Changeset 82147 in webkit

Timestamp:

Mar 28, 2011 1:16:06 PM (13 years ago)

Author:

abarth@webkit.org

Message:

2011-03-28 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

script-src should block inline event handlers
​https://bugs.webkit.org/show_bug.cgi?id=57212

I considered wrapping this into the canExecute check, but that approach
would require passing that function a bunch of context information to
behave correctly once we add support for the "options" directive that
re-enables these features.

Test: http/tests/security/contentSecurityPolicy/script-src-none-inline-event.html

• bindings/js/JSLazyEventListener.cpp: (WebCore::JSLazyEventListener::initializeJSFunction):
  • This function was a mess. I couldn't resist cleaning it up a bunch. Notice that we ASSERT at the beginning of the function that scriptExecutionContext is a document and that both ways of getting the global object are the same when document->frame() is non-zero because the document must be active and there is a one-to-one relation between Frames and active Documents.
• bindings/v8/V8LazyEventListener.cpp: (WebCore::V8LazyEventListener::prepareListenerObject):
• page/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
• page/ContentSecurityPolicy.h:

2011-03-28 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

script-src should block inline event handlers
​https://bugs.webkit.org/show_bug.cgi?id=57212

• http/tests/security/contentSecurityPolicy/resources/event-handler.pl: Added.
• http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/script-src-none-inline-event.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/event-handler.pl (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/JSLazyEventListener.cpp (modified) (3 diffs)
• Source/WebCore/bindings/v8/V8LazyEventListener.cpp (modified) (2 diffs)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-03-28  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        script-src should block inline event handlers
+        https://bugs.webkit.org/show_bug.cgi?id=57212
+
+        * http/tests/security/contentSecurityPolicy/resources/event-handler.pl: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-none-inline-event.html: Added.
+
 2011-03-28  David Hyatt  <hyatt@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-03-28  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        script-src should block inline event handlers
+        https://bugs.webkit.org/show_bug.cgi?id=57212
+
+        I considered wrapping this into the canExecute check, but that approach
+        would require passing that function a bunch of context information to
+        behave correctly once we add support for the "options" directive that
+        re-enables these features.
+
+        Test: http/tests/security/contentSecurityPolicy/script-src-none-inline-event.html
+
+        * bindings/js/JSLazyEventListener.cpp:
+        (WebCore::JSLazyEventListener::initializeJSFunction):
+            - This function was a mess.  I couldn't resist cleaning it up a
+              bunch.  Notice that we ASSERT at the beginning of the function
+              that scriptExecutionContext is a document and that both ways of
+              getting the global object are the same when document->frame() is
+              non-zero because the document must be active and there is a
+              one-to-one relation between Frames and active Documents.
+        * bindings/v8/V8LazyEventListener.cpp:
+        (WebCore::V8LazyEventListener::prepareListenerObject):
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
+        * page/ContentSecurityPolicy.h:
+
 2011-03-28  Jeff Miller  <jeffm@apple.com>
 

trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp

@@ -21 +21 @@
 #include "JSLazyEventListener.h"
 
+#include "ContentSecurityPolicy.h"
 #include "Frame.h"
 #include "JSNode.h"
@@ -75 +76 @@
         return 0;
 
-    Frame* frame = static_cast<Document*>(executionContext)->frame();
-    if (!frame)
+    Document* document = static_cast<Document*>(executionContext);
+
+    if (!document->frame())
         return 0;
 
-    ScriptController* scriptController = frame->script();
-    if (!scriptController->canExecuteScripts(AboutToExecuteScript))
+    if (!document->contentSecurityPolicy()->allowInlineEventHandlers())
+        return 0;
+
+    ScriptController* script = document->frame()->script();
+    if (!script->canExecuteScripts(AboutToExecuteScript) || script->isPaused())
         return 0;
 
@@ -86 +91 @@
     if (!globalObject)
         return 0;
-
-    if (executionContext->isDocument()) {
-        JSDOMWindow* window = static_cast<JSDOMWindow*>(globalObject);
-        Frame* frame = window->impl()->frame();
-        if (!frame)
-            return 0;
-        // FIXME: Is this check needed for non-Document contexts?
-        ScriptController* script = frame->script();
-        if (!script->canExecuteScripts(AboutToExecuteScript) || script->isPaused())
-            return 0;
-    }
 
     ExecState* exec = globalObject->globalExec();

trunk/Source/WebCore/bindings/v8/V8LazyEventListener.cpp

@@ -32 +32 @@
 #include "V8LazyEventListener.h"
 
+#include "ContentSecurityPolicy.h"
 #include "Frame.h"
 #include "V8Binding.h"
@@ -79 +80 @@
 {
     if (hasExistingListenerObject())
+        return;
+
+    if (context->isDocument() && !static_cast<Document*>(context)->contentSecurityPolicy()->allowInlineEventHandlers())
         return;
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -431 +431 @@
 }
 
+bool ContentSecurityPolicy::allowInlineEventHandlers() const
+{
+    return !m_scriptSrc;
+}
+
 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const
 {

trunk/Source/WebCore/page/ContentSecurityPolicy.h

@@ -47 +47 @@
 
     bool allowJavaScriptURLs() const;
+    bool allowInlineEventHandlers() const;
     bool allowScriptFromSource(const KURL&) const;