Changeset 84758 in webkit
- Timestamp:
- Apr 24, 2011 11:36:55 AM (13 years ago)
- Location:
- trunk
- Files:
-
- 15 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r84756 r84758 1 2011-04-24 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 Update Content-Security-Policy syntax to match new version of spec 6 https://bugs.webkit.org/show_bug.cgi?id=59291 7 8 Update tests to use the new syntax. 9 10 * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html: 11 * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html: 12 * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html: 13 * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html: 14 * http/tests/security/contentSecurityPolicy/image-allowed.html: 15 * http/tests/security/contentSecurityPolicy/image-blocked.html: 16 * http/tests/security/contentSecurityPolicy/inline-script-allowed.html: 17 * http/tests/security/contentSecurityPolicy/style-allowed.html: 18 * http/tests/security/contentSecurityPolicy/style-blocked.html: 19 * http/tests/security/contentSecurityPolicy/xsl-allowed.php: 20 * http/tests/security/contentSecurityPolicy/xsl-blocked.php: 21 1 22 2011-04-24 Adam Barth <abarth@webkit.org> 2 23 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html
r84073 r84758 2 2 <html> 3 3 <head> 4 <meta http-equiv="X-WebKit-CSP" content="script-src ' none'; options disable-xss-protection eval-script">4 <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'"> 5 5 </head> 6 6 <pre> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html
r84073 r84758 2 2 <html> 3 3 <head> 4 <meta http-equiv="X-WebKit-CSP" content="script-src ' none'; options disable-xss-protection">4 <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'"> 5 5 </head> 6 6 <pre> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html
r84073 r84758 2 2 <html> 3 3 <head> 4 <meta http-equiv="X-WebKit-CSP" content="script-src ' none'; options disable-xss-protection eval-script">4 <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'"> 5 5 </head> 6 6 <pre> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html
r84073 r84758 2 2 <html> 3 3 <head> 4 <meta http-equiv="X-WebKit-CSP" content="script-src ' none'; options disable-xss-protection">4 <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'"> 5 5 </head> 6 6 <pre> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed.html
r83235 r84758 2 2 <html> 3 3 <head> 4 <meta http-equiv="X-WebKit-CSP" content="img-src *; script-src ' none'; options disable-xss-protection">4 <meta http-equiv="X-WebKit-CSP" content="img-src *; script-src 'unsafe-inline'"> 5 5 <script> 6 6 if (window.layoutTestController) -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked.html
r83235 r84758 2 2 <html> 3 3 <head> 4 <meta http-equiv="X-WebKit-CSP" content="img-src 'none'; script-src ' none'; options disable-xss-protection">4 <meta http-equiv="X-WebKit-CSP" content="img-src 'none'; script-src 'unsafe-inline'"> 5 5 <script> 6 6 if (window.layoutTestController) -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-allowed.html
r83205 r84758 2 2 <html> 3 3 <head> 4 <meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:* ; options disable-xss-protection">4 <meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:* 'unsafe-inline'"> 5 5 <script src="resources/dump-as-text.js"></script> 6 6 </head> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed.html
r83235 r84758 2 2 <html> 3 3 <head> 4 <meta http-equiv="X-WebKit-CSP" content="style-src *; script-src ' none'; options disable-xss-protection">4 <meta http-equiv="X-WebKit-CSP" content="style-src *; script-src 'unsafe-inline'"> 5 5 <link rel="stylesheet" href="resources/blue.css"> 6 6 <script> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked.html
