Log Message
Refactor CSP state to prepare for having both a ReportOnly and an Enforced policy https://bugs.webkit.org/show_bug.cgi?id=85662
Reviewed by Eric Seidel. Source/WebCore: This patch refactors the ContentSecurityPolicy state into a separate DirectiveList class to prepare for https://bugs.webkit.org/show_bug.cgi?id=85561, which will cause us to need two directive lists: one for enforcement and one for monitoring. This patch shouldn't cause any change in behavior. * page/ContentSecurityPolicy.cpp: (CSPDirectiveList): (WebCore::CSPDirectiveList::header): (WebCore::CSPDirectiveList::headerType): (WebCore::CSPDirectiveList::denyIfEnforcingPolicy): (WebCore): (WebCore::CSPDirectiveList::CSPDirectiveList): (WebCore::CSPDirectiveList::create): (WebCore::CSPDirectiveList::reportViolation): (WebCore::CSPDirectiveList::logUnrecognizedDirective): (WebCore::CSPDirectiveList::checkEval): (WebCore::CSPDirectiveList::operativeDirective): (WebCore::CSPDirectiveList::checkInlineAndReportViolation): (WebCore::CSPDirectiveList::checkEvalAndReportViolation): (WebCore::CSPDirectiveList::checkSourceAndReportViolation): (WebCore::CSPDirectiveList::allowJavaScriptURLs): (WebCore::CSPDirectiveList::allowInlineEventHandlers): (WebCore::CSPDirectiveList::allowInlineScript): (WebCore::CSPDirectiveList::allowInlineStyle): (WebCore::CSPDirectiveList::allowEval): (WebCore::CSPDirectiveList::allowScriptFromSource): (WebCore::CSPDirectiveList::allowObjectFromSource): (WebCore::CSPDirectiveList::allowChildFrameFromSource): (WebCore::CSPDirectiveList::allowImageFromSource): (WebCore::CSPDirectiveList::allowStyleFromSource): (WebCore::CSPDirectiveList::allowFontFromSource): (WebCore::CSPDirectiveList::allowMediaFromSource): (WebCore::CSPDirectiveList::allowConnectFromSource): (WebCore::CSPDirectiveList::parse): (WebCore::CSPDirectiveList::parseDirective): (WebCore::CSPDirectiveList::parseReportURI): (WebCore::CSPDirectiveList::createCSPDirective): (WebCore::CSPDirectiveList::applySandboxPolicy): (WebCore::CSPDirectiveList::addDirective): (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): (WebCore::ContentSecurityPolicy::~ContentSecurityPolicy): (WebCore::ContentSecurityPolicy::copyStateFrom): (WebCore::ContentSecurityPolicy::didReceiveHeader): (WebCore::ContentSecurityPolicy::setOverrideAllowInlineStyle): (WebCore::ContentSecurityPolicy::header): (WebCore::ContentSecurityPolicy::headerType): (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): (WebCore::ContentSecurityPolicy::allowInlineEventHandlers): (WebCore::ContentSecurityPolicy::allowInlineScript): (WebCore::ContentSecurityPolicy::allowInlineStyle): (WebCore::ContentSecurityPolicy::allowEval): (WebCore::ContentSecurityPolicy::allowScriptFromSource): (WebCore::ContentSecurityPolicy::allowObjectFromSource): (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): (WebCore::ContentSecurityPolicy::allowImageFromSource): (WebCore::ContentSecurityPolicy::allowStyleFromSource): (WebCore::ContentSecurityPolicy::allowFontFromSource): (WebCore::ContentSecurityPolicy::allowMediaFromSource): (WebCore::ContentSecurityPolicy::allowConnectFromSource): * page/ContentSecurityPolicy.h: (WebCore): * workers/WorkerMessagingProxy.cpp: (WebCore::WorkerMessagingProxy::startWorkerContext): Source/WebKit/chromium: Update callers to the new function name. * src/SharedWorkerRepository.cpp: (WebCore::SharedWorkerScriptLoader::notifyFinished): * src/WebWorkerClientImpl.cpp: (WebKit::WebWorkerClientImpl::startWorkerContext):
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
