Changeset 83205 in webkit
- Timestamp:
- Apr 7, 2011 1:51:22 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 4 added
- 4 edited
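--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,14 @@
+2011-04-07 Adam Barth <abarth@webkit.org>
+
+Reviewed by Eric Seidel.
+
+Implement CSP's options directive
+https://bugs.webkit.org/show_bug.cgi?id=58014
+
+* http/tests/security/contentSecurityPolicy/inline-script-allowed-expected.txt: Added.
+* http/tests/security/contentSecurityPolicy/inline-script-allowed.html: Added.
+* http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt: Added.
+* http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html: Added.
+
 2011-04-07 Enrica Casucci <enrica@apple.com>
 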
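--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,27 @@
+2011-04-07 Adam Barth <abarth@webkit.org>
+
+Reviewed by Eric Seidel.
+
+Implement CSP's options directive
+https://bugs.webkit.org/show_bug.cgi?id=58014
+
+This patch contains the full options parser, but we only have enough of
+CSP implemented to see the effects of disable-xss-protection. Will
+need to do some more work before we can see eval-script in action.
+
+Tests: http/tests/security/contentSecurityPolicy/inline-script-allowed.html
+http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html
+
+* page/ContentSecurityPolicy.cpp:
+(WebCore::CSPOptions::CSPOptions):
+(WebCore::CSPOptions::disableXSSProtection):
+(WebCore::CSPOptions::evalScript):
+(WebCore::CSPOptions::parse):
+(WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
+(WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
+(WebCore::ContentSecurityPolicy::allowInlineScript):
+(WebCore::ContentSecurityPolicy::addDirective):
+* page/ContentSecurityPolicy.h:
+
 2011-04-07 Alexey Proskuryakov <ap@apple.com>
 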
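--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
@@ -58,4 +58,9 @@
 }
 
+bool isOptionValueCharacter(UChar c)
+{
+return isASCIIAlphanumeric(c) || c == '-';
+}
+
 bool isSchemeContinuationCharacter(UChar c)
 {
@@ -407,4 +412,53 @@
 };
 
+class CSPOptions {
+public:
+explicit CSPOptions(const String& value)
+: m_disableXSSProtection(false)
+, m_evalScript(false)
+{
+parse(value);
+}
+
+bool disableXSSProtection() const { return m_disableXSSProtection; }
+bool evalScript() const { return m_evalScript; }
+
+private:
+void parse(const String&);
+
+bool m_disableXSSProtection;
+bool m_evalScript;
+};
+
+// options = "options" *( 1*WSP option-value ) *WSP
+// option-value = 1*( ALPHA / DIGIT / "-" )
+//
+void CSPOptions::parse(const String& value)
+{
+DEFINE_STATIC_LOCAL(String, disableXSSProtection, ("disable-xss-protection"));
+DEFINE_STATIC_LOCAL(String, evalScript, ("eval-script"));
+
+const UChar* position = value.characters();
+const UChar* end = position + value.length();
+
+while (position < end) {
+skipWhile<isASCIISpace>(position, end);
+
+const UChar* optionsValueBegin = position;
+
+if (!skipExactly<isOptionValueCharacter>(position, end))
+return;
+
+skipWhile<isOptionValueCharacter>(position, end);
+
+String optionsValue(optionsValueBegin, position - optionsValueBegin);
+
+if (equalIgnoringCase(optionsValue, disableXSSProtection))
+m_disableXSSProtection = true;
+else if (equalIgnoringCase(optionsValue, evalScript))
+m_evalScript = true;
+}
+}
+
 ContentSecurityPolicy::ContentSecurityPolicy(SecurityOrigin* origin)
 : m_havePolicy(false)
@@ -426,17 +480,22 @@
 }
 
+bool ContentSecurityPolicy::protectAgainstXSS() const
+{
+return m_scriptSrc && (!m_options || !m_options->disableXSSProtection());
+}
+
 bool ContentSecurityPolicy::allowJavaScriptURLs() const
 {
-return ! m_scriptSrc;
+return !protectAgainstXSS();
 }
 
 bool ContentSecurityPolicy::allowInlineEventHandlers() const
 {
-return ! m_scriptSrc;
+return !protectAgainstXSS();
 }
 
 bool ContentSecurityPolicy::allowInlineScript() const
 {
-return ! m_scriptSrc;
+return !protectAgainstXSS();
 }
 
@@ -526,4 +585,5 @@
 DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
 DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src"));
+DEFINE_STATIC_LOCAL(String, options, ("options"));
 
 ASSERT(!name.isEmpty());
@@ -533,5 +593,7 @@
 else if (!m_objectSrc && equalIgnoringCase(name, objectSrc))
 m_objectSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
-}
-
-}
+else if (!m_options && equalIgnoringCase(name, options))
+m_options = adoptPtr(new CSPOptions(value));
+}
+
+}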
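Review bot: In `CSPOptions::parse`, the bare `return` taken when `skipExactly<isOptionValueCharacter>` fails is reached both for valid trailing whitespace and for a character outside the option-value grammar, and in the second case any flag already set is kept. Both options only relax the policy, so a malformed `options` value can still leave `disable-xss-protection` in force; a token is also accepted when a non-whitespace, non-option character follows it directly, although the grammar in the comment requires `1*WSP` between values. I would treat that as a parse error and clear both flags before returning, as sketched below; whether the CSP draft wants the whole directive ignored is not visible on this page, so confirm against it. A layout test with a malformed `options` value would pin the behaviour.

```cpp
while (position < end) {
    skipWhile<isASCIISpace>(position, end);
    if (position == end)
        return; // trailing *WSP is valid

    const UChar* optionsValueBegin = position;
    skipWhile<isOptionValueCharacter>(position, end);

    // Anything other than option-value characters or WSP makes the value
    // malformed: drop relaxations already recorded rather than keep a partial result.
    if (position == optionsValueBegin || (position < end && !isASCIISpace(*position))) {
        m_disableXSSProtection = false;
        m_evalScript = false;
        return;
    }

    // … unchanged: build optionsValue and match it against the two known options …
}
```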
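--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.h
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.h
@@ -33,4 +33,5 @@
 
 class CSPDirective;
+class CSPOptions;
 class KURL;
 class SecurityOrigin;
@@ -55,4 +56,6 @@
 explicit ContentSecurityPolicy(SecurityOrigin*);
 
+bool protectAgainstXSS() const;
+
 void parse(const String&);
 bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
@@ -63,4 +66,5 @@
 OwnPtr<CSPDirective> m_scriptSrc;
 OwnPtr<CSPDirective> m_objectSrc;
+OwnPtr<CSPOptions> m_options;
 };
 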
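Review bot: `protectAgainstXSS()` is declared without a comment, and its name reads like an action although it is a const predicate that the three `allow*` checks in the .cpp negate. A one-line comment above the declaration would make the contract clear, e.g. `// True when a script-src directive is present and the options directive has not set disable-xss-protection.` The class declaration begins outside the visible hunks.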