Changeset 146520 in webkit
- Timestamp:
- Mar 21, 2013 2:25:36 PM (11 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 3 edited
trunk/LayoutTests/ChangeLog
r146516 r146520 1 2013-03-21 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur. 4 https://bugs.webkit.org/show_bug.cgi?id=112783 5 6 Reviewed by Adam Barth. 7 8 * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt: Added. 9 * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html: Added. 10 1 11 2013-03-21 Mike West <mkwst@chromium.org> 2 12 -
trunk/Source/WebCore/ChangeLog
r146519 r146520 1 2013-03-21 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur. 4 https://bugs.webkit.org/show_bug.cgi?id=112783 5 6 Reviewed by Adam Barth. 7 8 A new event type for Content Security Policy violations landed in 9 http://wkrev.com/146305; this patch takes that stub, and wires it up to 10 ContentSecurityPolicy::reportViolation such that violation events fire 11 when resources are blocked. 12 13 This should bring WebKit up to date with the current description of 14 CSP's event model in sections 3.3[1] and 3.4.1.3[2] of the editor's 15 draft. 16 17 [1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#processing-model 18 [2]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#firing-events-using-the-securitypolicyviolationevent-interface 19 20 Test: http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html 21 22 * page/ContentSecurityPolicy.cpp: 23 (WebCore::gatherSecurityPolicyViolationEventData): 24 Populate a SecurityPolicyViolationEventInit object with the various 25 bits of data that should be passed into the event constructor. 26 27 This static method is strictly an implementation detail; it's not 28 part of ContentSecurityPolicy's public API. 29 (WebCore::ContentSecurityPolicy::reportViolation): 30 Regardless of whether the policy has set a 'report-uri' directive 31 or not, gather together all the data we'll need to fire an event, 32 create the event, and queue it up for dispatching on the Document. 33 1 34 2013-03-21 Terry Anderson <tdanderson@chromium.org> 2 35 -
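--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
@@ -44,4 +44,5 @@
 #include "ScriptState.h"
 #include "SecurityOrigin.h"
+#include "SecurityPolicyViolationEvent.h"
 #include "TextEncoding.h"
 #include <wtf/HashSet.h>
@@ -1672,10 +1673,33 @@
 }
 
+#if ENABLE(CSP_NEXT)
+static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header)
+{
+    init.documentURI = document->url().string();
+    init.referrer = document->referrer();
+    init.blockedURI = blockedURL.isValid() ? blockedURL.string() : String();
+    init.violatedDirective = directiveText;
+    init.effectiveDirective = effectiveDirective;
+    init.originalPolicy = header;
+    init.sourceURL = String();
+    init.lineNumber = 0;
+
+    RefPtr<ScriptCallStack> stack = createScriptCallStack(2, false);
+    if (!stack)
+        return;
+
+    const ScriptCallFrame& callFrame = getFirstNonNativeFrame(stack);
+
+    if (callFrame.lineNumber()) {
+        KURL source = KURL(KURL(), callFrame.sourceURL());
+        init.sourceURL = source.string();
+        init.lineNumber = callFrame.lineNumber();
+    }
+}
+#endif
+
 void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const
 {
     logToConsole(consoleMessage, contextURL, contextLine, state);
-
-    if (reportURIs.isEmpty())
-        return;
 
     // FIXME: Support sending reports from worker.
@@ -1686,4 +1710,16 @@
     Frame* frame = document->frame();
     if (!frame)
+        return;
+
+#if ENABLE(CSP_NEXT)
+    if (experimentalFeaturesEnabled()) {
+        // FIXME: This code means that we're gathering information like line numbers twice. Once we can bring this out from behind the flag, we should reuse the data gathered here when generating the JSON report below.
+        SecurityPolicyViolationEventInit init;
+        gatherSecurityPolicyViolationEventData(init, document, directiveText, effectiveDirective, blockedURL, header);
+        document->enqueueDocumentEvent(SecurityPolicyViolationEvent::create(eventNames().securitypolicyviolationEvent, init));
+    }
+#endif
+
+    if (reportURIs.isEmpty())
         return;
 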
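Review bot: gatherSecurityPolicyViolationEventData hands page script the full blockedURL.string() in init.blockedURI and the full callFrame.sourceURL() in init.sourceURL, while the JSON report built later in reportViolation (outside this section) appears to reduce cross-origin URLs before they leave the document; if that is so, the event path needs the same reduction, because a listener for securitypolicyviolation would otherwise learn the complete URL of a blocked cross-origin resource, including a redirect target it could not observe any other way. As I read the draft the ChangeLog cites, blocked-uri and source-file are defined as stripped values for cross-origin resources, so reusing the report path's URL-stripping helper for both fields, e.g. `init.blockedURI = blockedURL.isValid() ? <same stripping the JSON report applies>(blockedURL) : String();`, keeps the two channels consistent. The FIXME about gathering the data twice is the natural place to record that the stripping must stay shared when the code is unified. reportViolation begins in the second hunk and its body continues past the end of the section.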