Changeset 84460 in webkit

Timestamp:

Apr 20, 2011 8:21:20 PM (13 years ago)

Author:

abarth@webkit.org

Message:

2011-04-20 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

CSP frame-src is missing
​https://bugs.webkit.org/show_bug.cgi?id=58643

Tests the basic functionality of frame-src.

• http/tests/security/contentSecurityPolicy/frame-src-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/frame-src-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/frame-src-blocked.html: Added.
• http/tests/security/contentSecurityPolicy/resources/alert-fail.html: Added.
• http/tests/security/contentSecurityPolicy/resources/alert-pass.html: Added.

2011-04-20 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

CSP frame-src is missing
​https://bugs.webkit.org/show_bug.cgi?id=58643

This is a first cut at an implementation of frame-src. There are a
couple things that will need to be improved:

1) I don't think we're handling in-frame navigation properly. This

patch only covers setting the src attribute of the frame, but I
think the intent of the spec is to cover navigation as well.

2) The console message is printed twice, once when we try to load the

frame and again when we attach the frame to the render tree.

I'll file bugs about these issues (blocking
​https://bugs.webkit.org/show_bug.cgi?id=53572) once this patch lands.

Tests: http/tests/security/contentSecurityPolicy/frame-src-allowed.html

http/tests/security/contentSecurityPolicy/frame-src-blocked.html

• html/HTMLFrameElementBase.cpp: (WebCore::HTMLFrameElementBase::isURLAllowed):
• page/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): (WebCore::ContentSecurityPolicy::addDirective):
• page/ContentSecurityPolicy.h:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/HTMLFrameElementBase.cpp (modified) (2 diffs)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (3 diffs)
• Source/WebCore/page/ContentSecurityPolicy.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-04-20  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        CSP frame-src is missing
+        https://bugs.webkit.org/show_bug.cgi?id=58643
+
+        Tests the basic functionality of frame-src.
+
+        * http/tests/security/contentSecurityPolicy/frame-src-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/frame-src-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/frame-src-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/alert-fail.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/alert-pass.html: Added.
+
 2011-04-20  Dirk Pranke  <dpranke@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-04-20  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        CSP frame-src is missing
+        https://bugs.webkit.org/show_bug.cgi?id=58643
+
+        This is a first cut at an implementation of frame-src.  There are a
+        couple things that will need to be improved:
+
+          1) I don't think we're handling in-frame navigation properly.  This
+             patch only covers setting the src attribute of the frame, but I
+             think the intent of the spec is to cover navigation as well.
+
+          2) The console message is printed twice, once when we try to load the
+             frame and again when we attach the frame to the render tree.
+
+        I'll file bugs about these issues (blocking
+        https://bugs.webkit.org/show_bug.cgi?id=53572) once this patch lands.
+
+        Tests: http/tests/security/contentSecurityPolicy/frame-src-allowed.html
+               http/tests/security/contentSecurityPolicy/frame-src-blocked.html
+
+        * html/HTMLFrameElementBase.cpp:
+        (WebCore::HTMLFrameElementBase::isURLAllowed):
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource):
+        (WebCore::ContentSecurityPolicy::addDirective):
+        * page/ContentSecurityPolicy.h:
+
 2011-04-20  Jia Pu  <jpu@apple.com>
 

trunk/Source/WebCore/html/HTMLFrameElementBase.cpp

@@ -26 +26 @@
 
 #include "Attribute.h"
+#include "ContentSecurityPolicy.h"
 #include "Document.h"
 #include "EventNames.h"
@@ -76 +77 @@
             return false;
     }
+
+    // FIXME: Currently the spec is ambiguous as to whether we should check
+    // the Content-Security-Policy of the parent frame or the requester.
+    // We're using the parent frame for now, but we might have to change
+    // this if the spec changes.
+    if (!document()->contentSecurityPolicy()->allowChildFrameFromSource(completeURL))
+        return false;
 
     // We allow one level of self-reference because some sites depend on that.

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -551 +551 @@
 }
 
+bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url) const
+{
+    if (!m_frameSrc || m_frameSrc->allows(url))
+        return true;
+
+    reportViolation(makeString("Refused to load frame from '", url.string(), "' because of Content-Security-Policy.\n"));
+    return false;
+}
+
 bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const
 {
@@ -662 +671 @@
     DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
     DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src"));
+    DEFINE_STATIC_LOCAL(String, frameSrc, ("frame-src"));
     DEFINE_STATIC_LOCAL(String, imgSrc, ("img-src"));
     DEFINE_STATIC_LOCAL(String, styleSrc, ("style-src"));
@@ -674 +684 @@
     else if (!m_objectSrc && equalIgnoringCase(name, objectSrc))
         m_objectSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin()));
+    else if (!m_frameSrc && equalIgnoringCase(name, frameSrc))
+        m_frameSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin()));
     else if (!m_imgSrc && equalIgnoringCase(name, imgSrc))
         m_imgSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin()));

trunk/Source/WebCore/page/ContentSecurityPolicy.h

@@ -54 +54 @@
     bool allowScriptFromSource(const KURL&) const;
     bool allowObjectFromSource(const KURL&) const;
+    bool allowChildFrameFromSource(const KURL&) const;
     bool allowImageFromSource(const KURL&) const;
     bool allowStyleFromSource(const KURL&) const;
@@ -74 +75 @@
     OwnPtr<CSPDirective> m_scriptSrc;
     OwnPtr<CSPDirective> m_objectSrc;
+    OwnPtr<CSPDirective> m_frameSrc;
     OwnPtr<CSPDirective> m_imgSrc;
     OwnPtr<CSPDirective> m_styleSrc;