Changeset 85381 in webkit


Timestamp:
Apr 29, 2011 7:22:35 PM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-04-29 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

style-src should block inline style from <style>
https://bugs.webkit.org/show_bug.cgi?id=59292

Testing makes perfect.

  • http/tests/security/contentSecurityPolicy/inline-style-allowed-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/inline-style-allowed.html: Added.
  • http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/inline-style-blocked.html: Added.

2011-04-29 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

style-src should block inline style from <style>
https://bugs.webkit.org/show_bug.cgi?id=59292

The spec has been updated to allow blocking of inline styles with
style-src. This will help folks defend against tricky CSS3 injections.

This patch covers the <style> case. The next patch will cover the
@style case.

Tests: http/tests/security/contentSecurityPolicy/inline-style-allowed.html
       http/tests/security/contentSecurityPolicy/inline-style-blocked.html

  • dom/StyleElement.cpp: (WebCore::StyleElement::createSheet):
  • page/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::allowInlineStyle):
  • page/ContentSecurityPolicy.h:
Location:
trunk
Files:
4 added
5 edited

  • trunk/LayoutTests/ChangeLog

    r85379 r85381  
     12011-04-29  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        style-src should block inline style from <style>
     6        https://bugs.webkit.org/show_bug.cgi?id=59292
     7
     8        Testing makes perfect.
     9
     10        * http/tests/security/contentSecurityPolicy/inline-style-allowed-expected.txt: Added.
     11        * http/tests/security/contentSecurityPolicy/inline-style-allowed.html: Added.
     12        * http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt: Added.
     13        * http/tests/security/contentSecurityPolicy/inline-style-blocked.html: Added.
     14
    1152011-04-29  Sam Weinig  <sam@webkit.org>
    216
  • trunk/Source/WebCore/ChangeLog

    r85378 r85381  
     12011-04-29  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        style-src should block inline style from <style>
     6        https://bugs.webkit.org/show_bug.cgi?id=59292
     7
     8        The spec has been updated to allow blocking of inline styles with
     9        style-src.  This will help folks defend against tricky CSS3 injections.
     10
     11        This patch covers the <style> case.  The next patch will cover the
     12        @style case.
     13
     14        Tests: http/tests/security/contentSecurityPolicy/inline-style-allowed.html
     15               http/tests/security/contentSecurityPolicy/inline-style-blocked.html
     16
     17        * dom/StyleElement.cpp:
     18        (WebCore::StyleElement::createSheet):
     19        * page/ContentSecurityPolicy.cpp:
     20        (WebCore::ContentSecurityPolicy::allowInlineStyle):
     21        * page/ContentSecurityPolicy.h:
     22
    1232011-04-29  Chris Evans  <cevans@chromium.org>
    224
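Review bot: The ChangeLog entry defers the @style (style attribute) case to "the next patch", which means that after this change a page sending style-src still has attribute styles applied regardless of policy; the entry should state that limitation plainly so nobody reads the two new layout tests as covering inline style in general. The "Tests:" lines should also keep the two paths aligned under the label, as the WebCore ChangeLog does.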
  • trunk/Source/WebCore/dom/StyleElement.cpp

    r82054 r85381  
    2323
    2424#include "Attribute.h"
     25#include "ContentSecurityPolicy.h"
    2526#include "Document.h"
    2627#include "Element.h"
     
    3738    return nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE;
    3839}
    39    
     40
     41static bool isCSS(Element* element, const AtomicString& type)
     42{
     43    return type.isEmpty() || (element->isHTMLElement() ? equalIgnoringCase(type, "text/css") : (type == "text/css"));
     44}
     45
    4046StyleElement::StyleElement(Document* document, bool createdByParser)
    4147    : m_createdByParser(createdByParser)
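Review bot: The new isCSS() helper on lines 41-44 deserves a one-line comment saying why the type comparison is case-insensitive for HTML elements (`equalIgnoringCase(type, "text/css")`) but exact for non-HTML ones (`type == "text/css"`); the behaviour is identical to the inline condition it replaces, but the HTML/XML distinction is easy to lose in a later refactor once it lives in a separate function.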
     
    141147    // If type is empty or CSS, this is a CSS style sheet.
    142148    const AtomicString& type = this->type();
    143     if (type.isEmpty() || (e->isHTMLElement() ? equalIgnoringCase(type, "text/css") : (type == "text/css"))) {
     149    if (document->contentSecurityPolicy()->allowInlineStyle() && isCSS(e, type)) {
    144150        RefPtr<MediaList> mediaList = MediaList::create(media(), e->isHTMLElement());
    145151        MediaQueryEvaluator screenEval("screen", true);
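Review bot: The operand order on the new line 149 evaluates `allowInlineStyle()` before `isCSS(e, type)`, so a <style> element with a non-CSS type, which would never have been applied anyway, still calls reportViolation() and emits the console message whenever style-src forbids inline style. Swapping the operands, `if (isCSS(e, type) && document->contentSecurityPolicy()->allowInlineStyle())`, limits violation reports to sheets that would actually have taken effect and avoids noisy reports for sites enforcing the directive. The unconditional `document->contentSecurityPolicy()->` dereference also assumes contentSecurityPolicy() is never null for this document; worth confirming, since the previous code had no such dependency.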
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r84760 r85381  
    534534}
    535535
     536bool ContentSecurityPolicy::allowInlineStyle() const
     537{
     538    if (!m_styleSrc || m_styleSrc->allowInline())
     539        return true;
     540
     541    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because of Content-Security-Policy.\n"));
     542    reportViolation(m_styleSrc->text(), consoleMessage);
     543    return false;
     544}
     545
    536546bool ContentSecurityPolicy::allowEval() const
    537547{
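Review bot: The console message on line 541 does not say which directive blocked the sheet, even though the directive text is already in hand (`m_styleSrc->text()` is passed to reportViolation() on line 542); including it in the message would make a blocked <style> element much easier for a site author to diagnose. Also confirm that the early return on lines 538-539 is the intended semantics: with no style-src directive at all (`!m_styleSrc`) inline style is allowed, so only a policy that names style-src without permitting inline content will ever reach the reporting path.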
  • trunk/Source/WebCore/page/ContentSecurityPolicy.h

    r84758 r85381  
    4949    bool allowInlineEventHandlers() const;
    5050    bool allowInlineScript() const;
     51    bool allowInlineStyle() const;
    5152    bool allowEval() const;
    5253