Changeset 146886 in webkit

Timestamp:

Mar 26, 2013 8:22:43 AM (11 years ago)

Author:

mkwst@chromium.org

Message:

CSP 1.1: Experiment with 'base-uri' directive.
​https://bugs.webkit.org/show_bug.cgi?id=113307

Reviewed by Jochen Eisinger.

Source/WebCore:

The 'base-uri' directive was introduced[1] as an experimental directive
in CSP 1.1 after a bit of discussion[2][3]. The exact semantics will
likely change, but it would be good for us to get some implementation
experience with the API as currently specified, and to allow folks to
play with the implementation to determine whether it meets the
requirements the way we think it might.

This patch is a first pass at that implementation: it will have no
effect on ports that haven't enabled the CSP_NEXT flag.

[1]: ​https://dvcs.w3.org/hg/content-security-policy/rev/4b89c246ea16
[2]: ​http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0022.html
[3]: ​http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0074.html

Tests: http/tests/security/contentSecurityPolicy/1.1/base-uri-allow.html

http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html

• dom/Document.cpp:

(WebCore::Document::processBaseElement):

Check that the new base URI is allowed by CSP before using it as
the document's base URI.

• page/ContentSecurityPolicy.cpp:

Add a constant for the new directive name (and, as a drive-by, split
the list into CSP 1.0 and CSP 1.1 for clarity).

(CSPDirectiveList):

Add a property to hold the base URI policy directive value.

(WebCore::CSPDirectiveList::checkSourceAndReportViolation):

Customize the error message iff we're dealing with 'base-uri'.

(WebCore::CSPDirectiveList::allowBaseURI):

Check the given URI against the 'base-uri' directive's value,
exactly as we do for every other source-list type of directive.

(WebCore::CSPDirectiveList::addDirective):

Accept 'base-uri' as a valid directive iff CSP_NEXT is set, and
the embedder has opted-in via the runtime flag.

(WebCore::ContentSecurityPolicy::allowBaseURI):

Expose an API method on ContentSecurityPolicy to check URIs against
the 'base-uri' directive's value.

LayoutTests:

• http/tests/security/contentSecurityPolicy/1.1/base-uri-allow-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/1.1/base-uri-allow.html: Added.
• http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-allow-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-allow.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (9 diffs)
• Source/WebCore/page/ContentSecurityPolicy.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-03-26  Mike West  <mkwst@chromium.org>
+
+        CSP 1.1: Experiment with 'base-uri' directive.
+        https://bugs.webkit.org/show_bug.cgi?id=113307
+
+        Reviewed by Jochen Eisinger.
+
+        * http/tests/security/contentSecurityPolicy/1.1/base-uri-allow-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/base-uri-allow.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html: Added.
+
 2013-03-26  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-03-26  Mike West  <mkwst@chromium.org>
+
+        CSP 1.1: Experiment with 'base-uri' directive.
+        https://bugs.webkit.org/show_bug.cgi?id=113307
+
+        Reviewed by Jochen Eisinger.
+
+        The 'base-uri' directive was introduced[1] as an experimental directive
+        in CSP 1.1 after a bit of discussion[2][3]. The exact semantics will
+        likely change, but it would be good for us to get some implementation
+        experience with the API as currently specified, and to allow folks to
+        play with the implementation to determine whether it meets the
+        requirements the way we think it might.
+
+        This patch is a first pass at that implementation: it will have no
+        effect on ports that haven't enabled the CSP_NEXT flag.
+
+        [1]: https://dvcs.w3.org/hg/content-security-policy/rev/4b89c246ea16
+        [2]: http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0022.html
+        [3]: http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0074.html
+
+        Tests: http/tests/security/contentSecurityPolicy/1.1/base-uri-allow.html
+               http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::processBaseElement):
+            Check that the new base URI is allowed by CSP before using it as
+            the document's base URI.
+        * page/ContentSecurityPolicy.cpp:
+            Add a constant for the new directive name (and, as a drive-by, split
+            the list into CSP 1.0 and CSP 1.1 for clarity).
+        (CSPDirectiveList):
+            Add a property to hold the base URI policy directive value.
+        (WebCore::CSPDirectiveList::checkSourceAndReportViolation):
+            Customize the error message iff we're dealing with 'base-uri'.
+        (WebCore::CSPDirectiveList::allowBaseURI):
+            Check the given URI against the 'base-uri' directive's value,
+            exactly as we do for every other source-list type of directive.
+        (WebCore::CSPDirectiveList::addDirective):
+            Accept 'base-uri' as a valid directive iff CSP_NEXT is set, and
+            the embedder has opted-in via the runtime flag.
+        (WebCore::ContentSecurityPolicy::allowBaseURI):
+            Expose an API method on ContentSecurityPolicy to check URIs against
+            the 'base-uri' directive's value.
+
 2013-03-26  Arvid Nilsson  <anilsson@rim.com>
 