- trunk/Source/WebCore/page/ContentSecurityPolicy.h
- trunk/Source/WebCore/workers/DefaultSharedWorkerRepository.cpp
- trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp
- trunk/Source/WebKit/chromium/ChangeLog
- trunk/Source/WebKit/chromium/src/SharedWorkerRepository.cpp
- trunk/Source/WebKit/chromium/src/WebWorkerClientImpl.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (116176 => 116177)
--- trunk/Source/WebCore/ChangeLog 2012-05-04 21:38:10 UTC (rev 116176)
+++ trunk/Source/WebCore/ChangeLog 2012-05-04 21:40:48 UTC (rev 116177)
@@ -1,3 +1,76 @@
+2012-05-04 Adam Barth <[email protected]>
+
+ Refactor CSP state to prepare for having both a ReportOnly and an Enforced policy
+ https://bugs.webkit.org/show_bug.cgi?id=85662
+
+ Reviewed by Eric Seidel.
+
+ This patch refactors the ContentSecurityPolicy state into a separate
+ DirectiveList class to prepare for
+ https://bugs.webkit.org/show_bug.cgi?id=85561, which will cause us to
+ need two directive lists: one for enforcement and one for monitoring.
+
+ This patch shouldn't cause any change in behavior.
+
+ * page/ContentSecurityPolicy.cpp:
+ (CSPDirectiveList):
+ (WebCore::CSPDirectiveList::header):
+ (WebCore::CSPDirectiveList::headerType):
+ (WebCore::CSPDirectiveList::denyIfEnforcingPolicy):
+ (WebCore):
+ (WebCore::CSPDirectiveList::CSPDirectiveList):
+ (WebCore::CSPDirectiveList::create):
+ (WebCore::CSPDirectiveList::reportViolation):
+ (WebCore::CSPDirectiveList::logUnrecognizedDirective):
+ (WebCore::CSPDirectiveList::checkEval):
+ (WebCore::CSPDirectiveList::operativeDirective):
+ (WebCore::CSPDirectiveList::checkInlineAndReportViolation):
+ (WebCore::CSPDirectiveList::checkEvalAndReportViolation):
+ (WebCore::CSPDirectiveList::checkSourceAndReportViolation):
+ (WebCore::CSPDirectiveList::allowJavaScriptURLs):
+ (WebCore::CSPDirectiveList::allowInlineEventHandlers):
+ (WebCore::CSPDirectiveList::allowInlineScript):
+ (WebCore::CSPDirectiveList::allowInlineStyle):
+ (WebCore::CSPDirectiveList::allowEval):
+ (WebCore::CSPDirectiveList::allowScriptFromSource):
+ (WebCore::CSPDirectiveList::allowObjectFromSource):
+ (WebCore::CSPDirectiveList::allowChildFrameFromSource):
+ (WebCore::CSPDirectiveList::allowImageFromSource):
+ (WebCore::CSPDirectiveList::allowStyleFromSource):
+ (WebCore::CSPDirectiveList::allowFontFromSource):
+ (WebCore::CSPDirectiveList::allowMediaFromSource):
+ (WebCore::CSPDirectiveList::allowConnectFromSource):
+ (WebCore::CSPDirectiveList::parse):
+ (WebCore::CSPDirectiveList::parseDirective):
+ (WebCore::CSPDirectiveList::parseReportURI):
+ (WebCore::CSPDirectiveList::createCSPDirective):
+ (WebCore::CSPDirectiveList::applySandboxPolicy):
+ (WebCore::CSPDirectiveList::addDirective):
+ (WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
+ (WebCore::ContentSecurityPolicy::~ContentSecurityPolicy):
+ (WebCore::ContentSecurityPolicy::copyStateFrom):
+ (WebCore::ContentSecurityPolicy::didReceiveHeader):
+ (WebCore::ContentSecurityPolicy::setOverrideAllowInlineStyle):
+ (WebCore::ContentSecurityPolicy::header):
+ (WebCore::ContentSecurityPolicy::headerType):
+ (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
+ (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
+ (WebCore::ContentSecurityPolicy::allowInlineScript):
+ (WebCore::ContentSecurityPolicy::allowInlineStyle):
+ (WebCore::ContentSecurityPolicy::allowEval):
+ (WebCore::ContentSecurityPolicy::allowScriptFromSource):
+ (WebCore::ContentSecurityPolicy::allowObjectFromSource):
+ (WebCore::ContentSecurityPolicy::allowChildFrameFromSource):
+ (WebCore::ContentSecurityPolicy::allowImageFromSource):
