Changeset 97360 in webkit

Timestamp:

Oct 13, 2011 3:16:40 AM (13 years ago)

Author:

abarth@webkit.org

Message:

script-src * should allow all URLs
​https://bugs.webkit.org/show_bug.cgi?id=70011

Reviewed by Eric Seidel.

Source/WebCore:

This patch gets us slightly ahead of the spec. Technically, script-src
means "any host" and inherits the current scheme. However, that's not
what developers expect and it's even contradicted by examples in the
spec itself. After this patch, * matches all URLs.

Test: http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html

• page/ContentSecurityPolicy.cpp:

(WebCore::CSPSourceList::CSPSourceList):
(WebCore::CSPSourceList::matches):
(WebCore::CSPSourceList::parseSource):
(WebCore::CSPSourceList::addSourceStar):

LayoutTests:

Test that using * in script-src matches URLs with other schemes.

• http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (6 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-10-13  Adam Barth  <abarth@webkit.org>
+
+        script-src * should allow all URLs
+        https://bugs.webkit.org/show_bug.cgi?id=70011
+
+        Reviewed by Eric Seidel.
+
+        Test that using * in script-src matches URLs with other schemes.
+
+        * http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html: Added.
+
 2011-10-13  Kent Tamura  <tkent@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-10-13  Adam Barth  <abarth@webkit.org>
+
+        script-src * should allow all URLs
+        https://bugs.webkit.org/show_bug.cgi?id=70011
+
+        Reviewed by Eric Seidel.
+
+        This patch gets us slightly ahead of the spec.  Technically, script-src
+        means "any host" and inherits the current scheme.  However, that's not
+        what developers expect and it's even contradicted by examples in the
+        spec itself.  After this patch, * matches all URLs.
+
+        Test: http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPSourceList::CSPSourceList):
+        (WebCore::CSPSourceList::matches):
+        (WebCore::CSPSourceList::parseSource):
+        (WebCore::CSPSourceList::addSourceStar):
+
 2011-10-13  Kentaro Hara  <haraken@chromium.org>
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -191 +191 @@
 
     void addSourceSelf();
+    void addSourceStar();
     void addSourceUnsafeInline();
     void addSourceUnsafeEval();
@@ -196 +197 @@
     SecurityOrigin* m_origin;
     Vector<CSPSource> m_list;
+    bool m_allowStar;
     bool m_allowInline;
     bool m_allowEval;
@@ -202 +204 @@
 CSPSourceList::CSPSourceList(SecurityOrigin* origin)
     : m_origin(origin)
+    , m_allowStar(false)
     , m_allowInline(false)
     , m_allowEval(false)
@@ -214 +217 @@
 bool CSPSourceList::matches(const KURL& url)
 {
+    if (m_allowStar)
+        return true;
+
     for (size_t i = 0; i < m_list.size(); ++i) {
         if (m_list[i].matches(url))
             return true;
     }
+
     return false;
 }
@@ -263 +270 @@
     if (begin == end)
         return false;
+
+    if (end - begin == 1 && *begin == '*') {
+        addSourceStar();
+        return false;
+    }
 
     if (equalIgnoringCase("'self'", begin, end - begin)) {
@@ -428 +440 @@
 {
     m_list.append(CSPSource(m_origin->protocol(), m_origin->host(), m_origin->port(), false, false));
+}
+
+void CSPSourceList::addSourceStar()
+{
+    m_allowStar = true;
 }