trunk/Source/WebCore/dom/Document.cpp

@@ -2765 +2765 @@
             baseElementURL = KURL(url(), strippedHref);
     }
-    if (m_baseElementURL != baseElementURL) {
+    if (m_baseElementURL != baseElementURL && contentSecurityPolicy()->allowBaseURI(baseElementURL)) {
         m_baseElementURL = baseElementURL;
         updateBaseURL();

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -107 +107 @@
 }
 
+// CSP 1.0 Directives
 static const char connectSrc[] = "connect-src";
 static const char defaultSrc[] = "default-src";
@@ -118 +119 @@
 static const char scriptSrc[] = "script-src";
 static const char styleSrc[] = "style-src";
+
+// CSP 1.1 Directives
+static const char baseURI[] = "base-uri";
 static const char formAction[] = "form-action";
 static const char pluginTypes[] = "plugin-types";
@@ -137 +141 @@
         || equalIgnoringCase(name, styleSrc)
 #if ENABLE(CSP_NEXT)
+        || equalIgnoringCase(name, baseURI)
         || equalIgnoringCase(name, formAction)
         || equalIgnoringCase(name, pluginTypes)
@@ -846 +851 @@
     bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
+    bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
 
     void gatherReportURIs(DOMStringList&) const;
@@ -900 +906 @@
     OwnPtr<MediaListDirective> m_pluginTypes;
     OwnPtr<NonceDirective> m_scriptNonce;
+    OwnPtr<SourceListDirective> m_baseURI;
     OwnPtr<SourceListDirective> m_connectSrc;
     OwnPtr<SourceListDirective> m_defaultSrc;
@@ -1049 +1056 @@
     if (type == "form")
         prefix = "Refused to send form data to '";
+    if (type == "base")
+        prefix = "Refused to set the document's base URI to '";
 
     String suffix = String();
@@ -1201 +1210 @@
         checkSourceAndReportViolation(m_formAction.get(), url, type, formAction) :
         checkSource(m_formAction.get(), url);
+}
+
+bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+    DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("base")));
+    return reportingStatus == ContentSecurityPolicy::SendReport ?
+        checkSourceAndReportViolation(m_baseURI.get(), url, type, baseURI) :
+        checkSource(m_baseURI.get(), url);
 }
 
@@ -1404 +1421 @@
 #if ENABLE(CSP_NEXT)
     else if (m_policy->experimentalFeaturesEnabled()) {
-        if (equalIgnoringCase(name, formAction))
+        if (equalIgnoringCase(name, baseURI))
+            setCSPDirective<SourceListDirective>(name, value, m_baseURI);
+        else if (equalIgnoringCase(name, formAction))
             setCSPDirective<SourceListDirective>(name, value, m_formAction);
         else if (equalIgnoringCase(name, pluginTypes))
@@ -1630 +1649 @@
 {
     return isAllowedByAllWithURL<&CSPDirectiveList::allowFormAction>(m_policies, url, reportingStatus);
+}
+
+bool ContentSecurityPolicy::allowBaseURI(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+    return isAllowedByAllWithURL<&CSPDirectiveList::allowBaseURI>(m_policies, url, reportingStatus);
 }
 

trunk/Source/WebCore/page/ContentSecurityPolicy.h

@@ -105 +105 @@
     bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const;
     bool allowFormAction(const KURL&, ReportingStatus = SendReport) const;
+    bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const;
 
     ReflectedXSSDisposition reflectedXSSDisposition() const;