Changeset 84681 in webkit


Timestamp:
Apr 22, 2011 2:20:12 PM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-04-22 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP frame-src is missing
https://bugs.webkit.org/show_bug.cgi?id=58643

Update expected result to show that this test is passing now.

  • http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt:

2011-04-22 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP frame-src is missing
https://bugs.webkit.org/show_bug.cgi?id=58643

In this patch, I've audited all the callers to
SecurityOrigin::canDisplay to make sure they all call the appropriate
Content-Security-Policy method as well. I'm not sure how to test all
these cases, but making these changes fixed the frame-src test.

  • loader/SubframeLoader.cpp: (WebCore::SubframeLoader::loadMediaPlayerProxyPlugin): (WebCore::SubframeLoader::createJavaAppletWidget): (WebCore::SubframeLoader::loadSubframe): (WebCore::SubframeLoader::loadPlugin):
  • loader/SubresourceLoader.cpp: (WebCore::SubresourceLoader::create):
  • loader/cache/CachedResourceLoader.cpp: (WebCore::CachedResourceLoader::canRequest): (WebCore::CachedResourceLoader::requestResource):
    • While I was understanding this code, I fixed the FIXME here.
  • loader/cache/CachedResourceLoader.h:
Location:
trunk
Files:
7 edited

  • trunk/LayoutTests/ChangeLog

    r84678 r84681  
     12011-04-22  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        CSP frame-src is missing
     6        https://bugs.webkit.org/show_bug.cgi?id=58643
     7
     8        Update expected result to show that this test is passing now.
     9
     10        * http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt:
     11
    1122011-04-22  Levi Weintraub  <leviw@chromium.org>
    213
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt

    r84506 r84681  
    1 ALERT: FAIL
     1CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy.
    22
     3
  • trunk/Source/WebCore/ChangeLog

    r84680 r84681  
     12011-04-22  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        CSP frame-src is missing
     6        https://bugs.webkit.org/show_bug.cgi?id=58643
     7
     8        In this patch, I've audited all the callers to
     9        SecurityOrigin::canDisplay to make sure they all the appropriate
     10        Content-Security-Policy method as well.  I'm not sure how to test all
     11        these cases, but making this changes fixed the frame-src test.
     12
     13        * loader/SubframeLoader.cpp:
     14        (WebCore::SubframeLoader::loadMediaPlayerProxyPlugin):
     15        (WebCore::SubframeLoader::createJavaAppletWidget):
     16        (WebCore::SubframeLoader::loadSubframe):
     17        (WebCore::SubframeLoader::loadPlugin):
     18        * loader/SubresourceLoader.cpp:
     19        (WebCore::SubresourceLoader::create):
     20        * loader/cache/CachedResourceLoader.cpp:
     21        (WebCore::CachedResourceLoader::canRequest):
     22        (WebCore::CachedResourceLoader::requestResource):
     23            - While I was understanding this code, I fixed the FIXME here.
     24        * loader/cache/CachedResourceLoader.h:
     25
    1262011-04-22  Adrienne Walker  <enne@google.com>
    227
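--- a/trunk/Source/WebCore/loader/SubframeLoader.cpp
+++ b/trunk/Source/WebCore/loader/SubframeLoader.cpp
@@ -162,4 +162,7 @@
     }
 
+    if (!m_frame->document()->contentSecurityPolicy()->allowMediaFromSource(completedURL))
+        return 0;
+
     HTMLMediaElement* mediaElement = static_cast<HTMLMediaElement*>(node);
     RenderPart* renderer = toRenderPart(node->renderer());
@@ -208,4 +211,7 @@
             return 0;
         }
+
+        if (!element->document()->contentSecurityPolicy()->allowObjectFromSource(codeBaseURL))
+            return 0;
     }
 
@@ -250,4 +256,7 @@
         return 0;
     }
+
+    if (!ownerElement->document()->contentSecurityPolicy()->allowChildFrameFromSource(url))
+        return 0;
 
     bool hideReferrer = SecurityOrigin::shouldHideReferrer(url, referrer);
@@ -340,4 +349,7 @@
     }
 
+    if (!document()->contentSecurityPolicy()->allowObjectFromSource(url))
+        return false;
+
     FrameLoader* frameLoader = m_frame->loader();
     frameLoader->checkIfRunInsecureContent(document()->securityOrigin(), url);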
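Review bot: In loadSubframe (new line 259) and loadPlugin (new line 351) the policy is consulted on `url` exactly once, before any navigation starts, so a redirect that lands on a disallowed origin is caught only if a later layer re-checks it; nothing in these hunks shows whether that happens. The media and applet checks at new lines 164 and 214 have the same shape. Rather than leave that to the next auditor, record the open question at the first of them: `// FIXME: confirm that redirected frame/plugin loads are re-checked against CSP.` All four enclosing functions start and end outside their hunks.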
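--- a/trunk/Source/WebCore/loader/SubresourceLoader.cpp
+++ b/trunk/Source/WebCore/loader/SubresourceLoader.cpp
@@ -77,4 +77,8 @@
     }
 
+    // Note: We skip the Content-Security-Policy check here because we check
+    // the Content-Security-Policy at the CachedResourceLoader layer so we can
+    // handle different resource types differently.
+
     String outgoingReferrer;
     String outgoingOrigin;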
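Review bot: The added note documents a delegation but not the invariant it creates: with no Content-Security-Policy check here, every path that constructs a SubresourceLoader must go through CachedResourceLoader::canRequest, and the comment does not say so. Suggest `// Note: No Content-Security-Policy check here; CachedResourceLoader::canRequest performs it per resource type, so every SubresourceLoader must be created via CachedResourceLoader.` I have not verified from this page that no other creation path exists. The enclosing function, SubresourceLoader::create per the ChangeLog, starts and ends outside the hunk.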
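--- a/trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
+++ b/trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
@@ -196,6 +196,13 @@
 #endif
 
-bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url)
-{
+bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool forPreload)
+{
+    if (!document()->securityOrigin()->canDisplay(url)) {
+        if (!forPreload)
+            FrameLoader::reportLocalLoadFailed(document()->frame(), url.string());
+        LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");
+        return 0;
+    }
+
     // Some types of resources can be loaded only from the same origin.  Other
     // types of resources, like Images, Scripts, and CSS, can be loaded from
@@ -229,4 +236,6 @@
     //       update any security indicators.
     //
+    // FIXME: Should we consider forPreload here?
+    //
     switch (type) {
     case CachedResource::Script:
@@ -297,15 +306,7 @@
     if (!url.isValid())
         return 0;
-    
-    if (!canRequest(type, url))
+
+    if (!canRequest(type, url, forPreload))
         return 0;
-
-    // FIXME: Figure out what is the correct way to merge this security check with the one above.
-    if (!document()->securityOrigin()->canDisplay(url)) {
-        if (!forPreload)
-            FrameLoader::reportLocalLoadFailed(document()->frame(), url.string());
-        LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");
-        return 0;
-    }
 
     if (memoryCache()->disabled()) {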
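Review bot: The block moved into canRequest (new lines 200–205) still reads as requestResource code: `return 0;` at new line 204 sits in a function declared `bool` at new line 198 and should be `return false;`, and the LOG text still names `CachedResourceLoader::requestResource`, which will mislead anyone tracing a canRequest denial from the log. Suggest `LOG(ResourceLoading, "CachedResourceLoader::canRequest URL was not allowed by SecurityOrigin::canDisplay");`. As far as these hunks show, forPreload only suppresses the reportLocalLoadFailed call at new line 202, so the added FIXME at new line 238 could state that the preload path is otherwise fully checked, which is the safe reading. Both canRequest and requestResource extend outside their hunks.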
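--- a/trunk/Source/WebCore/loader/cache/CachedResourceLoader.h
+++ b/trunk/Source/WebCore/loader/cache/CachedResourceLoader.h
@@ -119,5 +119,5 @@
    
     void notifyLoadedFromMemoryCache(CachedResource*);
-    bool canRequest(CachedResource::Type, const KURL&);
+    bool canRequest(CachedResource::Type, const KURL&, bool forPreload = false);
 
     void loadDoneActionTimerFired(Timer<CachedResourceLoader>*);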
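Review bot: The new `bool forPreload = false` default on canRequest makes a call site that forgot the argument indistinguishable from one that deliberately wants the local-load failure reported; the only caller visible on this page, requestResource, passes it explicitly, so dropping the default would let the compiler flag any other caller instead of silently choosing a behavior for it. If the default is kept for callers not shown here, a comment on the declaration naming what the flag does would help: `// forPreload: when true, a denied URL is not reported via FrameLoader::reportLocalLoadFailed.`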