Changeset 96621 in webkit
- Timestamp:
- Oct 4, 2011 11:30:32 AM (13 years ago)
- Location:
- trunk
- Files:
-
- 12 added
- 7 edited
trunk/LayoutTests/ChangeLog
r96620 r96621 1 2011-10-04 Sam Weinig <sam@webkit.org> 2 3 Add support for the CSP connect-src directive 4 https://bugs.webkit.org/show_bug.cgi?id=69353 5 6 Reviewed by Adam Barth. 7 8 Add CSP support for XMLHttpRequest, WebSockets and EventSource. 9 10 * http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt: Added. 11 * http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html: Added. 12 * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt: Added. 13 * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html: Added. 14 * http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt: Added. 15 * http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html: Added. 16 * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt: Added. 17 * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html: Added. 18 * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt: Added. 19 * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html: Added. 20 * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt: Added. 21 * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html: Added. 22 1 23 2011-10-03 David Hyatt <hyatt@apple.com> 2 24 -
trunk/Source/WebCore/ChangeLog
r96620 r96621 1 2011-10-04 Sam Weinig <sam@webkit.org> 2 3 Add support for the CSP connect-src directive 4 https://bugs.webkit.org/show_bug.cgi?id=69353 5 6 Reviewed by Adam Barth. 7 8 Add CSP support for XMLHttpRequest, WebSockets and EventSource. 9 10 Tests: http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html 11 http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html 12 http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html 13 http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html 14 http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html 15 http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html 16 17 * page/ContentSecurityPolicy.cpp: 18 (WebCore::ContentSecurityPolicy::allowConnectFromSource): 19 (WebCore::ContentSecurityPolicy::addDirective): 20 * page/ContentSecurityPolicy.h: 21 Add connect-src directive parsing and predicate. 22 23 * page/EventSource.cpp: 24 (WebCore::EventSource::create): 25 * websockets/WebSocket.cpp: 26 (WebCore::WebSocket::connect): 27 * xml/XMLHttpRequest.cpp: 28 (WebCore::XMLHttpRequest::open): 29 Test allowConnectFromSource when establishing a connection. 30 1 31 2011-10-03 David Hyatt <hyatt@apple.com> 2 32 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r96550 r96621 645 645 } 646 646 647 bool ContentSecurityPolicy::allowConnectFromSource(const KURL& url) const 648 { 649 DEFINE_STATIC_LOCAL(String, type, ("connect")); 650 return checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type); 651 } 652 647 653 // policy = directive-list 648 654 // directive-list = [ directive *( ";" [ directive ] ) ] … … 749 755 DEFINE_STATIC_LOCAL(String, fontSrc, ("font-src")); 750 756 DEFINE_STATIC_LOCAL(String, mediaSrc, ("media-src")); 757 DEFINE_STATIC_LOCAL(String, connectSrc, ("connect-src")); 751 758 DEFINE_STATIC_LOCAL(String, reportURI, ("report-uri")); 752 759 … … 769 776 else if (!m_mediaSrc && equalIgnoringCase(name, mediaSrc)) 770 777 m_mediaSrc = createCSPDirective(name, value); 778 else if (!m_connectSrc && equalIgnoringCase(name, connectSrc)) 779 m_connectSrc = createCSPDirective(name, value); 771 780 else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI)) 772 781 parseReportURI(value); -
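Review bot: `allowConnectFromSource` has no comment explaining why it goes through `operativeDirective(m_connectSrc.get())` rather than using `m_connectSrc` directly, and the fallback behaviour is the part a policy author cares about; `operativeDirective` is not visible in this hunk, so the exact fallback should be confirmed before documenting it. I would add above the function: `// Resolves the connect-src policy for |url|; when no connect-src directive was parsed, operativeDirective() presumably falls back to the default-src directive — confirm.` and `// Violations are reported with the "connect" type via checkSourceAndReportViolation.` In `addDirective`, the `!m_connectSrc &&` guard matches the sibling directives, so a repeated `connect-src` in one header is silently dropped and the first one wins; a short comment on the branch, `// First connect-src wins; later duplicates are ignored like the other directives.`, would make that intent explicit.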
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r96550 r96621 64 64 bool allowFontFromSource(const KURL&) const; 65 65 bool allowMediaFromSource(const KURL&) const; 66 bool allowConnectFromSource(const KURL&) const; 66 67 67 68 private: … … 97 98 OwnPtr<CSPDirective> m_fontSrc; 98 99 OwnPtr<CSPDirective> m_mediaSrc; 100 OwnPtr<CSPDirective> m_connectSrc; 99 101 Vector<KURL> m_reportURLs; 100 102 }; -
trunk/Source/WebCore/page/EventSource.cpp
r95901 r96621 35 35 #include "EventSource.h" 36 36 37 #include " MemoryCache.h"37 #include "ContentSecurityPolicy.h" 38 38 #include "DOMWindow.h" 39 39 #include "Event.h" 40 40 #include "EventException.h" 41 41 #include "ExceptionCode.h" 42 #include "MemoryCache.h" 43 #include "MessageEvent.h" 42 44 #include "PlatformString.h" 43 #include "MessageEvent.h"44 45 #include "ResourceError.h" 45 46 #include "ResourceRequest.h" … … 84 85 // FIXME: Should support at least some cross-origin requests. 85 86 if (!context->securityOrigin()->canRequest(fullURL)) { 87 ec = SECURITY_ERR; 88 return 0; 89 } 90 91 if (!context->contentSecurityPolicy()->allowConnectFromSource(fullURL)) { 92 // FIXME: Should this be throwing an exception? 86 93 ec = SECURITY_ERR; 87 94 return 0; -
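Review bot: The new `allowConnectFromSource(fullURL)` check sits behind the existing `canRequest(fullURL)` rejection, so a cross-origin EventSource URL fails with `SECURITY_ERR` before the policy is ever consulted and, if `checkSourceAndReportViolation` is what produces the report-uri callback, no violation is reported for it; whether that is intended should be stated. Only the initial `fullURL` is checked here, and nothing in this hunk covers redirects that the connection later follows, so the comment should say so. I would replace the bare `// FIXME: Should this be throwing an exception?` with `// FIXME: Should this be throwing an exception? The CSP draft treats a blocked connection as a network error rather than a script-visible failure; confirm. Redirect targets are not checked here.` `EventSource::create` starts and ends outside this hunk.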
trunk/Source/WebCore/websockets/WebSocket.cpp
r95901 r96621 38 38 #include "BlobData.h" 39 39 #include "CloseEvent.h" 40 #include "ContentSecurityPolicy.h" 40 41 #include "DOMWindow.h" 41 42 #include "Event.h" … … 194 195 scriptExecutionContext()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, "WebSocket port " + String::number(m_url.port()) + " blocked", 0, scriptExecutionContext()->securityOrigin()->toString(), 0); 195 196 m_state = CLOSED; 197 ec = SECURITY_ERR; 198 return; 199 } 200 201 if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(m_url)) { 202 m_state = CLOSED; 203 204 // FIXME: Should this be throwing an exception? 196 205 ec = SECURITY_ERR; 197 206 return; -
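Review bot: The new block passes `m_url`, a `ws:`/`wss:` URL, to `allowConnectFromSource`, and nothing in this change shows that the source-list matcher accepts a host-only source expression for a scheme that differs from the document's; if it does not, `connect-src example.com` on an `http:` page will reject `ws://example.com`, and authors will need an explicit scheme. That should be confirmed against the `connect-src-websocket-allowed` test and documented at the call site, e.g. `// NOTE: source expressions without a scheme may not match ws:/wss: URLs — confirm matcher behaviour.` The preceding port-block branch logs a console message before closing, while the CSP branch relies on the reporting done inside `allowConnectFromSource`; a comment, `// Violation reporting (console + report-uri) happens inside allowConnectFromSource.`, would explain the asymmetry. `WebSocket::connect` begins and continues outside this hunk.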
trunk/Source/WebCore/xml/XMLHttpRequest.cpp
r94640 r96621 25 25 #include "ArrayBuffer.h" 26 26 #include "Blob.h" 27 #include " MemoryCache.h"27 #include "ContentSecurityPolicy.h" 28 28 #include "CrossOriginAccessControl.h" 29 29 #include "DOMFormData.h" … … 39 39 #include "HTTPValidation.h" 40 40 #include "InspectorInstrumentation.h" 41 #include "MemoryCache.h" 41 42 #include "ResourceError.h" 42 43 #include "ResourceRequest.h" … … 52 53 #include "XMLHttpRequestUpload.h" 53 54 #include "markup.h" 55 #include <wtf/RefCountedLeakCounter.h> 56 #include <wtf/StdLibExtras.h> 57 #include <wtf/UnusedParam.h> 54 58 #include <wtf/text/CString.h> 55 #include <wtf/StdLibExtras.h>56 #include <wtf/RefCountedLeakCounter.h>57 #include <wtf/UnusedParam.h>58 59 59 60 #if USE(JSC) … … 427 428 } 428 429 430 if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) { 431 // FIXME: Should this be throwing an exception? 432 ec = SECURITY_ERR; 433 return; 434 } 435 429 436 m_method = uppercaseKnownHTTPMethod(method); 430 437
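Review bot: Throwing `SECURITY_ERR` from `open()` when `allowConnectFromSource(url)` fails makes a connect-src block observable synchronously to script, whereas the CSP draft, as far as I recall it, asks for blocked fetches to behave like a network error; the FIXME already raises this, so it should at least record the trade-off and the spec version targeted. The check also runs once on the URL given to `open()`, before `m_method` is set, and nothing here re-checks the target of a redirect, which is the usual gap in connect-src enforcement. I would expand the FIXME to `// FIXME: Should this be throwing an exception? The CSP draft treats a blocked connection as a network error. Only the initial URL is checked; redirects are not re-validated here.` `XMLHttpRequest::open` starts and ends outside this hunk.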