r83235 r84758 2 2 <html> 3 3 <head> 4 <meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src ' none'; options disable-xss-protection">4 <meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'unsafe-inline'"> 5 5 <link rel="stylesheet" href="resources/blue.css"> 6 6 <script> -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php
r83235 r84758 1 1 <?php 2 2 header("Content-Type: application/xhtml+xml"); 3 header("X-WebKit-CSP: style-src *; script-src ' none'; options disable-xss-protection");3 header("X-WebKit-CSP: style-src *; script-src 'unsafe-inline'"); 4 4 5 5 echo '<?xml version="1.0" encoding="UTF-8"?>'; -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php
r83235 r84758 1 1 <?php 2 2 header("Content-Type: application/xhtml+xml"); 3 header("X-WebKit-CSP: style-src 'none'; script-src *; options disable-xss-protection");3 header("X-WebKit-CSP: style-src 'none'; script-src 'unsafe-inline'"); 4 4 5 5 echo '<?xml version="1.0" encoding="UTF-8"?>'; -
trunk/Source/WebCore/ChangeLog
r84757 r84758 1 2011-04-24 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 Update Content-Security-Policy syntax to match new version of spec 6 https://bugs.webkit.org/show_bug.cgi?id=59291 7 8 Brandon removed disable-xss-protection in favor of unsafe-inline and 9 allow-eval in favor of unsafe-eval. This change in syntax also means 10 the options directive no longer exists. 11 12 * page/ContentSecurityPolicy.cpp: 13 (WebCore::CSPSourceList::allowInline): 14 (WebCore::CSPSourceList::allowEval): 15 (WebCore::CSPSourceList::CSPSourceList): 16 (WebCore::CSPSourceList::parseSource): 17 (WebCore::CSPSourceList::addSourceUnsafeInline): 18 (WebCore::CSPSourceList::addSourceUnsafeEval): 19 (WebCore::CSPDirective::allowInline): 20 (WebCore::CSPDirective::allowEval): 21 (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): 22 (WebCore::ContentSecurityPolicy::allowInlineEventHandlers): 23 (WebCore::ContentSecurityPolicy::allowInlineScript): 24 (WebCore::ContentSecurityPolicy::allowEval): 25 (WebCore::ContentSecurityPolicy::addDirective): 26 * page/ContentSecurityPolicy.h: 27 1 28 2011-04-24 Dan Bernstein <mitz@apple.com> 2 29 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r84478 r84758 173 173 void parse(const String&); 174 174 bool matches(const KURL&); 175 bool allowInline() const { return m_allowInline; } 176 bool allowEval() const { return m_allowEval; } 175 177 176 178 private: … … 183 185 184 186 void addSourceSelf(); 187 void addSourceUnsafeInline(); 188 void addSourceUnsafeEval(); 185 189 186 190 SecurityOrigin* m_origin; 187 191 Vector<CSPSource> m_list; 192 bool m_allowInline; 193 bool m_allowEval; 188 194 }; 189 195 190 196 CSPSourceList::CSPSourceList(SecurityOrigin* origin) 191 197 : m_origin(origin) 198 , m_allowInline(false) 199 , m_allowEval(false) 192 200 { 193 201 } … … 252 260 if (equalIgnoringCase("'self'", begin, end - begin)) { 253 261 addSourceSelf(); 262 return false; 263 } 264 265 if (equalIgnoringCase("'unsafe-inline'", begin, end - begin)) { 266 addSourceUnsafeInline(); 267 return false; 268 } 269 270 if (equalIgnoringCase("'unsafe-eval'", begin, end - begin)) { 271 addSourceUnsafeEval(); 254 272 return false; 255 273 } … … 406 424 } 407 425 426 void CSPSourceList::addSourceUnsafeInline() 427 { 428 m_allowInline = true; 429 } 430 431 void CSPSourceList::addSourceUnsafeEval() 432 { 433 m_allowEval = true; 434 } 435 408 436 class CSPDirective { 409 437 public: … … 420 448 } 421 449 450 bool allowInline() const { return m_sourceList.allowInline(); } 451 bool allowEval() const { return m_sourceList.allowEval(); } 452 422 453 const String& text() { return m_text; } 423 454 … … 426 457 String m_text; 427 458 }; 428 429 class CSPOptions {430 public:431 explicit CSPOptions(const String& value)432 : m_disableXSSProtection(false)433 , m_evalScript(false)434 {435 parse(value);436 }437 438 bool disableXSSProtection() const { return m_disableXSSProtection; }439 bool evalScript() const { return m_evalScript; }440 441 private:442 void parse(const String&);443 444 bool m_disableXSSProtection;445 bool m_evalScript;446 };447 448 // options = "options" *( 1*WSP option-value ) *WSP449 // option-value = 1*( ALPHA / DIGIT / "-" )450 //451 void CSPOptions::parse(const String& value)452 {453 DEFINE_STATIC_LOCAL(String, disableXSSProtection, ("disable-xss-protection"));454 DEFINE_STATIC_LOCAL(String, evalScript, ("eval-script"));455 456 const UChar* position = value.characters();457 const UChar* end = position + value.length();458 459 while (position < end) {460 skipWhile<isASCIISpace>(position, end);461 462 const UChar* optionsValueBegin = position;463 464 if (!skipExactly<isOptionValueCharacter>(position, end))465 return;466 467 skipWhile<isOptionValueCharacter>(position, end);468 469 String optionsValue(optionsValueBegin, position - optionsValueBegin);470 471 if (equalIgnoringCase(optionsValue, disableXSSProtection))472 m_disableXSSProtection = true;473 else if (equalIgnoringCase(optionsValue, evalScript))474 m_evalScript = true;475 }476 }477 459 478 460 ContentSecurityPolicy::ContentSecurityPolicy(Document* document) … … 527 509 } 528 510 529 bool ContentSecurityPolicy::protectAgainstXSS() const530 {531 return m_scriptSrc && (!m_options || !m_options->disableXSSProtection());532 }533 534 511 bool ContentSecurityPolicy::allowJavaScriptURLs() const 535 512 { 536 if (! protectAgainstXSS())513 if (!m_scriptSrc || m_scriptSrc->allowInline()) 537 514 return true; 538 515 … … 544 521 bool ContentSecurityPolicy::allowInlineEventHandlers() const 545 522 { 546 if (! protectAgainstXSS())523 if (!m_scriptSrc || m_scriptSrc->allowInline()) 547 524 return true; 548 525 … … 554 531 bool ContentSecurityPolicy::allowInlineScript() const 555 532 { 556 if (! protectAgainstXSS())533 if (!m_scriptSrc || m_scriptSrc->allowInline()) 557 534 return true; 558 535 … … 564 541 bool ContentSecurityPolicy::allowEval() const 565 542 { 566 if (!m_scriptSrc || (m_options && m_options->evalScript()))543 if (!m_scriptSrc || m_scriptSrc->allowEval()) 567 544 return true; 568 545 … … 739 716 DEFINE_STATIC_LOCAL(String, mediaSrc, ("media-src")); 740 717 DEFINE_STATIC_LOCAL(String, reportURI, ("report-uri")); 741 DEFINE_STATIC_LOCAL(String, options, ("options"));742 718 743 719 ASSERT(!name.isEmpty()); … … 759 735 else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI)) 760 736 parseReportURI(value); 761 else if (!m_options && equalIgnoringCase(name, options)) 762 m_options = adoptPtr(new CSPOptions(value)); 763 } 764 765 } 737 } 738 739 } -
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r84478 r84758 33 33 34 34 class CSPDirective; 35 class CSPOptions;36 35 class Document; 37 36 class KURL; … … 63 62 explicit ContentSecurityPolicy(Document*); 64 63 65 bool protectAgainstXSS() const;66 67 64 void parse(const String&); 68 65 bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value); … … 84 81 OwnPtr<CSPDirective> m_fontSrc; 85 82 OwnPtr<CSPDirective> m_mediaSrc; 86 OwnPtr<CSPOptions> m_options;87 83 88 84 Vector<KURL> m_reportURLs;
Note: See TracChangeset
for help on using the changeset viewer.