Changeset 85993 in webkit
- Timestamp:
- May 6, 2011 7:13:06 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 6 edited
trunk/LayoutTests/ChangeLog
r85992 r85993 1 2011-05-06 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 Implement "Report-Only" mode for CSP 6 https://bugs.webkit.org/show_bug.cgi?id=60402 7 8 * http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added. 9 * http/tests/security/contentSecurityPolicy/report-only.html: Added. 10 1 11 2011-05-06 Kenji Imasaki <imasaki@chromium.org> 2 12 -
trunk/Source/WebCore/ChangeLog
r85990 r85993 1 2011-05-06 Adam Barth <abarth@webkit.org> 2 3 Reviewed by Eric Seidel. 4 5 Implement "Report-Only" mode for CSP 6 https://bugs.webkit.org/show_bug.cgi?id=60402 7 8 This mode lets web sites try out CSP by getting violation reports (and 9 console spam) without actually changing the behavior of their web sites. 10 11 Test: http/tests/security/contentSecurityPolicy/report-only.html 12 13 * dom/Document.cpp: 14 (WebCore::Document::processHttpEquiv): 15 * loader/FrameLoader.cpp: 16 (WebCore::FrameLoader::didBeginDocument): 17 * page/ContentSecurityPolicy.cpp: 18 (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): 19 (WebCore::ContentSecurityPolicy::didReceiveHeader): 20 (WebCore::ContentSecurityPolicy::reportViolation): 21 (WebCore::ContentSecurityPolicy::checkInlineAndReportViolation): 22 (WebCore::ContentSecurityPolicy::checkEvalAndReportViolation): 23 (WebCore::ContentSecurityPolicy::checkSourceAndReportViolation): 24 (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): 25 * page/ContentSecurityPolicy.h: 26 1 27 2011-05-06 Beth Dakin <bdakin@apple.com> 2 28 -
trunk/Source/WebCore/dom/Document.cpp
r85894 r85993 2636 2636 } 2637 2637 } else if (equalIgnoringCase(equiv, "x-webkit-csp")) 2638 contentSecurityPolicy()->didReceiveHeader(content); 2638 contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::EnforcePolicy); 2639 else if (equalIgnoringCase(equiv, "x-webkit-csp-report-only")) 2640 contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::ReportOnly); 2639 2641 } 2640 2642 -
trunk/Source/WebCore/loader/FrameLoader.cpp
r85785 r85993 720 720 String contentSecurityPolicy = m_documentLoader->response().httpHeaderField("X-WebKit-CSP"); 721 721 if (!contentSecurityPolicy.isEmpty()) 722 m_frame->document()->contentSecurityPolicy()->didReceiveHeader(contentSecurityPolicy); 722 m_frame->document()->contentSecurityPolicy()->didReceiveHeader(contentSecurityPolicy, ContentSecurityPolicy::EnforcePolicy); 723 724 String reportOnlyContentSecurityPolicy = m_documentLoader->response().httpHeaderField("X-WebKit-CSP-Report-Only"); 725 if (!contentSecurityPolicy.isEmpty()) 726 m_frame->document()->contentSecurityPolicy()->didReceiveHeader(reportOnlyContentSecurityPolicy, ContentSecurityPolicy::ReportOnly); 723 727 } 724 728 -
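Review bot: The guard on the new Report-Only branch (new line 725) tests `contentSecurityPolicy` again instead of `reportOnlyContentSecurityPolicy`. As written, a response carrying only `X-WebKit-CSP-Report-Only` never reaches `didReceiveHeader`, and a response carrying only `X-WebKit-CSP` passes an empty string with `ReportOnly`. The condition should read `if (!reportOnlyContentSecurityPolicy.isEmpty())`. How the listed layout test delivers its policy is not visible on this page; a case that sends the report-only policy as an HTTP header alone would cover this path. The enclosing function starts and ends outside the hunk.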
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r85975 r85993 455 455 : m_havePolicy(false) 456 456 , m_document(document) 457 , m_reportOnly(false) 457 458 , m_disableJavaScriptURLs(false) 458 459 { … … 463 464 } 464 465 465 void ContentSecurityPolicy::didReceiveHeader(const String& header )466 void ContentSecurityPolicy::didReceiveHeader(const String& header, HeaderType type) 466 467 { 467 468 if (m_havePolicy) … … 470 471 parse(header); 471 472 m_havePolicy = true; 473 474 switch (type) { 475 case ReportOnly: 476 m_reportOnly = true; 477 return; 478 case EnforcePolicy: 479 ASSERT(!m_reportOnly); 480 break; 481 } 472 482 473 483 if (!checkEval(operativeDirective(m_scriptSrc.get()))) { … … 483 493 return; 484 494 485 frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); 495 String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage; 496 frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, 1, String()); 486 497 487 498 if (m_reportURLs.isEmpty()) … … 524 535 return true; 525 536 reportViolation(directive->text(), consoleMessage); 526 return false;537 return denyIfEnforcingPolicy(); 527 538 } 528 539 … … 532 543 return true; 533 544 reportViolation(directive->text(), consoleMessage); 534 return false;545 return denyIfEnforcingPolicy(); 535 546 } 536 547 … … 540 551 return true; 541 552 reportViolation(directive->text(), makeString("Refused to load ", type, " from '", url.string(), "' because of Content-Security-Policy.\n")); 542 return false;553 return denyIfEnforcingPolicy(); 543 554 } 544 555 … … 548 559 if (m_disableJavaScriptURLs) { 549 560 reportViolation(String(), consoleMessage); 550 return false;561 return denyIfEnforcingPolicy(); 551 562 } 552 563 return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage); -
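Review bot: `didReceiveHeader` records the mode in a single `m_reportOnly` flag behind the existing `if (m_havePolicy)` guard, so whichever policy arrives first appears to decide the mode for the whole document. The statement after that guard is elided here, but if it returns early, a report-only policy received first (for instance through the `x-webkit-csp-report-only` meta handling added in Document.cpp) would leave a later enforcing policy unapplied while every `check…AndReportViolation` path returns allow. Consider letting `EnforcePolicy` take precedence over an earlier `ReportOnly`, or at minimum state the rule at the guard, e.g. `// First policy wins; a later EnforcePolicy header is ignored once a ReportOnly policy is set.` Separately, the `ReportOnly` case returns before the `checkEval` block, so eval use looks to be neither blocked nor reported in report-only mode, which a site evaluating a policy would probably want to see reported.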
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r85975 r85993 44 44 ~ContentSecurityPolicy(); 45 45 46 void didReceiveHeader(const String&); 46 enum HeaderType { 47 ReportOnly, 48 EnforcePolicy 49 }; 50 51 void didReceiveHeader(const String&, HeaderType); 47 52 48 53 bool allowJavaScriptURLs() const; … … 78 83 bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const; 79 84 85 bool denyIfEnforcingPolicy() const { return m_reportOnly; } 86 80 87 bool m_havePolicy; 81 88 Document* m_document; 82 89 90 bool m_reportOnly; 83 91 OwnPtr<CSPDirective> m_defaultSrc; 84 92 OwnPtr<CSPDirective> m_scriptSrc;
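Review bot: `denyIfEnforcingPolicy()` returns `m_reportOnly`, which is the allow/deny result the callers need (true means the load proceeds), but the name reads as if true meant "deny". Since this one-liner is what turns every violation into a block or a pass, it deserves a comment such as `// Result for a violating load: true (allow) in report-only mode, false (block) when enforcing.` The new `HeaderType` enum is also undocumented; a one-line comment on each enumerator saying which header or meta name selects it would help readers of `didReceiveHeader`.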