Changeset 146520 in webkit


Timestamp:
Mar 21, 2013 2:25:36 PM (11 years ago)
Author:
mkwst@chromium.org
Message:

CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur.
https://bugs.webkit.org/show_bug.cgi?id=112783

Reviewed by Adam Barth.

Source/WebCore:

A new event type for Content Security Policy violations landed in
http://wkrev.com/146305; this patch takes that stub, and wires it up to
ContentSecurityPolicy::reportViolation such that violation events fire
when resources are blocked.

This should bring WebKit up to date with the current description of
CSP's event model in sections 3.3[1] and 3.4.1.3[2] of the editor's
draft.

[1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#processing-model
[2]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#firing-events-using-the-securitypolicyviolationevent-interface

Test: http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html

  • page/ContentSecurityPolicy.cpp:

(WebCore::gatherSecurityPolicyViolationEventData):

Populate a SecurityPolicyViolationEventInit object with the various
bits of data that should be passed into the event constructor.

This static method is strictly an implementation detail; it's not
part of ContentSecurityPolicy's public API.

(WebCore::ContentSecurityPolicy::reportViolation):

Regardless of whether the policy has set a 'report-uri' directive
or not, gather together all the data we'll need to fire an event,
create the event, and queue it up for dispatching on the Document.

LayoutTests:

  • http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html: Added.
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r146516 r146520  
     12013-03-21  Mike West  <mkwst@chromium.org>
     2
     3        CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur.
     4        https://bugs.webkit.org/show_bug.cgi?id=112783
     5
     6        Reviewed by Adam Barth.
     7
     8        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt: Added.
     9        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html: Added.
     10
    1112013-03-21  Mike West  <mkwst@chromium.org>
    212
  • trunk/Source/WebCore/ChangeLog

    r146519 r146520  
     12013-03-21  Mike West  <mkwst@chromium.org>
     2
     3        CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur.
     4        https://bugs.webkit.org/show_bug.cgi?id=112783
     5
     6        Reviewed by Adam Barth.
     7
     8        A new event type for Content Security Policy violations landed in
     9        http://wkrev.com/146305; this patch takes that stub, and wires it up to
     10        ContentSecurityPolicy::reportViolation such that violation events fire
     11        when resources are blocked.
     12
     13        This should bring WebKit up to date with the current description of
     14        CSP's event model in sections 3.3[1] and 3.4.1.3[2] of the editor's
     15        draft.
     16
     17        [1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#processing-model
     18        [2]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#firing-events-using-the-securitypolicyviolationevent-interface
     19
     20        Test: http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html
     21
     22        * page/ContentSecurityPolicy.cpp:
     23        (WebCore::gatherSecurityPolicyViolationEventData):
     24            Populate a SecurityPolicyViolationEventInit object with the various
     25            bits of data that should be passed into the event constructor.
     26
     27            This static method is strictly an implementation detail; it's not
     28            part of ContentSecurityPolicy's public API.
     29        (WebCore::ContentSecurityPolicy::reportViolation):
     30            Regardless of whether the policy has set a 'report-uri' directive
     31            or not, gather together all the data we'll need to fire an event,
     32            create the event, and queue it up for dispatching on the Document.
     33
    1342013-03-21  Terry Anderson  <tdanderson@chromium.org>
    235
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r146141 r146520  
    4444#include "ScriptState.h"
    4545#include "SecurityOrigin.h"
     46#include "SecurityPolicyViolationEvent.h"
    4647#include "TextEncoding.h"
    4748#include <wtf/HashSet.h>
     
    16721673}
    16731674
     1675#if ENABLE(CSP_NEXT)
     1676static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header)
     1677{
     1678    init.documentURI = document->url().string();
     1679    init.referrer = document->referrer();
     1680    init.blockedURI = blockedURL.isValid() ? blockedURL.string() : String();
     1681    init.violatedDirective = directiveText;
     1682    init.effectiveDirective = effectiveDirective;
     1683    init.originalPolicy = header;
     1684    init.sourceURL = String();
     1685    init.lineNumber = 0;
     1686
     1687    RefPtr<ScriptCallStack> stack = createScriptCallStack(2, false);
     1688    if (!stack)
     1689        return;
     1690
     1691    const ScriptCallFrame& callFrame = getFirstNonNativeFrame(stack);
     1692
     1693    if (callFrame.lineNumber()) {
     1694        KURL source = KURL(KURL(), callFrame.sourceURL());
     1695        init.sourceURL = source.string();
     1696        init.lineNumber = callFrame.lineNumber();
     1697    }
     1698}
     1699#endif
     1700
    16741701void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const
    16751702{
    16761703    logToConsole(consoleMessage, contextURL, contextLine, state);
    1677 
    1678     if (reportURIs.isEmpty())
    1679         return;
    16801704
    16811705    // FIXME: Support sending reports from worker.
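
Review bot: In gatherSecurityPolicyViolationEventData, `init.blockedURI` is set to the full `blockedURL.string()` whenever the URL is valid, and the event makes that string readable by script running in the document. If blockedURL can differ from what the page itself requested (for instance after a redirect), this hands cross-origin detail to script, so consider reducing the value (for example to its origin) when blockedURL is not same-origin with the document, and add a layout test for that case. Separately, the depth `2` in `createScriptCallStack(2, false)` deserves a short comment explaining why two frames are enough for getFirstNonNativeFrame.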
     
    16861710    Frame* frame = document->frame();
    16871711    if (!frame)
     1712        return;
     1713
     1714#if ENABLE(CSP_NEXT)
     1715    if (experimentalFeaturesEnabled()) {
     1716        // FIXME: This code means that we're gathering information like line numbers twice. Once we can bring this out from behind the flag, we should reuse the data gathered here when generating the JSON report below.
     1717        SecurityPolicyViolationEventInit init;
     1718        gatherSecurityPolicyViolationEventData(init, document, directiveText, effectiveDirective, blockedURL, header);
     1719        document->enqueueDocumentEvent(SecurityPolicyViolationEvent::create(eventNames().securitypolicyviolationEvent, init));
     1720    }
     1721#endif
     1722
     1723    if (reportURIs.isEmpty())
    16881724        return;
    16891725
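
Review bot: The event is now enqueued before the `if (reportURIs.isEmpty()) return;` check, so the behaviour change in this hunk is that a policy with no 'report-uri' still produces an observable signal, yet the only test added is securitypolicyviolation-block-image.html. If that test does not already use a policy without 'report-uri', please add one that does and asserts the event's fields, since that is the path the old early return used to skip. Also note the new block sits after `if (!frame) return;`, so a document without a frame gets neither the event nor a report; a one-line comment saying that is intended would help, alongside the existing FIXME about gathering line numbers twice.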