Changeset 97035 in webkit
- Timestamp: Oct 9, 2011 6:15:21 PM (12 years ago)
- Location: trunk
- Files: 3 added, 2 deleted, 11 edited, 3 copied
trunk/LayoutTests/ChangeLog
r97034 r97035 1 2011-10-09 Adam Barth <abarth@webkit.org> 2 3 CSP should log unrecognized directives to the console 4 https://bugs.webkit.org/show_bug.cgi?id=69728 5 6 Reviewed by Sam Weinig. 7 8 Update expected results to include new console message about unrecognized directives. 9 10 * http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt: 11 * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt: 12 * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt: 13 * http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt: 14 * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt: 15 * http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt: 16 * http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt: 17 * http/tests/security/contentSecurityPolicy/script-src-none-expected.txt: 18 1 19 2011-10-09 W. James MacLean <wjmaclean@chromium.org> 2 20 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt
r97034 r97035 1 CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'. 2 1 3 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 2 4 3 Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.5 This script should not execute even though there are parse errors in the policy. 4 6 5 7 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt
r97034 r97035 1 CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'aaa'. 2 1 3 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 2 4 3 Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.5 This script should not execute even though there are parse errors in the policy. 4 6 5 7 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt
r97034 r97035 1 1 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 2 2 3 Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.3 This script should not execute even though there are parse errors in the policy. 4 4 5 5 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt
r84457 r97035 1 CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'options'. 2 1 3 CONSOLE MESSAGE: line 1: Refused to execute inline script because of Content-Security-Policy. 2 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt
r84457 r97035 1 CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'options'. 2 1 3 CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because of Content-Security-Policy. 2 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-allowed-expected.txt
r84457 r97035 1 CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'. 2 1 3 ALERT: PASS 2 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt
r84457 r97035 1 CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'. 2 1 3 CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because of Content-Security-Policy. 2 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt
r78569 r97035 1 CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'script-img'. 2 1 3 2 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt
r78058 r97035 1 CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'. 2 1 3 Loads an iframe (a) which loads an iframe (b) which in turns tries to load an external script. The iframe (a) has a content security policy disabling external scripts. As this policy does not apply to (b), the script should be executed. 2 4 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt
r84457 r97035 1 CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'. 2 1 3 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy. 2 4 -
trunk/Source/WebCore/ChangeLog
r97034 r97035 1 2011-10-09 Adam Barth <abarth@webkit.org> 2 3 CSP should log unrecognized directives to the console 4 https://bugs.webkit.org/show_bug.cgi?id=69728 5 6 Reviewed by Sam Weinig. 7 8 Several of the web developers who have been experimenting with CSP have 9 run into trouble with directives we don't support. For example, one 10 developer was confused for a while why image-src didn't do what he 11 expected. Logging a message to the console will help these folks 12 figure out what's going on. 13 14 * page/ContentSecurityPolicy.cpp: 15 (WebCore::ContentSecurityPolicy::reportUnrecognizedDirective): 16 (WebCore::ContentSecurityPolicy::addDirective): 17 * page/ContentSecurityPolicy.h: 18 1 19 2011-10-09 W. James MacLean <wjmaclean@chromium.org> 2 20 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r96667 r97035 534 534 } 535 535 536 void ContentSecurityPolicy::logUnrecognizedDirective(const String& name) const 537 { 538 String message = makeString("Unrecognized Content-Security-Policy directive '", name, "'.\n"); 539 m_scriptExecutionContext->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, 1, String(), 0); 540 } 541 536 542 bool ContentSecurityPolicy::checkEval(CSPDirective* directive) const 537 543 { … … 775 781 else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI)) 776 782 parseReportURI(value); 777 } 778 779 } 783 else 784 logUnrecognizedDirective(name); 785 } 786 787 } -
trunk/Source/WebCore/page/ContentSecurityPolicy.h
r96621 r97035 78 78 CSPDirective* operativeDirective(CSPDirective*) const; 79 79 void reportViolation(const String& directiveText, const String& consoleMessage) const; 80 void logUnrecognizedDirective(const String& name) const; 80 81 bool checkEval(CSPDirective*) const; 81 82
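Review bot: The LayoutTests ChangeLog entry names directive-parsing-expected.txt, but the expected results changed in this changeset are directive-parsing-01-expected.txt, directive-parsing-02-expected.txt and directive-parsing-03-expected.txt. Those three files also replace their description with "This script should not execute even though there are parse errors in the policy.", and the changeset summary counts 3 added, 2 deleted and 3 copied files, none of which the entry mentions. List the actual file names and note the test split and rewording, since the entry currently describes only the new console message.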
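Review bot: The WebCore ChangeLog entry lists (WebCore::ContentSecurityPolicy::reportUnrecognizedDirective), but the function added in ContentSecurityPolicy.cpp and declared in ContentSecurityPolicy.h is logUnrecognizedDirective. Update the entry so that the recorded name matches the code and a later search of the ChangeLog finds it.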
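Review bot: In logUnrecognizedDirective (first hunk of ContentSecurityPolicy.cpp), the addMessage call passes a constant 1 and an empty String() after the message, and every updated expected result accordingly reads "line 1:", so the console entry does not say which document's policy contained the directive. With nested frames, as in script-src-in-iframe-expected.txt, that makes the message hard to attribute; consider including the document URL in the message or in the call. The name is also placed in the message exactly as parsed from the policy, so a length cap on what is logged would keep a malformed header from producing an oversized console line.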
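Review bot: In the addDirective hunk of ContentSecurityPolicy.cpp, the new trailing else follows "else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI))", so a repeated report-uri directive fails the isEmpty() half of that guard and reaches logUnrecognizedDirective(name), which tells the developer that a supported directive is unrecognized. Compare the name on its own first and handle the already-set case separately, either by ignoring it or by logging a distinct duplicate-directive message. Any earlier branch in this chain that pairs a first-occurrence check with the name comparison would fall through the same way; those branches are outside the visible context and should be checked, ideally with a layout test that sends a policy containing a duplicated directive.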