Changeset 82085 in webkit
- Timestamp:
- Mar 27, 2011 10:15:38 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 11 edited
trunk/LayoutTests/ChangeLog
r82068 r82085 1 2011-03-27 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 Fix script-src redirect handling 6 https://bugs.webkit.org/show_bug.cgi?id=57196 7 8 Test both allow => disallow and disallow => allow redirect cases. 9 Previously, we had incorrect expectations for one of the redirect 10 cases. Also, I've updated the policy syntax to match the default-src 11 syntax. 12 13 * http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt: 14 * http/tests/security/contentSecurityPolicy/script-src-redirect.html: 15 1 16 2011-03-27 Yuta Kitamura <yutak@chromium.org> 2 17 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt
r78058 r82085 1 1 Loads an iframe which in turns tries to load an external script. The request for the script is redirected to 'localhost'. The iframe has a content security policy disabling external scripts from hosts other than 'localhost'. So the script should be allowed to run. 2 2 3 3 4 4 5 5 -------- 6 6 Frame: '<!--framePath //<!--frame0-->-->' 7 7 -------- 8 FAIL 8 PASS 9 10 -------- 11 Frame: '<!--framePath //<!--frame1-->-->' 12 -------- 13 PASS -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-redirect.html
r78569 r82085 13 13 Loads an iframe which in turns tries to load an external script. The request for the script is redirected to 'localhost'. The iframe has a content security policy disabling external scripts from hosts other than 'localhost'. So the script should be allowed to run. 14 14 </p> 15 <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=yes&csp=allow%20*%3B%20script-src%20'localhost'&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php%3furl=http://localhost:8000/security/contentSecurityPolicy/resources/script.js"></iframe> 15 <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&csp=%20script-src%20localhost&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php%3furl=http://localhost:8000/security/contentSecurityPolicy/resources/script.js"></iframe> 16 <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&csp=%20script-src%20127.0.0.1&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php%3furl=http://localhost:8000/security/contentSecurityPolicy/resources/script.js"></iframe> 16 17 </body> 17 18 </html> -
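Review bot: Both iframes now carry `should_run=no`, so the test has no case in which a redirected script is allowed to run, and it would still pass if the loader refused every redirected script. Assuming the source-list parser accepts two hosts, a third iframe with `csp=%20script-src%20127.0.0.1%20localhost` and `should_run=yes` would pin the allow path across both hops. The description paragraph still ends with `So the script should be allowed to run`, which contradicts the new expectations and should be reworded here and in the expected output.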
trunk/Source/WebCore/ChangeLog
r82084 r82085 1 2011-03-27 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 Fix script-src redirect handling 6 https://bugs.webkit.org/show_bug.cgi?id=57196 7 8 Resource-loading requirements in CSP apply to each hop in the redirect 9 chain. To make that work properly, we need to move enforcement into 10 the loader. Fortunately, we already have a choke-point in the loader 11 for enforcing this kind of policy. 12 13 * dom/ScriptElement.cpp: 14 (WebCore::ScriptElement::requestScript): 15 * html/parser/HTMLDocumentParser.cpp: 16 * html/parser/HTMLDocumentParser.h: 17 * html/parser/HTMLScriptRunnerHost.h: 18 * loader/cache/CachedResourceLoader.cpp: 19 (WebCore::CachedResourceLoader::canRequest): 20 * page/ContentSecurityPolicy.cpp: 21 (WebCore::ContentSecurityPolicy::allowScriptFromSource): 22 * page/ContentSecurityPolicy.h: 23 1 24 2011-03-27 Jer Noble <jer.noble@apple.com> 2 25 -
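--- a/trunk/Source/WebCore/dom/ScriptElement.cpp
+++ b/trunk/Source/WebCore/dom/ScriptElement.cpp
@@ -233,7 +233,4 @@
 bool ScriptElement::requestScript(const String& sourceUrl)
 {
-if (!m_element->document()->contentSecurityPolicy()->canLoadExternalScriptFromSrc(sourceUrl))
-return false;
-
 RefPtr<Document> originalDocument = m_element->document();
 if (!m_element->dispatchBeforeLoadEvent(sourceUrl))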
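--- a/trunk/Source/WebCore/html/parser/HTMLDocumentParser.cpp
+++ b/trunk/Source/WebCore/html/parser/HTMLDocumentParser.cpp
@@ -479,9 +479,4 @@
 }
 
-bool HTMLDocumentParser::shouldLoadExternalScriptFromSrc(const AtomicString& srcValue)
-{
-return document()->contentSecurityPolicy()->canLoadExternalScriptFromSrc(srcValue);
-}
-
 void HTMLDocumentParser::notifyFinished(CachedResource* cachedResource)
 {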
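--- a/trunk/Source/WebCore/html/parser/HTMLDocumentParser.h
+++ b/trunk/Source/WebCore/html/parser/HTMLDocumentParser.h
@@ -109,5 +109,4 @@
 virtual void watchForLoad(CachedResource*);
 virtual void stopWatchingForLoad(CachedResource*);
-virtual bool shouldLoadExternalScriptFromSrc(const AtomicString&);
 virtual HTMLInputStream& inputStream() { return m_input; }
 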
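--- a/trunk/Source/WebCore/html/parser/HTMLScriptRunnerHost.h
+++ b/trunk/Source/WebCore/html/parser/HTMLScriptRunnerHost.h
@@ -45,6 +45,4 @@
 virtual void stopWatchingForLoad(CachedResource*) = 0;
 
-// Implementors can block certain script loads (for XSSAuditor, etc.)
-virtual bool shouldLoadExternalScriptFromSrc(const AtomicString&) = 0;
 virtual HTMLInputStream& inputStream() = 0;
 };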
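--- a/trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
+++ b/trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
@@ -35,4 +35,5 @@
 #include "CachedXSLStyleSheet.h"
 #include "Console.h"
+#include "ContentSecurityPolicy.h"
 #include "DOMWindow.h"
 #include "Document.h"
@@ -218,7 +219,4 @@
 break;
 #endif
-default:
-ASSERT_NOT_REACHED();
-break;
 }
 
@@ -254,9 +252,10 @@
 break;
 #endif
-default:
-ASSERT_NOT_REACHED();
-break;
 }
 // FIXME: Consider letting the embedder block mixed content loads.
+
+if (type == CachedResource::Script && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+return false;
+
 return true;
 }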
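Review bot: The CSP check added at the end of `canRequest` has no comment explaining why enforcement lives in the loader, so the per-hop guarantee described in the ChangeLog is stated nowhere in the code. I would add `// CSP is enforced here rather than at the call sites because the policy applies to every URL in a redirect chain.` above the `if`, and confirm that the redirect path re-enters `canRequest` with the redirect target, which these hunks do not show. The check covers `CachedResource::Script` only; if further directives are planned, a `switch (type)` at this point would make the uncovered resource types visible. `m_document` and `contentSecurityPolicy()` are dereferenced unchecked, as the removed call sites did, but the loader may run in states the element code never reached, so it is worth confirming that neither can be null here.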
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r82028 r82085 431 431 } 432 432 433 bool ContentSecurityPolicy:: canLoadExternalScriptFromSrc(const String& url) const434 { 435 return !m_scriptSrc || m_scriptSrc->allows( KURL(ParsedURLString, url));433 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const 434 { 435 return !m_scriptSrc || m_scriptSrc->allows(url); 436 436 } 437 437 -
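Review bot: `allowScriptFromSource` returns true whenever `m_scriptSrc` is null and now relies on the caller to pass an already resolved `KURL`, and neither contract is documented. I would add above the definition `// Allows every URL when the policy has no script-src directive. |url| is the request URL as seen by the loader; it must be checked for each URL in a redirect chain.` The old signature built the `KURL` itself with `KURL(ParsedURLString, url)`, so any remaining caller that holds only an attribute string must resolve it against the document first; no such caller is visible on this page.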
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r82028 r82085 33 33 34 34 class CSPDirective; 35 class KURL; 35 36 class SecurityOrigin; 36 37 … … 46 47 47 48 bool allowJavaScriptURLs() const; 48 // FIXME: Rename canLoadExternalScriptFromSrc to allowScriptFromURL. 49 bool canLoadExternalScriptFromSrc(const String& url) const; 49 bool allowScriptFromSource(const KURL&) const; 50 50 51 51 private: