Title: [101829] trunk
Revision: 101829
Author: [email protected]
Date: 2011-12-02 10:55:05 -0800 (Fri, 02 Dec 2011)

Log Message

Content-security-policy script-src not enforced on workers.
https://bugs.webkit.org/show_bug.cgi?id=73240

Reviewed by Adam Barth.

Source/WebCore:

Add a CSP check in AbstractWorker.cpp as part of resolving URL.

Test: http/tests/security/contentSecurityPolicy/worker-script-src.html

* workers/AbstractWorker.cpp:
(WebCore::AbstractWorker::resolveURL):

LayoutTests:

Added test to verify bug.

* http/tests/security/contentSecurityPolicy/worker-script-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/worker-script-src.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (101828 => 101829)


--- trunk/LayoutTests/ChangeLog	2011-12-02 18:52:52 UTC (rev 101828)
+++ trunk/LayoutTests/ChangeLog	2011-12-02 18:55:05 UTC (rev 101829)
@@ -1,3 +1,15 @@
+2011-12-02  Tom Sepez  <[email protected]>
+
+        Content-security-policy script-src not enforced on workers.
+        https://bugs.webkit.org/show_bug.cgi?id=73240
+
+        Reviewed by Adam Barth.
+
+        Added test to verify bug.
+
+        * http/tests/security/contentSecurityPolicy/worker-script-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/worker-script-src.html: Added.
+
 2011-12-02  Daniel Cheng  <[email protected]>
 
         [chromium] Add plumbing for supporting custom MIME types in DataTransfer.

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src-expected.txt (0 => 101829)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src-expected.txt	2011-12-02 18:55:05 UTC (rev 101829)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' because of Content-Security-Policy.
+
+ALERT: Error: SECURITY_ERR: DOM Exception 18
+
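
Review bot: The expected console message reports "line 1", but the `new Worker(...)` call that triggers the refusal is on line 14 of worker-script-src.html. If the line number is meant to point at the offending call, this baseline records a value that does not match the test source; please confirm what line the CSP console message is supposed to carry for worker creation before landing the expectation.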

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src.html (0 => 101829)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src.html	2011-12-02 18:55:05 UTC (rev 101829)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'"/>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+}
+</script>
+</head>
+<body>
+<script>
+try {
+    var foo = new Worker('http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js');
+} catch (e) {
+   alert(e);
+}
+</script>
+</body>
+</html>
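
Review bot: The `try` block produces no output on the path where `new Worker(...)` does not throw, so a regression is detected only through whatever alert-fail.js does when it runs inside a worker. Add an explicit `alert('FAIL: worker was created');` right after the constructor call so the failure mode is visible in the test itself. The test also covers only the refused case under `script-src 'unsafe-inline'`; a companion case with a source the policy allows would show that the new check does not refuse workers it should permit. Nit: `alert(e);` is indented three spaces while the rest of the file uses four.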

Modified: trunk/Source/WebCore/ChangeLog (101828 => 101829)


--- trunk/Source/WebCore/ChangeLog	2011-12-02 18:52:52 UTC (rev 101828)
+++ trunk/Source/WebCore/ChangeLog	2011-12-02 18:55:05 UTC (rev 101829)
@@ -1,3 +1,17 @@
+2011-12-02  Tom Sepez  <[email protected]>
+
+        Content-security-policy script-src not enforced on workers.
+        https://bugs.webkit.org/show_bug.cgi?id=73240
+
+        Reviewed by Adam Barth.
+
+        Add a CSP check in AbstractWorker.cpp as part of resolving URL.
+        
+        Test: http/tests/security/contentSecurityPolicy/worker-script-src.html
+
+        * workers/AbstractWorker.cpp:
+        (WebCore::AbstractWorker::resolveURL):
+
 2011-12-02  Daniel Cheng  <[email protected]>
 
         [chromium] Add plumbing for supporting custom MIME types in DataTransfer.

Modified: trunk/Source/WebCore/workers/AbstractWorker.cpp (101828 => 101829)


--- trunk/Source/WebCore/workers/AbstractWorker.cpp	2011-12-02 18:52:52 UTC (rev 101828)
+++ trunk/Source/WebCore/workers/AbstractWorker.cpp	2011-12-02 18:55:05 UTC (rev 101829)
@@ -34,6 +34,7 @@
 
 #include "AbstractWorker.h"
 
+#include "ContentSecurityPolicy.h"
 #include "ErrorEvent.h"
 #include "Event.h"
 #include "EventException.h"
@@ -85,6 +86,11 @@
         return KURL();
     }
 
+    if (scriptExecutionContext()->contentSecurityPolicy() && !scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(scriptURL)) {
+        ec = SECURITY_ERR;
+        return KURL();
+    }
+
     return scriptURL;
 }
 
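
Review bot: The added `if` in resolveURL consults the policy only for the URL passed in at construction time, before any fetch happens. Nothing in this hunk says whether a redirected response for the worker script, or scripts loaded from inside the worker, are also subject to script-src; please confirm those paths are checked elsewhere or file a follow-up bug. Minor: `scriptExecutionContext()->contentSecurityPolicy()` is evaluated twice in the condition, and a local variable would shorten the line and make the null check easier to read.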