Changeset 99143 in webkit

Timestamp:

Nov 2, 2011 11:46:45 PM (12 years ago)

Author:

abarth@webkit.org

Message:

CSP should handle empty URLs as agreed at TPAC
​https://bugs.webkit.org/show_bug.cgi?id=71426

Reviewed by Eric Seidel.

Source/WebCore:

It was somewhat unclear how CSP should treat plugins that lacked a URL
because most of the CSP rules are URL-based. At TPAC, we decided to
treat "empty" URLs as if there were the URL of the document. That
means you can use plugins with no URL if you've included 'self' in
object-src, but you can also block them by using 'none' as your
object-src.

Tests: http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html

http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html
http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
http/tests/security/contentSecurityPolicy/object-src-none-blocked.html

• page/ContentSecurityPolicy.cpp:

(WebCore::CSPDirective::CSPDirective):
(WebCore::CSPDirective::allows):
(WebCore::ContentSecurityPolicy::createCSPDirective):

LayoutTests:

• http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html: Added.
  • Test the allow and block cases for plugins with no URL.
• http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Added.
  • Somehow these tests got deleted from the repository. This patch just re-adds them.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (4 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-11-02  Adam Barth  <abarth@webkit.org>
+
+        CSP should handle empty URLs as agreed at TPAC
+        https://bugs.webkit.org/show_bug.cgi?id=71426
+
+        Reviewed by Eric Seidel.
+
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html: Added.
+            - Test the allow and block cases for plugins with no URL.
+        * http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Added.
+            - Somehow these tests got deleted from the repository.  This patch just re-adds them.
+
 2011-11-02  Andrey Kosyakov  <caseq@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-11-02  Adam Barth  <abarth@webkit.org>
+
+        CSP should handle empty URLs as agreed at TPAC
+        https://bugs.webkit.org/show_bug.cgi?id=71426
+
+        Reviewed by Eric Seidel.
+
+        It was somewhat unclear how CSP should treat plugins that lacked a URL
+        because most of the CSP rules are URL-based.  At TPAC, we decided to
+        treat "empty" URLs as if there were the URL of the document.  That
+        means you can use plugins with no URL if you've included 'self' in
+        object-src, but you can also block them by using 'none' as your
+        object-src.
+
+        Tests: http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html
+               http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html
+               http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
+               http/tests/security/contentSecurityPolicy/object-src-none-blocked.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirective::CSPDirective):
+        (WebCore::CSPDirective::allows):
+        (WebCore::ContentSecurityPolicy::createCSPDirective):
+
 2011-11-02  Adam Barth  <abarth@webkit.org>
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -459 +459 @@
 class CSPDirective {
 public:
-    CSPDirective(const String& name, const String& value, SecurityOrigin* origin)
-        : m_sourceList(origin)
+    CSPDirective(const String& name, const String& value, ScriptExecutionContext* context)
+        : m_sourceList(context->securityOrigin())
         , m_text(name + ' ' + value)
+        , m_selfURL(context->url())
     {
         m_sourceList.parse(value);
@@ -468 +469 @@
     bool allows(const KURL& url)
     {
-        return m_sourceList.matches(url);
+        return m_sourceList.matches(url.isEmpty() ? m_selfURL : url);
     }
 
@@ -479 +480 @@
     CSPSourceList m_sourceList;
     String m_text;
+    KURL m_selfURL;
 };
 
@@ -760 +762 @@
 PassOwnPtr<CSPDirective> ContentSecurityPolicy::createCSPDirective(const String& name, const String& value)
 {
-    return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext->securityOrigin()));
+    return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext));
 }