Changeset 84681 in webkit
- Timestamp:
- Apr 22, 2011 2:20:12 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 7 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r84678 r84681 1 2011-04-22 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 CSP frame-src is missing 6 https://bugs.webkit.org/show_bug.cgi?id=58643 7 8 Update expected result to show that this test is passing now. 9 10 * http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt: 11 1 12 2011-04-22 Levi Weintraub <leviw@chromium.org> 2 13 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked-expected.txt
r84506 r84681 1 ALERT: FAIL 1 CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy. 2 2 3 -
trunk/Source/WebCore/ChangeLog
r84680 r84681 1 2011-04-22 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 CSP frame-src is missing 6 https://bugs.webkit.org/show_bug.cgi?id=58643 7 8 In this patch, I've audited all the callers to 9 SecurityOrigin::canDisplay to make sure they all the appropriate 10 Content-Security-Policy method as well. I'm not sure how to test all 11 these cases, but making this changes fixed the frame-src test. 12 13 * loader/SubframeLoader.cpp: 14 (WebCore::SubframeLoader::loadMediaPlayerProxyPlugin): 15 (WebCore::SubframeLoader::createJavaAppletWidget): 16 (WebCore::SubframeLoader::loadSubframe): 17 (WebCore::SubframeLoader::loadPlugin): 18 * loader/SubresourceLoader.cpp: 19 (WebCore::SubresourceLoader::create): 20 * loader/cache/CachedResourceLoader.cpp: 21 (WebCore::CachedResourceLoader::canRequest): 22 (WebCore::CachedResourceLoader::requestResource): 23 - While I was understanding this code, I fixed the FIXME here. 24 * loader/cache/CachedResourceLoader.h: 25 1 26 2011-04-22 Adrienne Walker <enne@google.com> 2 27 -
trunk/Source/WebCore/loader/SubframeLoader.cpp
r83141 r84681 162 162 } 163 163 164 if (!m_frame->document()->contentSecurityPolicy()->allowMediaFromSource(completedURL)) 165 return 0; 166 164 167 HTMLMediaElement* mediaElement = static_cast<HTMLMediaElement*>(node); 165 168 RenderPart* renderer = toRenderPart(node->renderer()); … … 208 211 return 0; 209 212 } 213 214 if (!element->document()->contentSecurityPolicy()->allowObjectFromSource(codeBaseURL)) 215 return 0; 210 216 } 211 217 … … 250 256 return 0; 251 257 } 258 259 if (!ownerElement->document()->contentSecurityPolicy()->allowChildFrameFromSource(url)) 260 return 0; 252 261 253 262 bool hideReferrer = SecurityOrigin::shouldHideReferrer(url, referrer); … … 340 349 } 341 350 351 if (!document()->contentSecurityPolicy()->allowObjectFromSource(url)) 352 return false; 353 342 354 FrameLoader* frameLoader = m_frame->loader(); 343 355 frameLoader->checkIfRunInsecureContent(document()->securityOrigin(), url); -
trunk/Source/WebCore/loader/SubresourceLoader.cpp
r84260 r84681 77 77 } 78 78 79 // Note: We skip the Content-Security-Policy check here because we check 80 // the Content-Security-Policy at the CachedResourceLoader layer so we can 81 // handle different resource types differently. 82 79 83 String outgoingReferrer; 80 84 String outgoingOrigin; -
trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
r84116 r84681 196 196 #endif 197 197 198 bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url) 199 { 198 bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url, bool forPreload) 199 { 200 if (!document()->securityOrigin()->canDisplay(url)) { 201 if (!forPreload) 202 FrameLoader::reportLocalLoadFailed(document()->frame(), url.string()); 203 LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay"); 204 return 0; 205 } 206 200 207 // Some types of resources can be loaded only from the same origin. Other 201 208 // types of resources, like Images, Scripts, and CSS, can be loaded from … … 229 236 // update any security indicators. 230 237 // 238 // FIXME: Should we consider forPreload here? 239 // 231 240 switch (type) { 232 241 case CachedResource::Script: … … 297 306 if (!url.isValid()) 298 307 return 0; 299 300 if (!canRequest(type, url ))308 309 if (!canRequest(type, url, forPreload)) 301 310 return 0; 302 303 // FIXME: Figure out what is the correct way to merge this security check with the one above.304 if (!document()->securityOrigin()->canDisplay(url)) {305 if (!forPreload)306 FrameLoader::reportLocalLoadFailed(document()->frame(), url.string());307 LOG(ResourceLoading, "CachedResourceLoader::requestResource URL was not allowed by SecurityOrigin::canDisplay");308 return 0;309 }310 311 311 312 if (memoryCache()->disabled()) { -
trunk/Source/WebCore/loader/cache/CachedResourceLoader.h
r84110 r84681 119 119 120 120 void notifyLoadedFromMemoryCache(CachedResource*); 121 bool canRequest(CachedResource::Type, const KURL& );121 bool canRequest(CachedResource::Type, const KURL&, bool forPreload = false); 122 122 123 123 void loadDoneActionTimerFired(Timer<CachedResourceLoader>*);
Note: See TracChangeset
for help on using the changeset viewer.