Changeset 96621 in webkit

Timestamp:

Oct 4, 2011 11:30:32 AM (13 years ago)

Author:

weinig@apple.com

Message:

Add support for the CSP connect-src directive
​https://bugs.webkit.org/show_bug.cgi?id=69353

Reviewed by Adam Barth.

Add CSP support for XMLHttpRequest, WebSockets and EventSource.

Source/WebCore:

Tests: http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html

http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html
http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html
http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html
http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html
http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html

• page/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::allowConnectFromSource):
(WebCore::ContentSecurityPolicy::addDirective):

• page/ContentSecurityPolicy.h:

Add connect-src directive parsing and predicate.

• page/EventSource.cpp:

(WebCore::EventSource::create):

• websockets/WebSocket.cpp:

(WebCore::WebSocket::connect):

• xml/XMLHttpRequest.cpp:

(WebCore::XMLHttpRequest::open):
Test allowConnectFromSource when establishing a connection.

LayoutTests:

• http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html: Added.
• http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html: Added.
• http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (3 diffs)
• Source/WebCore/page/ContentSecurityPolicy.h (modified) (2 diffs)
• Source/WebCore/page/EventSource.cpp (modified) (2 diffs)
• Source/WebCore/websockets/WebSocket.cpp (modified) (2 diffs)
• Source/WebCore/xml/XMLHttpRequest.cpp (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-10-04  Sam Weinig  <sam@webkit.org>
+
+        Add support for the CSP connect-src directive
+        https://bugs.webkit.org/show_bug.cgi?id=69353
+
+        Reviewed by Adam Barth.
+
+        Add CSP support for XMLHttpRequest, WebSockets and EventSource.
+
+        * http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html: Added.
+
 2011-10-03  David Hyatt  <hyatt@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-10-04  Sam Weinig  <sam@webkit.org>
+
+        Add support for the CSP connect-src directive
+        https://bugs.webkit.org/show_bug.cgi?id=69353
+
+        Reviewed by Adam Barth.
+
+        Add CSP support for XMLHttpRequest, WebSockets and EventSource.
+
+        Tests: http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html
+               http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html
+               http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html
+               http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html
+               http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html
+               http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowConnectFromSource):
+        (WebCore::ContentSecurityPolicy::addDirective):
+        * page/ContentSecurityPolicy.h:
+        Add connect-src directive parsing and predicate.
+
+        * page/EventSource.cpp:
+        (WebCore::EventSource::create):
+        * websockets/WebSocket.cpp:
+        (WebCore::WebSocket::connect):
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::open):
+        Test allowConnectFromSource when establishing a connection.
+
 2011-10-03  David Hyatt  <hyatt@apple.com>
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -645 +645 @@
 }
 
+bool ContentSecurityPolicy::allowConnectFromSource(const KURL& url) const
+{
+    DEFINE_STATIC_LOCAL(String, type, ("connect"));
+    return checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type);
+}
+
 // policy            = directive-list
 // directive-list    = [ directive *( ";" [ directive ] ) ]
@@ -749 +755 @@
     DEFINE_STATIC_LOCAL(String, fontSrc, ("font-src"));
     DEFINE_STATIC_LOCAL(String, mediaSrc, ("media-src"));
+    DEFINE_STATIC_LOCAL(String, connectSrc, ("connect-src"));
     DEFINE_STATIC_LOCAL(String, reportURI, ("report-uri"));
 
@@ -769 +776 @@
     else if (!m_mediaSrc && equalIgnoringCase(name, mediaSrc))
         m_mediaSrc = createCSPDirective(name, value);
+    else if (!m_connectSrc && equalIgnoringCase(name, connectSrc))
+        m_connectSrc = createCSPDirective(name, value);
     else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI))
         parseReportURI(value);

trunk/Source/WebCore/page/ContentSecurityPolicy.h

@@ -64 +64 @@
     bool allowFontFromSource(const KURL&) const;
     bool allowMediaFromSource(const KURL&) const;
+    bool allowConnectFromSource(const KURL&) const;
 
 private:
@@ -97 +98 @@
     OwnPtr<CSPDirective> m_fontSrc;
     OwnPtr<CSPDirective> m_mediaSrc;
+    OwnPtr<CSPDirective> m_connectSrc;
     Vector<KURL> m_reportURLs;
 };

trunk/Source/WebCore/page/EventSource.cpp

@@ -35 +35 @@
 #include "EventSource.h"
 
-#include "MemoryCache.h"
+#include "ContentSecurityPolicy.h"
 #include "DOMWindow.h"
 #include "Event.h"
 #include "EventException.h"
 #include "ExceptionCode.h"
+#include "MemoryCache.h"
+#include "MessageEvent.h"
 #include "PlatformString.h"
-#include "MessageEvent.h"
 #include "ResourceError.h"
 #include "ResourceRequest.h"
@@ -84 +85 @@
     // FIXME: Should support at least some cross-origin requests.
     if (!context->securityOrigin()->canRequest(fullURL)) {
+        ec = SECURITY_ERR;
+        return 0;
+    }
+
+    if (!context->contentSecurityPolicy()->allowConnectFromSource(fullURL)) {
+        // FIXME: Should this be throwing an exception?
         ec = SECURITY_ERR;
         return 0;

trunk/Source/WebCore/websockets/WebSocket.cpp

@@ -38 +38 @@
 #include "BlobData.h"
 #include "CloseEvent.h"
+#include "ContentSecurityPolicy.h"
 #include "DOMWindow.h"
 #include "Event.h"
@@ -194 +195 @@
         scriptExecutionContext()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "WebSocket port " + String::number(m_url.port()) + " blocked", 0, scriptExecutionContext()->securityOrigin()->toString(), 0);
         m_state = CLOSED;
+        ec = SECURITY_ERR;
+        return;
+    }
+
+    if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(m_url)) {
+        m_state = CLOSED;
+
+        // FIXME: Should this be throwing an exception?
         ec = SECURITY_ERR;
         return;

trunk/Source/WebCore/xml/XMLHttpRequest.cpp

@@ -25 +25 @@
 #include "ArrayBuffer.h"
 #include "Blob.h"
-#include "MemoryCache.h"
+#include "ContentSecurityPolicy.h"
 #include "CrossOriginAccessControl.h"
 #include "DOMFormData.h"
@@ -39 +39 @@
 #include "HTTPValidation.h"
 #include "InspectorInstrumentation.h"
+#include "MemoryCache.h"
 #include "ResourceError.h"
 #include "ResourceRequest.h"
@@ -52 +53 @@
 #include "XMLHttpRequestUpload.h"
 #include "markup.h"
+#include <wtf/RefCountedLeakCounter.h>
+#include <wtf/StdLibExtras.h>
+#include <wtf/UnusedParam.h>
 #include <wtf/text/CString.h>
-#include <wtf/StdLibExtras.h>
-#include <wtf/RefCountedLeakCounter.h>
-#include <wtf/UnusedParam.h>
 
 #if USE(JSC)
@@ -427 +428 @@
     }
 
+    if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) {
+        // FIXME: Should this be throwing an exception?
+        ec = SECURITY_ERR;
+        return;
+    }
+
     m_method = uppercaseKnownHTTPMethod(method);