+ (WebCore::ContentSecurityPolicy::allowStyleFromSource):
+ (WebCore::ContentSecurityPolicy::allowFontFromSource):
+ (WebCore::ContentSecurityPolicy::allowMediaFromSource):
+ (WebCore::ContentSecurityPolicy::allowConnectFromSource):
+ * page/ContentSecurityPolicy.h:
+ (WebCore):
+ * workers/WorkerMessagingProxy.cpp:
+ (WebCore::WorkerMessagingProxy::startWorkerContext):
+
2012-05-04 Abhishek Arya <[email protected]>
ASSERT(beforeChildAnonymousContainer->isTable()); fails in RenderBlock::addChildIgnoringAnonymousColumnBlocks.
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (116176 => 116177)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-05-04 21:38:10 UTC (rev 116176)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-05-04 21:40:48 UTC (rev 116177)
@@ -482,49 +482,99 @@
KURL m_selfURL;
};
-ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
- : m_havePolicy(false)
- , m_scriptExecutionContext(scriptExecutionContext)
+class CSPDirectiveList {
+public:
+ static PassOwnPtr<CSPDirectiveList> create(ScriptExecutionContext*, const String&, ContentSecurityPolicy::HeaderType);
+
+ const String& header() const { return m_header; }
+ ContentSecurityPolicy::HeaderType headerType() const { return m_reportOnly ? ContentSecurityPolicy::ReportOnly : ContentSecurityPolicy::EnforcePolicy; }
+
+ bool allowJavaScriptURLs() const;
+ bool allowInlineEventHandlers() const;
+ bool allowInlineScript() const;
+ bool allowInlineStyle() const;
+ bool allowEval() const;
+
+ bool allowScriptFromSource(const KURL&) const;
+ bool allowObjectFromSource(const KURL&) const;
+ bool allowChildFrameFromSource(const KURL&) const;
+ bool allowImageFromSource(const KURL&) const;
+ bool allowStyleFromSource(const KURL&) const;
+ bool allowFontFromSource(const KURL&) const;
+ bool allowMediaFromSource(const KURL&) const;
+ bool allowConnectFromSource(const KURL&) const;
+
+private:
+ explicit CSPDirectiveList(ScriptExecutionContext*);
+
+ void parse(const String&);
+
+ bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
+ void parseReportURI(const String&);
+ void addDirective(const String& name, const String& value);
+ void applySandboxPolicy(const String& sandboxPolicy);
+
+ PassOwnPtr<CSPDirective> createCSPDirective(const String& name, const String& value);
+
+ CSPDirective* operativeDirective(CSPDirective*) const;
+ void reportViolation(const String& directiveText, const String& consoleMessage) const;
+ void logUnrecognizedDirective(const String& name) const;
+ bool checkEval(CSPDirective*) const;
+
+ bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const;
+ bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage) const;
+ bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
+
+ bool denyIfEnforcingPolicy() const { return m_reportOnly; }
+
+ ScriptExecutionContext* m_scriptExecutionContext;
+ String m_header;
+
+ bool m_reportOnly;
+ bool m_haveSandboxPolicy;
+
+ OwnPtr<CSPDirective> m_defaultSrc;
+ OwnPtr<CSPDirective> m_scriptSrc;
+ OwnPtr<CSPDirective> m_objectSrc;
+ OwnPtr<CSPDirective> m_frameSrc;
+ OwnPtr<CSPDirective> m_imgSrc;
+ OwnPtr<CSPDirective> m_styleSrc;
+ OwnPtr<CSPDirective> m_fontSrc;
+ OwnPtr<CSPDirective> m_mediaSrc;
+ OwnPtr<CSPDirective> m_connectSrc;
+
+ Vector<KURL> m_reportURLs;
+};
+
+CSPDirectiveList::CSPDirectiveList(ScriptExecutionContext* scriptExecutionContext)
+ : m_scriptExecutionContext(scriptExecutionContext)
, m_reportOnly(false)
, m_haveSandboxPolicy(false)
- , m_overrideInlineStyleAllowed(false)
{
}
-ContentSecurityPolicy::~ContentSecurityPolicy()
+PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ScriptExecutionContext* scriptExecutionContext, const String& header, ContentSecurityPolicy::HeaderType type)
{
-}
+ OwnPtr<CSPDirectiveList> policy = adoptPtr(new CSPDirectiveList(scriptExecutionContext));
+ policy->parse(header);
+ policy->m_header = header;
-void ContentSecurityPolicy::copyStateFrom(const ContentSecurityPolicy* other)
-{
- ASSERT(!m_havePolicy);
- if (other->m_havePolicy)
- didReceiveHeader(other->m_header, other->m_reportOnly ? ReportOnly : EnforcePolicy);
-}
-
-void ContentSecurityPolicy::didReceiveHeader(const String& header, HeaderType type)
-{
- if (m_havePolicy)
- return; // The first policy wins.
-
- parse(header);
- m_havePolicy = true;
- m_header = header;
-
switch (type) {
- case ReportOnly:
- m_reportOnly = true;
- return;
- case EnforcePolicy:
- ASSERT(!m_reportOnly);
+ case ContentSecurityPolicy::ReportOnly:
+ policy->m_reportOnly = true;
+ return policy.release();
+ case ContentSecurityPolicy::EnforcePolicy:
+ ASSERT(!policy->m_reportOnly);
break;
}
- if (!checkEval(operativeDirective(m_scriptSrc.get())))
- m_scriptExecutionContext->disableEval();
+ if (!policy->checkEval(policy->operativeDirective(policy->m_scriptSrc.get())))
+ scriptExecutionContext->disableEval();
+
+ return policy.release();
}
-void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& consoleMessage) const
+void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage) const
{
String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message);
@@ -562,23 +612,23 @@
PingLoader::reportContentSecurityPolicyViolation(frame, m_reportURLs[i], report);
}
-void ContentSecurityPolicy::logUnrecognizedDirective(const String& name) const
+void CSPDirectiveList::logUnrecognizedDirective(const String& name) const
{
String message = makeString("Unrecognized Content-Security-Policy directive '", name, "'.\n");
m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message);
}
-bool ContentSecurityPolicy::checkEval(CSPDirective* directive) const
+bool CSPDirectiveList::checkEval(CSPDirective* directive) const
{
return !directive || directive->allowEval();
}
-CSPDirective* ContentSecurityPolicy::operativeDirective(CSPDirective* directive) const
+CSPDirective* CSPDirectiveList::operativeDirective(CSPDirective* directive) const
{
return directive ? directive : m_defaultSrc.get();
}
-bool ContentSecurityPolicy::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
+bool CSPDirectiveList::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
{
if (!directive || directive->allowInline())
return true;
@@ -586,7 +636,7 @@
return denyIfEnforcingPolicy();
}
-bool ContentSecurityPolicy::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
+bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
{
if (checkEval(directive))
return true;
@@ -594,7 +644,7 @@
return denyIfEnforcingPolicy();
}
-bool ContentSecurityPolicy::checkSourceAndReportViolation(CSPDirective* directive, const KURL& url, const String& type) const
+bool CSPDirectiveList::checkSourceAndReportViolation(CSPDirective* directive, const KURL& url, const String& type) const
{
if (!directive || directive->allows(url))
return true;
@@ -602,43 +652,43 @@
return denyIfEnforcingPolicy();
}
-bool ContentSecurityPolicy::allowJavaScriptURLs() const
+bool CSPDirectiveList::allowJavaScriptURLs() const
{
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute _javascript_ URL because of Content-Security-Policy.\n"));
return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
}
-bool ContentSecurityPolicy::allowInlineEventHandlers() const
