- Revision
- 124636
- Author
- [email protected]
- Date
- 2012-08-03 12:14:10 -0700 (Fri, 03 Aug 2012)
Log Message
Blocking a plugin via CSP should result in one (and only one) console message.
https://bugs.webkit.org/show_bug.cgi?id=92649
Patch by Mike West <[email protected]> on 2012-08-03
Reviewed by Adam Barth.
Source/WebCore:
Currently, blocking a plugin via Content Security Policy results in some
leakage of console log messages between tests. I'm unclear as to the
root cause, but the symptoms exhibited include
`SubframeLoader::requestPlugin` being called multiple times for a single
element, which in turn causes multiple console logs to be sent. These
messages tend to appear in the subsequent test, making the
`http/test/security/contentSecurityPolicy/object-src-*` set of tests
flakey indeed.
This patch addresses the issue by marking elements' plugins as
unavailable when they're blocked by CSP. No new tests have been added:
this patch should simply make the current tests actually pass.
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::requestPlugin):
We check the CSP status in `SubframeLoader::loadPlugin`, which is
called at the end of this function. Checking CSP status in both
locations is redundant.
(WebCore::SubframeLoader::loadPlugin):
If the plugin is blocked by CSP, tell the element's embedded object
renderer that the plugin is unavailable.
* platform/LocalizedStrings.cpp:
(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):
* platform/LocalizedStrings.h:
(WebCore):
* platform/blackberry/LocalizedStringsBlackBerry.cpp:
(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):
* platform/efl/LocalizedStringsEfl.cpp:
(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):
* platform/gtk/LocalizedStringsGtk.cpp:
(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):
* platform/qt/LocalizedStringsQt.cpp:
(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):
* rendering/RenderEmbeddedObject.cpp:
(WebCore::unavailablePluginReplacementText):
* rendering/RenderEmbeddedObject.h:
Return appropriate text when the plugin is blocked by CSP.
Source/WebKit/chromium:
* src/LocalizedStrings.cpp:
(WebCore::blockedPluginByContentSecurityPolicyText):
(WebCore):
Adding a stub for the newly added string.
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (124635 => 124636)
--- trunk/Source/WebCore/ChangeLog 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebCore/ChangeLog 2012-08-03 19:14:10 UTC (rev 124636)
@@ -1,3 +1,53 @@
+2012-08-03 Mike West <[email protected]>
+
+ Blocking a plugin via CSP should result in one (and only one) console message.
+ https://bugs.webkit.org/show_bug.cgi?id=92649
+
+ Reviewed by Adam Barth.
+
+ Currently, blocking a plugin via Content Security Policy results in some
+ leakage of console log messages between tests. I'm unclear as to the
+ root cause, but the symptoms exhibited include
+ `SubframeLoader::requestPlugin` being called multiple times for a single
+ element, which in turn causes multiple console logs to be sent. These
+ messages tend to appear in the subsequent test, making the
+ `http/test/security/contentSecurityPolicy/object-src-*` set of tests
+ flakey indeed.
+
+ This patch addresses the issue by marking elements' plugins as
+ unavailable when they're blocked by CSP. No new tests have been added:
+ this patch should simply make the current tests actually pass.
+
+ * loader/SubframeLoader.cpp:
+ (WebCore::SubframeLoader::requestPlugin):
+ We check the CSP status in `SubframeLoader::loadPlugin`, which is
+ called at the end of this function. Checking CSP status in both
+ locations is redundant.
+ (WebCore::SubframeLoader::loadPlugin):
+ If the plugin is blocked by CSP, tell the element's embedded object
+ renderer that the plugin is unavailable.
