Revision: 125983
Author: [email protected]
Date: 2012-08-19 15:39:54 -0700 (Sun, 19 Aug 2012)
Log Message
CSP 1.1: Add 'plugin-types' and 'form-action' DOM API.
https://bugs.webkit.org/show_bug.cgi?id=94415
Patch by Mike West <[email protected]> on 2012-08-19
Reviewed by Adam Barth.
Source/WebCore:
Experimental implementations of the new 'plugin-types' and 'form-action'
directives recently landed, but we neglected to add DOM API endpoints to
query their state. Those APIs have been added to the specification[1],
and this patch brings our implementation up to date.
Tests: http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html
http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html
* page/DOMSecurityPolicy.cpp:
(isAllowed):
As a drive-by, change a parameter from a KURL to a String to match
the actual template. There's no reason to stringify an empty URL
when we can just use an empty string instead.
(isAllowedWithType):
Call out to the ContentSecurityPolicy object to check the protected
resource's ability to load a given media type.
(WebCore::DOMSecurityPolicy::allowsFormAction):
Call out to the ContentSecurityPolicy object to check the protected
resource's ability to submit a form to the given URL.
(WebCore):
(WebCore::DOMSecurityPolicy::allowsPluginType):
Pipes the plugin type through 'isAllowedWithType' for resolution.
* page/DOMSecurityPolicy.h:
Add the 'allowsPluginType' and 'allowsFormAction' methods.
(DOMSecurityPolicy):
* page/DOMSecurityPolicy.idl:
Add the 'allowsPluginType' and 'allowsFormAction' methods.
LayoutTests:
* http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html: Added.
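To make the semantics the two new DOM methods expose concrete, here is an added example that is not part of this commit or of WebKit: a small JavaScript model of the CSP 1.1 'form-action' and 'plugin-types' checks, shaped like `document.SecurityPolicy.allowsFormAction` / `allowsPluginType`. It runs in Node without a browser, so it stands in for the layout tests' `injectPolicy` helper by taking the policy text directly. The source-expression matcher is a simplification (no path matching, no nonces or hashes), the `SecurityPolicyModel` class and `runScenarios` are names invented for this example, and the document origin `http://127.0.0.1:8000` is an assumption.

```javascript
// Added example (not WebKit code): a small model of the CSP 1.1
// 'form-action' and 'plugin-types' checks that sit behind the
// document.SecurityPolicy.allowsFormAction / allowsPluginType DOM API.
// Source-expression matching is deliberately simplified (no path
// matching, no nonces/hashes); the test document's origin is assumed.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// "name source ...; name ..." -> Map(name -> [source tokens]).
// As in CSP, a directive named more than once keeps its first occurrence.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const chunk of policyText.split(';')) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression ('self', scheme:, [scheme://]host[:port]) match url?
function matchesSource(expr, url, documentOrigin) {
  if (expr.toLowerCase() === "'self'") return url.origin === documentOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol.toLowerCase() === expr.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol.toLowerCase() !== scheme.toLowerCase() + ':') return false;
  const want = host.toLowerCase(), have = url.hostname.toLowerCase();
  if (want.startsWith('*.')) {
    if (!have.endsWith(want.slice(1))) return false; // '*.example.com' matches subdomains only
  } else if (want !== '*' && have !== want) return false;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (port === undefined) {
    if (urlPort !== (DEFAULT_PORTS[url.protocol] || '')) return false; // no port given: default port only
  } else if (port !== '*' && port !== urlPort) return false;
  return true;
}

function matchesSourceList(list, url, documentOrigin) {
  if (list.length === 1 && list[0].toLowerCase() === "'none'") return false;
  return list.some((expr) => matchesSource(expr, url, documentOrigin));
}

// Mirrors the shape of the DOM API: with no active policy every query is
// allowed; otherwise a missing directive means "no restriction", because
// neither form-action nor plugin-types falls back to default-src.
class SecurityPolicyModel {
  constructor(policyText, documentOrigin) {
    this.directives = policyText ? parsePolicy(policyText) : null;
    this.documentOrigin = documentOrigin;
  }
  get isActive() { return this.directives !== null; }
  allowsFormAction(urlString) {
    if (!this.isActive) return true;
    const list = this.directives.get('form-action');
    if (list === undefined) return true;
    return matchesSourceList(list, new URL(urlString), this.documentOrigin);
  }
  allowsPluginType(type) {
    if (!this.isActive) return true;
    const list = this.directives.get('plugin-types');
    if (list === undefined) return true;
    const wanted = type.trim().toLowerCase();
    return list.some((t) => t.toLowerCase() === wanted);
  }
}

// The two layout tests from this commit, plus the positive cases they do
// not cover. The origin is an assumed value for the test document.
function runScenarios() {
  const origin = 'http://127.0.0.1:8000';
  const none = new SecurityPolicyModel('', origin);
  const form = new SecurityPolicyModel('form-action http://notexample.com;', origin);
  const plugin = new SecurityPolicyModel('plugin-types application/x-webkit-test-netscape;', origin);
  return {
    noPolicyForm: none.allowsFormAction('http://example.com/'),                   // true
    deniedForm: form.allowsFormAction('http://example.com/'),                     // false
    allowedForm: form.allowsFormAction('http://notexample.com/submit'),           // true
    noPolicyPlugin: none.allowsPluginType('application/x-shockwave-flash'),       // true
    deniedPlugin: plugin.allowsPluginType('application/x-shockwave-flash'),       // false
    allowedPlugin: plugin.allowsPluginType('application/x-webkit-test-netscape'), // true
  };
}

console.log(runScenarios());
```

The model also shows the one behaviour a caller of the real API has to keep in mind: a policy that sets only `default-src` leaves both `allowsFormAction` and `allowsPluginType` returning true, since neither directive inherits from it.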
Modified Paths
- trunk/LayoutTests/ChangeLog
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/page/DOMSecurityPolicy.cpp
- trunk/Source/WebCore/page/DOMSecurityPolicy.h
- trunk/Source/WebCore/page/DOMSecurityPolicy.idl
Added Paths
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype-expected.txt
- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html
Diff
Modified: trunk/LayoutTests/ChangeLog (125982 => 125983)
--- trunk/LayoutTests/ChangeLog 2012-08-19 21:59:12 UTC (rev 125982)
+++ trunk/LayoutTests/ChangeLog 2012-08-19 22:39:54 UTC (rev 125983)
@@ -1,3 +1,15 @@
+2012-08-19 Mike West <[email protected]>
+
+ CSP 1.1: Add 'plugin-types' and 'form-action' DOM API.
+ https://bugs.webkit.org/show_bug.cgi?id=94415
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html: Added.
+
2012-08-19 Pavel Feldman <[email protected]>
Web Inspector: load network panel lazily
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction-expected.txt (0 => 125983)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction-expected.txt 2012-08-19 22:39:54 UTC (rev 125983)
@@ -0,0 +1,3 @@
+PASS form action is allowed when no policy exists.
+PASS form action is not allowed when policy exists.
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html (0 => 125983)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html 2012-08-19 22:39:54 UTC (rev 125983)
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+ <body>
+ <script src=""
+ <script>
+ if (document.SecurityPolicy.allowsFormAction('http://example.com/'))
+ log('PASS form action is allowed when no policy exists.');
+ else
+ log('FAIL form action is not allowed when no policy exists.');
+
+
+ injectPolicy("form-action http://notexample.com;");
+
+ if (!document.SecurityPolicy.allowsFormAction('http://example.com/'))
+ log('PASS form action is not allowed when policy exists.');
+ else
+ log('FAIL form action is allowed when policy exists.');
+ </script>
+ </body>
+</html>
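Review bot: the test only exercises the deny path once a policy is present; after `injectPolicy("form-action http://notexample.com;")` add a positive check such as `document.SecurityPolicy.allowsFormAction('http://notexample.com/')` logging PASS, otherwise an implementation that returns false for every URL whenever a form-action directive exists would still pass both expectations. Separately, the `<script src=""` element at the top of the file is incomplete as shown (empty src, no closing tag) while the inline script depends on `log` and `injectPolicy` being defined by it; confirm the helper path and `</script>` are present in the committed file.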
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype-expected.txt (0 => 125983)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype-expected.txt 2012-08-19 22:39:54 UTC (rev 125983)
@@ -0,0 +1,3 @@
+PASS plugin type is allowed when no policy exists.
+PASS plugin type is not allowed when policy exists.
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html (0 => 125983)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html 2012-08-19 22:39:54 UTC (rev 125983)
@@ -0,0 +1,20 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+ <body>
+ <script src=""
+ <script>
+ if (document.SecurityPolicy.allowsPluginType('application/x-shockwave-flash'))
+ log('PASS plugin type is allowed when no policy exists.');
+ else
+ log('FAIL plugin type is not allowed when no policy exists.');
+
+
+ injectPolicy("plugin-types application/x-webkit-test-netscape;");
+
+ if (!document.SecurityPolicy.allowsPluginType('application/x-shockwave-flash'))
+ log('PASS plugin type is not allowed when policy exists.');
+ else
+ log('FAIL plugin type is allowed when policy exists.');
+ </script>
+ </body>
+</html>
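Review bot: same gap as the form-action test: after `injectPolicy("plugin-types application/x-webkit-test-netscape;")` the test never asserts that `document.SecurityPolicy.allowsPluginType('application/x-webkit-test-netscape')` returns true, so the directive matching a listed type is untested. Adding that case would also be the natural place to pin down whether the MIME comparison is case-sensitive. The truncated `<script src=""` line needs the same check as in the other test file.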
Modified: trunk/Source/WebCore/ChangeLog (125982 => 125983)
--- trunk/Source/WebCore/ChangeLog 2012-08-19 21:59:12 UTC (rev 125982)
+++ trunk/Source/WebCore/ChangeLog 2012-08-19 22:39:54 UTC (rev 125983)
@@ -1,3 +1,38 @@
+2012-08-19 Mike West <[email protected]>
+
+ CSP 1.1: Add 'plugin-types' and 'form-action' DOM API.
+ https://bugs.webkit.org/show_bug.cgi?id=94415
+
+ Reviewed by Adam Barth.
+
+ Experimental implementations of the new 'plugin-types' and 'form-action'
+ directives recently landed, but we neglected to add DOM API endpoints to
+ query their state. Those APIs have been added to the specification[1],
+ and this patch brings our implementation up to date.
+
+ Tests: http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html
+ http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html
+
+ * page/DOMSecurityPolicy.cpp:
+ (isAllowed):
+ As a drive-by, change a parameter from a KURL to a String to match
+ the actual template. There's no reason to stringify an empty URL
+ when we can just use an empty string instead.
+ (isAllowedWithType):
+ Call out to the ContentSecurityPolicy object to check the protected
+ resource's ability to load a given media type.
+ (WebCore::DOMSecurityPolicy::allowsFormAction):
+ Call out to the ContentSecurityPolicy object to check the protected
+ resource's ability to submit a form to the given URL.
+ (WebCore):
+ (WebCore::DOMSecurityPolicy::allowsPluginType):
+ Pipes the plugin type through 'isAllowedWithType' for resolution.
+ * page/DOMSecurityPolicy.h:
+ Add the 'allowsPluginType' and 'allowsFormAction' methods.
+ (DOMSecurityPolicy):
+ * page/DOMSecurityPolicy.idl:
+ Add the 'allowsPluginType' and 'allowsFormAction' methods.
+
2012-08-19 Pavel Feldman <[email protected]>
Web Inspector: load network panel lazily
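Review bot: the ChangeLog entry cites "the specification[1]" but never defines footnote [1]; add the URL of the CSP 1.1 draft section that introduces these DOM methods so a later reader can check the implemented names and semantics against it.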
Modified: trunk/Source/WebCore/page/DOMSecurityPolicy.cpp (125982 => 125983)
--- trunk/Source/WebCore/page/DOMSecurityPolicy.cpp 2012-08-19 21:59:12 UTC (rev 125982)
+++ trunk/Source/WebCore/page/DOMSecurityPolicy.cpp 2012-08-19 22:39:54 UTC (rev 125983)
@@ -48,6 +48,15 @@
return context->contentSecurityPolicy()->isActive();
}
+template<bool (ContentSecurityPolicy::*allowWithType)(const String&, const String&, const KURL&, ContentSecurityPolicy::ReportingStatus) const>
+bool isAllowedWithType(ScriptExecutionContext* context, const String& type)
+{
+ if (!isPolicyActiveInContext(context))
+ return true;
+
+ return (context->contentSecurityPolicy()->*allowWithType)(type, type, KURL(), ContentSecurityPolicy::SuppressReport);
+}
+
template<bool (ContentSecurityPolicy::*allowWithURL)(const KURL&, ContentSecurityPolicy::ReportingStatus) const>
bool isAllowedWithURL(ScriptExecutionContext* context, const String& url)
{
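Review bot: `isAllowedWithType` passes `type` twice and an empty `KURL()` to the member pointer, but nothing says what the two `const String&` parameters of the `allowWithType` signature mean. A one-line comment stating that the same string is used as both the resource's actual type and its declared `type` attribute, and that no URL is available for a type-only query, would save the next reader a trip into ContentSecurityPolicy.h; the `SuppressReport` argument correctly mirrors `isAllowedWithURL` so the DOM query never fires a violation report.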
@@ -67,7 +76,7 @@
if (!isPolicyActiveInContext(context))
return true;
- return (context->contentSecurityPolicy()->*allowWithContext)(KURL(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport);
+ return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF::OrdinalNumber::beforeFirst(), ContentSecurityPolicy::SuppressReport);
}
} // namespace
@@ -125,6 +134,11 @@
return isAllowedWithURL<&ContentSecurityPolicy::allowFontFromSource>(scriptExecutionContext(), url);
}
+bool DOMSecurityPolicy::allowsFormAction(const String& url) const
+{
+ return isAllowedWithURL<&ContentSecurityPolicy::allowFormAction>(scriptExecutionContext(), url);
+}
+
bool DOMSecurityPolicy::allowsFrameFrom(const String& url) const
{
return isAllowedWithURL<&ContentSecurityPolicy::allowChildFrameFromSource>(scriptExecutionContext(), url);
@@ -145,6 +159,11 @@
return isAllowedWithURL<&ContentSecurityPolicy::allowObjectFromSource>(scriptExecutionContext(), url);
}
+bool DOMSecurityPolicy::allowsPluginType(const String& type) const
+{
+ return isAllowedWithType<&ContentSecurityPolicy::allowPluginType>(scriptExecutionContext(), type);
+}
+
bool DOMSecurityPolicy::allowsScriptFrom(const String& url) const
{
return isAllowedWithURL<&ContentSecurityPolicy::allowScriptFromSource>(scriptExecutionContext(), url);
Modified: trunk/Source/WebCore/page/DOMSecurityPolicy.h (125982 => 125983)
--- trunk/Source/WebCore/page/DOMSecurityPolicy.h 2012-08-19 21:59:12 UTC (rev 125982)
+++ trunk/Source/WebCore/page/DOMSecurityPolicy.h 2012-08-19 22:39:54 UTC (rev 125983)
@@ -55,10 +55,12 @@
bool allowsConnectionTo(const String& url) const;
bool allowsFontFrom(const String& url) const;
+ bool allowsFormAction(const String& url) const;
bool allowsFrameFrom(const String& url) const;
bool allowsImageFrom(const String& url) const;
bool allowsMediaFrom(const String& url) const;
bool allowsObjectFrom(const String& url) const;
+ bool allowsPluginType(const String& type) const;
bool allowsScriptFrom(const String& url) const;
bool allowsStyleFrom(const String& url) const;
Modified: trunk/Source/WebCore/page/DOMSecurityPolicy.idl (125982 => 125983)
--- trunk/Source/WebCore/page/DOMSecurityPolicy.idl 2012-08-19 21:59:12 UTC (rev 125982)
+++ trunk/Source/WebCore/page/DOMSecurityPolicy.idl 2012-08-19 22:39:54 UTC (rev 125983)
@@ -35,10 +35,12 @@
boolean allowsConnectionTo(in DOMString url);
boolean allowsFontFrom(in DOMString url);
+ boolean allowsFormAction(in DOMString url);
boolean allowsFrameFrom(in DOMString url);
boolean allowsImageFrom(in DOMString url);
boolean allowsMediaFrom(in DOMString url);
boolean allowsObjectFrom(in DOMString url);
+ boolean allowsPluginType(in DOMString type);
boolean allowsScriptFrom(in DOMString url);
boolean allowsStyleFrom(in DOMString url);