Changeset 146886 in webkit
- Timestamp:
- Mar 26, 2013 8:22:43 AM (11 years ago)
- Location:
- trunk
- Files:
-
- 4 added
- 5 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r146883 r146886 1 2013-03-26 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: Experiment with 'base-uri' directive. 4 https://bugs.webkit.org/show_bug.cgi?id=113307 5 6 Reviewed by Jochen Eisinger. 7 8 * http/tests/security/contentSecurityPolicy/1.1/base-uri-allow-expected.txt: Added. 9 * http/tests/security/contentSecurityPolicy/1.1/base-uri-allow.html: Added. 10 * http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt: Added. 11 * http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html: Added. 12 1 13 2013-03-26 Sheriff Bot <webkit.review.bot@gmail.com> 2 14 -
trunk/Source/WebCore/ChangeLog
r146885 r146886 1 2013-03-26 Mike West <mkwst@chromium.org> 2 3 CSP 1.1: Experiment with 'base-uri' directive. 4 https://bugs.webkit.org/show_bug.cgi?id=113307 5 6 Reviewed by Jochen Eisinger. 7 8 The 'base-uri' directive was introduced[1] as an experimental directive 9 in CSP 1.1 after a bit of discussion[2][3]. The exact semantics will 10 likely change, but it would be good for us to get some implementation 11 experience with the API as currently specified, and to allow folks to 12 play with the implementation to determine whether it meets the 13 requirements the way we think it might. 14 15 This patch is a first pass at that implementation: it will have no 16 effect on ports that haven't enabled the CSP_NEXT flag. 17 18 [1]: https://dvcs.w3.org/hg/content-security-policy/rev/4b89c246ea16 19 [2]: http://lists.w3.org/Archives/Public/public-webappsec/2012Oct/0022.html 20 [3]: http://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0074.html 21 22 Tests: http/tests/security/contentSecurityPolicy/1.1/base-uri-allow.html 23 http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html 24 25 * dom/Document.cpp: 26 (WebCore::Document::processBaseElement): 27 Check that the new base URI is allowed by CSP before using it as 28 the document's base URI. 29 * page/ContentSecurityPolicy.cpp: 30 Add a constant for the new directive name (and, as a drive-by, split 31 the list into CSP 1.0 and CSP 1.1 for clarity). 32 (CSPDirectiveList): 33 Add a property to hold the base URI policy directive value. 34 (WebCore::CSPDirectiveList::checkSourceAndReportViolation): 35 Customize the error message iff we're dealing with 'base-uri'. 36 (WebCore::CSPDirectiveList::allowBaseURI): 37 Check the given URI against the 'base-uri' directive's value, 38 exactly as we do for every other source-list type of directive. 39 (WebCore::CSPDirectiveList::addDirective): 40 Accept 'base-uri' as a valid directive iff CSP_NEXT is set, and 41 the embedder has opted-in via the runtime flag. 42 (WebCore::ContentSecurityPolicy::allowBaseURI): 43 Expose an API method on ContentSecurityPolicy to check URIs against 44 the 'base-uri' directive's value. 45 1 46 2013-03-26 Arvid Nilsson <anilsson@rim.com> 2 47 -
trunk/Source/WebCore/dom/Document.cpp
r146787 r146886 2765 2765 baseElementURL = KURL(url(), strippedHref); 2766 2766 } 2767 if (m_baseElementURL != baseElementURL ) {2767 if (m_baseElementURL != baseElementURL && contentSecurityPolicy()->allowBaseURI(baseElementURL)) { 2768 2768 m_baseElementURL = baseElementURL; 2769 2769 updateBaseURL(); -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r146763 r146886 107 107 } 108 108 109 // CSP 1.0 Directives 109 110 static const char connectSrc[] = "connect-src"; 110 111 static const char defaultSrc[] = "default-src"; … … 118 119 static const char scriptSrc[] = "script-src"; 119 120 static const char styleSrc[] = "style-src"; 121 122 // CSP 1.1 Directives 123 static const char baseURI[] = "base-uri"; 120 124 static const char formAction[] = "form-action"; 121 125 static const char pluginTypes[] = "plugin-types"; … … 137 141 || equalIgnoringCase(name, styleSrc) 138 142 #if ENABLE(CSP_NEXT) 143 || equalIgnoringCase(name, baseURI) 139 144 || equalIgnoringCase(name, formAction) 140 145 || equalIgnoringCase(name, pluginTypes) … … 846 851 bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const; 847 852 bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) const; 853 bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const; 848 854 849 855 void gatherReportURIs(DOMStringList&) const; … … 900 906 OwnPtr<MediaListDirective> m_pluginTypes; 901 907 OwnPtr<NonceDirective> m_scriptNonce; 908 OwnPtr<SourceListDirective> m_baseURI; 902 909 OwnPtr<SourceListDirective> m_connectSrc; 903 910 OwnPtr<SourceListDirective> m_defaultSrc; … … 1049 1056 if (type == "form") 1050 1057 prefix = "Refused to send form data to '"; 1058 if (type == "base") 1059 prefix = "Refused to set the document's base URI to '"; 1051 1060 1052 1061 String suffix = String(); … … 1201 1210 checkSourceAndReportViolation(m_formAction.get(), url, type, formAction) : 1202 1211 checkSource(m_formAction.get(), url); 1212 } 1213 1214 bool CSPDirectiveList::allowBaseURI(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1215 { 1216 DEFINE_STATIC_LOCAL(String, type, (ASCIILiteral("base"))); 1217 return reportingStatus == ContentSecurityPolicy::SendReport ? 1218 checkSourceAndReportViolation(m_baseURI.get(), url, type, baseURI) : 1219 checkSource(m_baseURI.get(), url); 1203 1220 } 1204 1221 … … 1404 1421 #if ENABLE(CSP_NEXT) 1405 1422 else if (m_policy->experimentalFeaturesEnabled()) { 1406 if (equalIgnoringCase(name, formAction)) 1423 if (equalIgnoringCase(name, baseURI)) 1424 setCSPDirective<SourceListDirective>(name, value, m_baseURI); 1425 else if (equalIgnoringCase(name, formAction)) 1407 1426 setCSPDirective<SourceListDirective>(name, value, m_formAction); 1408 1427 else if (equalIgnoringCase(name, pluginTypes)) … … 1630 1649 { 1631 1650 return isAllowedByAllWithURL<&CSPDirectiveList::allowFormAction>(m_policies, url, reportingStatus); 1651 } 1652 1653 bool ContentSecurityPolicy::allowBaseURI(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const 1654 { 1655 return isAllowedByAllWithURL<&CSPDirectiveList::allowBaseURI>(m_policies, url, reportingStatus); 1632 1656 } 1633 1657 -
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r146137 r146886 105 105 bool allowConnectToSource(const KURL&, ReportingStatus = SendReport) const; 106 106 bool allowFormAction(const KURL&, ReportingStatus = SendReport) const; 107 bool allowBaseURI(const KURL&, ReportingStatus = SendReport) const; 107 108 108 109 ReflectedXSSDisposition reflectedXSSDisposition() const;
Note: See TracChangeset
for help on using the changeset viewer.