Log Message
Add call stacks to Content Security Policy checks when relevant. https://bugs.webkit.org/show_bug.cgi?id=94433
Patch by Mike West <[email protected]> on 2012-08-28
Reviewed by Adam Barth.

Source/WebCore:

Previously, we generated stack traces only for eval-related CSP violations. As it turns out, we can call createScriptCallStack from practically anywhere. This patch takes advantage of that to generate stack traces whenever a warning is logged to the console. If we're in a JavaScript stack, brilliant: we get a detailed warning. If not, the stack trace is empty, and we don't pass it into the console logging method.

This has the advantage of giving us good developer-facing logging for any and all violations that result from script-based injection of resources. Yay!

Tests: http/tests/inspector/csp-injected-content-warning-contains-stacktrace.html
       http/tests/inspector/csp-inline-warning-contains-stacktrace.html

* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::initScript):
* bindings/js/ScheduledAction.cpp:
(WebCore::ScheduledAction::create):
* bindings/v8/V8DOMWindowShell.cpp:
(WebCore::V8DOMWindowShell::initContextIfNeeded):
* bindings/v8/custom/V8DOMWindowCustom.cpp:
(WebCore::WindowSetTimeoutImpl):
Dropping stack trace from call to ContentSecurityPolicy::allowEval.
* page/ContentSecurityPolicy.cpp:
(CSPDirectiveList):
(WebCore::CSPDirectiveList::reportViolation):
(WebCore::CSPDirectiveList::checkEvalAndReportViolation):
(WebCore::CSPDirectiveList::allowEval):
No longer piping a stack trace through CSPDirectiveList::allowEval to reportViolation.
(WebCore::ContentSecurityPolicy::didReceiveHeader):
Dropping stack trace from call to ContentSecurityPolicy::allowEval.
(WebCore):
(WebCore::isAllowedByAll):
(WebCore::ContentSecurityPolicy::allowEval):
(WebCore::ContentSecurityPolicy::reportViolation):
(WebCore::ContentSecurityPolicy::logToConsole):
No longer piping a stack trace through ContentSecurityPolicy down to the point where it would be logged. Instead, we simply generate the stack trace just before logging it, and only pass it to addConsoleMessage if it's non-empty.
* page/ContentSecurityPolicy.h:
(WebCore):
* page/DOMSecurityPolicy.cpp:
(WebCore::DOMSecurityPolicy::allowsEval):
Dropping stack trace from call to ContentSecurityPolicy::allowEval.

LayoutTests:

* http/tests/inspector/csp-injected-content-warning-contains-stacktrace-expected.txt: Added.
* http/tests/inspector/csp-injected-content-warning-contains-stacktrace.html: Added.
* http/tests/inspector/csp-inline-warning-contains-stacktrace-expected.txt: Added.
* http/tests/inspector/csp-inline-warning-contains-stacktrace.html: Added.
* http/tests/inspector/resources/csp-inline-test.js: Added.
(thisTest):
* http/tests/inspector/resources/csp-test.js: Added.
(test.addMessage):
(test):
Modified Paths
- trunk/LayoutTests/ChangeLog
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/bindings/js/ScheduledAction.cpp
- trunk/Source/WebCore/bindings/js/ScriptController.cpp
- trunk/Source/WebCore/bindings/v8/V8DOMWindowShell.cpp
- trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp
- trunk/Source/WebCore/page/ContentSecurityPolicy.h
- trunk/Source/WebCore/page/DOMSecurityPolicy.cpp
Added Paths
- trunk/LayoutTests/http/tests/inspector/csp-injected-content-warning-contains-stacktrace-expected.txt
- trunk/LayoutTests/http/tests/inspector/csp-injected-content-warning-contains-stacktrace.html
- trunk/LayoutTests/http/tests/inspector/csp-inline-warning-contains-stacktrace-expected.txt
- trunk/LayoutTests/http/tests/inspector/csp-inline-warning-contains-stacktrace.html
- trunk/LayoutTests/http/tests/inspector/resources/csp-inline-test.js
- trunk/LayoutTests/http/tests/inspector/resources/csp-test.js
Diff
Modified: trunk/LayoutTests/ChangeLog (126851 => 126852)
--- trunk/LayoutTests/ChangeLog 2012-08-28 07:01:03 UTC (rev 126851)
+++ trunk/LayoutTests/ChangeLog 2012-08-28 07:11:28 UTC (rev 126852)
@@ -1,3 +1,20 @@
+2012-08-28 Mike West <[email protected]>
+
+ Add call stacks to Content Security Policy checks when relevant.
+ https://bugs.webkit.org/show_bug.cgi?id=94433
+
+ Reviewed by Adam Barth.
+
+ * http/tests/inspector/csp-injected-content-warning-contains-stacktrace-expected.txt: Added.
+ * http/tests/inspector/csp-injected-content-warning-contains-stacktrace.html: Added.
+ * http/tests/inspector/csp-inline-warning-contains-stacktrace-expected.txt: Added.
+ * http/tests/inspector/csp-inline-warning-contains-stacktrace.html: Added.
+ * http/tests/inspector/resources/csp-inline-test.js: Added.
+ (thisTest):
+ * http/tests/inspector/resources/csp-test.js: Added.
+ (test.addMessage):
+ (test):
+
2012-08-27 Zan Dobersek <[email protected]>
Unreviewed GTK gardening.
Added: trunk/LayoutTests/http/tests/inspector/csp-injected-content-warning-contains-stacktrace-expected.txt (0 => 126852)
--- trunk/LayoutTests/http/tests/inspector/csp-injected-content-warning-contains-stacktrace-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/csp-injected-content-warning-contains-stacktrace-expected.txt 2012-08-28 07:11:28 UTC (rev 126852)
@@ -0,0 +1,15 @@
+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+This test injects a blocked image from _javascript_. The resulting console error should contain a stack trace.
+
+
+Message[0]: csp-injected-content-warning-contains-stacktrace.html:12 Refused to load the image 'http://127.0.0.1:8000/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+Stack Trace:
+
+ 0) http://127.0.0.1:8000/inspector/csp-injected-content-warning-contains-stacktrace.html / thisTest / 12 / 25
+ 1) (internal script) / / (line number) / (column number)
+ 2) (internal script) / InjectedScript._evaluateOn / (line number) / (column number)
+ 3) (internal script) / InjectedScript._evaluateAndWrap / (line number) / (column number)
+ 4) (internal script) / InjectedScript.evaluate / (line number) / (column number)
+
Added: trunk/LayoutTests/http/tests/inspector/csp-injected-content-warning-contains-stacktrace.html (0 => 126852)
--- trunk/LayoutTests/http/tests/inspector/csp-injected-content-warning-contains-stacktrace.html (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/csp-injected-content-warning-contains-stacktrace.html 2012-08-28 07:11:28 UTC (rev 126852)
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="X-WebKit-CSP" content="img-src 'none'">
+ <script src=""
+ <script src=""
+ <script src=""
+ <script src=""
+ <script>
+ function thisTest() {
+ var img = document.createElement('img');
+ img.src = ""
+ document.body.appendChild(img);
+ }
+ </script>
+ </head>
+ <body _onload_="runTest()">
+ <p>This test injects a blocked image from _javascript_. The resulting console
+ error should contain a stack trace.</p>
+ </body>
+</html>
Added: trunk/LayoutTests/http/tests/inspector/csp-inline-warning-contains-stacktrace-expected.txt (0 => 126852)
--- trunk/LayoutTests/http/tests/inspector/csp-inline-warning-contains-stacktrace-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/csp-inline-warning-contains-stacktrace-expected.txt 2012-08-28 07:11:28 UTC (rev 126852)
@@ -0,0 +1,14 @@
+CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+
+This test injects an inline script from _javascript_. The resulting console error should contain a stack trace.
+
+Message[0]: csp-inline-test.js:4 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+
+Stack Trace:
+
+ 0) http://127.0.0.1:8000/inspector/resources/csp-inline-test.js / thisTest / 4 / 19
+ 1) (internal script) / / (line number) / (column number)
+ 2) (internal script) / InjectedScript._evaluateOn / (line number) / (column number)
+ 3) (internal script) / InjectedScript._evaluateAndWrap / (line number) / (column number)
+ 4) (internal script) / InjectedScript.evaluate / (line number) / (column number)
+
Added: trunk/LayoutTests/http/tests/inspector/csp-inline-warning-contains-stacktrace.html (0 => 126852)
--- trunk/LayoutTests/http/tests/inspector/csp-inline-warning-contains-stacktrace.html (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/csp-inline-warning-contains-stacktrace.html 2012-08-28 07:11:28 UTC (rev 126852)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="X-WebKit-CSP" content="script-src 'self'">
+ <script src=""
+ <script src=""
+ <script src=""
+ <script src=""
+ <script src=""
+ </head>
+ <body>
+ <p>This test injects an inline script from _javascript_. The resulting
+ console error should contain a stack trace.</p>
+ </body>
+</html>
Added: trunk/LayoutTests/http/tests/inspector/resources/csp-inline-test.js (0 => 126852)
--- trunk/LayoutTests/http/tests/inspector/resources/csp-inline-test.js (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/resources/csp-inline-test.js 2012-08-28 07:11:28 UTC (rev 126852)
@@ -0,0 +1,6 @@
+function thisTest() {
+ var s = document.createElement('script');
+ s.innerText = "alert('FAIL.');"
+ document.body.appendChild(s);
+}
+window._onload_ = runTest;
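Review bot: The s.innerText assignment on the third line of thisTest() is missing its terminating semicolon; add it so the file is consistent with the other statements. Assigning textContent instead of innerText would also keep the test from depending on a non-standard property.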
Added: trunk/LayoutTests/http/tests/inspector/resources/csp-test.js (0 => 126852)
--- trunk/LayoutTests/http/tests/inspector/resources/csp-test.js (rev 0)
+++ trunk/LayoutTests/http/tests/inspector/resources/csp-test.js 2012-08-28 07:11:28 UTC (rev 126852)
@@ -0,0 +1,33 @@
+function test() {
+ InspectorTest.addConsoleSniffer(addMessage, true);
+
+ var messageCount = 0;
+ function addMessage(message) {
+ if (messageCount++)
+ return;
+ var messages = WebInspector.consoleView.messages;
+ for (var i = 0; i < messages.length; ++i) {
+ var m = messages[i];
+ InspectorTest.addResult("Message[" + i + "]: " + WebInspector.displayNameForURL(m.url) + ":" + m.line + " " + m.message);
+ var trace = m.stackTrace;
+ if (!trace) {
+ InspectorTest.addResult("FAIL: no stack trace attached to message #" + i);
+ } else {
+ InspectorTest.addResult("Stack Trace:\n");
+ for (var j = 0; j < trace.length; j++) {
+ var url = ""
+ var lineNumber = trace[j].lineNumber;
+ var columnNumber = trace[j].columnNumber;
+ if (!trace[j].url) {
+ url = "" script)";
+ lineNumber = "(line number)";
+ columnNumber = "(column number)";
+ }
+ InspectorTest.addResult(" " + j + ") " + url + " / " + trace[j].functionName + " / " + lineNumber + " / " + columnNumber);
+ }
+ }
+ }
+ InspectorTest.completeTest();
+ }
+ InspectorTest.evaluateInPage("thisTest()");
+}
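Review bot: In the inner loop of addMessage(), frames without a URL get their line and column masked but trace[j].functionName is still printed, so both expected-results files hard-code inspector internals such as InjectedScript._evaluateOn and InjectedScript._evaluateAndWrap. Mask the function name for those frames as well, or print only frames that have a URL, so the baselines do not need rebasing whenever the injected-script code changes. The top frame's line and column (12 / 25 and 4 / 19 in the baselines) have the same fragility against edits to the test files, so a comment in the tests saying so would help.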
Modified: trunk/Source/WebCore/ChangeLog (126851 => 126852)
--- trunk/Source/WebCore/ChangeLog 2012-08-28 07:01:03 UTC (rev 126851)
+++ trunk/Source/WebCore/ChangeLog 2012-08-28 07:11:28 UTC (rev 126852)
@@ -1,3 +1,58 @@
+2012-08-28 Mike West <[email protected]>
+
+ Add call stacks to Content Security Policy checks when relevant.
+ https://bugs.webkit.org/show_bug.cgi?id=94433
+
+ Reviewed by Adam Barth.
+
+ Previously, we generated stack traces only for eval-related CSP
+ violations. As it turns out, we can call createScriptCallStack from
+ practically anywhere. This patch takes advantage of that to generate
+ stack traces whenever a warning is logged to the console. If we're in
+ a _javascript_ stack, brilliant: we get a detailed warning. If not, the
+ stack trace is empty, and we don't pass it into the console logging
+ method.
+
+ This has the advantage of giving us good developer-facing logging for
+ any and all violations that result from script-based injection of
+ resources. Yay!
+
+ Tests: http/tests/inspector/csp-injected-content-warning-contains-stacktrace.html
+ http/tests/inspector/csp-inline-warning-contains-stacktrace.html
+
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::initScript):
+ * bindings/js/ScheduledAction.cpp:
+ (WebCore::ScheduledAction::create):
+ * bindings/v8/V8DOMWindowShell.cpp:
+ (WebCore::V8DOMWindowShell::initContextIfNeeded):
+ * bindings/v8/custom/V8DOMWindowCustom.cpp:
+ (WebCore::WindowSetTimeoutImpl):
+ Dropping stack trace from call to ContentSecurityPolicy::allowEval.
+ * page/ContentSecurityPolicy.cpp:
+ (CSPDirectiveList):
+ (WebCore::CSPDirectiveList::reportViolation):
+ (WebCore::CSPDirectiveList::checkEvalAndReportViolation):
+ (WebCore::CSPDirectiveList::allowEval):
+ No longer piping a stack trace through CSPDirectiveList::allowEval
+ to reportViolation.
+ (WebCore::ContentSecurityPolicy::didReceiveHeader):
+ Dropping stack trace from call to ContentSecurityPolicy::allowEval.
+ (WebCore):
+ (WebCore::isAllowedByAll):
+ (WebCore::ContentSecurityPolicy::allowEval):
+ (WebCore::ContentSecurityPolicy::reportViolation):
+ (WebCore::ContentSecurityPolicy::logToConsole):
+ No longer piping a stack trace through ContentSecurityPolicy down to
+ the point where it would be logged. Instead, we simply generate the
+ stack trace just before logging it, and only pass it to
+ addConsoleMessage if it's non-empty.
+ * page/ContentSecurityPolicy.h:
+ (WebCore):
+ * page/DOMSecurityPolicy.cpp:
+ (WebCore::DOMSecurityPolicy::allowsEval):
+ Dropping stack trace from call to ContentSecurityPolicy::allowEval.
+
2012-08-27 Andrey Kosyakov <[email protected]>
Web Inspector: persist the state of glue records to parents button of Timeline panel
Modified: trunk/Source/WebCore/bindings/js/ScheduledAction.cpp (126851 => 126852)
--- trunk/Source/WebCore/bindings/js/ScheduledAction.cpp 2012-08-28 07:01:03 UTC (rev 126851)
+++ trunk/Source/WebCore/bindings/js/ScheduledAction.cpp 2012-08-28 07:11:28 UTC (rev 126852)
@@ -55,8 +55,7 @@
JSValue v = exec->argument(0);
CallData callData;
if (getCallData(v, callData) == CallTypeNone) {
- RefPtr<ScriptCallStack> callStack(createScriptCallStackForInspector(exec));
- if (policy && !policy->allowEval(callStack.release()))
+ if (policy && !policy->allowEval())
return nullptr;
UString string = v.toString(exec)->value(exec);
if (exec->hadException())
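Review bot: Dropping createScriptCallStackForInspector(exec) here makes the trace for a string passed to setTimeout depend entirely on the capture inside logToConsole(), which no longer receives exec, yet the two layout tests added in this change cover only an injected image and an injected inline script. Add a test that passes a string to setTimeout under a restrictive script-src policy and checks that the console message still carries a stack trace, or name the existing test that covers it in the ChangeLog. The same applies to the V8 path in WindowSetTimeoutImpl.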
Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (126851 => 126852)
--- trunk/Source/WebCore/bindings/js/ScriptController.cpp 2012-08-28 07:01:03 UTC (rev 126851)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp 2012-08-28 07:11:28 UTC (rev 126852)
@@ -222,7 +222,7 @@
windowShell->window()->updateDocument();
if (m_frame->document())
- windowShell->window()->setEvalEnabled(m_frame->document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport));
+ windowShell->window()->setEvalEnabled(m_frame->document()->contentSecurityPolicy()->allowEval(ContentSecurityPolicy::SuppressReport));
if (Page* page = m_frame->page()) {
attachDebugger(windowShell, page->debugger());
Modified: trunk/Source/WebCore/bindings/v8/V8DOMWindowShell.cpp (126851 => 126852)
--- trunk/Source/WebCore/bindings/v8/V8DOMWindowShell.cpp 2012-08-28 07:01:03 UTC (rev 126851)
+++ trunk/Source/WebCore/bindings/v8/V8DOMWindowShell.cpp 2012-08-28 07:11:28 UTC (rev 126852)
@@ -320,7 +320,7 @@
setSecurityToken();
if (m_frame->document())
- context->AllowCodeGenerationFromStrings(m_frame->document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport));
+ context->AllowCodeGenerationFromStrings(m_frame->document()->contentSecurityPolicy()->allowEval(ContentSecurityPolicy::SuppressReport));
m_frame->loader()->client()->didCreateScriptContext(m_context.get(), 0, 0);
Modified: trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp (126851 => 126852)
--- trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp 2012-08-28 07:01:03 UTC (rev 126851)
+++ trunk/Source/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp 2012-08-28 07:11:28 UTC (rev 126852)
@@ -128,8 +128,7 @@
id = DOMTimer::install(scriptContext, action.release(), timeout, singleShot);
} else {
- RefPtr<ScriptCallStack> callStack(createScriptCallStackForInspector());
- if (imp->document() && !imp->document()->contentSecurityPolicy()->allowEval(callStack.release()))
+ if (imp->document() && !imp->document()->contentSecurityPolicy()->allowEval())
return v8Integer(0, args.GetIsolate());
ASSERT(imp->frame());
id = DOMTimer::install(scriptContext, adoptPtr(new ScheduledAction(imp->frame()->script()->currentWorldContext(), functionString)), timeout, singleShot);
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (126851 => 126852)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-08-28 07:01:03 UTC (rev 126851)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-08-28 07:11:28 UTC (rev 126852)
@@ -38,6 +38,7 @@
#include "PingLoader.h"
#include "SchemeRegistry.h"
#include "ScriptCallStack.h"
+#include "ScriptCallStackFactory.h"
#include "SecurityOrigin.h"
#include "TextEncoding.h"
#include <wtf/HashSet.h>
@@ -710,7 +711,7 @@
bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
- bool allowEval(PassRefPtr<ScriptCallStack>, ContentSecurityPolicy::ReportingStatus) const;
+ bool allowEval(ContentSecurityPolicy::ReportingStatus) const;
bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL&) const;
bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ContentSecurityPolicy::ReportingStatus) const;
@@ -742,7 +743,7 @@
void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>&);
SourceListDirective* operativeDirective(SourceListDirective*) const;
- void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
+ void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst()) const;
bool checkEval(SourceListDirective*) const;
bool checkInline(SourceListDirective*) const;
@@ -750,7 +751,7 @@
bool checkSource(SourceListDirective*, const KURL&) const;
bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
- bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
+ bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst()) const;
bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
bool checkNonceAndReportViolation(NonceDirective*, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& type) const;
@@ -805,10 +806,10 @@
return directives.release();
}
-void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
+void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
{
String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
- m_policy->reportViolation(directiveText, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, callStack);
+ m_policy->reportViolation(directiveText, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine);
}
bool CSPDirectiveList::checkEval(SourceListDirective* directive) const
@@ -845,11 +846,11 @@
return directive ? directive : m_defaultSrc.get();
}
-bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
+bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
{
if (checkEval(directive))
return true;
- reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine, callStack);
+ reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
return denyIfEnforcingPolicy();
}
@@ -937,11 +938,11 @@
checkInline(operativeDirective(m_styleSrc.get()));
}
-bool CSPDirectiveList::allowEval(PassRefPtr<ScriptCallStack> callStack, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool CSPDirectiveList::allowEval(ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because it violates the following Content Security Policy directive: "));
return reportingStatus == ContentSecurityPolicy::SendReport ?
- checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), callStack) :
+ checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst()) :
checkEval(operativeDirective(m_scriptSrc.get()));
}
@@ -1257,7 +1258,7 @@
begin = position;
}
- if (!allowEval(0, SuppressReport))
+ if (!allowEval(SuppressReport))
m_scriptExecutionContext->disableEval();
}
@@ -1276,11 +1277,11 @@
return m_policies.isEmpty() ? EnforcePolicy : m_policies[0]->headerType();
}
-template<bool (CSPDirectiveList::*allowed)(PassRefPtr<ScriptCallStack>, ContentSecurityPolicy::ReportingStatus) const>
-bool isAllowedByAllWithCallStack(const CSPDirectiveListVector& policies, PassRefPtr<ScriptCallStack> callStack, ContentSecurityPolicy::ReportingStatus reportingStatus)
+template<bool (CSPDirectiveList::*allowed)( ContentSecurityPolicy::ReportingStatus) const>
+bool isAllowedByAll(const CSPDirectiveListVector& policies, ContentSecurityPolicy::ReportingStatus reportingStatus)
{
for (size_t i = 0; i < policies.size(); ++i) {
- if (!(policies[i].get()->*allowed)(callStack, reportingStatus))
+ if (!(policies[i].get()->*allowed)(reportingStatus))
return false;
}
return true;
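Review bot: Stray space after the opening parenthesis in the template parameter list, "(CSPDirectiveList::*allowed)( ContentSecurityPolicy::ReportingStatus)", left over from deleting the first argument; remove it.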
@@ -1341,9 +1342,9 @@
return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine, reportingStatus);
}
-bool ContentSecurityPolicy::allowEval(PassRefPtr<ScriptCallStack> callStack, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+bool ContentSecurityPolicy::allowEval(ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
- return isAllowedByAllWithCallStack<&CSPDirectiveList::allowEval>(m_policies, callStack, reportingStatus);
+ return isAllowedByAll<&CSPDirectiveList::allowEval>(m_policies, reportingStatus);
}
bool ContentSecurityPolicy::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& url) const
@@ -1436,9 +1437,9 @@
m_scriptExecutionContext->enforceSandboxFlags(mask);
}
-void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
+void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
{
- logToConsole(consoleMessage, contextURL, contextLine, callStack);
+ logToConsole(consoleMessage, contextURL, contextLine);
if (reportURIs.isEmpty())
return;
@@ -1522,9 +1523,12 @@
logToConsole(message);
}
-void ContentSecurityPolicy::logToConsole(const String& message, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
+void ContentSecurityPolicy::logToConsole(const String& message, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
{
- m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, contextURL, contextLine.oneBasedInt(), callStack);
+ RefPtr<ScriptCallStack> callStack;
+ if (InspectorInstrumentation::hasFrontends())
+ callStack = createScriptCallStack(ScriptCallStack::maxCallStackSizeToCapture, true);
+ m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, contextURL, contextLine.oneBasedInt(), (callStack && callStack->size() > 0) ? callStack : 0);
}
}
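Review bot: The InspectorInstrumentation::hasFrontends() guard in logToConsole() is not described in the ChangeLog, which says a stack trace is generated whenever a warning is logged to the console. With this guard, a violation logged while no inspector frontend is attached gets no trace, so either state that limitation in the ChangeLog or add a short comment here explaining why capture is skipped. It is also worth confirming that InspectorInstrumentation.h is already included in this file, since the only include this patch adds is ScriptCallStackFactory.h.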
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (126851 => 126852)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.h 2012-08-28 07:01:03 UTC (rev 126851)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h 2012-08-28 07:11:28 UTC (rev 126852)
@@ -40,7 +40,6 @@
namespace WebCore {
class CSPDirectiveList;
-class ScriptCallStack;
class DOMStringList;
class ScriptExecutionContext;
class SecurityOrigin;
@@ -79,7 +78,7 @@
bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
- bool allowEval(PassRefPtr<ScriptCallStack>, ReportingStatus = SendReport) const;
+ bool allowEval(ReportingStatus = SendReport) const;
bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL& = KURL()) const;
bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ReportingStatus = SendReport) const;
@@ -104,7 +103,7 @@
void reportInvalidPluginTypes(const String&) const;
void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
void reportUnrecognizedDirective(const String&) const;
- void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
+ void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst()) const;
const KURL& url() const;
KURL completeURL(const String&) const;
@@ -114,7 +113,7 @@
private:
explicit ContentSecurityPolicy(ScriptExecutionContext*);
- void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
+ void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst()) const;
ScriptExecutionContext* m_scriptExecutionContext;
bool m_overrideInlineStyleAllowed;
Modified: trunk/Source/WebCore/page/DOMSecurityPolicy.cpp (126851 => 126852)
--- trunk/Source/WebCore/page/DOMSecurityPolicy.cpp 2012-08-28 07:01:03 UTC (rev 126851)
+++ trunk/Source/WebCore/page/DOMSecurityPolicy.cpp 2012-08-28 07:11:28 UTC (rev 126852)
@@ -120,7 +120,7 @@
if (!isActive())
return true;
- return scriptExecutionContext()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport);
+ return scriptExecutionContext()->contentSecurityPolicy()->allowEval(ContentSecurityPolicy::SuppressReport);
}
