Changeset 84758 in webkit


Timestamp:
Apr 24, 2011 11:36:55 AM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-04-24 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

Update Content-Security-Policy syntax to match new version of spec
https://bugs.webkit.org/show_bug.cgi?id=59291

Update tests to use the new syntax.

  • http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html:
  • http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html:
  • http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html:
  • http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html:
  • http/tests/security/contentSecurityPolicy/image-allowed.html:
  • http/tests/security/contentSecurityPolicy/image-blocked.html:
  • http/tests/security/contentSecurityPolicy/inline-script-allowed.html:
  • http/tests/security/contentSecurityPolicy/style-allowed.html:
  • http/tests/security/contentSecurityPolicy/style-blocked.html:
  • http/tests/security/contentSecurityPolicy/xsl-allowed.php:
  • http/tests/security/contentSecurityPolicy/xsl-blocked.php:

2011-04-24 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

Update Content-Security-Policy syntax to match new version of spec
https://bugs.webkit.org/show_bug.cgi?id=59291

Brandon removed disable-xss-protection in favor of unsafe-inline and
allow-eval in favor of unsafe-eval. This change in syntax also means
the options directive no longer exists.

  • page/ContentSecurityPolicy.cpp: (WebCore::CSPSourceList::allowInline): (WebCore::CSPSourceList::allowEval): (WebCore::CSPSourceList::CSPSourceList): (WebCore::CSPSourceList::parseSource): (WebCore::CSPSourceList::addSourceUnsafeInline): (WebCore::CSPSourceList::addSourceUnsafeEval): (WebCore::CSPDirective::allowInline): (WebCore::CSPDirective::allowEval): (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): (WebCore::ContentSecurityPolicy::allowInlineEventHandlers): (WebCore::ContentSecurityPolicy::allowInlineScript): (WebCore::ContentSecurityPolicy::allowEval): (WebCore::ContentSecurityPolicy::addDirective):
  • page/ContentSecurityPolicy.h:
Location:
trunk
Files:
15 edited

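--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,23 @@
+2011-04-24  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Update Content-Security-Policy syntax to match new version of spec
+        https://bugs.webkit.org/show_bug.cgi?id=59291
+
+        Update tests to use the new syntax.
+
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html:
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html:
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html:
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html:
+        * http/tests/security/contentSecurityPolicy/image-allowed.html:
+        * http/tests/security/contentSecurityPolicy/image-blocked.html:
+        * http/tests/security/contentSecurityPolicy/inline-script-allowed.html:
+        * http/tests/security/contentSecurityPolicy/style-allowed.html:
+        * http/tests/security/contentSecurityPolicy/style-blocked.html:
+        * http/tests/security/contentSecurityPolicy/xsl-allowed.php:
+        * http/tests/security/contentSecurityPolicy/xsl-blocked.php:
+
 2011-04-24  Adam Barth  <abarth@webkit.org>
 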
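--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html
@@ -2,5 +2,5 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'none'; options disable-xss-protection eval-script">
+<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'">
 </head>
 <pre>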
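--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html
@@ -2,5 +2,5 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'none'; options disable-xss-protection">
+<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
 </head>
 <pre>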
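--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html
@@ -2,5 +2,5 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'none'; options disable-xss-protection eval-script">
+<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'">
 </head>
 <pre>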
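--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html
@@ -2,5 +2,5 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'none'; options disable-xss-protection">
+<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
 </head>
 <pre>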
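--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed.html
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed.html
@@ -2,5 +2,5 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src *; script-src 'none'; options disable-xss-protection">
+<meta http-equiv="X-WebKit-CSP" content="img-src *; script-src 'unsafe-inline'">
 <script>
 if (window.layoutTestController)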
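--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked.html
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked.html
@@ -2,5 +2,5 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src 'none'; script-src 'none'; options disable-xss-protection">
+<meta http-equiv="X-WebKit-CSP" content="img-src 'none'; script-src 'unsafe-inline'">
 <script>
 if (window.layoutTestController)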
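--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-allowed.html
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-allowed.html
@@ -2,5 +2,5 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:*; options disable-xss-protection">
+<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:* 'unsafe-inline'">
 <script src="resources/dump-as-text.js"></script>
 </head>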
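--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed.html
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed.html
@@ -2,5 +2,5 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src *; script-src 'none'; options disable-xss-protection">
+<meta http-equiv="X-WebKit-CSP" content="style-src *; script-src 'unsafe-inline'">
 <link rel="stylesheet" href="resources/blue.css">
 <script>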
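--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked.html
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked.html
@@ -2,5 +2,5 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'none'; options disable-xss-protection">
+<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'unsafe-inline'">
 <link rel="stylesheet" href="resources/blue.css">
 <script>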
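--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php
@@ -1,5 +1,5 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: style-src *; script-src 'none'; options disable-xss-protection");
+header("X-WebKit-CSP: style-src *; script-src 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';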
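--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php
@@ -1,5 +1,5 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: style-src 'none'; script-src *; options disable-xss-protection");
+header("X-WebKit-CSP: style-src 'none'; script-src 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';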
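Review bot: The converted header replaces `script-src *` with `script-src 'unsafe-inline'`, which is more than a syntax update: the old policy allowed scripts from any origin, while the new one allows inline script only. The other converted tests started from `script-src 'none'` or an explicit host, so this is the one place where the set of allowed script sources narrows. If the rest of the file (not visible here) loads an external script, the test would silently change meaning; `script-src * 'unsafe-inline'` would keep the old source list while adopting the new keyword.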
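--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,29 @@
+2011-04-24  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Update Content-Security-Policy syntax to match new version of spec
+        https://bugs.webkit.org/show_bug.cgi?id=59291
+
+        Brandon removed disable-xss-protection in favor of unsafe-inline and
+        allow-eval in favor of unsafe-eval.  This change in syntax also means
+        the options directive no longer exists.
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPSourceList::allowInline):
+        (WebCore::CSPSourceList::allowEval):
+        (WebCore::CSPSourceList::CSPSourceList):
+        (WebCore::CSPSourceList::parseSource):
+        (WebCore::CSPSourceList::addSourceUnsafeInline):
+        (WebCore::CSPSourceList::addSourceUnsafeEval):
+        (WebCore::CSPDirective::allowInline):
+        (WebCore::CSPDirective::allowEval):
+        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
+        (WebCore::ContentSecurityPolicy::allowInlineScript):
+        (WebCore::ContentSecurityPolicy::allowEval):
+        (WebCore::ContentSecurityPolicy::addDirective):
+        * page/ContentSecurityPolicy.h:
+
 2011-04-24  Dan Bernstein  <mitz@apple.com>
 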
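--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
@@ -173,4 +173,6 @@
     void parse(const String&);
     bool matches(const KURL&);
+    bool allowInline() const { return m_allowInline; }
+    bool allowEval() const { return m_allowEval; }
 
 private:
@@ -183,11 +185,17 @@
 
     void addSourceSelf();
+    void addSourceUnsafeInline();
+    void addSourceUnsafeEval();
 
     SecurityOrigin* m_origin;
     Vector<CSPSource> m_list;
+    bool m_allowInline;
+    bool m_allowEval;
 };
 
 CSPSourceList::CSPSourceList(SecurityOrigin* origin)
     : m_origin(origin)
+    , m_allowInline(false)
+    , m_allowEval(false)
 {
 }
@@ -252,4 +260,14 @@
     if (equalIgnoringCase("'self'", begin, end - begin)) {
         addSourceSelf();
+        return false;
+    }
+
+    if (equalIgnoringCase("'unsafe-inline'", begin, end - begin)) {
+        addSourceUnsafeInline();
+        return false;
+    }
+
+    if (equalIgnoringCase("'unsafe-eval'", begin, end - begin)) {
+        addSourceUnsafeEval();
         return false;
     }
@@ -406,4 +424,14 @@
 }
 
+void CSPSourceList::addSourceUnsafeInline()
+{
+    m_allowInline = true;
+}
+
+void CSPSourceList::addSourceUnsafeEval()
+{
+    m_allowEval = true;
+}
+
 class CSPDirective {
 public:
@@ -420,4 +448,7 @@
     }
 
+    bool allowInline() const { return m_sourceList.allowInline(); }
+    bool allowEval() const { return m_sourceList.allowEval(); }
+
     const String& text() { return m_text; }
 
@@ -426,53 +457,4 @@
     String m_text;
 };
-
-class CSPOptions {
-public:
-    explicit CSPOptions(const String& value)
-        : m_disableXSSProtection(false)
-        , m_evalScript(false)
-    {
-        parse(value);
-    }
-
-    bool disableXSSProtection() const { return m_disableXSSProtection; }
-    bool evalScript() const { return m_evalScript; }
-
-private:
-    void parse(const String&);
-
-    bool m_disableXSSProtection;
-    bool m_evalScript;
-};
-
-// options           = "options" *( 1*WSP option-value ) *WSP
-// option-value      = 1*( ALPHA / DIGIT / "-" )
-//
-void CSPOptions::parse(const String& value)
-{
-    DEFINE_STATIC_LOCAL(String, disableXSSProtection, ("disable-xss-protection"));
-    DEFINE_STATIC_LOCAL(String, evalScript, ("eval-script"));
-
-    const UChar* position = value.characters();
-    const UChar* end = position + value.length();
-
-    while (position < end) {
-        skipWhile<isASCIISpace>(position, end);
-
-        const UChar* optionsValueBegin = position;
-
-        if (!skipExactly<isOptionValueCharacter>(position, end))
-            return;
-
-        skipWhile<isOptionValueCharacter>(position, end);
-
-        String optionsValue(optionsValueBegin, position - optionsValueBegin);
-
-        if (equalIgnoringCase(optionsValue, disableXSSProtection))
-            m_disableXSSProtection = true;
-        else if (equalIgnoringCase(optionsValue, evalScript))
-            m_evalScript = true;
-    }
-}
 
 ContentSecurityPolicy::ContentSecurityPolicy(Document* document)
@@ -527,12 +509,7 @@
 }
 
-bool ContentSecurityPolicy::protectAgainstXSS() const
-{
-    return m_scriptSrc && (!m_options || !m_options->disableXSSProtection());
-}
-
 bool ContentSecurityPolicy::allowJavaScriptURLs() const
 {
-    if (!protectAgainstXSS())
+    if (!m_scriptSrc || m_scriptSrc->allowInline())
         return true;
 
@@ -544,5 +521,5 @@
 bool ContentSecurityPolicy::allowInlineEventHandlers() const
 {
-    if (!protectAgainstXSS())
+    if (!m_scriptSrc || m_scriptSrc->allowInline())
         return true;
 
@@ -554,5 +531,5 @@
 bool ContentSecurityPolicy::allowInlineScript() const
 {
-    if (!protectAgainstXSS())
+    if (!m_scriptSrc || m_scriptSrc->allowInline())
         return true;
 
@@ -564,5 +541,5 @@
 bool ContentSecurityPolicy::allowEval() const
 {
-    if (!m_scriptSrc || (m_options && m_options->evalScript()))
+    if (!m_scriptSrc || m_scriptSrc->allowEval())
         return true;
 
@@ -739,5 +716,4 @@
     DEFINE_STATIC_LOCAL(String, mediaSrc, ("media-src"));
     DEFINE_STATIC_LOCAL(String, reportURI, ("report-uri"));
-    DEFINE_STATIC_LOCAL(String, options, ("options"));
 
     ASSERT(!name.isEmpty());
@@ -759,7 +735,5 @@
     else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI))
         parseReportURI(value);
-    else if (!m_options && equalIgnoringCase(name, options))
-        m_options = adoptPtr(new CSPOptions(value));
-}
-
-}
+}
+
+}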
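Review bot: `'unsafe-inline'` and `'unsafe-eval'` are matched in `CSPSourceList::parseSource`, which (judging by the class name and the `'self'` branch beside it) parses the source list of every directive, yet the `allowInline`/`allowEval` callers visible in this changeset only read `m_scriptSrc`. A policy such as `img-src 'unsafe-eval'` would therefore parse cleanly and set a flag that nothing consults. A short comment above the two new branches would make that explicit, e.g. `// Only script-src consults these keywords; on other directives they are accepted but have no effect.` The bodies of `parseSource` and the `allow*` functions continue outside the hunks shown, so confirm that no other directive reads the flags. It would also help to keep one layout test with the removed `options disable-xss-protection` syntax, to pin that it no longer relaxes `script-src`.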
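--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.h
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.h
@@ -33,5 +33,4 @@
 
 class CSPDirective;
-class CSPOptions;
 class Document;
 class KURL;
@@ -63,6 +62,4 @@
     explicit ContentSecurityPolicy(Document*);
 
-    bool protectAgainstXSS() const;
-
     void parse(const String&);
     bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
@@ -84,5 +81,4 @@
     OwnPtr<CSPDirective> m_fontSrc;
     OwnPtr<CSPDirective> m_mediaSrc;
-    OwnPtr<CSPOptions> m_options;
 
     Vector<KURL> m_reportURLs;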