Title: [124371] trunk
- Revision: 124371
- Author: [email protected]
- Date: 2012-08-01 14:34:13 -0700 (Wed, 01 Aug 2012)
Log Message
CSP should correctly block plugin resources rendered in PluginDocuments.
https://bugs.webkit.org/show_bug.cgi?id=92675
Patch by Mike West <[email protected]> on 2012-08-01
Reviewed by Adam Barth.
Source/WebCore:
In certain cases, plugins aren't loaded directly, but are stuffed into a
newly-created PluginDocument before rendering. While we were already
correctly populating information that allowed us to make decisions about
that document's security origin, and already dealing with sandbox
status by creating a 'SinkDocument' that ignored plugin data, we weren't
correctly inheriting the parent frame's Content Security Policy. This
patch ensures that PluginDocuments correctly inherit their parent's
Content Security Policy, meaning that the plugin is blocked or allowed
according to the policy of the protected resource in which the
PluginDocument is embedded.
Tests: http/tests/security/contentSecurityPolicy/object-src-url-allowed.html
http/tests/security/contentSecurityPolicy/object-src-url-blocked.html
* dom/Document.cpp:
(WebCore::Document::initContentSecurityPolicy):
Populate a created PluginDocument with its frame's parent's Content
Security Policy.
LayoutTests:
* http/tests/plugins/resources/mock-plugin.pl: Added.
This lovely perl script mocks a plugin by sending a
'Content-Type application/x-webkit-test-netscape' header.
* http/tests/security/contentSecurityPolicy/object-src-url-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-url-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-url-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-url-blocked.html: Added.
Test that non-'data:' URLs that end up in PluginDocuments are also
dealt with correctly by CSP.
Diff
Modified: trunk/LayoutTests/ChangeLog (124370 => 124371)
--- trunk/LayoutTests/ChangeLog 2012-08-01 21:27:00 UTC (rev 124370)
+++ trunk/LayoutTests/ChangeLog 2012-08-01 21:34:13 UTC (rev 124371)
@@ -1,3 +1,20 @@
+2012-08-01 Mike West <[email protected]>
+
+ CSP should correctly block plugin resources rendered in PluginDocuments.
+ https://bugs.webkit.org/show_bug.cgi?id=92675
+
+ Reviewed by Adam Barth.
+
+ * http/tests/plugins/resources/mock-plugin.pl: Added.
+ This lovely perl script mocks a plugin by sending a
+ 'Content-Type application/x-webkit-test-netscape' header.
+ * http/tests/security/contentSecurityPolicy/object-src-url-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/object-src-url-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/object-src-url-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/object-src-url-blocked.html: Added.
+ Test that non-'data:' URLs that end up in PluginDocuments are also
+ dealt with correctly by CSP.
+
2012-08-01 Florin Malita <[email protected]>
SVG animation not working for elements inserted after parsing is finished
Added: trunk/LayoutTests/http/tests/plugins/resources/mock-plugin.pl (0 => 124371)
--- trunk/LayoutTests/http/tests/plugins/resources/mock-plugin.pl (rev 0)
+++ trunk/LayoutTests/http/tests/plugins/resources/mock-plugin.pl 2012-08-01 21:34:13 UTC (rev 124371)
@@ -0,0 +1,5 @@
+#!/usr/bin/perl -wT
+use strict;
+
+print "Content-Type: application/x-webkit-test-netscape\n\n";
+print "This is a mock plugin. It does pretty much nothing.";
Property changes on: trunk/LayoutTests/http/tests/plugins/resources/mock-plugin.pl
___________________________________________________________________
Added: svn:executable
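Review bot: mock-plugin.pl has no comment explaining that the `Content-Type: application/x-webkit-test-netscape` header on the first `print` is the entire point of the script. Someone tidying test resources could change or drop it and the CSP tests that load this file would then stop producing a plugin response at all. A one-line comment above that `print` naming the tests that depend on it would prevent this.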
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-allowed-expected.txt (0 => 124371)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-allowed-expected.txt 2012-08-01 21:34:13 UTC (rev 124371)
@@ -0,0 +1 @@
+This test passes if there is no console message saying the plugin was blocked.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-allowed.html (0 => 124371)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-allowed.html 2012-08-01 21:34:13 UTC (rev 124371)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="X-WebKit-CSP" content="object-src 'self'">
+</head>
+<body>
+This test passes if there is no console message saying the plugin was blocked.
+<object data=""
+</body>
+</html>
+
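Review bot: object-src-url-allowed.html passes on the absence of a console message, so it cannot tell "the plugin was allowed by `object-src 'self'`" apart from "the plugin load was never attempted". With the `<object data=""` line as shown, nothing in the hunk proves a load happens. Consider adding a positive signal, for example an `onload` or `onerror` handler on the object that writes a line into the dumped text, so that the expected file contains evidence that the resource was requested and permitted.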
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked-expected.txt (0 => 124371)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked-expected.txt 2012-08-01 21:34:13 UTC (rev 124371)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to load the object 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' because it violates the following Content Security Policy directive: "object-src 'none'".
+
+This test passes if there is a console message saying the plugin was blocked.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked.html (0 => 124371)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked.html 2012-08-01 21:34:13 UTC (rev 124371)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="X-WebKit-CSP" content="object-src 'none'">
+</head>
+<body>
+This test passes if there is a console message saying the plugin was blocked.
+<object data=""
+</body>
+</html>
+
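Review bot: the `<object data=""` line in object-src-url-blocked.html shows an empty `data` attribute and an unclosed tag, while object-src-url-blocked-expected.txt expects a refusal for 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl'. Please confirm the committed file carries that URL and a closing `></object>`. As displayed, the test input and the expected console message do not match, and a malformed element could make the test pass or fail for reasons unrelated to CSP.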
Modified: trunk/Source/WebCore/ChangeLog (124370 => 124371)
--- trunk/Source/WebCore/ChangeLog 2012-08-01 21:27:00 UTC (rev 124370)
+++ trunk/Source/WebCore/ChangeLog 2012-08-01 21:34:13 UTC (rev 124371)
@@ -1,3 +1,29 @@
+2012-08-01 Mike West <[email protected]>
+
+ CSP should correctly block plugin resources rendered in PluginDocuments.
+ https://bugs.webkit.org/show_bug.cgi?id=92675
+
+ Reviewed by Adam Barth.
+
+ In certain cases, plugins aren't loaded directly, but are stuffed into a
+ newly-created PluginDocument before rendering. While we were already
+ correctly populating information that allowed us to make decisions about
+ that document's security origin, and already dealing with sandbox
+ status by creating a 'SinkDocument' that ignored plugin data, we weren't
+ correctly inheriting the parent frame's Content Security Policy. This
+ patch ensures that PluginDocuments correctly inherit their parent's
+ Content Security Policy, meaning that the plugin is blocked or allowed
+ according to the policy of the protected resource in which the
+ PluginDocument is embedded.
+
+ Tests: http/tests/security/contentSecurityPolicy/object-src-url-allowed.html
+ http/tests/security/contentSecurityPolicy/object-src-url-blocked.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::initContentSecurityPolicy):
+ Populate a created PluginDocument with its frame's parent's Content
+ Security Policy.
+
2012-08-01 Florin Malita <[email protected]>
SVG animation not working for elements inserted after parsing is finished
Modified: trunk/Source/WebCore/dom/Document.cpp (124370 => 124371)
--- trunk/Source/WebCore/dom/Document.cpp 2012-08-01 21:27:00 UTC (rev 124370)
+++ trunk/Source/WebCore/dom/Document.cpp 2012-08-01 21:34:13 UTC (rev 124371)
@@ -5061,8 +5061,9 @@
void Document::initContentSecurityPolicy()
{
- if (!m_frame->tree()->parent() || !shouldInheritSecurityOriginFromOwner(m_url))
+ if (!m_frame->tree()->parent() || (!shouldInheritSecurityOriginFromOwner(m_url) && !isPluginDocument()))
return;
+
contentSecurityPolicy()->copyStateFrom(m_frame->tree()->parent()->document()->contentSecurityPolicy());
}
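Review bot: the new `!isPluginDocument()` term in the guard of `initContentSecurityPolicy()` has no comment, and the condition now mixes two unrelated reasons for copying the parent's policy: origin inheritance decided by `m_url`, and document type. Add a short comment above the `if` stating that a PluginDocument in a subframe takes its parent's policy regardless of URL, and that a PluginDocument without a parent frame still returns early through `!m_frame->tree()->parent()` and gets no copied policy, so the top-level case is visibly intentional. The two added tests only exercise `<object>` with `object-src`; a test that reaches a PluginDocument through another embedding path would show the inheritance is not specific to that element. The blank line added after `return;` is unrelated whitespace and can be dropped.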