Title: [97388] trunk
Revision
97388
Author
[email protected]
Date
2011-10-13 13:03:36 -0700 (Thu, 13 Oct 2011)

Log Message

Move XSLT to script-src in Content-Security-Policy
https://bugs.webkit.org/show_bug.cgi?id=63637

Reviewed by Eric Seidel.

Source/WebCore:

The spec was unclear about how to treat XSLT.  My reading was that they
should fall under style-src, but further discussion on the mailing list
settled on using script-src because an XSLT can inject arbitrary DOM
and script into a page, which is more risky than including style.

Tests: http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php
       http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php

* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest):

LayoutTests:

* http/tests/security/contentSecurityPolicy/xsl-allowed.php:
* http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/xsl-blocked.php:
* http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php: Added.
* http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php: Added.
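As an added illustration (not WebKit code and not part of this commit), a small Python model of how a CSP header gates a resource load once XSLT is routed to script-src: it parses the header, maps each resource type to its governing directive, matches source expressions, and replays the four policy headers from this change's layout tests against the XSL URL named in the expected output. The matcher covers only `*`, `'self'`, keyword sources and `[scheme://]host[:port]`, and the default-src fallback is assumed from CSP generally, not from this patch.

```python
from urllib.parse import urlsplit
# Resource type -> governing directive; r97388 moves XSLStyleSheet from style-src to script-src.
DIRECTIVE_FOR = {"Script": "script-src", "XSLStyleSheet": "script-src",
                 "CSSStyleSheet": "style-src"}

def parse_csp(header):
    """Parse 'name src src; name src' into {name: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def origin_of(url, default_scheme="http"):
    # (scheme, host, port) of a URL, or of a bare host[:port] source expression
    u = urlsplit(url if "://" in url else default_scheme + "://" + url)
    return (u.scheme, u.hostname, u.port or {"http": 80, "https": 443}.get(u.scheme))

def source_matches(source, url, page_origin):
    """Minimal matcher for '*', 'self' and [scheme://]host[:port] sources."""
    if source == "*":
        return True
    if source.startswith("'"):  # 'self' means same origin; other keywords never match a URL
        return source == "'self'" and origin_of(url) == page_origin
    return origin_of(url) == origin_of(source, page_origin[0])

def allow_load(header, resource_type, url, page_origin):
    """True if the policy permits the load; no directive (nor default-src) means allow."""
    policy = parse_csp(header)
    sources = policy.get(DIRECTIVE_FOR[resource_type], policy.get("default-src"))
    if sources is None:
        return True
    return any(source_matches(s, url, page_origin) for s in sources)

# Constructed inputs: the test origin and XSL URL from the expected output, plus each
# layout test's policy header and the allow/block outcome its expectation encodes.
ORIGIN = ("http", "127.0.0.1", 8000)
XSL = "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl"
TEST_POLICIES = {
    "xsl-allowed": ("script-src * 'unsafe-inline'", True),
    "xsl-blocked": ("script-src 'unsafe-inline'", False),
    "xsl-unaffected-by-style-src-1": ("style-src *; script-src 'unsafe-inline'", False),
    "xsl-unaffected-by-style-src-2": ("style-src 'none'; script-src * 'unsafe-inline'", True),
}
def check_page_tests():
    # True for each test whose expected allow/block outcome the model reproduces
    return {name: allow_load(hdr, "XSLStyleSheet", XSL, ORIGIN) == expected
            for name, (hdr, expected) in TEST_POLICIES.items()}
```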

Diff

Modified: trunk/LayoutTests/ChangeLog (97387 => 97388)


--- trunk/LayoutTests/ChangeLog	2011-10-13 19:47:27 UTC (rev 97387)
+++ trunk/LayoutTests/ChangeLog	2011-10-13 20:03:36 UTC (rev 97388)
@@ -1,3 +1,18 @@
+2011-10-13  Adam Barth  <[email protected]>
+
+        Move XSTL to script-src in Content-Security-Policy
+        https://bugs.webkit.org/show_bug.cgi?id=63637
+
+        Reviewed by Eric Seidel.
+
+        * http/tests/security/contentSecurityPolicy/xsl-allowed.php:
+        * http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/xsl-blocked.php:
+        * http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php: Added.
+
 2011-10-13  Simon Fraser  <[email protected]>
 
         Rebase some editing/spelling results for Lion.
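Review bot: the title line of the new ChangeLog entry carries the typo "XSTL" ("Move XSTL to script-src in Content-Security-Policy"); it should read XSLT, matching the term used in the test names and the spec, so the entry stays searchable.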

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php (97387 => 97388)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php	2011-10-13 19:47:27 UTC (rev 97387)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php	2011-10-13 20:03:36 UTC (rev 97388)
@@ -1,6 +1,6 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: style-src *; script-src 'unsafe-inline'");
+header("X-WebKit-CSP: script-src * 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';
 echo '<?xml-stylesheet type="text/xsl" href=""
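Review bot: the new header `X-WebKit-CSP: script-src * 'unsafe-inline'` drops `style-src` entirely, so this test now only shows that a permissive `script-src` lets the XSL load; a one-line comment above the header saying that XSLT is gated by script-src rather than style-src, and that `'unsafe-inline'` is there for the inline dumpAsText script, would stop a future reader from "restoring" the old policy.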

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt (97387 => 97388)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt	2011-10-13 19:47:27 UTC (rev 97387)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt	2011-10-13 20:03:36 UTC (rev 97388)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: line 1: Refused to load style from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because of Content-Security-Policy.
+CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because of Content-Security-Policy.
 
 layer at (0,0) size 800x600
   RenderView at (0,0) size 800x600
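Review bot: the expected console message now reads "Refused to load script from '.../style.xsl'"; script-src is indeed the governing directive, but telling a developer that a .xsl file is a "script" will read as a browser bug in the console. Consider a violation message that names the resource kind (XSL style sheet) while still citing script-src, or at least call the shared wording out in the ChangeLog.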

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php (97387 => 97388)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php	2011-10-13 19:47:27 UTC (rev 97387)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php	2011-10-13 20:03:36 UTC (rev 97388)
@@ -1,6 +1,6 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: style-src 'none'; script-src 'unsafe-inline'");
+header("X-WebKit-CSP: script-src 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';
 echo '<?xml-stylesheet type="text/xsl" href=""
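Review bot: reducing the policy to `script-src 'unsafe-inline'` makes the block depend on no host source being listed at all, which is the right way to exercise the new code path, but the old `style-src 'none'` made the intent obvious at a glance; a short comment that `'unsafe-inline'` exists only for the inline test-harness script and that the absent host source is what blocks the XSL would keep it that clear.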

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt (0 => 97388)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1-expected.txt	2011-10-13 20:03:36 UTC (rev 97388)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style.xsl' because of Content-Security-Policy.
+
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600

Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php (from rev 97387, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php) (0 => 97388)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php	2011-10-13 20:03:36 UTC (rev 97388)
@@ -0,0 +1,23 @@
+<?php
+header("Content-Type: application/xhtml+xml");
+header("X-WebKit-CSP: style-src *; script-src 'unsafe-inline'");
+
+echo '<?xml version="1.0" encoding="UTF-8"?>';
+echo '<?xml-stylesheet type="text/xsl" href=""
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
+        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script>
+//<![CDATA[
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+//]]>
+</script>
+</head>
+<body>
+This test should render as a blank page because the style sheet will fail to load!
+<div />
+</body>
+</html>
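Review bot: the body text "This test should render as a blank page because the style sheet will fail to load!" was carried over from xsl-blocked.php and no longer describes this test; the point here is that `style-src *` does not authorise the XSL transform because XSLT is governed by script-src, and the text should say so, since the expected output is byte-for-byte the same as xsl-blocked-expected.txt and the header line is otherwise the only thing that distinguishes the two tests. Minor: there is trailing whitespace after the DOCTYPE public identifier.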

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2-expected.txt (0 => 97388)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2-expected.txt	2011-10-13 20:03:36 UTC (rev 97388)
@@ -0,0 +1,2 @@
+The text below should indicate that the style sheet was applied.
+Style sheet applied.

Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php (from rev 97387, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php) (0 => 97388)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php	2011-10-13 20:03:36 UTC (rev 97388)
@@ -0,0 +1,23 @@
+<?php
+header("Content-Type: application/xhtml+xml");
+header("X-WebKit-CSP: style-src 'none'; script-src * 'unsafe-inline'");
+
+echo '<?xml version="1.0" encoding="UTF-8"?>';
+echo '<?xml-stylesheet type="text/xsl" href=""
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
+        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script>
+//<![CDATA[
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+//]]>
+</script>
+</head>
+<body>
+The text below should indicate that the style sheet was applied.
+<div />
+</body>
+</html>
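Review bot: the policy `style-src 'none'; script-src * 'unsafe-inline'` is the right complement to the -1 test, but the body text says nothing about `style-src 'none'` being deliberately restrictive; state that the transform is expected to run even though style-src forbids everything. This file and its -1 sibling differ from xsl-allowed.php and xsl-blocked.php only in the header line, so the shared XHTML skeleton could live in one include under resources/ rather than four copies; the same trailing whitespace on the DOCTYPE line is here too.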

Modified: trunk/Source/WebCore/ChangeLog (97387 => 97388)


--- trunk/Source/WebCore/ChangeLog	2011-10-13 19:47:27 UTC (rev 97387)
+++ trunk/Source/WebCore/ChangeLog	2011-10-13 20:03:36 UTC (rev 97388)
@@ -1,3 +1,21 @@
+2011-10-13  Adam Barth  <[email protected]>
+
+        Move XSTL to script-src in Content-Security-Policy
+        https://bugs.webkit.org/show_bug.cgi?id=63637
+
+        Reviewed by Eric Seidel.
+
+        The spec was unclear about how to treat XSLT.  My reading was that they
+        should fall under style-src, but further discussion on the mailing list
+        settled on using script-src because an XSLT can inject arbitrary DOM
+        and script into a page, which is more risky than including style.
+
+        Tests: http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php
+               http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php
+
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::canRequest):
+
 2011-10-13  Zeno Albisser  <[email protected]>
 
         [Qt] QtWebKit build error for Mac 32bit
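Review bot: same "XSTL" typo in the title line of this ChangeLog entry. Also, "My reading was that they should fall under style-src" has a number mismatch, since XSLT is singular here; "it should fall" reads better.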

Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (97387 => 97388)


--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2011-10-13 19:47:27 UTC (rev 97387)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2011-10-13 20:03:36 UTC (rev 97388)
@@ -289,16 +289,14 @@
     if (!checkInsecureContent(type, url))
         return false;
 
-    // FIXME: Consider letting the embedder block mixed content loads.
-
     switch (type) {
+#if ENABLE(XSLT)
+    case CachedResource::XSLStyleSheet:
+#endif
     case CachedResource::Script:
         if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url))
             return false;
         break;
-#if ENABLE(XSLT)
-    case CachedResource::XSLStyleSheet:
-#endif
     case CachedResource::CSSStyleSheet:
         if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url))
             return false;
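Review bot: the removal of `// FIXME: Consider letting the embedder block mixed content loads.` is unrelated to the XSLT move and is not mentioned in the ChangeLog; either leave the comment in place or call the removal out in the description so the FIXME is not silently lost. The grouping itself is right: hoisting `case CachedResource::XSLStyleSheet:` (still under ENABLE(XSLT)) ahead of `case CachedResource::Script:` routes XSL loads through allowScriptFromSource, which is exactly what the new xsl-unaffected-by-style-src tests pin down, with the side effect, visible in the updated expected files, that the violation message now says "script" for an XSL resource.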
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
