Changeset 97035 in webkit


Timestamp:
Oct 9, 2011 6:15:21 PM
Author:
abarth@webkit.org
Message:

CSP should log unrecognized directives to the console
https://bugs.webkit.org/show_bug.cgi?id=69728

Reviewed by Sam Weinig.

Source/WebCore:

Several of the web developers who have been experimenting with CSP have
run into trouble with directives we don't support. For example, one
developer was confused for a while why image-src didn't do what he
expected. Logging a message to the console will help these folks
figure out what's going on.

  • page/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::reportUnrecognizedDirective):
(WebCore::ContentSecurityPolicy::addDirective):

  • page/ContentSecurityPolicy.h:

LayoutTests:

Update expected results to include new console message about unrecognized directives.

  • http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
  • http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
  • http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt:
  • http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt:
  • http/tests/security/contentSecurityPolicy/script-src-none-expected.txt:
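As an added illustration of the directive-recognition step this changeset touches (example code, not WebKit's own), the parser below splits a policy string on ';', looks each directive name up case-insensitively in a directive table, and reports names it does not know in the same wording as the new console message. The directive table is an assumption standing in for the set WebKit accepted at the time, and the duplicate handling (a repeated `report-uri` is recorded as a duplicate rather than as unrecognized) goes beyond what the changeset does. The sample header in `main` is constructed and includes the `image-src` typo mentioned in the description.

```cpp
// Added example, not WebKit code: a minimal Content-Security-Policy directive
// parser that reports unrecognized names and keeps duplicates separate.
#include <cctype>
#include <iostream>
#include <map>
#include <string>
#include <vector>

struct CspParseResult {
    std::map<std::string, std::string> directives; // recognized name (lowercase) -> value, first wins
    std::vector<std::string> unrecognized;         // names not in the table, as written in the header
    std::vector<std::string> duplicates;           // recognized names that appeared a second time
};

static bool isCspSpace(char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f';
}

static std::string trim(const std::string& s) {
    size_t b = 0, e = s.size();
    while (b < e && isCspSpace(s[b])) ++b;
    while (e > b && isCspSpace(s[e - 1])) --e;
    return s.substr(b, e - b);
}

static std::string lowerAscii(std::string s) {
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Assumed directive table (illustrative; not taken from the changeset).
// Expects an already lowercased name.
bool isKnownDirective(const std::string& lowerName) {
    static const char* const known[] = {
        "default-src", "script-src", "object-src", "frame-src", "img-src",
        "style-src", "font-src", "media-src", "connect-src", "report-uri"
    };
    for (const char* k : known)
        if (lowerName == k)
            return true;
    return false;
}

// Splits "name value; name value; ..." into directives. Empty segments are skipped,
// name matching is case-insensitive, and the first occurrence of a name wins.
CspParseResult parsePolicy(const std::string& policy) {
    CspParseResult result;
    size_t start = 0;
    while (start <= policy.size()) {
        size_t end = policy.find(';', start);
        if (end == std::string::npos)
            end = policy.size();
        std::string token = trim(policy.substr(start, end - start));
        start = end + 1;
        if (token.empty())
            continue;
        size_t split = 0;
        while (split < token.size() && !isCspSpace(token[split]))
            ++split;
        std::string rawName = token.substr(0, split);
        std::string name = lowerAscii(rawName);
        std::string value = trim(token.substr(split));
        if (!isKnownDirective(name)) {
            result.unrecognized.push_back(rawName);
            continue;
        }
        if (result.directives.count(name)) {
            result.duplicates.push_back(rawName);
            continue;
        }
        result.directives[name] = value;
    }
    return result;
}

// Formats the messages a console would receive: one line per unrecognized
// name (same wording as the changeset), plus one per duplicate (assumed wording).
std::vector<std::string> consoleMessages(const CspParseResult& r) {
    std::vector<std::string> out;
    for (const std::string& n : r.unrecognized)
        out.push_back("Unrecognized Content-Security-Policy directive '" + n + "'.");
    for (const std::string& n : r.duplicates)
        out.push_back("Ignoring duplicate Content-Security-Policy directive '" + n + "'.");
    return out;
}

int main() {
    // Constructed sample header with a typo (image-src), a repeated report-uri and
    // a directive from the older X-Content-Security-Policy syntax (allow).
    const std::string header =
        "default-src 'self'; image-src *; report-uri /csp-report; Report-URI /again; allow 'self'";
    for (const std::string& msg : consoleMessages(parsePolicy(header)))
        std::cout << msg << '\n';
    return 0;
}
```

Keeping the "is the name known" test separate from the "have we already seen it" test is what lets the parser tell a typo apart from a duplicate; folding both into a single if/else-if chain, as the changeset's `addDirective` does, makes a second `report-uri` look unrecognized.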
Location:
trunk
Files:
3 added
2 deleted
11 edited
3 copied

  • trunk/LayoutTests/ChangeLog

    r97034 r97035  
     12011-10-09  Adam Barth  <abarth@webkit.org>
     2
     3        CSP should log unrecognized directives to the console
     4        https://bugs.webkit.org/show_bug.cgi?id=69728
     5
     6        Reviewed by Sam Weinig.
     7
     8        Update expected results to include new console message about unrecognized directives.
     9
     10        * http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt:
     11        * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
     12        * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
     13        * http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt:
     14        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
     15        * http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt:
     16        * http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt:
     17        * http/tests/security/contentSecurityPolicy/script-src-none-expected.txt:
     18
    1192011-10-09  W. James MacLean  <wjmaclean@chromium.org>
    220
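Review bot: the file list in this ChangeLog entry names http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt, but the files this changeset actually modifies are directive-parsing-01-expected.txt, directive-parsing-02-expected.txt and directive-parsing-03-expected.txt; list the three files so the log matches the diff.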
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt

    r97034 r97035  
     1CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
     2
    13CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
    24
    3 Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.
     5This script should not execute even though there are parse errors in the policy.
    46
    57
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt

    r97034 r97035  
     1CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'aaa'.
     2
    13CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
    24
    3 Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.
     5This script should not execute even though there are parse errors in the policy.
    46
    57
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt

    r97034 r97035  
    11CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
    22
    3 Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.
     3This script should not execute even though there are parse errors in the policy.
    44
    55
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt

    r84457 r97035  
     1CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'options'.
     2
    13CONSOLE MESSAGE: line 1: Refused to execute inline script because of Content-Security-Policy.
    24
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt

    r84457 r97035  
     1CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'options'.
     2
    13CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because of Content-Security-Policy.
    24
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt

    r84457 r97035  
     1CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
     2
    13ALERT: PASS
    24
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt

    r84457 r97035  
     1CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
     2
    13CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because of Content-Security-Policy.
    24
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt

    r78569 r97035  
     1CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'script-img'.
     2
    13
    24
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt

    r78058 r97035  
     1CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
     2
    13Loads an iframe (a) which loads an iframe (b) which in turns tries to load an external script. The iframe (a) has a content security policy disabling external scripts. As this policy does not apply to (b), the script should be executed.
    24
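Review bot: the new first line shows that the 'allow' directive in this test's policy is not recognized, so if that directive is what was meant to disable external scripts in iframe (a), the policy now restricts nothing and the test passes vacuously rather than because the policy does not apply to (b). Rewrite the test policy in terms of a supported directive (for example script-src 'none', as the script-src-none test does) so the expected result still exercises the cross-frame scoping the description claims.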
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt

    r84457 r97035  
     1CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
     2
    13CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
    24
  • trunk/Source/WebCore/ChangeLog

    r97034 r97035  
     12011-10-09  Adam Barth  <abarth@webkit.org>
     2
     3        CSP should log unrecognized directives to the console
     4        https://bugs.webkit.org/show_bug.cgi?id=69728
     5
     6        Reviewed by Sam Weinig.
     7
     8        Several of the web developers who have been experimenting with CSP have
     9        run into trouble with directives we don't support.  For example, one
     10        developer was confused for a while why image-src didn't do what he
     11        expected.  Logging a message to the console will help these folks
     12        figure out what's going on.
     13
     14        * page/ContentSecurityPolicy.cpp:
     15        (WebCore::ContentSecurityPolicy::reportUnrecognizedDirective):
     16        (WebCore::ContentSecurityPolicy::addDirective):
     17        * page/ContentSecurityPolicy.h:
     18
    1192011-10-09  W. James MacLean  <wjmaclean@chromium.org>
    220
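Review bot: this ChangeLog entry credits WebCore::ContentSecurityPolicy::reportUnrecognizedDirective, but the function added in page/ContentSecurityPolicy.cpp and page/ContentSecurityPolicy.h below is logUnrecognizedDirective; fix the name so the log matches the code (the changeset summary at the top repeats the same mismatch).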
  • trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

    r96667 r97035  
    534534}
    535535
     536void ContentSecurityPolicy::logUnrecognizedDirective(const String& name) const
     537{
     538    String message = makeString("Unrecognized Content-Security-Policy directive '", name, "'.\n");
     539    m_scriptExecutionContext->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, 1, String(), 0);
     540}
     541
    536542bool ContentSecurityPolicy::checkEval(CSPDirective* directive) const
    537543{
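Review bot: logUnrecognizedDirective emits at ErrorMessageLevel although the condition is only a directive being ignored, not an enforced violation; consider WarningMessageLevel so that a developer scanning the console can tell a policy typo (the image-src case from the description) from a blocked load. The hard-coded line number 1 and empty URL also attribute the message to line 1 of the document even though the policy normally arrives in an HTTP header; that matches the existing reportViolation output, but saying in the message text that the directive came from the policy header would avoid the same confusion.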
     
    775781    else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI))
    776782        parseReportURI(value);
    777 }
    778 
    779 }
     783    else
     784        logUnrecognizedDirective(name);
     785}
     786
     787}
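Review bot: the new else branch reports as unrecognized any directive that fails an earlier condition for a reason other than its name: a second report-uri directive falls through because the m_reportURLs.isEmpty() guard in the preceding else-if is false, and the console would then claim report-uri is an unrecognized directive. Separate the name comparison from the already-seen guards (or emit a distinct duplicate-directive message) so this message is only logged for names the parser genuinely does not know.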
  • trunk/Source/WebCore/page/ContentSecurityPolicy.h

    r96621 r97035  
    7878    CSPDirective* operativeDirective(CSPDirective*) const;
    7979    void reportViolation(const String& directiveText, const String& consoleMessage) const;
     80    void logUnrecognizedDirective(const String& name) const;
    8081    bool checkEval(CSPDirective*) const;
    8182