Changeset 83141 in webkit


Timestamp:
Apr 6, 2011 9:43:50 PM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-04-06 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP object-src should block plugin loads
https://bugs.webkit.org/show_bug.cgi?id=57283

This change is pretty straight-forward. It's slightly unclear to me
whether this patch is correct w.r.t. the code in DocumentWriter. I've
added a FIXME comment, and I'll investigate that case more in the future.

Test: http/tests/security/contentSecurityPolicy/object-src-none.html

  • loader/DocumentWriter.cpp: (WebCore::DocumentWriter::begin):
  • loader/SubframeLoader.cpp: (WebCore::SubframeLoader::requestPlugin):
  • page/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::allowObjectFromSource): (WebCore::ContentSecurityPolicy::addDirective):
  • page/ContentSecurityPolicy.h:

2011-04-06 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP object-src should block plugin loads
https://bugs.webkit.org/show_bug.cgi?id=57283

  • http/tests/security/contentSecurityPolicy/object-src-none-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/object-src-none.html: Added.
  • http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl: Added.
Location:
trunk
Files:
3 added
6 edited

  • trunk/LayoutTests/ChangeLog

    r83140 r83141  
     12011-04-06  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        CSP object-src should block plugin loads
     6        https://bugs.webkit.org/show_bug.cgi?id=57283
     7
     8        * http/tests/security/contentSecurityPolicy/object-src-none-expected.txt: Added.
     9        * http/tests/security/contentSecurityPolicy/object-src-none.html: Added.
     10        * http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl: Added.
     11
    1122011-04-06  Beth Dakin  <bdakin@apple.com>
    213
  • trunk/Source/WebCore/ChangeLog

    r83140 r83141  
     12011-04-06  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        CSP object-src should block plugin loads
     6        https://bugs.webkit.org/show_bug.cgi?id=57283
     7
     8        This change is pretty straight-forward.  It's slighly unclear to me
     9        whether this patch is correct w.r.t. the code in DocumentWriter.  I've
     10        added a FIXME comment, and I'll investigate that case more in the future.
     11
     12        Test: http/tests/security/contentSecurityPolicy/object-src-none.html
     13
     14        * loader/DocumentWriter.cpp:
     15        (WebCore::DocumentWriter::begin):
     16        * loader/SubframeLoader.cpp:
     17        (WebCore::SubframeLoader::requestPlugin):
     18        * page/ContentSecurityPolicy.cpp:
     19        (WebCore::ContentSecurityPolicy::allowObjectFromSource):
     20        (WebCore::ContentSecurityPolicy::addDirective):
     21        * page/ContentSecurityPolicy.h:
     22
    1232011-04-06  Beth Dakin  <bdakin@apple.com>
    224
  • trunk/Source/WebCore/loader/DocumentWriter.cpp

    r78342 r83141  
    121121    if (document->isPluginDocument() && m_frame->loader()->isSandboxed(SandboxPlugins))
    122122        document = SinkDocument::create(m_frame, url);
     123
     124    // FIXME: Do we need to consult the content security policy here about blocked plug-ins?
    123125
    124126    bool resetScripting = !(m_frame->loader()->stateMachine()->isDisplayingInitialEmptyDocument() && m_frame->document()->securityOrigin()->isSecureTransitionTo(url));
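Review bot: the FIXME at line 124 records a gap rather than closing one: a top-level navigation that produces a PluginDocument is still gated only by the SandboxPlugins check on lines 121-122, while the new object-src enforcement in this change lives in SubframeLoader::requestPlugin and therefore only covers the <object>/<embed> path. Suggest referencing bug 57283 in the comment and adding a layout test for the main-resource plugin case next to object-src-none.html, so the open question is tracked instead of lost.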
  • trunk/Source/WebCore/loader/SubframeLoader.cpp

    r82001 r83141  
    3434#include "SubframeLoader.h"
    3535
     36#include "ContentSecurityPolicy.h"
    3637#include "Frame.h"
    3738#include "FrameLoaderClient.h"
     
    110111        return false;
    111112
    112     if (m_frame->document() && m_frame->document()->securityOrigin()->isSandboxed(SandboxPlugins))
    113         return false;
     113    if (m_frame->document()) {
     114        if (m_frame->document()->securityOrigin()->isSandboxed(SandboxPlugins))
     115            return false;
     116        if (!m_frame->document()->contentSecurityPolicy()->allowObjectFromSource(url))
     117            return false;
     118    }
    114119
    115120    ASSERT(ownerElement->hasTagName(objectTag) || ownerElement->hasTagName(embedTag));
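Review bot: the new object-src check on lines 116-117 fails closed silently, exactly like the sandbox branch above it, but a CSP block is a policy decision the page author needs to be able to diagnose; consider emitting a console message carrying the blocked URL when allowObjectFromSource returns false. A one-line comment that the sandbox check intentionally runs first (SandboxPlugins blocks regardless of what the policy says) would also help the next reader of this block.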
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r82147 r83141  
    441441}
    442442
     443bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const
     444{
     445    return !m_objectSrc || m_objectSrc->allows(url);
     446}
     447
    443448// policy            = directive-list
    444449// directive-list    = [ directive *( ";" [ directive ] ) ]
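Review bot: allowObjectFromSource on line 445 is fail-open: with no object-src directive present it returns true, so a policy that names only script-src leaves plugin loads unrestricted. That may be the intended semantics at this stage, but it deserves a comment on the function, and this is the single place a fallback directive would have to be consulted if one is introduced later.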
     
    515520{
    516521    DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
     522    DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src"));
    517523
    518524    ASSERT(!name.isEmpty());
     
    520526    if (!m_scriptSrc && equalIgnoringCase(name, scriptSrc))
    521527        m_scriptSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
    522 }
    523 
    524 }
     528    else if (!m_objectSrc && equalIgnoringCase(name, objectSrc))
     529        m_objectSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
     530}
     531
     532}
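Review bot: the `!m_scriptSrc &&` and `!m_objectSrc &&` guards on lines 526-529 mean a repeated directive is silently ignored (first occurrence wins), and a directive with any other name falls through both branches with no diagnostic at all. Both are likely authoring errors in a policy header; consider logging a console warning in each case so a misspelled or duplicated object-src is noticed rather than quietly leaving plugins unrestricted.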
  • trunk/Source/WebCore/page/ContentSecurityPolicy.h

    r82147 r83141  
    4949    bool allowInlineEventHandlers() const;
    5050    bool allowScriptFromSource(const KURL&) const;
     51    bool allowObjectFromSource(const KURL&) const;
    5152
    5253private:
     
    6061    RefPtr<SecurityOrigin> m_origin;
    6162    OwnPtr<CSPDirective> m_scriptSrc;
     63    OwnPtr<CSPDirective> m_objectSrc;
    6264};
    6365