Changeset 85384 in webkit

Timestamp:

Apr 29, 2011 7:56:23 PM (13 years ago)

Author:

abarth@webkit.org

Message:

2011-04-29 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

style-src should block @style
​https://bugs.webkit.org/show_bug.cgi?id=59293

Testing makes perfect.

• http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html: Added.
• http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html: Added.

2011-04-29 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

style-src should block @style
​https://bugs.webkit.org/show_bug.cgi?id=59293

This patch blocks @style when style-src doesn't have the
'unsafe-inline' token. This patch blocks the parsing of the attribute
itself. That feels vaguely like too low a level to interpose the
policy, but there didn't seem to be anywhere else natural to enforce
the policy.

Tests: http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html

http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html
http/tests/security/contentSecurityPolicy/inline-style-on-html.html

• dom/StyledElement.cpp: (WebCore::StyledElement::parseMappedAttribute):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/StyledElement.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-04-29  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        style-src should block @style
+        https://bugs.webkit.org/show_bug.cgi?id=59293
+
+        Testing makes perfect.
+
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html: Added.
+
 2011-04-29  Joseph Pecoraro  <joepeck@webkit.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-04-29  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        style-src should block @style
+        https://bugs.webkit.org/show_bug.cgi?id=59293
+
+        This patch blocks @style when style-src doesn't have the
+        'unsafe-inline' token.  This patch blocks the parsing of the attribute
+        itself.  That feels vaguely like too low a level to interpose the
+        policy, but there didn't seem to be anywhere else natural to enforce
+        the policy.
+
+        Tests: http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html
+               http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html
+               http/tests/security/contentSecurityPolicy/inline-style-on-html.html
+
+        * dom/StyledElement.cpp:
+        (WebCore::StyledElement::parseMappedAttribute):
+
 2011-04-29  Joseph Pecoraro  <joepeck@webkit.org>
 

trunk/Source/WebCore/dom/StyledElement.cpp

@@ -31 +31 @@
 #include "CSSValueKeywords.h"
 #include "ClassList.h"
+#include "ContentSecurityPolicy.h"
 #include "DOMTokenList.h"
 #include "Document.h"
@@ -241 +242 @@
         if (attr->isNull())
             destroyInlineStyleDecl();
-        else
+        else if (document()->contentSecurityPolicy()->allowInlineStyle())
             getInlineStyleDecl()->parseDeclaration(attr->value());
         setIsStyleAttributeValid();