Changeset 84457 in webkit


Timestamp:
Apr 20, 2011 7:33:55 PM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-04-20 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP policy violations should log to the console
https://bugs.webkit.org/show_bug.cgi?id=58646

Now with console messages. I had to split a bunch of these tests into
smaller pieces to avoid race conditions in the new test output.

  • http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt:
  • http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/image-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html:
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html.
  • http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt.
  • http/tests/security/contentSecurityPolicy/javascript-url-allowed.html: Added.
  • http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/javascript-url-blocked.html: Added.
  • http/tests/security/contentSecurityPolicy/javascript-url-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/javascript-url.html: Removed.
  • http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/object-src-none-allowed-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none.html.
  • http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none.html.
  • http/tests/security/contentSecurityPolicy/object-src-none-expected.txt: Removed.
  • http/tests/security/contentSecurityPolicy/script-src-none-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html: Added.
  • http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html: Added.
  • http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html: Added.
  • http/tests/security/contentSecurityPolicy/script-src-self-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-self.html:
  • http/tests/security/contentSecurityPolicy/source-list-parsing-expected.txt:
  • http/tests/security/contentSecurityPolicy/style-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt:
  • media/csp-blocks-video-expected.txt:

2011-04-20 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP policy violations should log to the console
https://bugs.webkit.org/show_bug.cgi?id=58646

We now log policy violations to the JavaScript console to help
developers debug what's going on with their Content-Security-Policy.

Tests: http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html
http/tests/security/contentSecurityPolicy/javascript-url-allowed.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked.html
http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
http/tests/security/contentSecurityPolicy/object-src-none-blocked.html
http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html
http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html
http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html

  • dom/Document.cpp: (WebCore::Document::initSecurityContext):
  • page/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): (WebCore::ContentSecurityPolicy::allowInlineEventHandlers): (WebCore::ContentSecurityPolicy::allowInlineScript): (WebCore::ContentSecurityPolicy::allowEval): (WebCore::ContentSecurityPolicy::allowScriptFromSource): (WebCore::ContentSecurityPolicy::allowObjectFromSource): (WebCore::ContentSecurityPolicy::allowImageFromSource): (WebCore::ContentSecurityPolicy::allowStyleFromSource): (WebCore::ContentSecurityPolicy::allowFontFromSource): (WebCore::ContentSecurityPolicy::allowMediaFromSource): (WebCore::ContentSecurityPolicy::addDirective):
  • page/ContentSecurityPolicy.h: (WebCore::ContentSecurityPolicy::create):
Location:
trunk
Files:
12 added
4 deleted
22 edited
2 copied

  • trunk/LayoutTests/ChangeLog

    r84456 r84457  
     12011-04-20  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        CSP policy violations should log to the console
     6        https://bugs.webkit.org/show_bug.cgi?id=58646
     7
     8        Now with console messages.  I had to split a bunch of these tests into
     9        smaller pieces to avoid race conditions in the new test output.
     10
     11        * http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt:
     12        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt:
     13        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt:
     14        * http/tests/security/contentSecurityPolicy/image-blocked-expected.txt:
     15        * http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
     16        * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
     17        * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html:
     18        * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt: Added.
     19        * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html.
     20        * http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt.
     21        * http/tests/security/contentSecurityPolicy/javascript-url-allowed.html: Added.
     22        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt: Added.
     23        * http/tests/security/contentSecurityPolicy/javascript-url-blocked.html: Added.
     24        * http/tests/security/contentSecurityPolicy/javascript-url-expected.txt: Removed.
     25        * http/tests/security/contentSecurityPolicy/javascript-url.html: Removed.
     26        * http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt:
     27        * http/tests/security/contentSecurityPolicy/object-src-none-allowed-expected.txt: Added.
     28        * http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none.html.
     29        * http/tests/security/contentSecurityPolicy/object-src-none-blocked-expected.txt: Added.
     30        * http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none.html.
     31        * http/tests/security/contentSecurityPolicy/object-src-none-expected.txt: Removed.
     32        * http/tests/security/contentSecurityPolicy/script-src-none-expected.txt:
     33        * http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
     34        * http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt:
     35        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-01-expected.txt: Added.
     36        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html: Added.
     37        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-02-expected.txt: Added.
     38        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html: Added.
     39        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-03-expected.txt: Added.
     40        * http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html: Added.
     41        * http/tests/security/contentSecurityPolicy/script-src-self-expected.txt:
     42        * http/tests/security/contentSecurityPolicy/script-src-self.html:
     43        * http/tests/security/contentSecurityPolicy/source-list-parsing-expected.txt:
     44        * http/tests/security/contentSecurityPolicy/style-blocked-expected.txt:
     45        * http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt:
     46        * media/csp-blocks-video-expected.txt:
     47
    1482011-04-20  Andy Estes  <aestes@apple.com>
    249
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt

    r81425 r84457  
     1CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     2
     3CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     4
     5CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     6
    17None of these scripts should execute even though there are parse errors in the policy.
    28
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked-expected.txt

    r84073 r84457  
     1CONSOLE MESSAGE: line 1: Refused to evaluate script because of Content-Security-Policy.
     2
    13ALERT: PASS
    24
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked-expected.txt

    r84073 r84457  
     1CONSOLE MESSAGE: line 1: Refused to evaluate script because of Content-Security-Policy.
     2
    13ALERT: PASS
    24
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked-expected.txt

    r83235 r84457  
     1CONSOLE MESSAGE: line 1: Refused to load image from 'http://127.0.0.1:8000/security/resources/abe.png' because of Content-Security-Policy.
     2
    13This test passes if it doesn't alert fail.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt

    r83159 r84457  
     1CONSOLE MESSAGE: line 1: Refused to execute inline script because of Content-Security-Policy.
     2
     3CONSOLE MESSAGE: line 1: Refused to execute inline script because of Content-Security-Policy.
     4
    15This test passes if it doesn't alert fail.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt

    r83205 r84457  
    1 This test passes if it doesn't alert fail. 
     1CONSOLE MESSAGE: line 1: Refused to execute inline script because of Content-Security-Policy.
     2
     3CONSOLE MESSAGE: line 1: Refused to execute inline event handler because of Content-Security-Policy.
     4
     5This test passes if it doesn't alert fail.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html

    r83205 r84457  
    55<script src="resources/dump-as-text.js"></script>
    66</head>
    7 <body onload="alert('FAIL 3 of 3')">
     7<body onload="alert('FAIL 2 of 2')">
    88This test passes if it doesn't alert fail.
    99<script>
    10 alert('FAIL 1 of 3');
     10alert('FAIL 1 of 2');
    1111</script>
    12 <iframe src="javascript:alert('FAIL 2 of 3')"></iframe>
    1312</body>
    1413</html>
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html

    r84456 r84457  
    55<script src="resources/dump-as-text.js"></script>
    66</head>
    7 <body onload="alert('FAIL 3 of 3')">
    87This test passes if it doesn't alert fail.
    9 <script>
    10 alert('FAIL 1 of 3');
    11 </script>
    12 <iframe src="javascript:alert('FAIL 2 of 3')"></iframe>
     8<iframe src="javascript:alert('FAIL')"></iframe>
    139</body>
    1410</html>
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt

    r84456 r84457  
    11ALERT: PASS
    22
    3 
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-blocked-expected.txt

    r84077 r84457  
     1CONSOLE MESSAGE: line 1: Refused to load media from 'http://127.0.0.1:8000/media/video-load-and-stall.cgi?name=../../../media/content/test.mp4&mimeType=video/mp4&stallAt=100000' because of Content-Security-Policy.
     2
    13END OF TEST
    24This test passes if it doesn't alert failure.
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt

    r78058 r84457  
     1CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     2
    13Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.
    24
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt

    r82147 r84457  
     1CONSOLE MESSAGE: line 1: Refused to execute inline event handler because of Content-Security-Policy.
     2
    13 
    24
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-redirect-expected.txt

    r82085 r84457  
     1CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     2
     3CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     4
    15Loads an iframe which in turns tries to load an external script. The request for the script is redirected to 'localhost'. The iframe has a content security policy disabling external scripts from hosts other than 'localhost'. So the script should be allowed to run.
    26
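Review bot: The updated expectation in script-src-redirect-expected.txt now records two "Refused to load script" messages for the redir.php URL on 127.0.0.1, while the description on the last content line still says the script "should be allowed to run". Either the description is stale or the redirect case is being refused when it should not be. Please state in the test which outcome is intended, and give it an explicit PASS/FAIL marker so the result does not have to be inferred from the console lines.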
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self-expected.txt

    r83953 r84457  
    1      
     1
    22
    33--------
     
    55--------
    66PASS
    7 
    8 --------
    9 Frame: '<!--framePath //<!--frame1-->-->'
    10 --------
    11 PASS
    12 
    13 --------
    14 Frame: '<!--framePath //<!--frame2-->-->'
    15 --------
    16 PASS
    17 
    18 --------
    19 Frame: '<!--framePath //<!--frame3-->-->'
    20 --------
    21 PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-self.html

    r83953 r84457  
    1111<body>
    1212  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=yes&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
    13   <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://localhost:8000/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
    14   <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://127.0.0.1:8080/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
    15   <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js&csp=script-src%20'self'"></iframe>
    1613</body>
    1714</html>
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-expected.txt

    r82028 r84457  
     1CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     2
     3CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     4
     5CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     6
     7CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     8
     9CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     10
     11CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     12
     13CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     14
     15CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     16
     17CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
     18
    119None of these scripts should execute even though there are parse errors in the policy.
    220
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked-expected.txt

    r83235 r84457  
     1CONSOLE MESSAGE: line 1: Refused to load style from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/blue.css' because of Content-Security-Policy.
     2
    13PASS
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt

    r83235 r84457  
     1CONSOLE MESSAGE: line 1: Refused to load style from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because of Content-Security-Policy.
     2
    13layer at (0,0) size 800x600
    24  RenderView at (0,0) size 800x600
  • trunk/LayoutTests/media/csp-blocks-video-expected.txt

    r84077 r84457  
     1CONSOLE MESSAGE: line 1: Refused to load media from 'test.mp4' because of Content-Security-Policy.
     2
    13END OF TEST
    24This test passes if it doesn't alert failure.
  • trunk/Source/WebCore/ChangeLog

    r84454 r84457  
     12011-04-20  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        CSP policy violations should log to the console
     6        https://bugs.webkit.org/show_bug.cgi?id=58646
     7
     8        We now log policy violations to the JavaScript console to help
     9        developers debug what's going on with their Content-Security-Policy.
     10
     11        Tests: http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html
     12               http/tests/security/contentSecurityPolicy/javascript-url-allowed.html
     13               http/tests/security/contentSecurityPolicy/javascript-url-blocked.html
     14               http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
     15               http/tests/security/contentSecurityPolicy/object-src-none-blocked.html
     16               http/tests/security/contentSecurityPolicy/script-src-self-blocked-01.html
     17               http/tests/security/contentSecurityPolicy/script-src-self-blocked-02.html
     18               http/tests/security/contentSecurityPolicy/script-src-self-blocked-03.html
     19
     20        * dom/Document.cpp:
     21        (WebCore::Document::initSecurityContext):
     22        * page/ContentSecurityPolicy.cpp:
     23        (WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
     24        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
     25        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
     26        (WebCore::ContentSecurityPolicy::allowInlineScript):
     27        (WebCore::ContentSecurityPolicy::allowEval):
     28        (WebCore::ContentSecurityPolicy::allowScriptFromSource):
     29        (WebCore::ContentSecurityPolicy::allowObjectFromSource):
     30        (WebCore::ContentSecurityPolicy::allowImageFromSource):
     31        (WebCore::ContentSecurityPolicy::allowStyleFromSource):
     32        (WebCore::ContentSecurityPolicy::allowFontFromSource):
     33        (WebCore::ContentSecurityPolicy::allowMediaFromSource):
     34        (WebCore::ContentSecurityPolicy::addDirective):
     35        * page/ContentSecurityPolicy.h:
     36        (WebCore::ContentSecurityPolicy::create):
     37
    1382011-04-20  Dan Bernstein  <mitz@apple.com>
    239
  • trunk/Source/WebCore/dom/Document.cpp

    r84394 r84457  
    44174417        m_cookieURL = KURL(ParsedURLString, "");
    44184418        ScriptExecutionContext::setSecurityOrigin(SecurityOrigin::createEmpty());
    4419         m_contentSecurityPolicy = ContentSecurityPolicy::create();
     4419        m_contentSecurityPolicy = ContentSecurityPolicy::create(this);
    44204420        return;
    44214421    }
     
    44254425    m_cookieURL = m_url;
    44264426    ScriptExecutionContext::setSecurityOrigin(SecurityOrigin::create(m_url, m_frame->loader()->sandboxFlags()));
    4427     m_contentSecurityPolicy = ContentSecurityPolicy::create(securityOrigin());
     4427    m_contentSecurityPolicy = ContentSecurityPolicy::create(this);
    44284428
    44294429    if (SecurityOrigin::allowSubstituteDataAccessToLocal()) {
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r84077 r84457  
    2727#include "ContentSecurityPolicy.h"
    2828
     29#include "DOMWindow.h"
    2930#include "Document.h"
     31#include "Frame.h"
    3032#include "NotImplemented.h"
    3133#include "SecurityOrigin.h"
     34#include <wtf/text/StringConcatenate.h>
    3235
    3336namespace WebCore {
     
    460463}
    461464
    462 ContentSecurityPolicy::ContentSecurityPolicy(SecurityOrigin* origin)
     465ContentSecurityPolicy::ContentSecurityPolicy(Document* document)
    463466    : m_havePolicy(false)
    464     , m_origin(origin)
     467    , m_document(document)
    465468{
    466469}
     
    479482}
    480483
     484void ContentSecurityPolicy::reportViolation(const String& consoleMessage) const
     485{
     486    if (Frame* frame = m_document->frame())
     487        frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
     488}
     489
    481490bool ContentSecurityPolicy::protectAgainstXSS() const
    482491{
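Review bot: In reportViolation, the addMessage call passes a literal 1 as the line number and an empty String() as the source URL, so every violation is logged as "line 1" with no file, which is exactly what all the updated expectations show. For a change whose purpose is to help developers debug their policy, that loses the one thing they need most; consider passing the document URL and, where the caller knows it, the real line number. Separately, m_document->frame() is null-checked but frame->domWindow() is dereferenced unchecked; check both or add a comment saying why domWindow() cannot be null here.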
     
    486495bool ContentSecurityPolicy::allowJavaScriptURLs() const
    487496{
    488     return !protectAgainstXSS();
     497    if (!protectAgainstXSS())
     498        return true;
     499
     500    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because of Content-Security-Policy.\n"));
     501    reportViolation(consoleMessage);
     502    return false;
    489503}
    490504
    491505bool ContentSecurityPolicy::allowInlineEventHandlers() const
    492506{
    493     return !protectAgainstXSS();
     507    if (!protectAgainstXSS())
     508        return true;
     509
     510    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because of Content-Security-Policy.\n"));
     511    reportViolation(consoleMessage);
     512    return false;
    494513}
    495514
    496515bool ContentSecurityPolicy::allowInlineScript() const
    497516{
    498     return !protectAgainstXSS();
     517    if (!protectAgainstXSS())
     518        return true;
     519
     520    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because of Content-Security-Policy.\n"));
     521    reportViolation(consoleMessage);
     522    return false;
    499523}
    500524
    501525bool ContentSecurityPolicy::allowEval() const
    502526{
    503     return !m_scriptSrc || (m_options && m_options->evalScript());
     527    if (!m_scriptSrc || (m_options && m_options->evalScript()))
     528        return true;
     529
     530    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because of Content-Security-Policy.\n"));
     531    reportViolation(consoleMessage);
     532    return false;
    504533}
    505534
    506535bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const
    507536{
    508     return !m_scriptSrc || m_scriptSrc->allows(url);
     537    if (!m_scriptSrc || m_scriptSrc->allows(url))
     538        return true;
     539
     540    reportViolation(makeString("Refused to load script from '", url.string(), "' because of Content-Security-Policy.\n"));
     541    return false;
    509542}
    510543
    511544bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const
    512545{
    513     return !m_objectSrc || m_objectSrc->allows(url);
     546    if (!m_objectSrc || m_objectSrc->allows(url))
     547        return true;
     548
     549    reportViolation(makeString("Refused to load object from '", url.string(), "' because of Content-Security-Policy.\n"));
     550    return false;
    514551}
    515552
    516553bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const
    517554{
    518     return !m_imgSrc || m_imgSrc->allows(url);
     555    if (!m_imgSrc || m_imgSrc->allows(url))
     556        return true;
     557
     558    reportViolation(makeString("Refused to load image from '", url.string(), "' because of Content-Security-Policy.\n"));
     559    return false;
    519560}
    520561
    521562bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const
    522563{
    523     return !m_styleSrc || m_styleSrc->allows(url);
     564    if (!m_styleSrc || m_styleSrc->allows(url))
     565        return true;
     566
     567    reportViolation(makeString("Refused to load style from '", url.string(), "' because of Content-Security-Policy.\n"));
     568    return false;
    524569}
    525570
    526571bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const
    527572{
    528     return !m_fontSrc || m_fontSrc->allows(url);
     573    if (!m_fontSrc || m_fontSrc->allows(url))
     574        return true;
     575
     576    reportViolation(makeString("Refused to load font from '", url.string(), "' because of Content-Security-Policy.\n"));
     577    return false;
    529578}
    530579
    531580bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url) const
    532581{
    533     return !m_mediaSrc || m_mediaSrc->allows(url);
     582    if (!m_mediaSrc || m_mediaSrc->allows(url))
     583        return true;
     584
     585    reportViolation(makeString("Refused to load media from '", url.string(), "' because of Content-Security-Policy.\n"));
     586    return false;
    534587}
    535588
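Review bot: Every message string in the allow* functions ends with a literal "\n", which is why each CONSOLE MESSAGE line in the updated expectations is followed by an empty line; drop the trailing newline and leave line handling to the console. The six allow*FromSource functions also differ only in the directive member and one word of the message, and none of the messages names the directive that refused the load. A small helper taking the directive, a type label and the URL would remove the duplication and let the text say which directive was violated, which matters in tests such as directive-parsing where several identical lines are logged.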
     
    618671
    619672    if (!m_scriptSrc && equalIgnoringCase(name, scriptSrc))
    620         m_scriptSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
     673        m_scriptSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin()));
    621674    else if (!m_objectSrc && equalIgnoringCase(name, objectSrc))
    622         m_objectSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
     675        m_objectSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin()));
    623676    else if (!m_imgSrc && equalIgnoringCase(name, imgSrc))
    624         m_imgSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
     677        m_imgSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin()));
    625678    else if (!m_styleSrc && equalIgnoringCase(name, styleSrc))
    626         m_styleSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
     679        m_styleSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin()));
    627680    else if (!m_fontSrc && equalIgnoringCase(name, fontSrc))
    628         m_fontSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
     681        m_fontSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin()));
    629682    else if (!m_mediaSrc && equalIgnoringCase(name, mediaSrc))
    630         m_mediaSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
     683        m_mediaSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin()));
    631684    else if (!m_options && equalIgnoringCase(name, options))
    632685        m_options = adoptPtr(new CSPOptions(value));
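Review bot: addDirective now reads m_document->securityOrigin() each time a directive is added, where the old code used the origin captured at construction in m_origin. Two behaviours change as a result, both visible in this patch: the early-return path in Document::initSecurityContext used to call create() with the default null origin and now gives CSPDirective the document's empty origin, and the origin used is whatever the document has when the directive is parsed rather than when the policy was created. If both are intended, a short comment here would help the next reader; if not, capture the origin once in the constructor.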
  • trunk/Source/WebCore/page/ContentSecurityPolicy.h

    r84077 r84457  
    3434class CSPDirective;
    3535class CSPOptions;
     36class Document;
    3637class KURL;
    37 class SecurityOrigin;
    3838
    3939class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> {
    4040public:
    41     static PassRefPtr<ContentSecurityPolicy> create(SecurityOrigin* origin = 0)
     41    static PassRefPtr<ContentSecurityPolicy> create(Document* document)
    4242    {
    43         return adoptRef(new ContentSecurityPolicy(origin));
     43        return adoptRef(new ContentSecurityPolicy(document));
    4444    }
    4545    ~ContentSecurityPolicy();
     
    6060
    6161private:
    62     explicit ContentSecurityPolicy(SecurityOrigin*);
     62    explicit ContentSecurityPolicy(Document*);
    6363
    6464    bool protectAgainstXSS() const;
     
    6868    void addDirective(const String& name, const String& value);
    6969
     70    void reportViolation(const String& consoleMessage) const;
     71
    7072    bool m_havePolicy;
    71     RefPtr<SecurityOrigin> m_origin;
     73    Document* m_document;
    7274    OwnPtr<CSPDirective> m_scriptSrc;
    7375    OwnPtr<CSPDirective> m_objectSrc;
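Review bot: m_document is a raw Document* held by a RefCounted object, replacing a RefPtr<SecurityOrigin>, and nothing in this patch clears it, while reportViolation and addDirective both dereference it unconditionally. If any other holder can keep the ContentSecurityPolicy alive past its Document, those calls read freed memory. Please either document that the Document strictly outlives the policy, or add a way to null the pointer on Document teardown and check it before use. Removing the default argument from create() is the right call, since a null document would crash in the same places.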