Changeset 99143 in webkit
- Timestamp: Nov 2, 2011 11:46:45 PM (13 years ago)
- Location: trunk
- Files: 6 added, 3 edited
trunk/LayoutTests/ChangeLog
r99142 r99143 1 2011-11-02 Adam Barth <abarth@webkit.org> 2 3 CSP should handle empty URLs as agreed at TPAC 4 https://bugs.webkit.org/show_bug.cgi?id=71426 5 6 Reviewed by Eric Seidel. 7 8 * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt: Added. 9 * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html: Added. 10 * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt: Added. 11 * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html: Added. 12 - Test the allow and block cases for plugins with no URL. 13 * http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Added. 14 * http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Added. 15 - Somehow these tests got deleted from the repository. This patch just re-adds them. 16 1 17 2011-11-02 Andrey Kosyakov <caseq@chromium.org> 2 18 -
trunk/Source/WebCore/ChangeLog
r99138 r99143 1 2011-11-02 Adam Barth <abarth@webkit.org> 2 3 CSP should handle empty URLs as agreed at TPAC 4 https://bugs.webkit.org/show_bug.cgi?id=71426 5 6 Reviewed by Eric Seidel. 7 8 It was somewhat unclear how CSP should treat plugins that lacked a URL 9 because most of the CSP rules are URL-based. At TPAC, we decided to 10 treat "empty" URLs as if there were the URL of the document. That 11 means you can use plugins with no URL if you've included 'self' in 12 object-src, but you can also block them by using 'none' as your 13 object-src. 14 15 Tests: http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html 16 http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html 17 http/tests/security/contentSecurityPolicy/object-src-none-allowed.html 18 http/tests/security/contentSecurityPolicy/object-src-none-blocked.html 19 20 * page/ContentSecurityPolicy.cpp: 21 (WebCore::CSPDirective::CSPDirective): 22 (WebCore::CSPDirective::allows): 23 (WebCore::ContentSecurityPolicy::createCSPDirective): 24 1 25 2011-11-02 Adam Barth <abarth@webkit.org> 2 26 -
trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
r97360 r99143 459 459 class CSPDirective { 460 460 public: 461 CSPDirective(const String& name, const String& value, S ecurityOrigin* origin)462 : m_sourceList( origin)461 CSPDirective(const String& name, const String& value, ScriptExecutionContext* context) 462 : m_sourceList(context->securityOrigin()) 463 463 , m_text(name + ' ' + value) 464 , m_selfURL(context->url()) 464 465 { 465 466 m_sourceList.parse(value); … … 468 469 bool allows(const KURL& url) 469 470 { 470 return m_sourceList.matches(url );471 return m_sourceList.matches(url.isEmpty() ? m_selfURL : url); 471 472 } 472 473 … … 479 480 CSPSourceList m_sourceList; 480 481 String m_text; 482 KURL m_selfURL; 481 483 }; 482 484 … … 760 762 PassOwnPtr<CSPDirective> ContentSecurityPolicy::createCSPDirective(const String& name, const String& value) 761 763 { 762 return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext ->securityOrigin()));764 return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext)); 763 765 } 764 766
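Review bot: In the CSPDirective constructor hunk, `m_sourceList` is built from `context->securityOrigin()` while the new `m_selfURL` is taken from `context->url()`, and nothing ensures the two describe the same origin. For a document whose URL is not what its origin was derived from (about:blank is the usual case), the substituted URL may not match 'self', so a plugin with no URL would be blocked even though the policy lists 'self'. That fails closed, but it is worth a layout test or a comment stating the intended behaviour. `context` is also dereferenced twice in the initializer list without a check; an `ASSERT(context)` in the constructor body would document the precondition now that the parameter is a raw pointer to the whole context rather than just the origin.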
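Review bot: In the `allows()` hunk, the substitution `url.isEmpty() ? m_selfURL : url` applies to every directive that `createCSPDirective` builds, not only object-src, yet the four tests listed in the ChangeLog exercise object-src alone. Please confirm that treating an empty URL as the document's URL is intended for the other directives as well, and either add a test for one of them or restrict the fallback to the plugin case. A one-line comment above the return explaining why an empty URL is matched as the document's own URL would also help, since the rationale currently lives only in the ChangeLog entry.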