Changeset 85451 in webkit

Timestamp:

May 1, 2011 6:44:27 PM (13 years ago)

Author:

abarth@webkit.org

Message:

2011-05-01 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

CSP default-src is missing
​https://bugs.webkit.org/show_bug.cgi?id=58641

Test that default-src controls some scripting policy and that
script-src, if present, overrides default-src. In principle, we could
test the interaction of default-src with every other directive, but
that seems like overkill.

• http/tests/security/contentSecurityPolicy/default-src-inline-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html: Added.
• http/tests/security/contentSecurityPolicy/script-src-overrides-default-src-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html: Added.

2011-05-01 Adam Barth <​abarth@webkit.org>

Reviewed by Eric Seidel.

CSP default-src is missing
​https://bugs.webkit.org/show_bug.cgi?id=58641

Add support for default-src. The default-src provides a default policy
for every directive that sends in "-src". If the more-specific
directive is present, it takes precedence. I also took this
opportunity to refactor the internals of ContentSecurityPolicy a bit to
reduce duplicate code.

Tests: http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html

http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html
http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html

• page/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::didReceiveHeader): (WebCore::ContentSecurityPolicy::checkEval): (WebCore::ContentSecurityPolicy::operativeDirective): (WebCore::ContentSecurityPolicy::checkInlineAndReportViolation): (WebCore::ContentSecurityPolicy::checkEvalAndReportViolation): (WebCore::ContentSecurityPolicy::checkSourceAndReportViolation): (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): (WebCore::ContentSecurityPolicy::allowInlineEventHandlers): (WebCore::ContentSecurityPolicy::allowInlineScript): (WebCore::ContentSecurityPolicy::allowInlineStyle): (WebCore::ContentSecurityPolicy::allowEval): (WebCore::ContentSecurityPolicy::allowScriptFromSource): (WebCore::ContentSecurityPolicy::allowObjectFromSource): (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): (WebCore::ContentSecurityPolicy::allowImageFromSource): (WebCore::ContentSecurityPolicy::allowStyleFromSource): (WebCore::ContentSecurityPolicy::allowFontFromSource): (WebCore::ContentSecurityPolicy::allowMediaFromSource): (WebCore::ContentSecurityPolicy::addDirective):
• page/ContentSecurityPolicy.h:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-src-overrides-default-src-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (4 diffs)
• Source/WebCore/page/ContentSecurityPolicy.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-05-01  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        CSP default-src is missing
+        https://bugs.webkit.org/show_bug.cgi?id=58641
+
+        Test that default-src controls some scripting policy and that
+        script-src, if present, overrides default-src.  In principle, we could
+        test the interaction of default-src with every other directive, but
+        that seems like overkill.
+
+        * http/tests/security/contentSecurityPolicy/default-src-inline-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-overrides-default-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html: Added.
+
 2011-05-01  Justin Schuh  <jschuh@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-05-01  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        CSP default-src is missing
+        https://bugs.webkit.org/show_bug.cgi?id=58641
+
+        Add support for default-src.  The default-src provides a default policy
+        for every directive that sends in "-src".  If the more-specific
+        directive is present, it takes precedence.  I also took this
+        opportunity to refactor the internals of ContentSecurityPolicy a bit to
+        reduce duplicate code.
+
+        Tests: http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html
+               http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html
+               http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::didReceiveHeader):
+        (WebCore::ContentSecurityPolicy::checkEval):
+        (WebCore::ContentSecurityPolicy::operativeDirective):
+        (WebCore::ContentSecurityPolicy::checkInlineAndReportViolation):
+        (WebCore::ContentSecurityPolicy::checkEvalAndReportViolation):
+        (WebCore::ContentSecurityPolicy::checkSourceAndReportViolation):
+        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
+        (WebCore::ContentSecurityPolicy::allowInlineScript):
+        (WebCore::ContentSecurityPolicy::allowInlineStyle):
+        (WebCore::ContentSecurityPolicy::allowEval):
+        (WebCore::ContentSecurityPolicy::allowScriptFromSource):
+        (WebCore::ContentSecurityPolicy::allowObjectFromSource):
+        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource):
+        (WebCore::ContentSecurityPolicy::allowImageFromSource):
+        (WebCore::ContentSecurityPolicy::allowStyleFromSource):
+        (WebCore::ContentSecurityPolicy::allowFontFromSource):
+        (WebCore::ContentSecurityPolicy::allowMediaFromSource):
+        (WebCore::ContentSecurityPolicy::addDirective):
+        * page/ContentSecurityPolicy.h:
+
 2011-05-01  Sam Weinig  <sam@webkit.org>
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -471 +471 @@
     m_havePolicy = true;
 
