Changeset 171150 in webkit
- Timestamp:
- Jul 16, 2014 1:31:06 PM (10 years ago)
- Location:
- trunk
- Files:
-
- 10 deleted
- 5 edited
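--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,22 @@
+2014-07-16 Mike West <mkwst@chromium.org>
+
+CSP: Drop 'script-nonce' directive.
+https://bugs.webkit.org/show_bug.cgi?id=134926
+
+Reviewed by Darin Adler.
+
+Dropping the nonce tests, as we're removing the functionality.
+
+* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt: Removed.
+* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html: Removed.
+* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt: Removed.
+* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html: Removed.
+* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt: Removed.
+* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html: Removed.
+* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt: Removed.
+* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html: Removed.
+* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Removed.
+* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Removed.
+
 2014-07-16 Jer Noble <jer.noble@apple.com>
 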
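--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,38 @@
+2014-07-16 Mike West <mkwst@chromium.org>
+
+CSP: Drop 'script-nonce' directive.
+https://bugs.webkit.org/show_bug.cgi?id=134926
+
+Reviewed by Darin Adler.
+
+This patch drops the outdated 'script-nonce' Content Security
+Policy directive. It was removed from the spec, and replaced in
+CSP2 with a new 'script-src' syntax. We should implement that
+instead.
+
+Until then, removing the outdated syntax will ensure that no one
+ends up relying on it in WebKit's implementation.
+
+This should have limited web-visible impact, as the feature is
+behind the CSP_NEXT flag, which is not enabled by default.
+
+* dom/ScriptElement.cpp:
+(WebCore::ScriptElement::requestScript):
+(WebCore::ScriptElement::executeScript):
+* page/ContentSecurityPolicy.cpp:
+(WebCore::CSPDirectiveList::allowJavaScriptURLs):
+(WebCore::CSPDirectiveList::allowInlineEventHandlers):
+(WebCore::CSPDirectiveList::addDirective):
+(WebCore::NonceDirective::NonceDirective): Deleted.
+(WebCore::NonceDirective::allows): Deleted.
+(WebCore::NonceDirective::parse): Deleted.
+(WebCore::CSPDirectiveList::checkNonce): Deleted.
+(WebCore::CSPDirectiveList::checkNonceAndReportViolation): Deleted.
+(WebCore::CSPDirectiveList::allowScriptNonce): Deleted.
+(WebCore::isAllowedByAllWithNonce): Deleted.
+(WebCore::ContentSecurityPolicy::allowScriptNonce): Deleted.
+(WebCore::ContentSecurityPolicy::reportInvalidNonce): Deleted.
+* page/ContentSecurityPolicy.h:
+
 2014-07-16 Jer Noble <jer.noble@apple.com>
 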
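--- a/trunk/Source/WebCore/dom/ScriptElement.cpp
+++ b/trunk/Source/WebCore/dom/ScriptElement.cpp
@@ -248,6 +248,4 @@
 if (!m_element.inDocument() || &m_element.document() != &originalDocument.get())
 return false;
-if (!m_element.document().contentSecurityPolicy()->allowScriptNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.document().url(), m_startLineNumber, m_element.document().completeURL(sourceUrl)))
-return false;
 
 ASSERT(!m_cachedScript);
@@ -283,7 +281,4 @@
 return;
 
-if (!m_element.document().contentSecurityPolicy()->allowScriptNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.document().url(), m_startLineNumber))
-return;
-
 if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber))
 return;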
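--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
@@ -68,9 +68,4 @@
 }
 
-bool isNonceCharacter(UChar c)
-{
-return (c >= 0x21 && c <= 0x7e) && c != ',' && c != ';'; // VCHAR - ',' - ';'
-}
-
 bool isSourceCharacter(UChar c)
 {
@@ -125,5 +120,4 @@
 static const char formAction[] = "form-action";
 static const char pluginTypes[] = "plugin-types";
-static const char scriptNonce[] = "script-nonce";
 #if ENABLE(CSP_NEXT)
 static const char reflectedXSS[] = "reflected-xss";
@@ -147,5 +141,4 @@
 || equalIgnoringCase(name, formAction)
 || equalIgnoringCase(name, pluginTypes)
-|| equalIgnoringCase(name, scriptNonce)
 || equalIgnoringCase(name, reflectedXSS)
 #endif
@@ -665,49 +658,4 @@
 };
 
-class NonceDirective : public CSPDirective {
-public:
-NonceDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
-: CSPDirective(name, value, policy)
-{
-parse(value);
-}
-
-bool allows(const String& nonce) const
-{
-return (!m_scriptNonce.isEmpty() && nonce.stripWhiteSpace() == m_scriptNonce);
-}
-
-private:
-void parse(const String& value)
-{
-String nonce;
-auto characters = StringView(value).upconvertedCharacters();
-const UChar* position = characters;
-const UChar* end = position + value.length();
-
-skipWhile<isASCIISpace>(position, end);
-const UChar* nonceBegin = position;
-if (position == end) {
-policy()->reportInvalidNonce(String());
-m_scriptNonce = "";
-return;
-}
-skipWhile<isNonceCharacter>(position, end);
-if (nonceBegin < position)
-nonce = String(nonceBegin, position - nonceBegin);
-
-// Trim off trailing whitespace: If we're not at the end of the string, log
-// an error.
-skipWhile<isASCIISpace>(position, end);
-if (position < end) {
-policy()->reportInvalidNonce(value);
-m_scriptNonce = "";
-} else
-m_scriptNonce = nonce;
-}
-
-String m_scriptNonce;
-};
-
 class MediaListDirective : public CSPDirective {
 public:
@@ -822,5 +770,4 @@
 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
 bool allowEval(JSC::ExecState*, ContentSecurityPolicy::ReportingStatus) const;
-bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL&) const;
 bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ContentSecurityPolicy::ReportingStatus) const;
 
@@ -847,5 +794,4 @@
 bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
 void parseReportURI(const String& name, const String& value);
-void parseScriptNonce(const String& name, const String& value);
 void parsePluginTypes(const String& name, const String& value);
 void parseReflectedXSS(const String& name, const String& value);
@@ -861,5 +807,4 @@
 bool checkEval(SourceListDirective*) const;
 bool checkInline(SourceListDirective*) const;
-bool checkNonce(NonceDirective*, const String&) const;
 bool checkSource(SourceListDirective*, const URL&) const;
 bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
@@ -869,5 +814,4 @@
 bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = 0) const;
 bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const;
-bool checkNonceAndReportViolation(NonceDirective*, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
 
 bool checkSourceAndReportViolation(SourceListDirective*, const URL&, const String& effectiveDirective) const;
@@ -886,5 +830,4 @@
 
 std::unique_ptr<MediaListDirective> m_pluginTypes;
-std::unique_ptr<NonceDirective> m_scriptNonce;
 std::unique_ptr<SourceListDirective> m_baseURI;
 std::unique_ptr<SourceListDirective> m_connectSrc;
@@ -946,9 +889,4 @@
 }
 
-bool CSPDirectiveList::checkNonce(NonceDirective* directive, const String& nonce) const
-{
-return !directive || directive->allows(nonce);
-}
-
 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const URL& url) const
 {
@@ -985,12 +923,4 @@
 }
 return true;
-}
-
-bool CSPDirectiveList::checkNonceAndReportViolation(NonceDirective* directive, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
-{
-if (checkNonce(directive, nonce))
-return true;
-reportViolation(directive->text(), scriptNonce, consoleMessage + "\"" + directive->text() + "\".\n", URL(), contextURL, contextLine);
-return denyIfEnforcingPolicy();
 }
 
@@ -1065,11 +995,7 @@
 {
 DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: ")));
-if (reportingStatus == ContentSecurityPolicy::SendReport) {
-return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
-&& checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
-} else {
-return (checkInline(operativeDirective(m_scriptSrc.get()))
-&& checkNonce(m_scriptNonce.get(), String()));
-}
+return reportingStatus == ContentSecurityPolicy::SendReport ?
+checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
+: checkInline(operativeDirective(m_scriptSrc.get()));
 }
 
@@ -1077,11 +1003,7 @@
 {
 DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute inline event handler because it violates the following Content Security Policy directive: ")));
-if (reportingStatus == ContentSecurityPolicy::SendReport) {
-return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
-&& checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
-} else {
-return (checkInline(operativeDirective(m_scriptSrc.get()))
-&& checkNonce(m_scriptNonce.get(), String()));
-}
+return reportingStatus == ContentSecurityPolicy::SendReport ?
+checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
+: checkInline(operativeDirective(m_scriptSrc.get()));
 }
 
@@ -1108,12 +1030,4 @@
 checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), state) :
 checkEval(operativeDirective(m_scriptSrc.get()));
-}
-
-bool CSPDirectiveList::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url) const
-{
-DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute script because it violates the following Content Security Policy directive: ")));
-if (url.isEmpty())
-return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, consoleMessage, contextURL, contextLine);
-return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, "Refused to load '" + url.stringCenterEllipsizedToLength() + "' because it violates the following Content Security Policy directive: ", contextURL, contextLine);
 }
 
@@ -1416,6 +1330,4 @@
 else if (equalIgnoringCase(name, pluginTypes))
 setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
-else if (equalIgnoringCase(name, scriptNonce))
-setCSPDirective<NonceDirective>(name, value, m_scriptNonce);
 else if (equalIgnoringCase(name, reflectedXSS))
 parseReflectedXSS(name, value);
@@ -1517,14 +1429,4 @@
 }
 
-template<bool (CSPDirectiveList::*allowed)(const String&, const String&, const WTF::OrdinalNumber&, const URL&) const>
-bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url)
-{
-for (size_t i = 0; i < policies.size(); ++i) {
-if (!(policies[i].get()->*allowed)(nonce, contextURL, contextLine, url))
-return false;
-}
-return true;
-}
-
 template<bool (CSPDirectiveList::*allowFromURL)(const URL&, ContentSecurityPolicy::ReportingStatus) const>
 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
@@ -1574,9 +1476,4 @@
 }
 return String();
-}
-
-bool ContentSecurityPolicy::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url) const
-{
-return isAllowedByAllWithNonce<&CSPDirectiveList::allowScriptNonce>(m_policies, nonce, contextURL, contextLine, url);
 }
 
@@ -1846,10 +1743,4 @@
 }
 
-void ContentSecurityPolicy::reportInvalidNonce(const String& nonce) const
-{
-String message = makeString("Ignoring invalid Content Security Policy script nonce: '", nonce, "'.\n");
-logToConsole(message);
-}
-
 void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiveName, const String& source) const
 {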
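Review bot: The two rewritten returns in `allowJavaScriptURLs` and `allowInlineEventHandlers` should carry a comment stating that a nonce can never authorize a `javascript:` URL or an inline event handler, because the deleted `checkNonce(m_scriptNonce.get(), String())` conjunct was the only visible place that encoded this: `NonceDirective::allows` never matched an empty nonce, so any policy carrying `script-nonce` failed the check on both paths. Keeping only the `script-src` inline check is correct for this commit, but the ChangeLog plans a CSP2 nonce syntax for `script-src`, and that work must not extend nonces to these two paths; something like `// Nonces apply to script elements only; javascript: URLs and inline event handlers are governed solely by the script-src inline check.` above each return would preserve the rule. Both function signatures sit just above the hunks, outside the visible lines. Separately, the new ternaries end a line with `?` and begin the next with `:`, while `allowEval` further down keeps `:` at the end of the line; one layout for all three would read better.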
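--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.h
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.h
@@ -90,5 +90,4 @@
 bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
 bool allowEval(JSC::ExecState* = 0, ReportingStatus = SendReport) const;
-bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& = URL()) const;
 bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ReportingStatus = SendReport) const;
 
@@ -115,5 +114,4 @@
 void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
 void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
-void reportInvalidNonce(const String&) const;
 void reportInvalidPluginTypes(const String&) const;
 void reportInvalidSandboxFlags(const String&) const;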