSourceAndReportViolation(m_formAction.get(), url, type ) :1192 checkSourceAndReportViolation(m_formAction.get(), url, type, formAction) : 1195 1193 checkSource(m_formAction.get(), url); 1196 1194 } … … 1666 1664 } 1667 1665 1668 void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const1666 void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const 1669 1667 { 1670 1668 logToConsole(consoleMessage, contextURL, contextLine, state); … … 1698 1696 if (!directiveText.isEmpty()) 1699 1697 cspReport->setString("violated-directive", directiveText); 1698 #if ENABLE(CSP_NEXT) 1699 if (!effectiveDirective.isEmpty() && experimentalFeaturesEnabled()) 1700 cspReport->setString("effective-directive", effectiveDirective); 1701 #else 1702 UNUSED_PARAM(effectiveDirective); 1703 #endif 1700 1704 cspReport->setString("original-policy", header); 1701 1705 if (blockedURL.isValid()) -
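Review bot: removing the `#if ENABLE(CSP_NEXT)` guard around the four directive-name constants is needed so allowFormAction and the nonce and plugin-type checks can pass those names unconditionally, but reflectedXSS is not used by any of the new call sites; if it is only referenced under CSP_NEXT elsewhere in the file, keep it under its own guard rather than defining an unused constant in every build. In checkSourceAndReportViolation the `type` argument now only feeds the "Refused to load the ..." prefix while `effectiveDirective` feeds both the fallback note and the report, and at the call sites the two read as near-duplicates (`url, type, scriptSrc`); a one-line comment at the declaration `bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& type, const String& effectiveDirective) const;` saying which is the human-readable resource type and which is the directive name would prevent the next caller from swapping them. The change to the fallback message is also a behaviour fix rather than pure plumbing: for an image load falling back to default-src the note used to be assembled from the type string ("image" + "-src"), and it now prints the imgSrc constant, so a console-message expectation should cover it.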
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r144571 r146137 124 124 void reportMissingReportURI(const String&) const; 125 125 void reportUnsupportedDirective(const String&) const; 126 void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;126 void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const; 127 127 128 128 void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
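Review bot: the new `effectiveDirective` parameter is inserted into a nine-argument declaration with no comment saying what it carries or that it only reaches the report under CSP_NEXT; a short comment above `void reportViolation(const String& directiveText, const String& effectiveDirective, ...)` noting that it must be the directive name without the default-src fallback applied (for example "script-src" even when default-src was the operative directive, which is exactly what the new layout test checks) would save a future caller from passing `directiveText` twice.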