+bool CSPDirectiveList::allowInlineEventHandlers() const
{
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because of Content-Security-Policy.\n"));
return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
}
-bool ContentSecurityPolicy::allowInlineScript() const
+bool CSPDirectiveList::allowInlineScript() const
{
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because of Content-Security-Policy.\n"));
return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
}
-bool ContentSecurityPolicy::allowInlineStyle() const
+bool CSPDirectiveList::allowInlineStyle() const
{
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because of Content-Security-Policy.\n"));
- return m_overrideInlineStyleAllowed || checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage);
+ return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage);
}
-bool ContentSecurityPolicy::allowEval() const
+bool CSPDirectiveList::allowEval() const
{
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because of Content-Security-Policy.\n"));
return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
}
-bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const
+bool CSPDirectiveList::allowScriptFromSource(const KURL& url) const
{
DEFINE_STATIC_LOCAL(String, type, ("script"));
return checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, type);
}
-bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const
+bool CSPDirectiveList::allowObjectFromSource(const KURL& url) const
{
DEFINE_STATIC_LOCAL(String, type, ("object"));
if (url.protocolIs("about"))
@@ -646,7 +696,7 @@
return checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, type);
}
-bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url) const
+bool CSPDirectiveList::allowChildFrameFromSource(const KURL& url) const
{
DEFINE_STATIC_LOCAL(String, type, ("frame"));
if (url.protocolIs("about"))
@@ -654,48 +704,41 @@
return checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, type);
}
-bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const
+bool CSPDirectiveList::allowImageFromSource(const KURL& url) const
{
DEFINE_STATIC_LOCAL(String, type, ("image"));
return checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, type);
}
-bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const
+bool CSPDirectiveList::allowStyleFromSource(const KURL& url) const
{
DEFINE_STATIC_LOCAL(String, type, ("style"));
return checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, type);
}
-bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const
+bool CSPDirectiveList::allowFontFromSource(const KURL& url) const
{
DEFINE_STATIC_LOCAL(String, type, ("font"));
return checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, type);
}
-bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url) const
+bool CSPDirectiveList::allowMediaFromSource(const KURL& url) const
{
DEFINE_STATIC_LOCAL(String, type, ("media"));
return checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, type);
}
-bool ContentSecurityPolicy::allowConnectFromSource(const KURL& url) const
+bool CSPDirectiveList::allowConnectFromSource(const KURL& url) const
{
DEFINE_STATIC_LOCAL(String, type, ("connect"));
return checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type);
}
-void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value)
-{
- m_overrideInlineStyleAllowed = value;
-}
-
// policy = directive-list
// directive-list = [ directive *( ";" [ directive ] ) ]
//
-void ContentSecurityPolicy::parse(const String& policy)
+void CSPDirectiveList::parse(const String& policy)
{
- ASSERT(!m_havePolicy);
-
