Changeset 85384 in webkit
- Timestamp: Apr 29, 2011 7:56:23 PM (13 years ago)
- Location: trunk
- Files: 6 added, 3 edited
trunk/LayoutTests/ChangeLog
r85382 r85384 1 2011-04-29 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 style-src should block @style 6 https://bugs.webkit.org/show_bug.cgi?id=59293 7 8 Testing makes perfect. 9 10 * http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed-expected.txt: Added. 11 * http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html: Added. 12 * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt: Added. 13 * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html: Added. 14 * http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html-expected.txt: Added. 15 * http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html: Added. 16 1 17 2011-04-29 Joseph Pecoraro <joepeck@webkit.org> 2 18 -
trunk/Source/WebCore/ChangeLog
r85382 r85384 1 2011-04-29 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 style-src should block @style 6 https://bugs.webkit.org/show_bug.cgi?id=59293 7 8 This patch blocks @style when style-src doesn't have the 9 'unsafe-inline' token. This patch blocks the parsing of the attribute 10 itself. That feels vaguely like too low a level to interpose the 11 policy, but there didn't seem to be anywhere else natural to enforce 12 the policy. 13 14 Tests: http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html 15 http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html 16 http/tests/security/contentSecurityPolicy/inline-style-on-html.html 17 18 * dom/StyledElement.cpp: 19 (WebCore::StyledElement::parseMappedAttribute): 20 1 21 2011-04-29 Joseph Pecoraro <joepeck@webkit.org> 2 22 -
trunk/Source/WebCore/dom/StyledElement.cpp
r83209 r85384 31 31 #include "CSSValueKeywords.h" 32 32 #include "ClassList.h" 33 #include "ContentSecurityPolicy.h" 33 34 #include "DOMTokenList.h" 34 35 #include "Document.h" … … 241 242 if (attr->isNull()) 242 243 destroyInlineStyleDecl(); 243 else 244 else if (document()->contentSecurityPolicy()->allowInlineStyle()) 244 245 getInlineStyleDecl()->parseDeclaration(attr->value()); 245 246 setIsStyleAttributeValid();
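Review bot: In trunk/Source/WebCore/ChangeLog, the third entry under "Tests:" names http/tests/security/contentSecurityPolicy/inline-style-on-html.html, but the LayoutTests ChangeLog in this same changeset adds inline-style-attribute-on-html.html. The entry should use the name of the file that is actually added, so the test list matches what lands.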
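Review bot: In StyledElement::parseMappedAttribute (trunk/Source/WebCore/dom/StyledElement.cpp), when the attribute is non-null and allowInlineStyle() returns false, neither destroyInlineStyleDecl() nor parseDeclaration() runs, so whatever inline declaration the element already holds is left untouched while setIsStyleAttributeValid() is still called. If an element can reach this branch with a declaration parsed from an earlier attribute value, the blocked case should clear it, or a comment should state why leaving it is correct. The return value of document()->contentSecurityPolicy() is also dereferenced without a check; it is worth confirming that it can never be null at this call site.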