Changeset 85451 in webkit
- Timestamp:
- May 1, 2011 6:44:27 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 6 added
- 4 edited
trunk/LayoutTests/ChangeLog
r85436 r85451 1 2011-05-01 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 CSP default-src is missing 6 https://bugs.webkit.org/show_bug.cgi?id=58641 7 8 Test that default-src controls some scripting policy and that 9 script-src, if present, overrides default-src. In principle, we could 10 test the interaction of default-src with every other directive, but 11 that seems like overkill. 12 13 * http/tests/security/contentSecurityPolicy/default-src-inline-allowed-expected.txt: Added. 14 * http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html: Added. 15 * http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt: Added. 16 * http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html: Added. 17 * http/tests/security/contentSecurityPolicy/script-src-overrides-default-src-expected.txt: Added. 18 * http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html: Added. 19 1 20 2011-05-01 Justin Schuh <jschuh@chromium.org> 2 21 -
trunk/Source/WebCore/ChangeLog
r85442 r85451 1 2011-05-01 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 CSP default-src is missing 6 https://bugs.webkit.org/show_bug.cgi?id=58641 7 8 Add support for default-src. The default-src provides a default policy 9 for every directive that sends in "-src". If the more-specific 10 directive is present, it takes precedence. I also took this 11 opportunity to refactor the internals of ContentSecurityPolicy a bit to 12 reduce duplicate code. 13 14 Tests: http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html 15 http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html 16 http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html 17 18 * page/ContentSecurityPolicy.cpp: 19 (WebCore::ContentSecurityPolicy::didReceiveHeader): 20 (WebCore::ContentSecurityPolicy::checkEval): 21 (WebCore::ContentSecurityPolicy::operativeDirective): 22 (WebCore::ContentSecurityPolicy::checkInlineAndReportViolation): 23 (WebCore::ContentSecurityPolicy::checkEvalAndReportViolation): 24 (WebCore::ContentSecurityPolicy::checkSourceAndReportViolation): 25 (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): 26 (WebCore::ContentSecurityPolicy::allowInlineEventHandlers): 27 (WebCore::ContentSecurityPolicy::allowInlineScript): 28 (WebCore::ContentSecurityPolicy::allowInlineStyle): 29 (WebCore::ContentSecurityPolicy::allowEval): 30 (WebCore::ContentSecurityPolicy::allowScriptFromSource): 31 (WebCore::ContentSecurityPolicy::allowObjectFromSource): 32 (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): 33 (WebCore::ContentSecurityPolicy::allowImageFromSource): 34 (WebCore::ContentSecurityPolicy::allowStyleFromSource): 35 (WebCore::ContentSecurityPolicy::allowFontFromSource): 36 (WebCore::ContentSecurityPolicy::allowMediaFromSource): 37 (WebCore::ContentSecurityPolicy::addDirective): 38 * page/ContentSecurityPolicy.h: 39 1 40 2011-05-01 Sam Weinig <sam@webkit.org> 2 41 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r85388 r85451 471 471 m_havePolicy = true; 472 472 473 if (! internalAllowEval()) {473 if (!checkEval(operativeDirective(m_scriptSrc.get()))) { 474 474 if (Frame* frame = m_document->frame()) 475 475 frame->script()->disableEval(); … … 509 509 } 510 510 511 bool ContentSecurityPolicy::checkEval(CSPDirective* directive) const 512 { 513 return !directive || directive->allowEval(); 514 } 515 516 CSPDirective* ContentSecurityPolicy::operativeDirective(CSPDirective* directive) const 517 { 518 return directive ? directive : m_defaultSrc.get(); 519 } 520 521 bool ContentSecurityPolicy::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage) const 522 { 523 if (!directive || directive->allowInline()) 524 return true; 525 reportViolation(directive->text(), consoleMessage); 526 return false; 527 } 528 529 bool ContentSecurityPolicy::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage) const 530 { 531 if (checkEval(directive)) 532 return true; 533 reportViolation(directive->text(), consoleMessage); 534 return false; 535 } 536 537 bool ContentSecurityPolicy::checkSourceAndReportViolation(CSPDirective* directive, const KURL& url, const String& type) const 538 { 539 if (!directive || directive->allows(url)) 540 return true; 541 reportViolation(directive->text(), makeString("Refused to load ", type, " from '", url.string(), "' because of Content-Security-Policy.\n")); 542 return false; 543 } 544 511 545 bool ContentSecurityPolicy::allowJavaScriptURLs() const 512 546 { 513 if (!m_scriptSrc || m_scriptSrc->allowInline())514 return true;515 516 547 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because of Content-Security-Policy.\n")); 517 reportViolation(m_scriptSrc->text(), consoleMessage); 518 return false; 548 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage); 519 549 } 520 550 521 551 bool ContentSecurityPolicy::allowInlineEventHandlers() const 
522 552 { 523 if (!m_scriptSrc || m_scriptSrc->allowInline())524 return true;525 526 553 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because of Content-Security-Policy.\n")); 527 reportViolation(m_scriptSrc->text(), consoleMessage); 528 return false; 554 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage); 529 555 } 530 556 531 557 bool ContentSecurityPolicy::allowInlineScript() const 532 558 { 533 if (!m_scriptSrc || m_scriptSrc->allowInline())534 return true;535 536 559 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because of Content-Security-Policy.\n")); 537 reportViolation(m_scriptSrc->text(), consoleMessage); 538 return false; 560 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage); 539 561 } 540 562 541 563 bool ContentSecurityPolicy::allowInlineStyle() const 542 564 { 543 if (!m_styleSrc || m_styleSrc->allowInline())544 return true;545 546 565 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because of Content-Security-Policy.\n")); 547 reportViolation(m_styleSrc->text(), consoleMessage); 548 return false; 549 } 550 551 bool ContentSecurityPolicy::internalAllowEval() const 552 { 553 return !m_scriptSrc || m_scriptSrc->allowEval(); 566 return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage); 554 567 } 555 568 556 569 bool ContentSecurityPolicy::allowEval() const 557 570 { 558 if (internalAllowEval())559 return true;560 561 571 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because of Content-Security-Policy.\n")); 562 reportViolation(m_scriptSrc->text(), consoleMessage); 563 return false; 572 return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage); 564 573 } 565 574 566 575 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const 567 576 { 568 if (!m_scriptSrc || 
m_scriptSrc->allows(url)) 569 return true; 570 571 reportViolation(m_scriptSrc->text(), makeString("Refused to load script from '", url.string(), "' because of Content-Security-Policy.\n")); 572 return false; 577 DEFINE_STATIC_LOCAL(String, type, ("script")); 578 return checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, type); 573 579 } 574 580 575 581 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const 576 582 { 577 if (!m_objectSrc || m_objectSrc->allows(url)) 578 return true; 579 580 reportViolation(m_objectSrc->text(), makeString("Refused to load object from '", url.string(), "' because of Content-Security-Policy.\n")); 581 return false; 583 DEFINE_STATIC_LOCAL(String, type, ("object")); 584 return checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, type); 582 585 } 583 586 584 587 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url) const 585 588 { 586 if (!m_frameSrc || m_frameSrc->allows(url)) 587 return true; 588 589 reportViolation(m_frameSrc->text(), makeString("Refused to load frame from '", url.string(), "' because of Content-Security-Policy.\n")); 590 return false; 589 DEFINE_STATIC_LOCAL(String, type, ("frame")); 590 return checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, type); 591 591 } 592 592 593 593 bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const 594 594 { 595 if (!m_imgSrc || m_imgSrc->allows(url)) 596 return true; 597 598 reportViolation(m_imgSrc->text(), makeString("Refused to load image from '", url.string(), "' because of Content-Security-Policy.\n")); 599 return false; 595 DEFINE_STATIC_LOCAL(String, type, ("image")); 596 return checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, type); 600 597 } 601 598 602 599 bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const 603 600 { 604 if (!m_styleSrc || m_styleSrc->allows(url)) 605 return true; 606 607 
reportViolation(m_styleSrc->text(), makeString("Refused to load style from '", url.string(), "' because of Content-Security-Policy.\n")); 608 return false; 601 DEFINE_STATIC_LOCAL(String, type, ("style")); 602 return checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, type); 609 603 } 610 604 611 605 bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const 612 606 { 613 if (!m_fontSrc || m_fontSrc->allows(url)) 614 return true; 615 616 reportViolation(m_fontSrc->text(), makeString("Refused to load font from '", url.string(), "' because of Content-Security-Policy.\n")); 617 return false; 607 DEFINE_STATIC_LOCAL(String, type, ("font")); 608 return checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, type); 618 609 } 619 610 620 611 bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url) const 621 612 { 622 if (!m_mediaSrc || m_mediaSrc->allows(url)) 623 return true; 624 625 reportViolation(m_mediaSrc->text(), makeString("Refused to load media from '", url.string(), "' because of Content-Security-Policy.\n")); 626 return false; 613 DEFINE_STATIC_LOCAL(String, type, ("media")); 614 return checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, type); 627 615 } 628 616 … … 723 711 void ContentSecurityPolicy::addDirective(const String& name, const String& value) 724 712 { 713 DEFINE_STATIC_LOCAL(String, defaultSrc, ("default-src")); 725 714 DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src")); 726 715 DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src")); … … 734 723 ASSERT(!name.isEmpty()); 735 724 736 if (!m_scriptSrc && equalIgnoringCase(name, scriptSrc)) 725 if (!m_defaultSrc && equalIgnoringCase(name, defaultSrc)) 726 m_defaultSrc = createCSPDirective(name, value); 727 else if (!m_scriptSrc && equalIgnoringCase(name, scriptSrc)) 737 728 m_scriptSrc = createCSPDirective(name, value); 738 729 else if (!m_objectSrc && equalIgnoringCase(name, objectSrc)) -
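Review bot: The default-src fallback is enforced only by convention at each call site: every allow* method has to wrap its member in `operativeDirective(...)`, and the check* helpers accept any `CSPDirective*`, so a caller that passes `m_imgSrc.get()` directly would still compile and would silently allow loads that default-src should block. Consider resolving the fallback inside the helpers, e.g. `directive = operativeDirective(directive);` as the first statement of checkInlineAndReportViolation, checkEvalAndReportViolation and checkSourceAndReportViolation. The tests listed in the ChangeLog exercise only inline script under default-src; a test for eval and for at least one URL-based load (image or object) with default-src alone would catch a fail-open regression on those paths. Separately, checkEvalAndReportViolation dereferences `directive` relying on checkEval() having returned true for null, whereas its two siblings test `!directive` themselves; an `ASSERT(directive);` before the `reportViolation` call would make that dependency explicit.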
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r85388 r85451 70 70 PassOwnPtr<CSPDirective> createCSPDirective(const String& name, const String& value); 71 71 72 CSPDirective* operativeDirective(CSPDirective*) const; 72 73 void reportViolation(const String& directiveText, const String& consoleMessage) const; 73 bool internalAllowEval() const; 74 bool checkEval(CSPDirective*) const; 75 76 bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const; 77 bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage) const; 78 bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const; 74 79 75 80 bool m_havePolicy; 76 81 Document* m_document; 77 82 83 OwnPtr<CSPDirective> m_defaultSrc; 78 84 OwnPtr<CSPDirective> m_scriptSrc; 79 85 OwnPtr<CSPDirective> m_objectSrc;
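Review bot: The new private helpers are declared without a comment, and their null contract is the part a later maintainer most needs to know: `operativeDirective()` returns null when neither the specific directive nor default-src was delivered, and every check* helper treats a null directive as "allow". I would document that at the declaration, e.g. `// Returns the given directive if present, otherwise default-src; null means no policy applies and the check passes.` The class body starts and ends outside this hunk, so I cannot tell whether a class-level comment already covers it.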