Title: [97360] trunk
Revision
97360
Author
[email protected]
Date
2011-10-13 03:16:40 -0700 (Thu, 13 Oct 2011)

Log Message

script-src * should allow all URLs
https://bugs.webkit.org/show_bug.cgi?id=70011

Reviewed by Eric Seidel.

Source/WebCore:

This patch gets us slightly ahead of the spec.  Technically, script-src
means "any host" and inherits the current scheme.  However, that's not
what developers expect and it's even contradicted by examples in the
spec itself.  After this patch, * matches all URLs.

Test: http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html

* page/ContentSecurityPolicy.cpp:
(WebCore::CSPSourceList::CSPSourceList):
(WebCore::CSPSourceList::matches):
(WebCore::CSPSourceList::parseSource):
(WebCore::CSPSourceList::addSourceStar):

LayoutTests:

Test that using * in script-src matches URLs with other schemes.

* http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (97359 => 97360)


--- trunk/LayoutTests/ChangeLog	2011-10-13 10:12:34 UTC (rev 97359)
+++ trunk/LayoutTests/ChangeLog	2011-10-13 10:16:40 UTC (rev 97360)
@@ -1,3 +1,15 @@
+2011-10-13  Adam Barth  <[email protected]>
+
+        script-src * should allow all URLs
+        https://bugs.webkit.org/show_bug.cgi?id=70011
+
+        Reviewed by Eric Seidel.
+
+        Test that using * in script-src matches URLs with other schemes.
+
+        * http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html: Added.
+
 2011-10-13  Kent Tamura  <[email protected]>
 
         [Chromium] Update test expectation.

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme-expected.txt (0 => 97360)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme-expected.txt	2011-10-13 10:16:40 UTC (rev 97360)
@@ -0,0 +1,6 @@
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html (0 => 97360)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html	2011-10-13 10:16:40 UTC (rev 97360)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+  <iframe src=""
+</body>
+</html>
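Review bot: The `<iframe src=""` line in the body has an empty `src` and never closes the tag, so as written the page loads no child frame and cannot produce the `PASS` frame dump that script-src-star-cross-scheme-expected.txt expects. Point `src` at the resource that serves the `script-src *` policy and the cross-scheme script, and close the element with `></iframe>`.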

Modified: trunk/Source/WebCore/ChangeLog (97359 => 97360)


--- trunk/Source/WebCore/ChangeLog	2011-10-13 10:12:34 UTC (rev 97359)
+++ trunk/Source/WebCore/ChangeLog	2011-10-13 10:16:40 UTC (rev 97360)
@@ -1,3 +1,23 @@
+2011-10-13  Adam Barth  <[email protected]>
+
+        script-src * should allow all URLs
+        https://bugs.webkit.org/show_bug.cgi?id=70011
+
+        Reviewed by Eric Seidel.
+
+        This patch gets us slightly ahead of the spec.  Technically, script-src
+        means "any host" and inherits the current scheme.  However, that's not
+        what developers expect and it's even contradicted by examples in the
+        spec itself.  After this patch, * matches all URLs.
+
+        Test: http/tests/security/contentSecurityPolicy/script-src-star-cross-scheme.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPSourceList::CSPSourceList):
+        (WebCore::CSPSourceList::matches):
+        (WebCore::CSPSourceList::parseSource):
+        (WebCore::CSPSourceList::addSourceStar):
+
 2011-10-13  Kentaro Hara  <[email protected]>
 
         Implement an OverflowEvent constructor for JSC
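Review bot: In the new entry, the sentence `Technically, script-src means "any host"` drops the `*` it is describing; it should read `script-src *` so the rationale matches the title line. Since the entry says the change goes ahead of the spec and that the spec's own examples contradict it, naming the spec section or example would let a later reader check when the two converge.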

Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (97359 => 97360)


--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2011-10-13 10:12:34 UTC (rev 97359)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2011-10-13 10:16:40 UTC (rev 97360)
@@ -190,17 +190,20 @@
     bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHasWildcard);
 
     void addSourceSelf();
+    void addSourceStar();
     void addSourceUnsafeInline();
     void addSourceUnsafeEval();
 
     SecurityOrigin* m_origin;
     Vector<CSPSource> m_list;
+    bool m_allowStar;
     bool m_allowInline;
     bool m_allowEval;
 };
 
 CSPSourceList::CSPSourceList(SecurityOrigin* origin)
     : m_origin(origin)
+    , m_allowStar(false)
     , m_allowInline(false)
     , m_allowEval(false)
 {
@@ -213,10 +216,14 @@
 
 bool CSPSourceList::matches(const KURL& url)
 {
+    if (m_allowStar)
+        return true;
+
     for (size_t i = 0; i < m_list.size(); ++i) {
         if (m_list[i].matches(url))
             return true;
     }
+
     return false;
 }
 
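Review bot: The early `if (m_allowStar) return true;` in CSPSourceList::matches returns before any CSPSource comparison, so a bare `*` now accepts a URL of any scheme, host and port, while the added layout test contains a single iframe. Add a comment here stating that the unconditional match is deliberate and diverges from the scheme inheritance described in the ChangeLog, and add tests that pin down which schemes are meant to be covered. The flag also lives in CSPSourceList rather than in anything specific to script-src, so if other directives are parsed through this class they get the same behaviour, which the commit title does not mention.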
@@ -263,6 +270,11 @@
     if (begin == end)
         return false;
 
+    if (end - begin == 1 && *begin == '*') {
+        addSourceStar();
+        return false;
+    }
+
     if (equalIgnoringCase("'self'", begin, end - begin)) {
         addSourceSelf();
         return false;
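Review bot: The check `end - begin == 1 && *begin == '*'` in parseSource intercepts only a source expression that is exactly `*`, so expressions that combine `*` with a scheme or a port still fall through to the code below this branch and are unaffected by the change. If that split is intended, say so in a comment and cover it with a test. The branch also returns `false` after a successful addSourceStar(), as the 'self' branch below it does; a short comment on what the return value means would keep it from reading as a parse failure.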
@@ -429,6 +441,11 @@
     m_list.append(CSPSource(m_origin->protocol(), m_origin->host(), m_origin->port(), false, false));
 }
 
+void CSPSourceList::addSourceStar()
+{
+    m_allowStar = true;
+}
+
 void CSPSourceList::addSourceUnsafeInline()
 {
     m_allowInline = true;
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
