Title: [125614] trunk
Revision: 125614
Author: [email protected]
Date: 2012-08-14 15:27:08 -0700 (Tue, 14 Aug 2012)

Log Message

Tighten up parsing the 'script-nonce' CSP directive value.
https://bugs.webkit.org/show_bug.cgi?id=93783

Patch by Mike West <[email protected]> on 2012-08-14
Reviewed by Adam Barth.

Source/WebCore:

Currently we're accepting any non-whitespace character. This patch
limits the valid characters to VCHAR minus ',' and ';', and pulls the
validity check out into a named function for clarity.

Test: http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html

* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirectiveList::parseScriptNonce):

LayoutTests:

* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (125613 => 125614)


--- trunk/LayoutTests/ChangeLog	2012-08-14 22:14:47 UTC (rev 125613)
+++ trunk/LayoutTests/ChangeLog	2012-08-14 22:27:08 UTC (rev 125614)
@@ -1,3 +1,13 @@
+2012-08-14  Mike West  <[email protected]>
+
+        Tighten up parsing the 'script-nonce' CSP directive value.
+        https://bugs.webkit.org/show_bug.cgi?id=93783
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Added.
+
 2012-08-14  Adam Barth  <[email protected]>
 
         Delete DOMWindow::m_url

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt (0 => 125614)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt	2012-08-14 22:27:08 UTC (rev 125614)
@@ -0,0 +1,18 @@
+All of these scripts should execute, as all the nonces are valid.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+PASS

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html (0 => 125614)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html	2012-08-14 22:27:08 UTC (rev 125614)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=''></script>
+<script>
+var tests = [
+    ['yes', 'script-src 127.0.0.1:8000; script-nonce 1/1;', 'resources/script.js', '1/1'],
+    ['yes', 'script-src 127.0.0.1:8000; script-nonce {};', 'resources/script.js', '{}'],
+    ['yes', 'script-src 127.0.0.1:8000; script-nonce /\\;', 'resources/script.js', '/\\'],
+];
+</script>
+</head>
+<body _onload_="test()">
+  <p>
+      All of these scripts should execute, as all the nonces are valid.
+  </p>
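Review bot: The `tests` array holds only 'yes' cases ('1/1', '{}' and '/\\'), so nothing in this file exercises the tightening itself. Consider adding cases that expect the script to be blocked, for example a nonce containing ',' or a character outside 0x21-0x7e, so that a regression back to accepting any non-whitespace character would fail a test.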

Modified: trunk/Source/WebCore/ChangeLog (125613 => 125614)


--- trunk/Source/WebCore/ChangeLog	2012-08-14 22:14:47 UTC (rev 125613)
+++ trunk/Source/WebCore/ChangeLog	2012-08-14 22:27:08 UTC (rev 125614)
@@ -1,3 +1,19 @@
+2012-08-14  Mike West  <[email protected]>
+
+        Tighten up parsing the 'script-nonce' CSP directive value.
+        https://bugs.webkit.org/show_bug.cgi?id=93783
+
+        Reviewed by Adam Barth.
+
+        Currently we're accepting any non-whitespace character. This patch
+        limits the valid characters to VCHAR minus ',' and ';', and pulls the
+        validity check out into a named function for clarity.
+
+        Test: http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirectiveList::parseScriptNonce):
+
 2012-08-14  Adam Barth  <[email protected]>
 
         Delete DOMWindow::m_url
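Review bot: The function list under `* page/ContentSecurityPolicy.cpp:` names only `(WebCore::CSPDirectiveList::parseScriptNonce):`, while the description says the validity check was pulled out into a named function. Listing that new function, `isNonceCharacter`, in the entry would make it match the change.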

Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (125613 => 125614)


--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2012-08-14 22:14:47 UTC (rev 125613)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2012-08-14 22:27:08 UTC (rev 125614)
@@ -61,6 +61,11 @@
     return isASCIISpace(c) || (c >= 0x21 && c <= 0x7e); // Whitespace + VCHAR
 }
 
+bool isNonceCharacter(UChar c)
+{
+    return (c >= 0x21 && c <= 0x7e) && c != ',' && c != ';'; // VCHAR - ',' - ';'
+}
+
 bool isSourceCharacter(UChar c)
 {
     return !isASCIISpace(c);
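Review bot: `isNonceCharacter` repeats the `(c >= 0x21 && c <= 0x7e)` VCHAR range that is already written out in the function just above it; a shared VCHAR helper would keep the two from drifting apart. The trailing comment `// VCHAR - ',' - ';'` says what is excluded but not why; a short note on the reason (';' is the directive delimiter in the policy strings the new test uses) would help the next reader.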
@@ -998,7 +1003,7 @@
         m_scriptNonce = "";
         return;
     }
-    skipWhile<isNotASCIISpace>(position, end);
+    skipWhile<isNonceCharacter>(position, end);
     if (nonceBegin < position)
         nonce = String(nonceBegin, position - nonceBegin);
 
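Review bot: With `skipWhile<isNonceCharacter>(position, end);` the scan can now stop on a non-whitespace character such as ',' rather than only at whitespace or `end`, and the following lines still build `nonce` from `nonceBegin` up to `position`. Please confirm that the code after this hunk rejects the value when anything other than trailing whitespace remains, so that a value like `abc,def` is not accepted as the nonce `abc`; a negative layout test would pin that behaviour down.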