Changeset 82147 in webkit
- Timestamp:
- Mar 28, 2011 1:16:06 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 6 edited
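--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,13 @@
+2011-03-28 Adam Barth <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        script-src should block inline event handlers
+        https://bugs.webkit.org/show_bug.cgi?id=57212
+
+        * http/tests/security/contentSecurityPolicy/resources/event-handler.pl: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-none-inline-event.html: Added.
+
 2011-03-28 David Hyatt <hyatt@apple.com>
 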
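--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,30 @@
+2011-03-28 Adam Barth <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        script-src should block inline event handlers
+        https://bugs.webkit.org/show_bug.cgi?id=57212
+
+        I considered wrapping this into the canExecute check, but that approach
+        would require passing that function a bunch of context information to
+        behave correctly once we add support for the "options" directive that
+        re-enables these features.
+
+        Test: http/tests/security/contentSecurityPolicy/script-src-none-inline-event.html
+
+        * bindings/js/JSLazyEventListener.cpp:
+        (WebCore::JSLazyEventListener::initializeJSFunction):
+        - This function was a mess. I couldn't resist cleaning it up a
+        bunch. Notice that we ASSERT at the beginning of the function
+        that scriptExecutionContext is a document and that both ways of
+        getting the global object are the same when document->frame() is
+        non-zero because the document must be active and there is a
+        one-to-one relation between Frames and active Documents.
+        * bindings/v8/V8LazyEventListener.cpp:
+        (WebCore::V8LazyEventListener::prepareListenerObject):
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
+        * page/ContentSecurityPolicy.h:
+
 2011-03-28 Jeff Miller <jeffm@apple.com>
 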
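--- a/trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp
+++ b/trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp
@@ -21,4 +21,5 @@
 #include "JSLazyEventListener.h"
 
+#include "ContentSecurityPolicy.h"
 #include "Frame.h"
 #include "JSNode.h"
@@ -75,10 +76,14 @@
         return 0;
 
-    Frame* frame = static_cast<Document*>(executionContext)->frame();
-    if (!frame)
+    Document* document = static_cast<Document*>(executionContext);
+
+    if (!document->frame())
         return 0;
 
-    ScriptController* scriptController = frame->script();
-    if (!scriptController->canExecuteScripts(AboutToExecuteScript))
+    if (!document->contentSecurityPolicy()->allowInlineEventHandlers())
+        return 0;
+
+    ScriptController* script = document->frame()->script();
+    if (!script->canExecuteScripts(AboutToExecuteScript) || script->isPaused())
         return 0;
 
@@ -86,15 +91,4 @@
     if (!globalObject)
         return 0;
-
-    if (executionContext->isDocument()) {
-        JSDOMWindow* window = static_cast<JSDOMWindow*>(globalObject);
-        Frame* frame = window->impl()->frame();
-        if (!frame)
-            return 0;
-        // FIXME: Is this check needed for non-Document contexts?
-        ScriptController* script = frame->script();
-        if (!script->canExecuteScripts(AboutToExecuteScript) || script->isPaused())
-            return 0;
-    }
 
     ExecState* exec = globalObject->globalExec();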
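Review bot: `document->frame()` is null-checked at new line 80 and then called a second time at line 86, so the check no longer visibly covers the use; keeping the pointer as the old code did is clearer: `Frame* frame = document->frame();` / `if (!frame)` / `ScriptController* script = frame->script();`. The CSP gate at line 83 is the security-relevant part of this change and has no comment, so a reader cannot tell that a handler rejected here is simply never compiled; I would add `// A script-src directive disables inline event handlers: the attribute source is never compiled.` above it. `contentSecurityPolicy()` is dereferenced unconditionally — fine if every Document owns a policy object, which this hunk does not show. initializeJSFunction begins before this hunk, so the isDocument assertion the ChangeLog describes is not visible here.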
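--- a/trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp
+++ b/trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp
@@ -32,4 +32,5 @@
 #include "V8LazyEventListener.h"
 
+#include "ContentSecurityPolicy.h"
 #include "Frame.h"
 #include "V8Binding.h"
@@ -79,4 +80,7 @@
 {
     if (hasExistingListenerObject())
+        return;
+
+    if (context->isDocument() && !static_cast<Document*>(context)->contentSecurityPolicy()->allowInlineEventHandlers())
         return;
 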
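Review bot: The condition added at new line 84 folds the context-type test, the cast and the policy lookup into one long line; splitting it into an `if (context->isDocument())` block with `Document* document = static_cast<Document*>(context);` reads better and mirrors the JSC version of this change. Note that here a non-Document context skips the CSP check and proceeds to compile the handler, whereas the JSC path (as far as its hunk shows) returns early for non-documents before reaching the policy; if both are intended, a one-line comment such as `// Only Document contexts carry a script-src policy.` would record that. prepareListenerObject's body continues outside this hunk.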
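--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
@@ -431,4 +431,9 @@
 }
 
+bool ContentSecurityPolicy::allowInlineEventHandlers() const
+{
+    return !m_scriptSrc;
+}
+
 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const
 {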
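Review bot: `allowInlineEventHandlers` returns `!m_scriptSrc` with no comment, so a reader cannot tell that the mere presence of a script-src directive — whatever its source list says — is what disables inline handlers; the ChangeLog's note about the future "options" directive belongs on the function itself, e.g. `// Any script-src directive disables inline event handlers; the "options" directive that would re-enable them is not supported yet.` The declaration added at ContentSecurityPolicy.h line 49 sits beside allowJavaScriptURLs, which presumably applies the same rule; if that method also returns `!m_scriptSrc`, a single private helper would keep the two from drifting apart when the directive handling changes.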
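--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.h
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.h
@@ -47,4 +47,5 @@
 
     bool allowJavaScriptURLs() const;
+    bool allowInlineEventHandlers() const;
     bool allowScriptFromSource(const KURL&) const;
 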