Changeset 85993 in webkit


Timestamp:
May 6, 2011 7:13:06 PM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-05-06 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

Implement "Report-Only" mode for CSP
https://bugs.webkit.org/show_bug.cgi?id=60402

  • http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/report-only.html: Added.

2011-05-06 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

Implement "Report-Only" mode for CSP
https://bugs.webkit.org/show_bug.cgi?id=60402

This mode lets web sites try out CSP by getting violation reports (and
console spam) without actually changing the behavior of their web sites.

Test: http/tests/security/contentSecurityPolicy/report-only.html

  • dom/Document.cpp: (WebCore::Document::processHttpEquiv):
  • loader/FrameLoader.cpp: (WebCore::FrameLoader::didBeginDocument):
  • page/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): (WebCore::ContentSecurityPolicy::didReceiveHeader): (WebCore::ContentSecurityPolicy::reportViolation): (WebCore::ContentSecurityPolicy::checkInlineAndReportViolation): (WebCore::ContentSecurityPolicy::checkEvalAndReportViolation): (WebCore::ContentSecurityPolicy::checkSourceAndReportViolation): (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
  • page/ContentSecurityPolicy.h:
Location:
trunk
Files:
2 added
6 edited

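--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,12 @@
+2011-05-06  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Implement "Report-Only" mode for CSP
+        https://bugs.webkit.org/show_bug.cgi?id=60402
+
+        * http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/report-only.html: Added.
+
 2011-05-06  Kenji Imasaki  <imasaki@chromium.org>
 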
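--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,28 @@
+2011-05-06  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Implement "Report-Only" mode for CSP
+        https://bugs.webkit.org/show_bug.cgi?id=60402
+
+        This mode lets web sites try out CSP by getting violation reports (and
+        console spam) without actually changing the behavior of their web sites.
+
+        Test: http/tests/security/contentSecurityPolicy/report-only.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::processHttpEquiv):
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::didBeginDocument):
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
+        (WebCore::ContentSecurityPolicy::didReceiveHeader):
+        (WebCore::ContentSecurityPolicy::reportViolation):
+        (WebCore::ContentSecurityPolicy::checkInlineAndReportViolation):
+        (WebCore::ContentSecurityPolicy::checkEvalAndReportViolation):
+        (WebCore::ContentSecurityPolicy::checkSourceAndReportViolation):
+        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
+        * page/ContentSecurityPolicy.h:
+
 2011-05-06  Beth Dakin  <bdakin@apple.com>
 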
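--- a/trunk/Source/WebCore/dom/Document.cpp
+++ b/trunk/Source/WebCore/dom/Document.cpp
@@ -2636,5 +2636,7 @@
         }
     } else if (equalIgnoringCase(equiv, "x-webkit-csp"))
-        contentSecurityPolicy()->didReceiveHeader(content);
+        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::EnforcePolicy);
+    else if (equalIgnoringCase(equiv, "x-webkit-csp-report-only"))
+        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::ReportOnly);
 }
 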
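--- a/trunk/Source/WebCore/loader/FrameLoader.cpp
+++ b/trunk/Source/WebCore/loader/FrameLoader.cpp
@@ -720,5 +720,9 @@
         String contentSecurityPolicy = m_documentLoader->response().httpHeaderField("X-WebKit-CSP");
         if (!contentSecurityPolicy.isEmpty())
-            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(contentSecurityPolicy);
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(contentSecurityPolicy, ContentSecurityPolicy::EnforcePolicy);
+
+        String reportOnlyContentSecurityPolicy = m_documentLoader->response().httpHeaderField("X-WebKit-CSP-Report-Only");
+        if (!contentSecurityPolicy.isEmpty())
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(reportOnlyContentSecurityPolicy, ContentSecurityPolicy::ReportOnly);
     }
 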
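Review bot: The guard added at new line 725 tests `contentSecurityPolicy` again instead of `reportOnlyContentSecurityPolicy`, so a response that carries only `X-WebKit-CSP-Report-Only` never reaches `didReceiveHeader`. When only `X-WebKit-CSP` is present, the second call passes an empty string with `ContentSecurityPolicy::ReportOnly`. Report-only mode therefore looks unreachable through the HTTP header path, and a site testing a policy this way would get no violation reports. The condition should read `if (!reportOnlyContentSecurityPolicy.isEmpty())`. The enclosing function starts and ends outside the hunk.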
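--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
@@ -455,4 +455,5 @@
     : m_havePolicy(false)
     , m_document(document)
+    , m_reportOnly(false)
     , m_disableJavaScriptURLs(false)
 {
@@ -463,5 +464,5 @@
 }
 
-void ContentSecurityPolicy::didReceiveHeader(const String& header)
+void ContentSecurityPolicy::didReceiveHeader(const String& header, HeaderType type)
 {
     if (m_havePolicy)
@@ -470,4 +471,13 @@
     parse(header);
     m_havePolicy = true;
+
+    switch (type) {
+    case ReportOnly:
+        m_reportOnly = true;
+        return;
+    case EnforcePolicy:
+        ASSERT(!m_reportOnly);
+        break;
+    }
 
     if (!checkEval(operativeDirective(m_scriptSrc.get()))) {
@@ -483,5 +493,6 @@
         return;
 
-    frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
+    String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
+    frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, 1, String());
 
     if (m_reportURLs.isEmpty())
@@ -524,5 +535,5 @@
         return true;
     reportViolation(directive->text(), consoleMessage);
-    return false;
+    return denyIfEnforcingPolicy();
 }
 
@@ -532,5 +543,5 @@
         return true;
     reportViolation(directive->text(), consoleMessage);
-    return false;
+    return denyIfEnforcingPolicy();
 }
 
@@ -540,5 +551,5 @@
         return true;
     reportViolation(directive->text(), makeString("Refused to load ", type, " from '", url.string(), "' because of Content-Security-Policy.\n"));
-    return false;
+    return denyIfEnforcingPolicy();
 }
 
@@ -548,5 +559,5 @@
     if (m_disableJavaScriptURLs) {
         reportViolation(String(), consoleMessage);
-        return false;
+        return denyIfEnforcingPolicy();
     }
     return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);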
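Review bot: `didReceiveHeader` still keeps one parsed policy and one `m_reportOnly` flag behind the `if (m_havePolicy)` guard at new line 468, so the first header received decides the mode for the whole document. The guard's body is elided here and is presumably an early return; if so, a report-only policy that arrives first causes a later enforcing policy to be dropped, leaving nothing enforced. On the `<meta http-equiv>` path the order follows the markup, so this should be documented above the switch, for example `// Only the first policy received is honoured; a report-only policy received first leaves the document unenforced.`, or an `EnforcePolicy` header should be allowed to replace a report-only one. Separately, the `ReportOnly` case returns before the `checkEval` block at new line 483, whose body is outside the hunk, so it is worth confirming that eval violations are still reported in report-only mode.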
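--- a/trunk/Source/WebCore/page/ContentSecurityPolicy.h
+++ b/trunk/Source/WebCore/page/ContentSecurityPolicy.h
@@ -44,5 +44,10 @@
     ~ContentSecurityPolicy();
 
-    void didReceiveHeader(const String&);
+    enum HeaderType {
+        ReportOnly,
+        EnforcePolicy
+    };
+
+    void didReceiveHeader(const String&, HeaderType);
 
     bool allowJavaScriptURLs() const;
@@ -78,7 +83,10 @@
     bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
 
+    bool denyIfEnforcingPolicy() const { return m_reportOnly; }
+
     bool m_havePolicy;
     Document* m_document;
 
+    bool m_reportOnly;
     OwnPtr<CSPDirective> m_defaultSrc;
     OwnPtr<CSPDirective> m_scriptSrc;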
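Review bot: `denyIfEnforcingPolicy()` at new line 85 returns `m_reportOnly`, and that value is handed straight back as the allow/deny result of the `check…AndReportViolation` functions, where `true` means the action proceeds. The name reads as if `true` meant "deny", which makes it easy for a later edit to invert an enforcement decision. A one-line comment would pin the contract, for example `// Returns false (deny) when the policy is enforced, true (allow) in report-only mode.` The class declaration starts and ends outside the hunk.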