Changeset 85975 in webkit


Ignore:
Timestamp:
May 6, 2011 2:03:57 PM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-05-06 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

Add disable-javascript-urls CSP directive
https://bugs.webkit.org/show_bug.cgi?id=60301

  • http/tests/security/contentSecurityPolicy/javascript-urls-blocked-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/javascript-urls-blocked.html: Added.

2011-05-06 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

Add disable-javascript-urls CSP directive
https://bugs.webkit.org/show_bug.cgi?id=60301

This CSP directive is not in the CSP spec. This patch is somewhat of
an experiment to see whether this feature is useful. Based on our
implementation experience, we will coordinate with folks via the W3C to
see if this makes sense to add to the spec.

Test: http/tests/security/contentSecurityPolicy/javascript-urls-blocked.html

  • page/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): (WebCore::ContentSecurityPolicy::addDirective):
  • page/ContentSecurityPolicy.h:
Location:
trunk
Files:
2 added
4 edited

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r85972 r85975  
     12011-05-06  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        Add disable-javascript-urls CSP directive
     6        https://bugs.webkit.org/show_bug.cgi?id=60301
     7
     8        * http/tests/security/contentSecurityPolicy/javascript-urls-blocked-expected.txt: Added.
     9        * http/tests/security/contentSecurityPolicy/javascript-urls-blocked.html: Added.
     10
    1112011-05-06  Adam Barth  <abarth@webkit.org>
    212
  • trunk/Source/WebCore/ChangeLog

    r85974 r85975  
     12011-05-06  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Eric Seidel.
     4
     5        Add disable-javascript-urls CSP directive
     6        https://bugs.webkit.org/show_bug.cgi?id=60301
     7
     8        This CSP directive is not in the CSP spec.  This patch is somewhat of
     9        an experiment to see whether this feature is useful.  Based on our
     10        implementation experience, we will coordinate with folks via the W3C to
     11        see if this makes sense to add to the spec.
     12
     13        Test: http/tests/security/contentSecurityPolicy/javascript-urls-blocked.html
     14
     15        * page/ContentSecurityPolicy.cpp:
     16        (WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
     17        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
     18        (WebCore::ContentSecurityPolicy::addDirective):
     19        * page/ContentSecurityPolicy.h:
     20
    1212011-05-06  Brett Wilson  <brettw@chromium.org>
    222
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r85453 r85975  
    455455    : m_havePolicy(false)
    456456    , m_document(document)
     457    , m_disableJavaScriptURLs(false)
    457458{
    458459}
     
    545546{
    546547    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because of Content-Security-Policy.\n"));
     548    if (m_disableJavaScriptURLs) {
     549        reportViolation(String(), consoleMessage);
     550        return false;
     551    }
    547552    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
    548553}
     
    719724    DEFINE_STATIC_LOCAL(String, mediaSrc, ("media-src"));
    720725    DEFINE_STATIC_LOCAL(String, reportURI, ("report-uri"));
     726    DEFINE_STATIC_LOCAL(String, disableJavaScriptURLs, ("disable-javascript-urls"));
    721727
    722728    ASSERT(!name.isEmpty());
     
    740746    else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI))
    741747        parseReportURI(value);
    742 }
    743 
    744 }
     748    else if (equalIgnoringCase(name, disableJavaScriptURLs))
     749        m_disableJavaScriptURLs = true;
     750}
     751
     752}
  • trunk/Source/WebCore/page/ContentSecurityPolicy.h

    r85451 r85975  
    9090    OwnPtr<CSPDirective> m_mediaSrc;
    9191
     92    // This directive is an experiment and not part of the W3C spec.
     93    // FIXME: Remove this feature when we rename from X-WebKit-CSP to
     94    // Content-Security-Policy if we don't convince the working group to adopt
     95    // the feature.
     96    bool m_disableJavaScriptURLs;
     97
    9298    Vector<KURL> m_reportURLs;
    9399};
Note: See TracChangeset for help on using the changeset viewer.