Changeset 97360 in webkit
- Timestamp: Oct 13, 2011 3:16:40 AM (13 years ago)
- Location: trunk
- Files: 2 added, 3 edited
trunk/LayoutTests/ChangeLog
r97359 r97360 1 2011-10-13 Adam Barth <abarth@webkit.org> 2 3 script-src * should allow all URLs 4 https://bugs.webkit.org/show_bug.cgi?id=70011 5 6 Reviewed by Eric Seidel. 7 8 Test that using * in script-src matches URLs with other schemes. 9 10 * http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme-expected.txt: Added. 11 * http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html: Added. 12 1 13 2011-10-13 Kent Tamura <tkent@chromium.org> 2 14 -
trunk/Source/WebCore/ChangeLog
r97356 r97360 1 2011-10-13 Adam Barth <abarth@webkit.org> 2 3 script-src * should allow all URLs 4 https://bugs.webkit.org/show_bug.cgi?id=70011 5 6 Reviewed by Eric Seidel. 7 8 This patch gets us slightly ahead of the spec. Technically, script-src 9 means "any host" and inherits the current scheme. However, that's not 10 what developers expect and it's even contradicted by examples in the 11 spec itself. After this patch, * matches all URLs. 12 13 Test: http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html 14 15 * page/ContentSecurityPolicy.cpp: 16 (WebCore::CSPSourceList::CSPSourceList): 17 (WebCore::CSPSourceList::matches): 18 (WebCore::CSPSourceList::parseSource): 19 (WebCore::CSPSourceList::addSourceStar): 20 1 21 2011-10-13 Kentaro Hara <haraken@chromium.org> 2 22 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r97035 r97360 191 191 192 192 void addSourceSelf(); 193 void addSourceStar(); 193 194 void addSourceUnsafeInline(); 194 195 void addSourceUnsafeEval(); … … 196 197 SecurityOrigin* m_origin; 197 198 Vector<CSPSource> m_list; 199 bool m_allowStar; 198 200 bool m_allowInline; 199 201 bool m_allowEval; … … 202 204 CSPSourceList::CSPSourceList(SecurityOrigin* origin) 203 205 : m_origin(origin) 206 , m_allowStar(false) 204 207 , m_allowInline(false) 205 208 , m_allowEval(false) … … 214 217 bool CSPSourceList::matches(const KURL& url) 215 218 { 219 if (m_allowStar) 220 return true; 221 216 222 for (size_t i = 0; i < m_list.size(); ++i) { 217 223 if (m_list[i].matches(url)) 218 224 return true; 219 225 } 226 220 227 return false; 221 228 } … … 263 270 if (begin == end) 264 271 return false; 272 273 if (end - begin == 1 && *begin == '*') { 274 addSourceStar(); 275 return false; 276 } 265 277 266 278 if (equalIgnoringCase("'self'", begin, end - begin)) { … … 428 440 { 429 441 m_list.append(CSPSource(m_origin->protocol(), m_origin->host(), m_origin->port(), false, false)); 442 } 443 444 void CSPSourceList::addSourceStar() 445 { 446 m_allowStar = true; 430 447 } 431 448
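Review bot: In CSPSourceList::matches(), the new `if (m_allowStar) return true;` returns before `url` is inspected at all, so a single `*` token makes every other entry in m_list irrelevant and admits every scheme. The WebCore ChangeLog entry itself describes this as getting ahead of the spec. Please add a short comment on that early return stating that the divergence is deliberate and pointing at bug 70011, so the check is not later mistaken for an oversight and narrowed back to same-scheme matching. The blank line added before the final `return false;` in the same function is unrelated whitespace and could be dropped.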
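Review bot: In CSPSourceList::parseSource(), the `*` branch ends in `return false;`, the same value the `if (begin == end)` check directly above it returns for an empty token, so from this hunk a reader cannot tell a handled `*` from a rejected source. A one-line comment there saying what false means after addSourceStar() has run would remove the ambiguity. The test `end - begin == 1 && *begin == '*'` is exact, so only a token that is precisely `*` takes this path. The added layout test covers the cross-scheme case, and a second case with `*` listed next to other sources would pin down that matches() ignores the rest of the list once m_allowStar is set.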