Changeset 83235 in webkit
- Timestamp:
- Apr 7, 2011 6:08:59 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 14 added
- 5 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r83233 r83235 1 2011-04-07 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 Implement img-src style-src and font-src 6 https://bugs.webkit.org/show_bug.cgi?id=58018 7 8 Test a bunch of allow/block tests for these new directives. 9 10 * http/tests/security/contentSecurityPolicy/image-allowed-expected.txt: Added. 11 * http/tests/security/contentSecurityPolicy/image-allowed.html: Added. 12 * http/tests/security/contentSecurityPolicy/image-blocked-expected.txt: Added. 13 * http/tests/security/contentSecurityPolicy/image-blocked.html: Added. 14 * http/tests/security/contentSecurityPolicy/resources/blue.css: Added. 15 * http/tests/security/contentSecurityPolicy/resources/style.xsl: Added. 16 * http/tests/security/contentSecurityPolicy/style-allowed-expected.txt: Added. 17 * http/tests/security/contentSecurityPolicy/style-allowed.html: Added. 18 * http/tests/security/contentSecurityPolicy/style-blocked-expected.txt: Added. 19 * http/tests/security/contentSecurityPolicy/style-blocked.html: Added. 20 * http/tests/security/contentSecurityPolicy/xsl-allowed.php: Added. 21 * http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt: Added. 22 * http/tests/security/contentSecurityPolicy/xsl-blocked.php: Added. 23 1 24 2011-04-07 Enrica Casucci <enrica@apple.com> 2 25 -
trunk/Source/WebCore/ChangeLog
r83234 r83235 1 2011-04-07 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 Implement img-src style-src and font-src 6 https://bugs.webkit.org/show_bug.cgi?id=58018 7 8 These are pretty straight forward given the rest of the infrastructure 9 we've built so far. 10 11 Tests: http/tests/security/contentSecurityPolicy/image-allowed.html 12 http/tests/security/contentSecurityPolicy/image-blocked.html 13 http/tests/security/contentSecurityPolicy/style-allowed.html 14 http/tests/security/contentSecurityPolicy/style-blocked.html 15 http/tests/security/contentSecurityPolicy/xsl-allowed.php 16 http/tests/security/contentSecurityPolicy/xsl-blocked.php 17 18 * loader/cache/CachedResourceLoader.cpp: 19 (WebCore::CachedResourceLoader::canRequest): 20 * page/ContentSecurityPolicy.cpp: 21 (WebCore::ContentSecurityPolicy::allowImageFromSource): 22 (WebCore::ContentSecurityPolicy::allowStyleFromSource): 23 (WebCore::ContentSecurityPolicy::allowFontFromSource): 24 (WebCore::ContentSecurityPolicy::addDirective): 25 * page/ContentSecurityPolicy.h: 26 1 27 2011-04-07 David Levin <levin@chromium.org> 2 28 -
trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
r82630 r83235 256 256 // FIXME: Consider letting the embedder block mixed content loads. 257 257 258 if (type == CachedResource::Script && !m_document->contentSecurityPolicy()->allowScriptFromSource(url)) 259 return false; 258 switch (type) { 259 case CachedResource::Script: 260 if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url)) 261 return false; 262 break; 263 #if ENABLE(XSLT) 264 case CachedResource::XSLStyleSheet: 265 #endif 266 case CachedResource::CSSStyleSheet: 267 if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url)) 268 return false; 269 break; 270 case CachedResource::ImageResource: 271 if (!m_document->contentSecurityPolicy()->allowImageFromSource(url)) 272 return false; 273 break; 274 case CachedResource::FontResource: { 275 if (!m_document->contentSecurityPolicy()->allowFontFromSource(url)) 276 return false; 277 break; 278 } 279 #if ENABLE(LINK_PREFETCH) 280 case CachedResource::LinkPrefetch: 281 break; 282 #endif 283 } 260 284 261 285 return true; -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r83205 r83235 510 510 } 511 511 512 bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const 513 { 514 return !m_imgSrc || m_imgSrc->allows(url); 515 } 516 517 bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const 518 { 519 return !m_styleSrc || m_styleSrc->allows(url); 520 } 521 522 bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const 523 { 524 return !m_fontSrc || m_fontSrc->allows(url); 525 } 526 512 527 // policy = directive-list 513 528 // directive-list = [ directive *( ";" [ directive ] ) ] … … 585 600 DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src")); 586 601 DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src")); 602 DEFINE_STATIC_LOCAL(String, imgSrc, ("img-src")); 603 DEFINE_STATIC_LOCAL(String, styleSrc, ("style-src")); 604 DEFINE_STATIC_LOCAL(String, fontSrc, ("font-src")); 587 605 DEFINE_STATIC_LOCAL(String, options, ("options")); 588 606 … … 593 611 else if (!m_objectSrc && equalIgnoringCase(name, objectSrc)) 594 612 m_objectSrc = adoptPtr(new CSPDirective(value, m_origin.get())); 613 else if (!m_imgSrc && equalIgnoringCase(name, imgSrc)) 614 m_imgSrc = adoptPtr(new CSPDirective(value, m_origin.get())); 615 else if (!m_styleSrc && equalIgnoringCase(name, styleSrc)) 616 m_styleSrc = adoptPtr(new CSPDirective(value, m_origin.get())); 617 else if (!m_fontSrc && equalIgnoringCase(name, fontSrc)) 618 m_fontSrc = adoptPtr(new CSPDirective(value, m_origin.get())); 595 619 else if (!m_options && equalIgnoringCase(name, options)) 596 620 m_options = adoptPtr(new CSPOptions(value)); -
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r83205 r83235 50 50 bool allowInlineEventHandlers() const; 51 51 bool allowInlineScript() const; 52 52 53 bool allowScriptFromSource(const KURL&) const; 53 54 bool allowObjectFromSource(const KURL&) const; 55 bool allowImageFromSource(const KURL&) const; 56 bool allowStyleFromSource(const KURL&) const; 57 bool allowFontFromSource(const KURL&) const; 54 58 55 59 private: … … 66 70 OwnPtr<CSPDirective> m_scriptSrc; 67 71 OwnPtr<CSPDirective> m_objectSrc; 72 OwnPtr<CSPDirective> m_imgSrc; 73 OwnPtr<CSPDirective> m_styleSrc; 74 OwnPtr<CSPDirective> m_fontSrc; 68 75 OwnPtr<CSPOptions> m_options; 69 76 };
Note: See TracChangeset
for help on using the changeset viewer.