if (policy.isEmpty())
return;
@@ -721,7 +764,7 @@
// directive-name = 1*( ALPHA / DIGIT / "-" )
// directive-value = *( WSP / <VCHAR except ";"> )
//
-bool ContentSecurityPolicy::parseDirective(const UChar* begin, const UChar* end, String& name, String& value)
+bool CSPDirectiveList::parseDirective(const UChar* begin, const UChar* end, String& name, String& value)
{
ASSERT(name.isEmpty());
ASSERT(value.isEmpty());
@@ -760,7 +803,7 @@
return true;
}
-void ContentSecurityPolicy::parseReportURI(const String& value)
+void CSPDirectiveList::parseReportURI(const String& value)
{
const UChar* position = value.characters();
const UChar* end = position + value.length();
@@ -778,19 +821,19 @@
}
}
-PassOwnPtr<CSPDirective> ContentSecurityPolicy::createCSPDirective(const String& name, const String& value)
+PassOwnPtr<CSPDirective> CSPDirectiveList::createCSPDirective(const String& name, const String& value)
{
return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext));
}
-void ContentSecurityPolicy::applySandboxPolicy(const String& sandboxPolicy)
+void CSPDirectiveList::applySandboxPolicy(const String& sandboxPolicy)
{
ASSERT(!m_haveSandboxPolicy);
m_haveSandboxPolicy = true;
m_scriptExecutionContext->enforceSandboxFlags(SecurityContext::parseSandboxPolicy(sandboxPolicy));
}
-void ContentSecurityPolicy::addDirective(const String& name, const String& value)
+void CSPDirectiveList::addDirective(const String& name, const String& value)
{
DEFINE_STATIC_LOCAL(String, defaultSrc, ("default-src"));
DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
@@ -832,4 +875,108 @@
logUnrecognizedDirective(name);
}
+ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
+ : m_scriptExecutionContext(scriptExecutionContext)
+ , m_overrideInlineStyleAllowed(false)
+{
}
+
+ContentSecurityPolicy::~ContentSecurityPolicy()
+{
+}
+
+void ContentSecurityPolicy::copyStateFrom(const ContentSecurityPolicy* other)
+{
+ ASSERT(!m_policy);
+ if (other->m_policy)
+ didReceiveHeader(other->header(), other->headerType());
+}
+
+void ContentSecurityPolicy::didReceiveHeader(const String& header, HeaderType type)
+{
+ if (m_policy)
+ return; // The first policy wins.
+ m_policy = CSPDirectiveList::create(m_scriptExecutionContext, header, type);
+}
+
+void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value)
+{
+ m_overrideInlineStyleAllowed = value;
+}
+
+const String& ContentSecurityPolicy::header() const
+{
+ return m_policy ? m_policy->header() : emptyString();
+}
+
+ContentSecurityPolicy::HeaderType ContentSecurityPolicy::headerType() const
+{
+ return m_policy ? m_policy->headerType() : EnforcePolicy;
+}
+
+bool ContentSecurityPolicy::allowJavaScriptURLs() const
+{
+ return !m_policy || m_policy->allowJavaScriptURLs();
+}
+
+bool ContentSecurityPolicy::allowInlineEventHandlers() const
+{
+ return !m_policy || m_policy->allowInlineEventHandlers();
+}
+
+bool ContentSecurityPolicy::allowInlineScript() const
+{
+ return !m_policy || m_policy->allowInlineScript();
+}
+
+bool ContentSecurityPolicy::allowInlineStyle() const
+{
+ return !m_policy || m_overrideInlineStyleAllowed || m_policy->allowInlineStyle();
+}
+
+bool ContentSecurityPolicy::allowEval() const
+{
+ return !m_policy || m_policy->allowEval();
+}
+
+bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const
+{
+ return !m_policy || m_policy->allowScriptFromSource(url);
+}
+
+bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const
+{
+ return !m_policy || m_policy->allowObjectFromSource(url);
+}
+
+bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url) const
+{
