Changeset 84460 in webkit
- Timestamp: Apr 20, 2011 8:21:20 PM (13 years ago)
- Location: trunk
- Files: 6 added, 5 edited
trunk/LayoutTests/ChangeLog
r84458 r84460 1 2011-04-20 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 CSP frame-src is missing 6 https://bugs.webkit.org/show_bug.cgi?id=58643 7 8 Tests the basic functionality of frame-src. 9 10 * http/tests/security/contentSecurityPolicy/frame-src-allowed-expected.txt: Added. 11 * http/tests/security/contentSecurityPolicy/frame-src-allowed.html: Added. 12 * http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt: Added. 13 * http/tests/security/contentSecurityPolicy/frame-src-blocked.html: Added. 14 * http/tests/security/contentSecurityPolicy/resources/alert-fail.html: Added. 15 * http/tests/security/contentSecurityPolicy/resources/alert-pass.html: Added. 16 1 17 2011-04-20 Dirk Pranke <dpranke@chromium.org> 2 18 -
trunk/Source/WebCore/ChangeLog
r84459 r84460 1 2011-04-20 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 CSP frame-src is missing 6 https://bugs.webkit.org/show_bug.cgi?id=58643 7 8 This is a first cut at an implementation of frame-src. There are a 9 couple things that will need to be improved: 10 11 1) I don't think we're handling in-frame navigation properly. This 12 patch only covers setting the src attribute of the frame, but I 13 think the intent of the spec is to cover navigation as well. 14 15 2) The console message is printed twice, once when we try to load the 16 frame and again when we attach the frame to the render tree. 17 18 I'll file bugs about these issues (blocking 19 https://bugs.webkit.org/show_bug.cgi?id=53572) once this patch lands. 20 21 Tests: http/tests/security/contentSecurityPolicy/frame-src-allowed.html 22 http/tests/security/contentSecurityPolicy/frame-src-blocked.html 23 24 * html/HTMLFrameElementBase.cpp: 25 (WebCore::HTMLFrameElementBase::isURLAllowed): 26 * page/ContentSecurityPolicy.cpp: 27 (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): 28 (WebCore::ContentSecurityPolicy::addDirective): 29 * page/ContentSecurityPolicy.h: 30 1 31 2011-04-20 Jia Pu <jpu@apple.com> 2 32 -
trunk/Source/WebCore/html/HTMLFrameElementBase.cpp
r81038 r84460 26 26 27 27 #include "Attribute.h" 28 #include "ContentSecurityPolicy.h" 28 29 #include "Document.h" 29 30 #include "EventNames.h" … … 76 77 return false; 77 78 } 79 80 // FIXME: Currently the spec is ambiguous as to whether we should check 81 // the Content-Security-Policy of the parent frame or the requester. 82 // We're using the parent frame for now, but we might have to change 83 // this if the spec changes. 84 if (!document()->contentSecurityPolicy()->allowChildFrameFromSource(completeURL)) 85 return false; 78 86 79 87 // We allow one level of self-reference because some sites depend on that. -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r84457 r84460 551 551 } 552 552 553 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url) const 554 { 555 if (!m_frameSrc || m_frameSrc->allows(url)) 556 return true; 557 558 reportViolation(makeString("Refused to load frame from '", url.string(), "' because of Content-Security-Policy.\n")); 559 return false; 560 } 561 553 562 bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const 554 563 { … … 662 671 DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src")); 663 672 DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src")); 673 DEFINE_STATIC_LOCAL(String, frameSrc, ("frame-src")); 664 674 DEFINE_STATIC_LOCAL(String, imgSrc, ("img-src")); 665 675 DEFINE_STATIC_LOCAL(String, styleSrc, ("style-src")); … … 674 684 else if (!m_objectSrc && equalIgnoringCase(name, objectSrc)) 675 685 m_objectSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin())); 686 else if (!m_frameSrc && equalIgnoringCase(name, frameSrc)) 687 m_frameSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin())); 676 688 else if (!m_imgSrc && equalIgnoringCase(name, imgSrc)) 677 689 m_imgSrc = adoptPtr(new CSPDirective(value, m_document->securityOrigin())); -
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r84457 r84460 54 54 bool allowScriptFromSource(const KURL&) const; 55 55 bool allowObjectFromSource(const KURL&) const; 56 bool allowChildFrameFromSource(const KURL&) const; 56 57 bool allowImageFromSource(const KURL&) const; 57 58 bool allowStyleFromSource(const KURL&) const; … … 74 75 OwnPtr<CSPDirective> m_scriptSrc; 75 76 OwnPtr<CSPDirective> m_objectSrc; 77 OwnPtr<CSPDirective> m_frameSrc; 76 78 OwnPtr<CSPDirective> m_imgSrc; 77 79 OwnPtr<CSPDirective> m_styleSrc;
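Review bot: in trunk/Source/WebCore/html/HTMLFrameElementBase.cpp, the new frame-src check sits only in HTMLFrameElementBase::isURLAllowed, so it is enforced when the frame's src is set but not when the frame later navigates, which the ChangeLog lists as open item 1. The FIXME above the check records only the parent-versus-requester ambiguity; extend it to mention the navigation gap and point at the follow-up bug once it is filed, so a reader of this file does not take frame-src enforcement as complete. The call also dereferences document()->contentSecurityPolicy() with no null check; if that accessor can ever return null, guard it here.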
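Review bot: in trunk/Source/WebCore/page/ContentSecurityPolicy.cpp, allowChildFrameFromSource calls reportViolation on every denied query, which ties in with ChangeLog item 2: the console message is printed once when the frame load is attempted and again when the frame is attached to the render tree. Consider separating the allow/deny decision from the reporting, for example by letting the caller say whether this query should report, so that one blocked frame produces one message. The early return on `!m_frameSrc` also allows every frame when no frame-src directive was parsed; a one-line comment stating that this is the intended behaviour would help the next reader.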
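Review bot: in the addDirective hunk of trunk/Source/WebCore/page/ContentSecurityPolicy.cpp, the `!m_frameSrc &&` guard means the first frame-src directive wins and a repeated one does not replace it. That matches the neighbouring script-src, object-src and img-src branches, but the LayoutTests ChangeLog says the new tests cover only the basic functionality; add a test with a duplicate frame-src directive and one with a mixed-case directive name to exercise the equalIgnoringCase comparison.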