Changeset 85975 in webkit
- Timestamp:
- May 6, 2011 2:03:57 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 4 edited
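--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,12 @@
+2011-05-06 Adam Barth <abarth@webkit.org>
+
+Reviewed by Eric Seidel.
+
+Add disable-javascript-urls CSP directive
+https://bugs.webkit.org/show_bug.cgi?id=60301
+
+* http/tests/security/contentSecurityPolicy/javascript-urls-blocked-expected.txt: Added.
+* http/tests/security/contentSecurityPolicy/javascript-urls-blocked.html: Added.
+
 2011-05-06 Adam Barth <abarth@webkit.org>
 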
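--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,22 @@
+2011-05-06 Adam Barth <abarth@webkit.org>
+
+Reviewed by Eric Seidel.
+
+Add disable-javascript-urls CSP directive
+https://bugs.webkit.org/show_bug.cgi?id=60301
+
+This CSP directive is not in the CSP spec. This patch is somewhat of
+an experiment to see whether this feature is useful. Based on our
+implementation experience, we will coordinate with folks via the W3C to
+see if this makes sense to add to the spec.
+
+Test: http/tests/security/contentSecurityPolicy/javascript-urls-blocked.html
+
+* page/ContentSecurityPolicy.cpp:
+(WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
+(WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
+(WebCore::ContentSecurityPolicy::addDirective):
+* page/ContentSecurityPolicy.h:
+
 2011-05-06 Brett Wilson <brettw@chromium.org>
 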
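--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
@@ -455,4 +455,5 @@
 : m_havePolicy(false)
 , m_document(document)
+, m_disableJavaScriptURLs(false)
 {
 }
@@ -545,4 +546,8 @@
 {
 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because of Content-Security-Policy.\n"));
+if (m_disableJavaScriptURLs) {
+reportViolation(String(), consoleMessage);
+return false;
+}
 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
 }
@@ -719,4 +724,5 @@
 DEFINE_STATIC_LOCAL(String, mediaSrc, ("media-src"));
 DEFINE_STATIC_LOCAL(String, reportURI, ("report-uri"));
+DEFINE_STATIC_LOCAL(String, disableJavaScriptURLs, ("disable-javascript-urls"));
 
 ASSERT(!name.isEmpty());
@@ -740,5 +746,7 @@
 else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI))
 parseReportURI(value);
-}
-
-}
+else if (equalIgnoringCase(name, disableJavaScriptURLs))
+m_disableJavaScriptURLs = true;
+}
+
+}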
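Review bot: The new early return in allowJavaScriptURLs() calls `reportViolation(String(), consoleMessage)` with an empty first argument. Assuming that argument is the directive text carried into the violation report, whoever triages report-uri reports cannot tell that the block came from `disable-javascript-urls` rather than from script-src. Passing the directive name, e.g. `reportViolation("disable-javascript-urls", consoleMessage);`, would keep the reports attributable. The new branch in addDirective() also ignores `value`; that is fail-closed, but it deserves a comment such as `// Presence alone enables the directive; any value is ignored.`. The signature of allowJavaScriptURLs() and the start of addDirective() are outside the visible hunks.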
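--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.h
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.h
@@ -90,4 +90,10 @@
 OwnPtr<CSPDirective> m_mediaSrc;
 
+// This directive is an experiment and not part of the W3C spec.
+// FIXME: Remove this feature when we rename from X-WebKit-CSP to
+// Content-Security-Policy if we don't convince the working group to adopt
+// the feature.
+bool m_disableJavaScriptURLs;
+
 Vector<KURL> m_reportURLs;
 };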
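Review bot: The comment above `m_disableJavaScriptURLs` records that the directive is experimental but not what the flag enforces. One added line, such as `// When true, allowJavaScriptURLs() refuses every javascript: URL before script-src is consulted.`, would let a reader of the header see the security effect without opening the .cpp. The class declaration starts outside the hunk.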