Changeset 84457 in webkit
- Timestamp:
- Apr 20, 2011 7:33:55 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 12 added
- 4 deleted
- 22 edited
- 2 copied
trunk/LayoutTests/ChangeLog
r84456 r84457 1 2011-04-20 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 CSP policy violations should log to the console 6 https://bugs.webkit.org/show_bug.cgi?id=58646 7 8 Now with console messages. I had to split a bunch of these tests into 9 smaller pieces to avoid race conditions in the new test output. 10 11 * http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt: 12 * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt: 13 * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt: 14 * http/tests/security/contentSecurityPolicy/image-blocked-expected.txt: 15 * http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt: 16 * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt: 17 * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html: 18 * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt: Added. 19 * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html. 20 * http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt. 21 * http/tests/security/contentSecurityPolicy/javascript-url-allowed.html: Added. 22 * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt: Added. 23 * http/tests/security/contentSecurityPolicy/javascript-url-blocked.html: Added. 24 * http/tests/security/contentSecurityPolicy/javascript-url-expected.txt: Removed. 25 * http/tests/security/contentSecurityPolicy/javascript-url.html: Removed. 
26 * http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt: 27 * http/tests/security/contentSecurityPolicy/object-src-none-allowed-expected.txt: Added. 28 * http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none.html. 29 * http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt: Added. 30 * http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none.html. 31 * http/tests/security/contentSecurityPolicy/object-src-none-expected.txt: Removed. 32 * http/tests/security/contentSecurityPolicy/script-src-none-expected.txt: 33 * http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt: 34 * http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt: 35 * http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt: Added. 36 * http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html: Added. 37 * http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt: Added. 38 * http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html: Added. 39 * http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt: Added. 40 * http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html: Added. 41 * http/tests/security/contentSecurityPolicy/script-src-self-expected.txt: 42 * http/tests/security/contentSecurityPolicy/script-src-self.html: 43 * http/tests/security/contentSecurityPolicy/source-list-parsing-expected.txt: 44 * http/tests/security/contentSecurityPolicy/style-blocked-expected.txt: 45 * http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt: 46 * media/csp-blocks-video-expected.txt: 47 1 48 2011-04-20 Andy Estes <aestes@apple.com> 2 49 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt
r81425 r84457 1 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 2 3 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 4 5 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 6 1 7 None of these scripts should execute even though there are parse errors in the policy. 2 8 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt
r84073 r84457 1 CONSOLE MESSAGE: line 1: Refused to evaluate script because of Content-Security-Policy. 2 1 3 ALERT: PASS 2 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt
r84073 r84457 1 CONSOLE MESSAGE: line 1: Refused to evaluate script because of Content-Security-Policy. 2 1 3 ALERT: PASS 2 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked-expected.txt
r83235 r84457 1 CONSOLE MESSAGE: line 1: Refused to load image from 'http://127.0.0.1:8000/security/resources/abe.png' because of Content-Security-Policy. 2 1 3 This test passes if it doesn't alert fail. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt
r83159 r84457 1 CONSOLE MESSAGE: line 1: Refused to execute inline script because of Content-Security-Policy. 2 3 CONSOLE MESSAGE: line 1: Refused to execute inline script because of Content-Security-Policy. 4 1 5 This test passes if it doesn't alert fail. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt
r83205 r84457 1 This test passes if it doesn't alert fail. 1 CONSOLE MESSAGE: line 1: Refused to execute inline script because of Content-Security-Policy. 2 3 CONSOLE MESSAGE: line 1: Refused to execute inline event handler because of Content-Security-Policy. 4 5 This test passes if it doesn't alert fail. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html
r83205 r84457 5 5 <script src="resources/dump-as-text.js"></script> 6 6 </head> 7 <body onload="alert('FAIL 3 of 3')">7 <body onload="alert('FAIL 2 of 2')"> 8 8 This test passes if it doesn't alert fail. 9 9 <script> 10 alert('FAIL 1 of 3');10 alert('FAIL 1 of 2'); 11 11 </script> 12 <iframe src="javascript:alert('FAIL 2 of 3')"></iframe>13 12 </body> 14 13 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html
r84456 r84457 5 5 <script src="resources/dump-as-text.js"></script> 6 6 </head> 7 <body onload="alert('FAIL 3 of 3')">8 7 This test passes if it doesn't alert fail. 9 <script> 10 alert('FAIL 1 of 3'); 11 </script> 12 <iframe src="javascript:alert('FAIL 2 of 3')"></iframe> 8 <iframe src="javascript:alert('FAIL')"></iframe> 13 9 </body> 14 10 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt
r84456 r84457 1 1 ALERT: PASS 2 2 3 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt
r84077 r84457 1 CONSOLE MESSAGE: line 1: Refused to load media from 'http://127.0.0.1:8000/media/video-load-and-stall.cgi?name=../../../media/content/test.mp4&mimeType=video/mp4&stallAt=100000' because of Content-Security-Policy. 2 1 3 END OF TEST 2 4 This test passes if it doesn't alert failure. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt
r78058 r84457 1 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 2 1 3 Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed. 2 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt
r82147 r84457 1 CONSOLE MESSAGE: line 1: Refused to execute inline event handler because of Content-Security-Policy. 2 1 3 2 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt
r82085 r84457 1 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 2 3 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 4 1 5 Loads an iframe which in turns tries to load an external script. The request for the script is redirected to 'localhost'. The iframe has a content security policy disabling external scripts from hosts other than 'localhost'. So the script should be allowed to run. 2 6 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-expected.txt
r83953 r84457 1 1 2 2 3 3 -------- … … 5 5 -------- 6 6 PASS 7 8 --------9 Frame: '<!--framePath //<!--frame1-->-->'10 --------11 PASS12 13 --------14 Frame: '<!--framePath //<!--frame2-->-->'15 --------16 PASS17 18 --------19 Frame: '<!--framePath //<!--frame3-->-->'20 --------21 PASS -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self.html
r83953 r84457 11 11 <body> 12 12 <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=yes&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe> 13 <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://localhost:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>14 <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>15 <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>16 13 </body> 17 14 </html> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-expected.txt
r82028 r84457 1 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 2 3 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 4 5 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 6 7 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 8 9 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 10 11 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 12 13 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 14 15 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 16 17 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 18 1 19 None of these scripts should execute even though there are parse errors in the policy. 2 20 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked-expected.txt
r83235 r84457 1 CONSOLE MESSAGE: line 1: Refused to load style from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/blue.css' because of Content-Security-Policy. 2 1 3 PASS -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt
r83235 r84457 1 CONSOLE MESSAGE: line 1: Refused to load style from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because of Content-Security-Policy. 2 1 3 layer at (0,0) size 800x600 2 4 RenderView at (0,0) size 800x600 -
trunk/LayoutTests/media/csp-blocks-video-expected.txt
r84077 r84457 1 CONSOLE MESSAGE: line 1: Refused to load media from 'test.mp4' because of Content-Security-Policy. 2 1 3 END OF TEST 2 4 This test passes if it doesn't alert failure. -
trunk/Source/WebCore/ChangeLog
r84454 r84457 1 2011-04-20 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 CSP policy violations should log to the console 6 https://bugs.webkit.org/show_bug.cgi?id=58646 7 8 We now log policy violations to the JavaScript console to help 9 developers debug what's going on with their Content-Security-Policy. 10 11 Tests: http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html 12 http/tests/security/contentSecurityPolicy/javascript-url-allowed.html 13 http/tests/security/contentSecurityPolicy/javascript-url-blocked.html 14 http/tests/security/contentSecurityPolicy/object-src-none-allowed.html 15 http/tests/security/contentSecurityPolicy/object-src-none-blocked.html 16 http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html 17 http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html 18 http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html 19 20 * dom/Document.cpp: 21 (WebCore::Document::initSecurityContext): 22 * page/ContentSecurityPolicy.cpp: 23 (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): 24 (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): 25 (WebCore::ContentSecurityPolicy::allowInlineEventHandlers): 26 (WebCore::ContentSecurityPolicy::allowInlineScript): 27 (WebCore::ContentSecurityPolicy::allowEval): 28 (WebCore::ContentSecurityPolicy::allowScriptFromSource): 29 (WebCore::ContentSecurityPolicy::allowObjectFromSource): 30 (WebCore::ContentSecurityPolicy::allowImageFromSource): 31 (WebCore::ContentSecurityPolicy::allowStyleFromSource): 32 (WebCore::ContentSecurityPolicy::allowFontFromSource): 33 (WebCore::ContentSecurityPolicy::allowMediaFromSource): 34 (WebCore::ContentSecurityPolicy::addDirective): 35 * page/ContentSecurityPolicy.h: 36 (WebCore::ContentSecurityPolicy::create): 37 1 38 2011-04-20 Dan Bernstein <mitz@apple.com> 2 39 -
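--- a/trunk/Source/WebCore/dom/Document.cpp
+++ b/trunk/Source/WebCore/dom/Document.cpp
@@ -4417,5 +4417,5 @@
 m_cookieURL = KURL(ParsedURLString, "");
 ScriptExecutionContext::setSecurityOrigin(SecurityOrigin::createEmpty());
-m_contentSecurityPolicy = ContentSecurityPolicy::create( );
+m_contentSecurityPolicy = ContentSecurityPolicy::create(this);
 return;
 }
@@ -4425,5 +4425,5 @@
 m_cookieURL = m_url;
 ScriptExecutionContext::setSecurityOrigin(SecurityOrigin::create(m_url, m_frame->loader()->sandboxFlags()));
-m_contentSecurityPolicy = ContentSecurityPolicy::create( securityOrigin());
+m_contentSecurityPolicy = ContentSecurityPolicy::create(this);
 
 if (SecurityOrigin::allowSubstituteDataAccessToLocal()) {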
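Review bot: The first hunk's branch previously called `create()` with no origin, and now passes `this`, so `addDirective` will resolve `'self'` against the empty origin set by `SecurityOrigin::createEmpty()` on the preceding line rather than against a null origin. That is presumably the safer behaviour (an empty origin should match no source), but it is a behaviour change that the ChangeLog does not call out and the new tests do not obviously cover, so a comment such as `// 'self' resolves against the empty origin set above, so it matches nothing.` would record the intent. initSecurityContext() starts and ends outside the hunk.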
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r84077 r84457 27 27 #include "ContentSecurityPolicy.h" 28 28 29 #include "DOMWindow.h" 29 30 #include "Document.h" 31 #include "Frame.h" 30 32 #include "NotImplemented.h" 31 33 #include "SecurityOrigin.h" 34 #include <wtf/text/StringConcatenate.h> 32 35 33 36 namespace WebCore { … … 460 463 } 461 464 462 ContentSecurityPolicy::ContentSecurityPolicy( SecurityOrigin* origin)465 ContentSecurityPolicy::ContentSecurityPolicy(Document* document) 463 466 : m_havePolicy(false) 464 , m_ origin(origin)467 , m_document(document) 465 468 { 466 469 } … … 479 482 } 480 483 484 void ContentSecurityPolicy::reportViolation(const String& consoleMessage) const 485 { 486 if (Frame* frame = m_document->frame()) 487 frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); 488 } 489 481 490 bool ContentSecurityPolicy::protectAgainstXSS() const 482 491 { … … 486 495 bool ContentSecurityPolicy::allowJavaScriptURLs() const 487 496 { 488 return !protectAgainstXSS(); 497 if (!protectAgainstXSS()) 498 return true; 499 500 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because of Content-Security-Policy.\n")); 501 reportViolation(consoleMessage); 502 return false; 489 503 } 490 504 491 505 bool ContentSecurityPolicy::allowInlineEventHandlers() const 492 506 { 493 return !protectAgainstXSS(); 507 if (!protectAgainstXSS()) 508 return true; 509 510 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because of Content-Security-Policy.\n")); 511 reportViolation(consoleMessage); 512 return false; 494 513 } 495 514 496 515 bool ContentSecurityPolicy::allowInlineScript() const 497 516 { 498 return !protectAgainstXSS(); 517 if (!protectAgainstXSS()) 518 return true; 519 520 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because of Content-Security-Policy.\n")); 521 reportViolation(consoleMessage); 522 return false; 499 523 } 500 524 501 
525 bool ContentSecurityPolicy::allowEval() const 502 526 { 503 return !m_scriptSrc || (m_options && m_options->evalScript()); 527 if (!m_scriptSrc || (m_options && m_options->evalScript())) 528 return true; 529 530 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because of Content-Security-Policy.\n")); 531 reportViolation(consoleMessage); 532 return false; 504 533 } 505 534 506 535 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const 507 536 { 508 return !m_scriptSrc || m_scriptSrc->allows(url); 537 if (!m_scriptSrc || m_scriptSrc->allows(url)) 538 return true; 539 540 reportViolation(makeString("Refused to load script from '", url.string(), "' because of Content-Security-Policy.\n")); 541 return false; 509 542 } 510 543 511 544 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const 512 545 { 513 return !m_objectSrc || m_objectSrc->allows(url); 546 if (!m_objectSrc || m_objectSrc->allows(url)) 547 return true; 548 549 reportViolation(makeString("Refused to load object from '", url.string(), "' because of Content-Security-Policy.\n")); 550 return false; 514 551 } 515 552 516 553 bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const 517 554 { 518 return !m_imgSrc || m_imgSrc->allows(url); 555 if (!m_imgSrc || m_imgSrc->allows(url)) 556 return true; 557 558 reportViolation(makeString("Refused to load image from '", url.string(), "' because of Content-Security-Policy.\n")); 559 return false; 519 560 } 520 561 521 562 bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const 522 563 { 523 return !m_styleSrc || m_styleSrc->allows(url); 564 if (!m_styleSrc || m_styleSrc->allows(url)) 565 return true; 566 567 reportViolation(makeString("Refused to load style from '", url.string(), "' because of Content-Security-Policy.\n")); 568 return false; 524 569 } 525 570 526 571 bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const 527 572 { 528 return !m_fontSrc || 
m_fontSrc->allows(url); 573 if (!m_fontSrc || m_fontSrc->allows(url)) 574 return true; 575 576 reportViolation(makeString("Refused to load font from '", url.string(), "' because of Content-Security-Policy.\n")); 577 return false; 529 578 } 530 579 531 580 bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url) const 532 581 { 533 return !m_mediaSrc || m_mediaSrc->allows(url); 582 if (!m_mediaSrc || m_mediaSrc->allows(url)) 583 return true; 584 585 reportViolation(makeString("Refused to load media from '", url.string(), "' because of Content-Security-Policy.\n")); 586 return false; 534 587 } 535 588 … … 618 671 619 672 if (!m_scriptSrc && equalIgnoringCase(name, scriptSrc)) 620 m_scriptSrc = adoptPtr(new CSPDirective(value, m_ origin.get()));673 m_scriptSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin())); 621 674 else if (!m_objectSrc && equalIgnoringCase(name, objectSrc)) 622 m_objectSrc = adoptPtr(new CSPDirective(value, m_ origin.get()));675 m_objectSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin())); 623 676 else if (!m_imgSrc && equalIgnoringCase(name, imgSrc)) 624 m_imgSrc = adoptPtr(new CSPDirective(value, m_ origin.get()));677 m_imgSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin())); 625 678 else if (!m_styleSrc && equalIgnoringCase(name, styleSrc)) 626 m_styleSrc = adoptPtr(new CSPDirective(value, m_ origin.get()));679 m_styleSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin())); 627 680 else if (!m_fontSrc && equalIgnoringCase(name, fontSrc)) 628 m_fontSrc = adoptPtr(new CSPDirective(value, m_ origin.get()));681 m_fontSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin())); 629 682 else if (!m_mediaSrc && equalIgnoringCase(name, mediaSrc)) 630 m_mediaSrc = adoptPtr(new CSPDirective(value, m_ origin.get()));683 m_mediaSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin())); 631 684 else if (!m_options && equalIgnoringCase(name, options)) 632 685 
m_options = adoptPtr(new CSPOptions(value)); -
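Review bot: reportViolation() hard-codes a line number of 1 and an empty source URL in the addMessage call, so every violation is reported as `line 1` regardless of where it occurred, which is exactly what all the expected outputs in this change show. Report 0 (the value callers use when no location is known) or the real line when the caller has it, and document whichever is chosen with `// Line number and source URL are not available here; do not report a fake location.`. Whether `frame->domWindow()` can return null for a live Frame is not visible in the hunk; if it can, the chained `->console()` call needs a guard. The allow*() methods stay `const` but now emit console output as a side effect, which deserves a one-line note in the header, and the trailing `\n` in each message string produces the blank line after every CONSOLE MESSAGE in the test expectations and looks unnecessary.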
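--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.h
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.h
@@ -34,12 +34,12 @@
 class CSPDirective;
 class CSPOptions;
+class Document;
 class KURL;
-class SecurityOrigin;
 
 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> {
 public:
-static PassRefPtr<ContentSecurityPolicy> create( SecurityOrigin* origin = 0)
+static PassRefPtr<ContentSecurityPolicy> create(Document* document)
 {
-return adoptRef(new ContentSecurityPolicy( origin));
+return adoptRef(new ContentSecurityPolicy(document));
 }
 ~ContentSecurityPolicy();
@@ -60,5 +60,5 @@
 
 private:
-explicit ContentSecurityPolicy( SecurityOrigin*);
+explicit ContentSecurityPolicy(Document*);
 
 bool protectAgainstXSS() const;
@@ -68,6 +68,8 @@
 void addDirective(const String& name, const String& value);
 
+void reportViolation(const String& consoleMessage) const;
+
 bool m_havePolicy;
-RefPtr<SecurityOrigin> m_origin;
+Document* m_document;
 OwnPtr<CSPDirective> m_scriptSrc;
 OwnPtr<CSPDirective> m_objectSrc;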
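Review bot: `m_document` replaces a `RefPtr<SecurityOrigin>` with a raw back-pointer, while ContentSecurityPolicy is RefCounted and can therefore be kept alive by another RefPtr after its Document is gone, leaving `reportViolation()` and `addDirective()` to dereference a dangling pointer. Document.cpp in this change stores the policy in a Document member, so the lifetime holds for that owner, but the constraint belongs on the member: `Document* m_document; // Not owned. The Document owns this policy and must outlive it.`. The same remark applies to the `Document*` constructor and `create()` parameters, which also no longer accept a null argument the way the old defaulted `origin = 0` did.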