+ return !m_policy || m_policy->allowChildFrameFromSource(url);
+}
+
+bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const
+{
+ return !m_policy || m_policy->allowImageFromSource(url);
+}
+
+bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const
+{
+ return !m_policy || m_policy->allowStyleFromSource(url);
+}
+
+bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const
+{
+ return !m_policy || m_policy->allowFontFromSource(url);
+}
+
+bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url) const
+{
+ return !m_policy || m_policy->allowMediaFromSource(url);
+}
+
+bool ContentSecurityPolicy::allowConnectFromSource(const KURL& url) const
+{
+ return !m_policy || m_policy->allowConnectFromSource(url);
+}
+
+}
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (116176 => 116177)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.h 2012-05-04 21:38:10 UTC (rev 116176)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h 2012-05-04 21:40:48 UTC (rev 116177)
@@ -33,7 +33,7 @@
namespace WebCore {
-class CSPDirective;
+class CSPDirectiveList;
class ScriptExecutionContext;
class KURL;
@@ -53,9 +53,10 @@
};
void didReceiveHeader(const String&, HeaderType);
- String policy() { return m_header; }
- HeaderType headerType() { return m_reportOnly ? ReportOnly : EnforcePolicy; }
+ const String& header() const;
+ HeaderType headerType() const;
+
bool allowJavaScriptURLs() const;
bool allowInlineEventHandlers() const;
bool allowInlineScript() const;
@@ -76,42 +77,9 @@
private:
explicit ContentSecurityPolicy(ScriptExecutionContext*);
- void parse(const String&);
- bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
- void parseReportURI(const String&);
- void addDirective(const String& name, const String& value);
- void applySandboxPolicy(const String& sandboxPolicy);
-
- PassOwnPtr<CSPDirective> createCSPDirective(const String& name, const String& value);
-
- CSPDirective* operativeDirective(CSPDirective*) const;
- void reportViolation(const String& directiveText, const String& consoleMessage) const;
- void logUnrecognizedDirective(const String& name) const;
- bool checkEval(CSPDirective*) const;
-
- bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const;
- bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage) const;
- bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
-
- bool denyIfEnforcingPolicy() const { return m_reportOnly; }
-
- bool m_havePolicy;
ScriptExecutionContext* m_scriptExecutionContext;
-
- bool m_reportOnly;
- String m_header;
- OwnPtr<CSPDirective> m_defaultSrc;
- OwnPtr<CSPDirective> m_scriptSrc;
- OwnPtr<CSPDirective> m_objectSrc;
- OwnPtr<CSPDirective> m_frameSrc;
- OwnPtr<CSPDirective> m_imgSrc;
- OwnPtr<CSPDirective> m_styleSrc;
- OwnPtr<CSPDirective> m_fontSrc;
- OwnPtr<CSPDirective> m_mediaSrc;
- OwnPtr<CSPDirective> m_connectSrc;
- bool m_haveSandboxPolicy;
bool m_overrideInlineStyleAllowed;
- Vector<KURL> m_reportURLs;
+ OwnPtr<CSPDirectiveList> m_policy;
};
}
Modified: trunk/Source/WebCore/workers/DefaultSharedWorkerRepository.cpp (116176 => 116177)
--- trunk/Source/WebCore/workers/DefaultSharedWorkerRepository.cpp 2012-05-04 21:38:10 UTC (rev 116176)
+++ trunk/Source/WebCore/workers/DefaultSharedWorkerRepository.cpp 2012-05-04 21:40:48 UTC (rev 116177)
@@ -322,7 +322,7 @@
InspectorInstrumentation::scriptImported(m_worker->scriptExecutionContext(), m_scriptLoader->identifier(), m_scriptLoader->script());
DefaultSharedWorkerRepository::instance().workerScriptLoaded(*m_proxy, m_worker->scriptExecutionContext()->userAgent(m_scriptLoader->url()),
m_scriptLoader->script(), m_port.release(),
