Diff
Modified: trunk/Source/WebCore/ChangeLog (96549 => 96550)
--- trunk/Source/WebCore/ChangeLog 2011-10-03 22:31:24 UTC (rev 96549)
+++ trunk/Source/WebCore/ChangeLog 2011-10-03 22:35:34 UTC (rev 96550)
@@ -1,3 +1,38 @@
+2011-10-03 Sam Weinig <[email protected]>
+
+ Move ContentSecurityPolicy to the ScriptExecutionContext to prepare it for working with XHR and workers
+ https://bugs.webkit.org/show_bug.cgi?id=69294
+
+ Reviewed by Darin Adler.
+
+ * dom/Document.cpp:
+ (WebCore::Document::initSecurityContext):
+ Initialize the ContentSecurityPolicy by calling down to the ScriptExecutionContext.
+
+ * dom/Document.h:
+ Move the ContentSecurityPolicy member and getter from here to ScriptExecutionContext.h.
+
+ * dom/ScriptExecutionContext.cpp:
+ (WebCore::ScriptExecutionContext::setContentSecurityPolicy):
+ * dom/ScriptExecutionContext.h:
+ (WebCore::ScriptExecutionContext::contentSecurityPolicy):
+ Add ContentSecurityPolicy member and getter/setter.
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
+ (WebCore::ContentSecurityPolicy::didReceiveHeader):
+ (WebCore::ContentSecurityPolicy::reportViolation):
+ (WebCore::ContentSecurityPolicy::parseReportURI):
+ (WebCore::ContentSecurityPolicy::createCSPDirective):
+ * page/ContentSecurityPolicy.h:
+ (WebCore::ContentSecurityPolicy::create):
+ Replace Document with ScriptExecutionContext. Add temporary checked casts to document
+ where necessary.
+
+ * workers/WorkerContext.cpp:
+ (WebCore::WorkerContext::WorkerContext):
+ Add initialization of the ContentSecurityPolicy.
+
2011-10-03 Anders Carlsson <[email protected]>
Remove custom scrollbar painting hooks
Modified: trunk/Source/WebCore/dom/Document.cpp (96549 => 96550)
--- trunk/Source/WebCore/dom/Document.cpp 2011-10-03 22:31:24 UTC (rev 96549)
+++ trunk/Source/WebCore/dom/Document.cpp 2011-10-03 22:35:34 UTC (rev 96550)
@@ -4502,7 +4502,7 @@
// This can occur via document.implementation.createDocument().
m_cookieURL = KURL(ParsedURLString, "");
ScriptExecutionContext::setSecurityOrigin(SecurityOrigin::createEmpty());
- m_contentSecurityPolicy = ContentSecurityPolicy::create(this);
+ ScriptExecutionContext::setContentSecurityPolicy(ContentSecurityPolicy::create(this));
return;
}
@@ -4510,7 +4510,7 @@
// loading URL with a fresh content security policy.
m_cookieURL = m_url;
ScriptExecutionContext::setSecurityOrigin(SecurityOrigin::create(m_url, m_frame->loader()->sandboxFlags()));
- m_contentSecurityPolicy = ContentSecurityPolicy::create(this);
+ ScriptExecutionContext::setContentSecurityPolicy(ContentSecurityPolicy::create(this));
if (SecurityOrigin::allowSubstituteDataAccessToLocal()) {
// If this document was loaded with substituteData, then the document can
@@ -4557,7 +4557,7 @@
// https://bugs.webkit.org/show_bug.cgi?id=15313
ScriptExecutionContext::setSecurityOrigin(ownerFrame->document()->securityOrigin());
// FIXME: Consider moving m_contentSecurityPolicy into SecurityOrigin.
- m_contentSecurityPolicy = ownerFrame->document()->contentSecurityPolicy();
+ ScriptExecutionContext::setContentSecurityPolicy(ownerFrame->document()->contentSecurityPolicy());
}
}
Modified: trunk/Source/WebCore/dom/Document.h (96549 => 96550)
--- trunk/Source/WebCore/dom/Document.h 2011-10-03 22:31:24 UTC (rev 96549)
+++ trunk/Source/WebCore/dom/Document.h 2011-10-03 22:35:34 UTC (rev 96550)
@@ -65,7 +65,6 @@
class CanvasRenderingContext;
class CharacterData;
class Comment;
-class ContentSecurityPolicy;
class DOMImplementation;
class DOMSelection;
class DOMWindow;
@@ -1092,8 +1091,6 @@
void initDNSPrefetch();
- ContentSecurityPolicy* contentSecurityPolicy() { return m_contentSecurityPolicy.get(); }
-
unsigned wheelEventHandlerCount() const { return m_wheelEventHandlerCount; }
void didAddWheelEventHandler();
void didRemoveWheelEventHandler();
@@ -1406,8 +1403,6 @@
#if ENABLE(REQUEST_ANIMATION_FRAME)
OwnPtr<ScriptedAnimationController> m_scriptedAnimationController;
#endif
-
- RefPtr<ContentSecurityPolicy> m_contentSecurityPolicy;
};
// Put these methods here, because they require the Document definition, but we really want to inline them.
Modified: trunk/Source/WebCore/dom/ScriptExecutionContext.cpp (96549 => 96550)
--- trunk/Source/WebCore/dom/ScriptExecutionContext.cpp 2011-10-03 22:31:24 UTC (rev 96549)
+++ trunk/Source/WebCore/dom/ScriptExecutionContext.cpp 2011-10-03 22:35:34 UTC (rev 96550)
@@ -30,6 +30,7 @@
#include "ActiveDOMObject.h"
#include "Blob.h"
#include "BlobURL.h"
+#include "ContentSecurityPolicy.h"
#include "DOMTimer.h"
#include "DOMURL.h"
#include "Database.h"
@@ -315,6 +316,11 @@
m_securityOrigin = securityOrigin;
}
+void ScriptExecutionContext::setContentSecurityPolicy(PassRefPtr<ContentSecurityPolicy> contentSecurityPolicy)
+{
+ m_contentSecurityPolicy = contentSecurityPolicy;
+}
+
bool ScriptExecutionContext::sanitizeScriptError(String& errorMessage, int& lineNumber, String& sourceURL)
{
KURL targetURL = completeURL(sourceURL);
Modified: trunk/Source/WebCore/dom/ScriptExecutionContext.h (96549 => 96550)
--- trunk/Source/WebCore/dom/ScriptExecutionContext.h 2011-10-03 22:31:24 UTC (rev 96549)
+++ trunk/Source/WebCore/dom/ScriptExecutionContext.h 2011-10-03 22:35:34 UTC (rev 96550)
@@ -48,6 +48,7 @@
namespace WebCore {
class Blob;
+ class ContentSecurityPolicy;
class DOMTimer;
class DOMURL;
class EventListener;
@@ -96,6 +97,7 @@
virtual String userAgent(const KURL&) const = 0;
SecurityOrigin* securityOrigin() const { return m_securityOrigin.get(); }
+ ContentSecurityPolicy* contentSecurityPolicy() { return m_contentSecurityPolicy.get(); }
bool sanitizeScriptError(String& errorMessage, int& lineNumber, String& sourceURL);
void reportException(const String& errorMessage, int lineNumber, const String& sourceURL, PassRefPtr<ScriptCallStack>);
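Review bot: The new `contentSecurityPolicy()` accessor is non-const while the `securityOrigin()` accessor directly above it is const, so policy checks cannot be made through a const `ScriptExecutionContext`. The getter only calls `m_contentSecurityPolicy.get()`, so it can be declared `ContentSecurityPolicy* contentSecurityPolicy() const { return m_contentSecurityPolicy.get(); }` to match its neighbour. The class body starts and ends outside this hunk, so other callers that might rely on the non-const form are not visible here.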
@@ -174,6 +176,8 @@
// that already contains content.
void setSecurityOrigin(PassRefPtr<SecurityOrigin>);
+ void setContentSecurityPolicy(PassRefPtr<ContentSecurityPolicy>);
+
private:
virtual const KURL& virtualURL() const = 0;
virtual KURL virtualCompleteURL(const String&) const = 0;
@@ -185,6 +189,7 @@
void closeMessagePorts();
RefPtr<SecurityOrigin> m_securityOrigin;
+ RefPtr<ContentSecurityPolicy> m_contentSecurityPolicy;
HashSet<MessagePort*> m_messagePorts;
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (96549 => 96550)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2011-10-03 22:31:24 UTC (rev 96549)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2011-10-03 22:35:34 UTC (rev 96550)
@@ -463,9 +463,9 @@
String m_text;
};
-ContentSecurityPolicy::ContentSecurityPolicy(Document* document)
+ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
: m_havePolicy(false)
- , m_document(document)
+ , m_scriptExecutionContext(scriptExecutionContext)
, m_reportOnly(false)
{
}
@@ -492,14 +492,22 @@
}
if (!checkEval(operativeDirective(m_scriptSrc.get()))) {
- if (Frame* frame = m_document->frame())
- frame->script()->disableEval();
+ // FIXME: Support disabling eval for Workers.
+ if (m_scriptExecutionContext->isDocument()) {
+ if (Frame* frame = static_cast<Document*>(m_scriptExecutionContext)->frame())
+ frame->script()->disableEval();
+ }
}
}
void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& consoleMessage) const
{
- Frame* frame = m_document->frame();
+ // FIXME: Support reporting violations for Workers.
+ if (!m_scriptExecutionContext->isDocument())
+ return;
+
+ Document* document = static_cast<Document*>(m_scriptExecutionContext);
+ Frame* frame = document->frame();
if (!frame)
return;
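Review bot: Both new `isDocument()` branches fail open without any signal. In the `checkEval` branch, a policy that forbids eval leaves eval enabled when the context is not a Document. In `reportViolation`, a violation in a non-Document context is dropped before any console message or report is produced. The FIXMEs name the missing feature but not the consequence, so each should say so, for example `// FIXME: Support disabling eval for Workers. Until then an eval restriction is not enforced in worker contexts.` and `// FIXME: Support reporting violations for Workers. Until then worker violations are silently dropped.` The first function begins outside the hunk and `reportViolation` continues past it, so whether a later path compensates cannot be confirmed from here.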
@@ -520,7 +528,7 @@
// harmless information.
FormDataList reportList(UTF8Encoding());
- reportList.appendData("document-url", m_document->url());
+ reportList.appendData("document-url", document->url());
if (!directiveText.isEmpty())
reportList.appendData("violated-directive", directiveText);
@@ -720,14 +728,14 @@
if (urlBegin < position) {
String url = "" position - urlBegin);
- m_reportURLs.append(m_document->completeURL(url));
+ m_reportURLs.append(m_scriptExecutionContext->completeURL(url));
}
}
}
PassOwnPtr<CSPDirective> ContentSecurityPolicy::createCSPDirective(const String& name, const String& value)
{
- return adoptPtr(new CSPDirective(name, value, m_document->securityOrigin()));
+ return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext->securityOrigin()));
}
void ContentSecurityPolicy::addDirective(const String& name, const String& value)
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (96549 => 96550)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.h 2011-10-03 22:31:24 UTC (rev 96549)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h 2011-10-03 22:35:34 UTC (rev 96550)
@@ -32,14 +32,14 @@
namespace WebCore {
class CSPDirective;
-class Document;
+class ScriptExecutionContext;
class KURL;
class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> {
public:
- static PassRefPtr<ContentSecurityPolicy> create(Document* document)
+ static PassRefPtr<ContentSecurityPolicy> create(ScriptExecutionContext* scriptExecutionContext)
{
- return adoptRef(new ContentSecurityPolicy(document));
+ return adoptRef(new ContentSecurityPolicy(scriptExecutionContext));
}
~ContentSecurityPolicy();
@@ -65,7 +65,7 @@
bool allowMediaFromSource(const KURL&) const;
private:
- explicit ContentSecurityPolicy(Document*);
+ explicit ContentSecurityPolicy(ScriptExecutionContext*);
void parse(const String&);
bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
@@ -85,7 +85,7 @@
bool denyIfEnforcingPolicy() const { return m_reportOnly; }
bool m_havePolicy;
- Document* m_document;
+ ScriptExecutionContext* m_scriptExecutionContext;
bool m_reportOnly;
OwnPtr<CSPDirective> m_defaultSrc;
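Review bot: `m_scriptExecutionContext` is a raw, non-owning back pointer on a `RefCounted` object, and nothing in the visible hunks clears it when the context is destroyed. The third Document.cpp hunk assigns the owner document's policy to another document, so a policy can be held by a context other than the one it points at and may outlive that context. `parseReportURI` and `createCSPDirective` dereference the pointer unconditionally. Widening the type from `Document*` to `ScriptExecutionContext*` extends this to worker contexts, so the member should carry a lifetime comment such as `// Not owned. Must outlive this policy, or be cleared before the context is destroyed.` A way to null the pointer on context teardown is worth considering, as the destructor and the rest of the class are outside this hunk.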
Modified: trunk/Source/WebCore/workers/WorkerContext.cpp (96549 => 96550)
--- trunk/Source/WebCore/workers/WorkerContext.cpp 2011-10-03 22:31:24 UTC (rev 96549)
+++ trunk/Source/WebCore/workers/WorkerContext.cpp 2011-10-03 22:35:34 UTC (rev 96550)
@@ -33,6 +33,7 @@
#include "AbstractDatabase.h"
#include "ActiveDOMObject.h"
+#include "ContentSecurityPolicy.h"
#include "Database.h"
#include "DatabaseCallback.h"
#include "DatabaseSync.h"
@@ -114,6 +115,10 @@
, m_closing(false)
{
setSecurityOrigin(SecurityOrigin::create(url));
+
+ // FIXME: This should probably adopt the ContentSecurityPolicy of the document
+ // that created this worker or use the header that came with the worker script.
+ setContentSecurityPolicy(ContentSecurityPolicy::create(this));
}
WorkerContext::~WorkerContext()
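Review bot: The policy created in the `WorkerContext` constructor is a fresh one with no header applied; the visible `ContentSecurityPolicy` constructor sets `m_havePolicy(false)`. A worker started by a document with a restrictive policy therefore presumably runs without those restrictions. The FIXME describes the intended fix but not this interim behaviour, so it would help to add a line such as `// Until then the worker's policy is empty and the creating document's restrictions do not apply.` Passing `this` to `create()` from inside the constructor looks safe, since the visible policy constructor only stores the pointer.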