+ * platform/LocalizedStrings.cpp:
+ (WebCore::blockedPluginByContentSecurityPolicyText):
+ (WebCore):
+ * platform/LocalizedStrings.h:
+ (WebCore):
+ * platform/blackberry/LocalizedStringsBlackBerry.cpp:
+ (WebCore::blockedPluginByContentSecurityPolicyText):
+ (WebCore):
+ * platform/efl/LocalizedStringsEfl.cpp:
+ (WebCore::blockedPluginByContentSecurityPolicyText):
+ (WebCore):
+ * platform/gtk/LocalizedStringsGtk.cpp:
+ (WebCore::blockedPluginByContentSecurityPolicyText):
+ (WebCore):
+ * platform/qt/LocalizedStringsQt.cpp:
+ (WebCore::blockedPluginByContentSecurityPolicyText):
+ (WebCore):
+ * rendering/RenderEmbeddedObject.cpp:
+ (WebCore::unavailablePluginReplacementText):
+ * rendering/RenderEmbeddedObject.h:
+ Return appropriate text when the plugin is blocked by CSP.
+
2012-08-03 Kentaro Hara <[email protected]>
[V8] Add an IsExecutionTerminating() check to setDOMException()
Modified: trunk/Source/WebCore/loader/SubframeLoader.cpp (124635 => 124636)
--- trunk/Source/WebCore/loader/SubframeLoader.cpp 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebCore/loader/SubframeLoader.cpp 2012-08-03 19:14:10 UTC (rev 124636)
@@ -126,8 +126,6 @@
if (m_frame->document()) {
if (m_frame->document()->isSandboxed(SandboxPlugins))
return false;
- if (!m_frame->document()->contentSecurityPolicy()->allowObjectFromSource(url))
- return false;
}
ASSERT(ownerElement->hasTagName(objectTag) || ownerElement->hasTagName(embedTag));
@@ -421,8 +419,10 @@
return false;
}
- if (!document()->contentSecurityPolicy()->allowObjectFromSource(url))
+ if (!document()->contentSecurityPolicy()->allowObjectFromSource(url)) {
+ renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
return false;
+ }
FrameLoader* frameLoader = m_frame->loader();
if (!frameLoader->checkIfRunInsecureContent(document()->securityOrigin(), url))
Modified: trunk/Source/WebCore/platform/LocalizedStrings.cpp (124635 => 124636)
--- trunk/Source/WebCore/platform/LocalizedStrings.cpp 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebCore/platform/LocalizedStrings.cpp 2012-08-03 19:14:10 UTC (rev 124636)
@@ -673,6 +673,11 @@
return WEB_UI_STRING("Plug-in Failure", "Label text to be used if plugin host process has crashed");
}
+String blockedPluginByContentSecurityPolicyText()
+{
+ return WEB_UI_STRING("Blocked Plug-in", "Label text to be used if plugin is blocked by a page's Content Security Policy");
+}
+
String insecurePluginVersionText()
{
return WEB_UI_STRING("Blocked Plug-in", "Label text to be used when an insecure plug-in version was blocked from loading");
Modified: trunk/Source/WebCore/platform/LocalizedStrings.h (124635 => 124636)
--- trunk/Source/WebCore/platform/LocalizedStrings.h 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebCore/platform/LocalizedStrings.h 2012-08-03 19:14:10 UTC (rev 124636)
@@ -167,6 +167,7 @@
String missingPluginText();
String crashedPluginText();
+ String blockedPluginByContentSecurityPolicyText();
String insecurePluginVersionText();
String multipleFileUploadText(unsigned numberOfFiles);
String unknownFileSizeText();
Modified: trunk/Source/WebCore/platform/blackberry/LocalizedStringsBlackBerry.cpp (124635 => 124636)
--- trunk/Source/WebCore/platform/blackberry/LocalizedStringsBlackBerry.cpp 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebCore/platform/blackberry/LocalizedStringsBlackBerry.cpp 2012-08-03 19:14:10 UTC (rev 124636)
@@ -572,6 +572,12 @@
return String();
}
+String blockedPluginByContentSecurityPolicyText()
+{
+ notImplemented();
+ return String();
+}
+
String insecurePluginVersionText()
{
notImplemented();
Modified: trunk/Source/WebCore/platform/efl/LocalizedStringsEfl.cpp (124635 => 124636)