- m_worker->scriptExecutionContext()->contentSecurityPolicy()->policy(),
+ m_worker->scriptExecutionContext()->contentSecurityPolicy()->header(),
m_worker->scriptExecutionContext()->contentSecurityPolicy()->headerType());
}
m_worker->unsetPendingActivity(m_worker.get());
Modified: trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp (116176 => 116177)
--- trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp 2012-05-04 21:38:10 UTC (rev 116176)
+++ trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp 2012-05-04 21:40:48 UTC (rev 116177)
@@ -272,7 +272,7 @@
void WorkerMessagingProxy::startWorkerContext(const KURL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode)
{
RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode,
- m_scriptExecutionContext->contentSecurityPolicy()->policy(),
+ m_scriptExecutionContext->contentSecurityPolicy()->header(),
m_scriptExecutionContext->contentSecurityPolicy()->headerType());
workerThreadCreated(thread);
thread->start();
Modified: trunk/Source/WebKit/chromium/ChangeLog (116176 => 116177)
--- trunk/Source/WebKit/chromium/ChangeLog 2012-05-04 21:38:10 UTC (rev 116176)
+++ trunk/Source/WebKit/chromium/ChangeLog 2012-05-04 21:40:48 UTC (rev 116177)
@@ -1,3 +1,17 @@
+2012-05-04 Adam Barth <[email protected]>
+
+ Refactor CSP state to prepare for having both a ReportOnly and an Enforced policy
+ https://bugs.webkit.org/show_bug.cgi?id=85662
+
+ Reviewed by Eric Seidel.
+
+ Update callers to the new function name.
+
+ * src/SharedWorkerRepository.cpp:
+ (WebCore::SharedWorkerScriptLoader::notifyFinished):
+ * src/WebWorkerClientImpl.cpp:
+ (WebKit::WebWorkerClientImpl::startWorkerContext):
+
2012-05-04 Sami Kyostila <[email protected]>
[chromium] Revert compositor layer scrolling
Modified: trunk/Source/WebKit/chromium/src/SharedWorkerRepository.cpp (116176 => 116177)
--- trunk/Source/WebKit/chromium/src/SharedWorkerRepository.cpp 2012-05-04 21:38:10 UTC (rev 116176)
+++ trunk/Source/WebKit/chromium/src/SharedWorkerRepository.cpp 2012-05-04 21:40:48 UTC (rev 116177)
@@ -171,7 +171,7 @@
InspectorInstrumentation::scriptImported(m_worker->scriptExecutionContext(), m_scriptLoader->identifier(), m_scriptLoader->script());
// Pass the script off to the worker, then send a connect event.
m_webWorker->startWorkerContext(m_url, m_name, m_worker->scriptExecutionContext()->userAgent(m_url), m_scriptLoader->script(),
- m_worker->scriptExecutionContext()->contentSecurityPolicy()->policy(),
+ m_worker->scriptExecutionContext()->contentSecurityPolicy()->header(),
static_cast<WebKit::WebContentSecurityPolicyType>(m_worker->scriptExecutionContext()->contentSecurityPolicy()->headerType()),
m_responseAppCacheID);
sendConnect();
Modified: trunk/Source/WebKit/chromium/src/WebWorkerClientImpl.cpp (116176 => 116177)
--- trunk/Source/WebKit/chromium/src/WebWorkerClientImpl.cpp 2012-05-04 21:38:10 UTC (rev 116176)
+++ trunk/Source/WebKit/chromium/src/WebWorkerClientImpl.cpp 2012-05-04 21:40:48 UTC (rev 116177)
@@ -87,7 +87,7 @@
void WebWorkerClientImpl::startWorkerContext(const KURL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode)
{
RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode,
- m_scriptExecutionContext->contentSecurityPolicy()->policy(),
+ m_scriptExecutionContext->contentSecurityPolicy()->header(),
m_scriptExecutionContext->contentSecurityPolicy()->headerType());
m_proxy->workerThreadCreated(thread);
thread->start();
_______________________________________________ webkit-changes mailing list [email protected] http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