-    if (!internalAllowEval()) {
+    if (!checkEval(operativeDirective(m_scriptSrc.get()))) {
         if (Frame* frame = m_document->frame())
             frame->script()->disableEval();
@@ -509 +509 @@
 }
 
+bool ContentSecurityPolicy::checkEval(CSPDirective* directive) const
+{
+    return !directive || directive->allowEval();
+}
+
+CSPDirective* ContentSecurityPolicy::operativeDirective(CSPDirective* directive) const
+{
+    return directive ? directive : m_defaultSrc.get();
+}
+
+bool ContentSecurityPolicy::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
+{
+    if (!directive || directive->allowInline())
+        return true;
+    reportViolation(directive->text(), consoleMessage);
+    return false;
+}
+
+bool ContentSecurityPolicy::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
+{
+    if (checkEval(directive))
+        return true;
+    reportViolation(directive->text(), consoleMessage);
+    return false;
+}
+
+bool ContentSecurityPolicy::checkSourceAndReportViolation(CSPDirective* directive, const KURL& url, const String& type) const
+{
+    if (!directive || directive->allows(url))
+        return true;
+    reportViolation(directive->text(), makeString("Refused to load ", type, " from '", url.string(), "' because of Content-Security-Policy.\n"));
+    return false;
+}
+
 bool ContentSecurityPolicy::allowJavaScriptURLs() const
 {
-    if (!m_scriptSrc || m_scriptSrc->allowInline())
-        return true;
-
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because of Content-Security-Policy.\n"));
-    reportViolation(m_scriptSrc->text(), consoleMessage);
-    return false;
+    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
 }
 
 bool ContentSecurityPolicy::allowInlineEventHandlers() const
 {
-    if (!m_scriptSrc || m_scriptSrc->allowInline())
-        return true;
-
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because of Content-Security-Policy.\n"));
-    reportViolation(m_scriptSrc->text(), consoleMessage);
-    return false;
+    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
 }
 
 bool ContentSecurityPolicy::allowInlineScript() const
 {
-    if (!m_scriptSrc || m_scriptSrc->allowInline())
-        return true;
-
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because of Content-Security-Policy.\n"));
-    reportViolation(m_scriptSrc->text(), consoleMessage);
-    return false;
+    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
 }
 
 bool ContentSecurityPolicy::allowInlineStyle() const
 {
-    if (!m_styleSrc || m_styleSrc->allowInline())
-        return true;
-
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because of Content-Security-Policy.\n"));
-    reportViolation(m_styleSrc->text(), consoleMessage);
-    return false;
-}
-
-bool ContentSecurityPolicy::internalAllowEval() const
-{
-    return !m_scriptSrc || m_scriptSrc->allowEval();
+    return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage);
 }
 
 bool ContentSecurityPolicy::allowEval() const
 {
-    if (internalAllowEval())
-        return true;
-
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because of Content-Security-Policy.\n"));
-    reportViolation(m_scriptSrc->text(), consoleMessage);
-    return false;
+    return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
 }
 
 bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const
 {
-    if (!m_scriptSrc || m_scriptSrc->allows(url))
-        return true;
-
-    reportViolation(m_scriptSrc->text(), makeString("Refused to load script from '", url.string(), "' because of Content-Security-Policy.\n"));
-    return false;
+    DEFINE_STATIC_LOCAL(String, type, ("script"));
+    return checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, type);
 }
 