--- trunk/Source/WebCore/platform/efl/LocalizedStringsEfl.cpp 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebCore/platform/efl/LocalizedStringsEfl.cpp 2012-08-03 19:14:10 UTC (rev 124636)
@@ -560,6 +560,12 @@
return String::fromUTF8("plugin crashed");
}
+String blockedPluginByContentSecurityPolicyText()
+{
+ notImplemented();
+ return String();
+}
+
String insecurePluginVersionText()
{
notImplemented();
Modified: trunk/Source/WebCore/platform/gtk/LocalizedStringsGtk.cpp (124635 => 124636)
--- trunk/Source/WebCore/platform/gtk/LocalizedStringsGtk.cpp 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebCore/platform/gtk/LocalizedStringsGtk.cpp 2012-08-03 19:14:10 UTC (rev 124636)
@@ -473,6 +473,12 @@
return String::fromUTF8(_("Plug-in Failure"));
}
+String blockedPluginByContentSecurityPolicyText()
+{
+ notImplemented();
+ return String();
+}
+
String insecurePluginVersionText()
{
notImplemented();
Modified: trunk/Source/WebCore/platform/qt/LocalizedStringsQt.cpp (124635 => 124636)
--- trunk/Source/WebCore/platform/qt/LocalizedStringsQt.cpp 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebCore/platform/qt/LocalizedStringsQt.cpp 2012-08-03 19:14:10 UTC (rev 124636)
@@ -445,6 +445,12 @@
return String();
}
+String blockedPluginByContentSecurityPolicyText()
+{
+ notImplemented();
+ return String();
+}
+
String insecurePluginVersionText()
{
notImplemented();
Modified: trunk/Source/WebCore/rendering/RenderEmbeddedObject.cpp (124635 => 124636)
--- trunk/Source/WebCore/rendering/RenderEmbeddedObject.cpp 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebCore/rendering/RenderEmbeddedObject.cpp 2012-08-03 19:14:10 UTC (rev 124636)
@@ -109,6 +109,8 @@
return missingPluginText();
case RenderEmbeddedObject::PluginCrashed:
return crashedPluginText();
+ case RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy:
+ return blockedPluginByContentSecurityPolicyText();
case RenderEmbeddedObject::InsecurePluginVersion:
return insecurePluginVersionText();
}
Modified: trunk/Source/WebCore/rendering/RenderEmbeddedObject.h (124635 => 124636)
--- trunk/Source/WebCore/rendering/RenderEmbeddedObject.h 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebCore/rendering/RenderEmbeddedObject.h 2012-08-03 19:14:10 UTC (rev 124636)
@@ -39,6 +39,7 @@
enum PluginUnavailabilityReason {
PluginMissing,
PluginCrashed,
+ PluginBlockedByContentSecurityPolicy,
InsecurePluginVersion
};
void setPluginUnavailabilityReason(PluginUnavailabilityReason);
Modified: trunk/Source/WebKit/chromium/ChangeLog (124635 => 124636)
--- trunk/Source/WebKit/chromium/ChangeLog 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebKit/chromium/ChangeLog 2012-08-03 19:14:10 UTC (rev 124636)
@@ -1,3 +1,15 @@
+2012-08-03 Mike West <[email protected]>
+
+ Blocking a plugin via CSP should result in one (and only one) console message.
+ https://bugs.webkit.org/show_bug.cgi?id=92649
+
+ Reviewed by Adam Barth.
+
+ * src/LocalizedStrings.cpp:
+ (WebCore::blockedPluginByContentSecurityPolicyText):
+ (WebCore):
+ Adding a stub for the newly added string.
+
2012-08-03 Oli Lan <[email protected]>
[chromium] Add a test to WebFrameTest for selectRange and visiblePositionForWindowPoint.
Modified: trunk/Source/WebKit/chromium/src/LocalizedStrings.cpp (124635 => 124636)
--- trunk/Source/WebKit/chromium/src/LocalizedStrings.cpp 2012-08-03 19:00:13 UTC (rev 124635)
+++ trunk/Source/WebKit/chromium/src/LocalizedStrings.cpp 2012-08-03 19:14:10 UTC (rev 124636)
@@ -215,6 +215,12 @@
return String("Plug-in Failure");
}
+String blockedPluginByContentSecurityPolicyText()
+{
+ notImplemented();
+ return String();
+}
+
String insecurePluginVersionText()
{
notImplemented();
