Title: [99143] trunk
Revision: 99143
Author: [email protected]
Date: 2011-11-02 23:46:45 -0700 (Wed, 02 Nov 2011)

Log Message

CSP should handle empty URLs as agreed at TPAC
https://bugs.webkit.org/show_bug.cgi?id=71426

Reviewed by Eric Seidel.

Source/WebCore:

It was somewhat unclear how CSP should treat plugins that lacked a URL
because most of the CSP rules are URL-based.  At TPAC, we decided to
treat "empty" URLs as if they were the URL of the document.  That
means you can use plugins with no URL if you've included 'self' in
object-src, but you can also block them by using 'none' as your
object-src.

Tests: http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html
       http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html
       http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
       http/tests/security/contentSecurityPolicy/object-src-none-blocked.html

* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirective::CSPDirective):
(WebCore::CSPDirective::allows):
(WebCore::ContentSecurityPolicy::createCSPDirective):

LayoutTests:

* http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html: Added.
    - Test the allow and block cases for plugins with no URL.
* http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Added.
    - Somehow these tests got deleted from the repository.  This patch just re-adds them.
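
The rule described in the log message, as an added example that is not part of the original commit or of WebKit: a simplified model of an object-src check in which an empty URL is evaluated as the document URL. The `Directive` type, `makeObjectSrc`, the origin-only matching and the `doc.example` / `plugins.example` URLs are constructed for illustration.

```cpp
#include <string>
#include <utility>
#include <vector>

// Simplified model (not WebKit code): a source expression is 'self', 'none',
// or an exact origin string such as "http://plugins.example".
struct Directive {
    std::vector<std::string> sources;  // parsed source expressions
    std::string documentOrigin;        // origin that 'self' stands for
    std::string documentURL;           // URL substituted for empty requests

    // Reduce "scheme://host[:port]/path" to "scheme://host[:port]".
    static std::string originOf(const std::string& url) {
        std::size_t schemeEnd = url.find("://");
        if (schemeEnd == std::string::npos)
            return std::string();
        return url.substr(0, url.find('/', schemeEnd + 3));
    }

    bool matches(const std::string& url) const {
        const std::string origin = originOf(url);
        if (origin.empty())
            return false;  // nothing to compare against
        for (const std::string& source : sources) {
            if (source == "'none'")
                continue;  // 'none' never matches anything
            if (source == "'self'" && origin == documentOrigin)
                return true;
            if (source == origin)
                return true;
        }
        return false;
    }

    // The rule from the log message: an empty URL is checked as the document URL.
    bool allows(const std::string& url) const {
        return matches(url.empty() ? documentURL : url);
    }
};

// Build an object-src directive for a constructed document URL.
Directive makeObjectSrc(std::vector<std::string> sources) {
    const std::string doc = "http://doc.example/page.html";  // constructed
    return Directive{std::move(sources), Directive::originOf(doc), doc};
}
```

In this model a URL-less plugin is admitted by any source that matches the document, including the document's origin written out explicitly, and refused by 'none' or by a list that names only other hosts.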

Diff

Modified: trunk/LayoutTests/ChangeLog (99142 => 99143)


--- trunk/LayoutTests/ChangeLog	2011-11-03 06:40:34 UTC (rev 99142)
+++ trunk/LayoutTests/ChangeLog	2011-11-03 06:46:45 UTC (rev 99143)
@@ -1,3 +1,19 @@
+2011-11-02  Adam Barth  <[email protected]>
+
+        CSP should handle empty URLs as agreed at TPAC
+        https://bugs.webkit.org/show_bug.cgi?id=71426
+
+        Reviewed by Eric Seidel.
+
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html: Added.
+            - Test the allow and block cases for plugins with no URL.
+        * http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Added.
+            - Somehow these tests got deleted from the repository.  This patch just re-adds them.
+
 2011-11-02  Andrey Kosyakov  <[email protected]>
 
         Unerviewed gardening.
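Review bot: The two re-added tests at the end of this entry, object-src-none-allowed.html and object-src-none-blocked.html, are listed without matching -expected.txt files, unlike the two object-src-no-url tests above them. If the expected results are still in the repository, say so in the entry; otherwise add them so the re-added tests have a baseline to compare against.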

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt (0 => 99143)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt	2011-11-03 06:46:45 UTC (rev 99143)
@@ -0,0 +1 @@
+This test passes if there isn't a console message saying the plugin was blocked. 

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html (0 => 99143)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html	2011-11-03 06:46:45 UTC (rev 99143)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+  layoutTestController.dumpAsText();
+</script>
+<meta http-equiv="X-WebKit-CSP" content="object-src 'self'">
+</head>
+<body>
+This test passes if there isn't a console message saying the plugin was blocked.
+<object type="application/x-webkit-test-netscape"></object>
+</body>
+</html>
+
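Review bot: The pass condition stated in the body is only the absence of a console message, so this test also passes if the URL-less object never reaches the CSP check at all. Consider having the test confirm that the plugin was actually instantiated under object-src 'self', so that a regression which silently skips the check is distinguishable from an allowed load.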

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt (0 => 99143)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt	2011-11-03 06:46:45 UTC (rev 99143)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Refused to load object from '' because of Content-Security-Policy.
+
+This test passes if there is a console message saying the plugin was blocked. 
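Review bot: The expected console line reads "Refused to load object from ''", which gives a page author nothing to act on. Since the check for an empty URL is now made against the document URL, the message could say that the plugin has no URL, or report the URL it was actually matched against.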

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html (0 => 99143)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html	2011-11-03 06:46:45 UTC (rev 99143)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+  layoutTestController.dumpAsText();
+</script>
+<meta http-equiv="X-WebKit-CSP" content="object-src 'none'">
+</head>
+<body>
+This test passes if there is a console message saying the plugin was blocked.
+<object type="application/x-webkit-test-netscape"></object>
+</body>
+</html>
+
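Review bot: The policy in the meta tag is object-src 'none', which matches nothing whatever URL is checked, so this test does not exercise the new empty-URL substitution. A blocked case whose object-src lists only a host other than the document's would show that an empty URL is refused because the document URL fails to match, not merely because the list is empty.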

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-allowed.html (0 => 99143)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-allowed.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-allowed.html	2011-11-03 06:46:45 UTC (rev 99143)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+  <iframe src=""
+</body>
+</html>
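Review bot: The iframe line in the body, as shown, has an empty src and the tag is never closed before </body>, and the file contains no policy and no plugin element. Either the frame URL was lost when the test was re-added or the markup is incomplete; please restore the resource the frame is meant to load and close the tag.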

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked.html (0 => 99143)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked.html	2011-11-03 06:46:45 UTC (rev 99143)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+  <iframe src=""
+</body>
+</html>
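Review bot: As shown, this file is line-for-line identical to object-src-none-allowed.html, including the unterminated iframe with an empty src, so the two tests cannot be checking opposite outcomes. The blocked variant needs its own frame URL or policy that distinguishes it from the allowed one.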

Modified: trunk/Source/WebCore/ChangeLog (99142 => 99143)


--- trunk/Source/WebCore/ChangeLog	2011-11-03 06:40:34 UTC (rev 99142)
+++ trunk/Source/WebCore/ChangeLog	2011-11-03 06:46:45 UTC (rev 99143)
@@ -1,5 +1,29 @@
 2011-11-02  Adam Barth  <[email protected]>
 
+        CSP should handle empty URLs as agreed at TPAC
+        https://bugs.webkit.org/show_bug.cgi?id=71426
+
+        Reviewed by Eric Seidel.
+
+        It was somewhat unclear how CSP should treat plugins that lacked a URL
+        because most of the CSP rules are URL-based.  At TPAC, we decided to
+        treat "empty" URLs as if there were the URL of the document.  That
+        means you can use plugins with no URL if you've included 'self' in
+        object-src, but you can also block them by using 'none' as your
+        object-src.
+
+        Tests: http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html
+               http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html
+               http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
+               http/tests/security/contentSecurityPolicy/object-src-none-blocked.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirective::CSPDirective):
+        (WebCore::CSPDirective::allows):
+        (WebCore::ContentSecurityPolicy::createCSPDirective):
+
+2011-11-02  Adam Barth  <[email protected]>
+
         Implement allow-popups for iframe@sandbox
         https://bugs.webkit.org/show_bug.cgi?id=66505
 
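Review bot: The three per-function lines under page/ContentSecurityPolicy.cpp carry no description. A short note on each, for example that CSPDirective::allows now substitutes the document URL for an empty one and that the constructor takes a ScriptExecutionContext to obtain it, would let readers of the ChangeLog see where the behaviour change lives. The explanatory paragraph also reads "as if there were the URL", where "they" is presumably meant.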

Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (99142 => 99143)


--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2011-11-03 06:40:34 UTC (rev 99142)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2011-11-03 06:46:45 UTC (rev 99143)
@@ -458,16 +458,17 @@
 
 class CSPDirective {
 public:
-    CSPDirective(const String& name, const String& value, SecurityOrigin* origin)
-        : m_sourceList(origin)
+    CSPDirective(const String& name, const String& value, ScriptExecutionContext* context)
+        : m_sourceList(context->securityOrigin())
         , m_text(name + ' ' + value)
+        , m_selfURL(context->url())
     {
         m_sourceList.parse(value);
     }
 
     bool allows(const KURL& url)
     {
-        return m_sourceList.matches(url);
+        return m_sourceList.matches(url.isEmpty() ? m_selfURL : url);
     }
 
     bool allowInline() const { return m_sourceList.allowInline(); }
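Review bot: In allows(), the fallback uses m_selfURL, which the constructor copies from context->url() once when the directive is created; if the document's URL changes afterwards, URL-less plugins are still checked against the old value. Consider asking the context for its URL at check time, or add a comment stating that the creation-time URL is intended. Note also that the substitution lets any source expression that matches the document URL, not only 'self', admit URL-less plugins, which deserves a sentence in the ChangeLog.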
@@ -478,6 +479,7 @@
 private:
     CSPSourceList m_sourceList;
     String m_text;
+    KURL m_selfURL;
 };
 
 ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
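Review bot: The new member m_selfURL is declared without a comment, and the name alone does not say that it is the document URL substituted for empty URLs in allows(). A one-line comment on the declaration would make the purpose clear to someone reading the class without the ChangeLog.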
@@ -759,7 +761,7 @@
 
 PassOwnPtr<CSPDirective> ContentSecurityPolicy::createCSPDirective(const String& name, const String& value)
 {
-    return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext->securityOrigin()));
+    return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext));
 }
 
 void ContentSecurityPolicy::addDirective(const String& name, const String& value)
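Review bot: createCSPDirective() now passes m_scriptExecutionContext itself, and the CSPDirective constructor dereferences it twice in its initializer list (securityOrigin() and url()). The old call dereferenced the pointer here too, so this is not a new failure mode, but an ASSERT(m_scriptExecutionContext) before the call would document the precondition now that the dereference has moved into another class.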