 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const
 {
-    if (!m_objectSrc || m_objectSrc->allows(url))
-        return true;
-
-    reportViolation(m_objectSrc->text(), makeString("Refused to load object from '", url.string(), "' because of Content-Security-Policy.\n"));
-    return false;
+    DEFINE_STATIC_LOCAL(String, type, ("object"));
+    return checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, type);
 }
 
 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url) const
 {
-    if (!m_frameSrc || m_frameSrc->allows(url))
-        return true;
-
-    reportViolation(m_frameSrc->text(), makeString("Refused to load frame from '", url.string(), "' because of Content-Security-Policy.\n"));
-    return false;
+    DEFINE_STATIC_LOCAL(String, type, ("frame"));
+    return checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, type);
 }
 
 bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const
 {
-    if (!m_imgSrc || m_imgSrc->allows(url))
-        return true;
-
-    reportViolation(m_imgSrc->text(), makeString("Refused to load image from '", url.string(), "' because of Content-Security-Policy.\n"));
-    return false;
+    DEFINE_STATIC_LOCAL(String, type, ("image"));
+    return checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, type);
 }
 
 bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const
 {
-    if (!m_styleSrc || m_styleSrc->allows(url))
-        return true;
-
-    reportViolation(m_styleSrc->text(), makeString("Refused to load style from '", url.string(), "' because of Content-Security-Policy.\n"));
-    return false;
+    DEFINE_STATIC_LOCAL(String, type, ("style"));
+    return checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, type);
 }
 
 bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const
 {
-    if (!m_fontSrc || m_fontSrc->allows(url))
-        return true;
-
-    reportViolation(m_fontSrc->text(), makeString("Refused to load font from '", url.string(), "' because of Content-Security-Policy.\n"));
-    return false;
+    DEFINE_STATIC_LOCAL(String, type, ("font"));
+    return checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, type);
 }
 
 bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url) const
 {
-    if (!m_mediaSrc || m_mediaSrc->allows(url))
-        return true;
-
-    reportViolation(m_mediaSrc->text(), makeString("Refused to load media from '", url.string(), "' because of Content-Security-Policy.\n"));
-    return false;
+    DEFINE_STATIC_LOCAL(String, type, ("media"));
+    return checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, type);
 }
 
@@ -723 +711 @@
 void ContentSecurityPolicy::addDirective(const String& name, const String& value)
 {
+    DEFINE_STATIC_LOCAL(String, defaultSrc, ("default-src"));
     DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
     DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src"));
@@ -734 +723 @@
     ASSERT(!name.isEmpty());
 
-    if (!m_scriptSrc && equalIgnoringCase(name, scriptSrc))
+    if (!m_defaultSrc && equalIgnoringCase(name, defaultSrc))
+        m_defaultSrc = createCSPDirective(name, value);
+    else if (!m_scriptSrc && equalIgnoringCase(name, scriptSrc))
         m_scriptSrc = createCSPDirective(name, value);
     else if (!m_objectSrc && equalIgnoringCase(name, objectSrc))

trunk/Source/WebCore/page/ContentSecurityPolicy.h

@@ -70 +70 @@
     PassOwnPtr<CSPDirective> createCSPDirective(const String& name, const String& value);
 
+    CSPDirective* operativeDirective(CSPDirective*) const;
     void reportViolation(const String& directiveText, const String& consoleMessage) const;
-    bool internalAllowEval() const;
+    bool checkEval(CSPDirective*) const;
+
+    bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const;
+    bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage) const;
+    bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
 
     bool m_havePolicy;
     Document* m_document;
 
+    OwnPtr<CSPDirective> m_defaultSrc;
     OwnPtr<CSPDirective> m_scriptSrc;
     OwnPtr<CSPDirective> m_objectSrc;