Changeset 146758 in webkit
- Timestamp: Mar 25, 2013 5:20:23 AM (11 years ago)
- Location: trunk
- Files: 8 added, 5 edited, 3 copied
trunk/LayoutTests/ChangeLog
r146756 r146758 1 2013-03-25 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports. 4 https://bugs.webkit.org/show_bug.cgi?id=113039 5 6 Reviewed by Jochen Eisinger. 7 8 * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt. 9 * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt. 10 * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html: Added. 11 * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html: Added. 12 * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt: 13 * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt. 14 * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html: Added. 15 * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html: 16 * http/tests/security/contentSecurityPolicy/resources/securitypolicyviolation-test.js: Added. 17 Updating tests to cover cross-origin scenarios: load cross-origin 18 images, and cross-origin scripts that inject images. The former 19 should strip the image URL down to the origin, the latter the 20 script URL. 21 * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added. 22 * http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html: Added. 
23 * platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added. 24 * platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added. 25 This patch changes the behavior of 'file:' URLs to behave similarly 26 to 'data:'/'blob:', etc. We weren't previously testing this, now we 27 are. We need platform-specific results for Chromium and GTK, since 28 those ports have enabled CSP_NEXT, which adds a field to the report. 29 1 30 2013-03-25 Zoltan Arvai <zarvai@inf.u-szeged.hu> 2 31 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt
r146757 r146758 1 CONSOLE MESSAGE: Refused to load the image 'http:// 127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".1 CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'". 2 2 3 Check that a SecurityPolicyViolationEvent is fired upon blocking an image.3 Check that a SecurityPolicyViolationEvent strips detail from cross-origin blocked URLs. 4 4 5 5 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". 6 6 7 7 8 PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html" 8 Kicking off the tests: 9 PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html" 9 10 PASS window.e.referrer is "" 10 PASS window.e.blockedURI is "http:// 127.0.0.1:8000/security/resources/abe.png"11 PASS window.e.blockedURI is "http://localhost:8000" 11 12 PASS window.e.violatedDirective is "img-src 'none'" 12 13 PASS window.e.effectiveDirective is "img-src" 13 14 PASS window.e.originalPolicy is "img-src 'none'" 14 PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block- image.html"15 PASS window.e.lineNumber is 3015 PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html" 16 PASS window.e.lineNumber is 23 16 17 PASS successfullyParsed is true 17 18 -
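Review bot: the console message on line 1 of this expectation still prints the full cross-origin URL ('http://localhost:8000/security/resources/abe.png') while `window.e.blockedURI` is now reduced to the origin "http://localhost:8000". That is consistent with the change's goal, since console output is not readable from script, but the ChangeLog should say so explicitly so nobody later "fixes" the expectation by stripping the console line too.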
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt
r146757 r146758 1 1 CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'". 2 2 3 Check that a SecurityPolicyViolationEvent is fired upon blocking an image.3 Check that a SecurityPolicyViolationEvent strips detail from cross-origin URLs upon blocking an image injected via script. 4 4 5 5 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". 6 6 7 7 8 PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html" 8 Kicking off the tests: 9 PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html" 9 10 PASS window.e.referrer is "" 10 11 PASS window.e.blockedURI is "http://127.0.0.1:8000/security/resources/abe.png" … … 12 13 PASS window.e.effectiveDirective is "img-src" 13 14 PASS window.e.originalPolicy is "img-src 'none'" 14 PASS window.e.sourceURL is "http:// 127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"15 PASS window.e.lineNumber is 3 015 PASS window.e.sourceURL is "http://localhost:8000" 16 PASS window.e.lineNumber is 3 16 17 PASS successfullyParsed is true 17 18 -
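Review bot: `window.e.sourceURL` is stripped to "http://localhost:8000" for the cross-origin injecting script, but `window.e.lineNumber` is still 3, so the event continues to reveal a position inside a script whose URL the page may not see. The POSTed report has the same shape (`line-number` is set whenever `callFrame.lineNumber()` is non-zero), so this is consistent, but consider whether the line number should also be withheld once the source URL has been reduced to its origin, or at least note the decision in the test description.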
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt
r146520 r146758 6 6 7 7 8 Kicking off the tests: 8 9 PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html" 9 10 PASS window.e.referrer is "" … … 13 14 PASS window.e.originalPolicy is "img-src 'none'" 14 15 PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html" 15 PASS window.e.lineNumber is 3016 PASS window.e.lineNumber is 23 16 17 PASS successfullyParsed is true 17 18 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt
r146757 r146758 1 1 CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'". 2 2 3 Check that a SecurityPolicyViolationEvent is fired upon blocking an image .3 Check that a SecurityPolicyViolationEvent is fired upon blocking an image injected via script. 4 4 5 5 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE". 6 6 7 7 8 PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html" 8 Kicking off the tests: 9 PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html" 9 10 PASS window.e.referrer is "" 10 11 PASS window.e.blockedURI is "http://127.0.0.1:8000/security/resources/abe.png" … … 12 13 PASS window.e.effectiveDirective is "img-src" 13 14 PASS window.e.originalPolicy is "img-src 'none'" 14 PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/ 1.1/securitypolicyviolation-block-image.html"15 PASS window.e.lineNumber is 3 015 PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js" 16 PASS window.e.lineNumber is 3 16 17 PASS successfullyParsed is true 17 18 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html
r146520 r146758 4 4 <meta http-equiv="Content-Security-Policy" content="img-src 'none'"> 5 5 <script src="/js-test-resources/js-test-pre.js"></script> 6 <script src="../resources/securitypolicyviolation-test.js"></script> 6 7 <script> 7 8 description('Check that a SecurityPolicyViolationEvent is fired upon blocking an image.'); 8 9 9 window.jsTestIsAsync = true; 10 var expectations = { 11 'documentURI': document.location.toString(), 12 'referrer': document.referrer, 13 'blockedURI': 'http://127.0.0.1:8000/security/resources/abe.png', 14 'violatedDirective': 'img-src \'none\'', 15 'effectiveDirective': 'img-src', 16 'originalPolicy': 'img-src \'none\'', 17 'sourceURL': document.location.toString(), 18 'lineNumber': 23 19 }; 10 20 11 document.addEventListener('securitypolicyviolation', function handleEvent(e) { 12 var expectations = { 13 'documentURI': document.location.toString(), 14 'referrer': document.referrer, 15 'blockedURI': 'http://127.0.0.1:8000/security/resources/abe.png', 16 'violatedDirective': 'img-src \'none\'', 17 'effectiveDirective': 'img-src', 18 'originalPolicy': 'img-src \'none\'', 19 'sourceURL': document.location.toString(), 20 'lineNumber': 30 21 }; 22 window.e = e; 23 for (key in expectations) 24 shouldBe('window.e.' + key, JSON.stringify(expectations[key])); 25 finishJSTest(); 26 }); 27 28 window.onload = function () { 21 function run() { 29 22 var img = document.createElement('img'); 30 23 img.src = '/security/resources/abe.png'; 31 24 document.body.appendChild(img); 32 } ;25 } 33 26 </script> 34 27 <script src="/js-test-resources/js-test-post.js"></script> -
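Review bot: the expectation `'lineNumber': 23` is hard-coded against the physical layout of this HTML file (the line holding `img.src = ...` inside `run()`), which is why the value moved from 30 to 23 when the handler was extracted into `../resources/securitypolicyviolation-test.js`. Any future edit above `run()` will break four expected.txt files at once; consider deriving the expected line from a marker in the file, or at minimum add a comment next to `run()` warning that its line position is asserted. Also, `run()` is defined here but never invoked in this file, so the shared script (not shown in this changeset view) must be the one calling it on load; a one-line comment saying so would help the next reader.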
trunk/Source/WebCore/ChangeLog
r146757 r146758 1 2013-03-25 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports. 4 https://bugs.webkit.org/show_bug.cgi?id=113039 5 6 Reviewed by Jochen Eisinger. 7 8 I'd originally assumed that we didn't need to be quite so careful when 9 handing URLs to JavaScript via SecurityPolicyViolationEvents. This was 10 a mistake. Cross-origin URLs aren't accessible to JavaScript currently 11 and there's no reason that we should begin exposing them via an event. 12 13 This patch extracts the stripping logic from the existing reports into 14 stripURLForUseInReport(), and uses that new method when populating the 15 event and report objects. 16 17 Relatedly, we were doing the wrong thing with 'file:' URLs, which this 18 patch made clear. Now they're treated the same as 'data:' et al. 19 20 Spec: https://dvcs.w3.org/hg/content-security-policy/rev/45f6ccaba0ef 21 22 Tests: http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html 23 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html 24 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html 25 http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html 26 27 * page/ContentSecurityPolicy.cpp: 28 (WebCore::stripURLForUseInReport): 29 Extract the logic from blockedURI out into a reusable method: 30 cross-origin URLs are stripped down to the ASCII serialization of 31 their origin, and non-heirarchical (and 'file:') URLs are stripped 32 down to the ASCII serialization of their protocol. 33 (WebCore::gatherSecurityPolicyViolationEventData): 34 (WebCore::ContentSecurityPolicy::reportViolation): 35 Use ::stripURLForUseInReport for blockedURL and sourceFile 36 attributes in these two methods. 37 1 38 2013-03-25 Eugene Klyuchnikov <eustas@chromium.org> 2 39 -
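Review bot: typo in the `(WebCore::stripURLForUseInReport)` entry, "non-heirarchical" should read "non-hierarchical". The same entry says such URLs are stripped "down to the ASCII serialization of their protocol"; it would help to state whether that serialization carries the trailing colon, since the new report-blocked-file-uri expectations depend on the exact string.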
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r146755 r146758 1673 1673 } 1674 1674 1675 static String stripURLForUseInReport(Document* document, const KURL& url) 1676 { 1677 if (!url.isValid()) 1678 return String(); 1679 if (!url.isHierarchical() || url.protocolIs("file")) 1680 return url.protocol(); 1681 return document->securityOrigin()->canRequest(url) ? url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString(); 1682 } 1683 1675 1684 #if ENABLE(CSP_NEXT) 1676 1685 static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header) … … 1678 1687 init.documentURI = document->url().string(); 1679 1688 init.referrer = document->referrer(); 1680 init.blockedURI = blockedURL.isValid() ? blockedURL.string() : String();1689 init.blockedURI = stripURLForUseInReport(document, blockedURL); 1681 1690 init.violatedDirective = directiveText; 1682 1691 init.effectiveDirective = effectiveDirective; … … 1693 1702 if (callFrame.lineNumber()) { 1694 1703 KURL source = KURL(ParsedURLString, callFrame.sourceURL()); 1695 init.sourceURL = s ource.string();1704 init.sourceURL = stripURLForUseInReport(document, source); 1696 1705 init.lineNumber = callFrame.lineNumber(); 1697 1706 } … … 1745 1754 #endif 1746 1755 cspReport->setString("original-policy", header); 1747 if (blockedURL.isValid()) 1748 if (blockedURL.isHierarchical()) 1749 cspReport->setString("blocked-uri", document->securityOrigin()->canRequest(blockedURL) ? 
blockedURL.strippedForUseAsReferrer() : SecurityOrigin::create(blockedURL)->toString()); 1750 else 1751 cspReport->setString("blocked-uri", blockedURL.protocol()); 1752 else 1753 cspReport->setString("blocked-uri", String()); 1756 cspReport->setString("blocked-uri", stripURLForUseInReport(document, blockedURL)); 1754 1757 1755 1758 RefPtr<ScriptCallStack> stack = createScriptCallStack(2, false); … … 1759 1762 if (callFrame.lineNumber()) { 1760 1763 KURL source = KURL(ParsedURLString, callFrame.sourceURL()); 1761 cspReport->setString("source-file", document->securityOrigin()->canRequest(source) ? source.strippedForUseAsReferrer() : SecurityOrigin::create(source)->toString());1764 cspReport->setString("source-file", stripURLForUseInReport(document, source)); 1762 1765 cspReport->setNumber("line-number", callFrame.lineNumber()); 1763 1766 }
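Review bot: `stripURLForUseInReport` has no comment describing its three outcomes (empty string for an invalid URL, bare protocol for non-hierarchical and 'file:' URLs, `strippedForUseAsReferrer()` for same-origin URLs, origin serialization otherwise); since it now gates what both the event and the POSTed report expose, a short comment on the policy and on why 'file:' is grouped with the non-hierarchical schemes would make the intent reviewable without the ChangeLog. Two smaller points: the helper dereferences `document` unconditionally, so the callers must guarantee it is non-null (both visible call sites already do, worth stating in the comment), and in both `gatherSecurityPolicyViolationEventData` and `reportViolation` the line number is still emitted after `sourceURL`/`source-file` has been reduced to an origin, so if cross-origin line numbers are meant to be withheld too, this helper is the natural place to signal that to the callers.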