Title: [175771] trunk/Source/WebCore
Revision
175771
Author
[email protected]
Date
2014-11-07 16:40:54 -0800 (Fri, 07 Nov 2014)

Log Message

CSP is enforced for eval in report-only mode on first page load
https://bugs.webkit.org/show_bug.cgi?id=138492
rdar://problem/15782525

Reviewed by Daniel Bates.

This is covered by existing tests when running as one test per process invocation.

* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirectiveList::allowEval): Allow when in report only mode. The allowEval
function itself needs to return false, because it's used in checkEvalAndReportViolation().
(WebCore::CSPDirectiveList::allowJavaScriptURLs): Apply the same fix, although it's
not changing the behavior - this function is never called with ContentSecurityPolicy::SuppressReport.
(WebCore::CSPDirectiveList::allowInlineEventHandlers): Ditto.
(WebCore::CSPDirectiveList::allowInlineScript): Ditto.
(WebCore::CSPDirectiveList::allowInlineStyle): Ditto.
(WebCore::CSPDirectiveList::allowPluginType): Ditto.
(WebCore::CSPDirectiveList::allowScriptFromSource): Ditto.
(WebCore::CSPDirectiveList::allowObjectFromSource): Ditto.
(WebCore::CSPDirectiveList::allowChildFrameFromSource): Ditto.
(WebCore::CSPDirectiveList::allowImageFromSource): Ditto.
(WebCore::CSPDirectiveList::allowStyleFromSource): Ditto.
(WebCore::CSPDirectiveList::allowFontFromSource): Ditto.
(WebCore::CSPDirectiveList::allowMediaFromSource): Ditto.
(WebCore::CSPDirectiveList::allowConnectToSource): Ditto.
(WebCore::CSPDirectiveList::allowFormAction): Ditto.
(WebCore::CSPDirectiveList::allowBaseURI): Ditto.
(WebCore::ContentSecurityPolicy::didReceiveHeader): Remove isReportOnly() check,
which is now inside allowEval().

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (175770 => 175771)


--- trunk/Source/WebCore/ChangeLog	2014-11-08 00:06:48 UTC (rev 175770)
+++ trunk/Source/WebCore/ChangeLog	2014-11-08 00:40:54 UTC (rev 175771)
@@ -1,3 +1,35 @@
+2014-11-07  Alexey Proskuryakov  <[email protected]>
+
+        CSP is enforced for eval in report-only mode on first page load
+        https://bugs.webkit.org/show_bug.cgi?id=138492
+        rdar://problem/15782525
+
+        Reviewed by Daniel Bates.
+
+        This is covered by existing tests when running as one test per process invocation.
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirectiveList::allowEval): Allow when in report only mode. The allowEval
+        function itself needs to return false, because it's used in checkEvalAndReportViolation().
+        (WebCore::CSPDirectiveList::allowJavaScriptURLs): Apply the same fix, although it's
+        not changing the behavior - this function is never called with ContentSecurityPolicy::SuppressReport.
+        (WebCore::CSPDirectiveList::allowInlineEventHandlers): Ditto.
+        (WebCore::CSPDirectiveList::allowInlineScript): Ditto.
+        (WebCore::CSPDirectiveList::allowInlineStyle): Ditto.
+        (WebCore::CSPDirectiveList::allowPluginType): Ditto.
+        (WebCore::CSPDirectiveList::allowScriptFromSource): Ditto.
+        (WebCore::CSPDirectiveList::allowObjectFromSource): Ditto.
+        (WebCore::CSPDirectiveList::allowChildFrameFromSource): Ditto.
+        (WebCore::CSPDirectiveList::allowImageFromSource): Ditto.
+        (WebCore::CSPDirectiveList::allowStyleFromSource): Ditto.
+        (WebCore::CSPDirectiveList::allowFontFromSource): Ditto.
+        (WebCore::CSPDirectiveList::allowMediaFromSource): Ditto.
+        (WebCore::CSPDirectiveList::allowConnectToSource): Ditto.
+        (WebCore::CSPDirectiveList::allowFormAction): Ditto.
+        (WebCore::CSPDirectiveList::allowBaseURI): Ditto.
+        (WebCore::ContentSecurityPolicy::didReceiveHeader): Remove isReportOnly() check,
+        which is now inside allowEval().
+
 2014-11-07  Andreas Kling  <[email protected]>
 
         [Mac] Avoid repainting scrollbar track when the scrollbar track is transparent.

Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (175770 => 175771)


--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2014-11-08 00:06:48 UTC (rev 175770)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2014-11-08 00:40:54 UTC (rev 175771)
@@ -996,7 +996,7 @@
     DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute _javascript_ URL because it violates the following Content Security Policy directive: ")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
-        : checkInline(operativeDirective(m_scriptSrc.get()));
+        : (m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get())));
 }
 
 bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
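Review bot: The new `m_reportOnly ||` short-circuit on the SuppressReport branch changes what that branch means for a report-only policy — it now answers "allowed" without consulting the directive at all — and that contract is stated only in the ChangeLog, not in the code. A one-line comment at this first site would put it where a reader will look: `// A report-only policy never blocks, and with SuppressReport there is nothing to report either, so allow without consulting the directive.` The identical guard is pasted into the fifteen sibling functions in the following hunks (allowInlineEventHandlers through allowBaseURI); a second comment there is unnecessary, but any future caller that passes SuppressReport to learn whether something *would* violate a report-only policy will get an unconditional true, which — going by the ChangeLog — only didReceiveHeader relies on today. allowJavaScriptURLs' signature is above this hunk.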
@@ -1004,7 +1004,7 @@
     DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute inline event handler because it violates the following Content Security Policy directive: ")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
-        : checkInline(operativeDirective(m_scriptSrc.get()));
+        : (m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get())));
 }
 
 bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
@@ -1012,7 +1012,7 @@
     DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute inline script because it violates the following Content Security Policy directive: ")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true) :
-        checkInline(operativeDirective(m_scriptSrc.get()));
+        (m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get())));
 }
 
 bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
@@ -1020,7 +1020,7 @@
     DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to apply inline style because it violates the following Content Security Policy directive: ")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage, contextURL, contextLine, false) :
-        checkInline(operativeDirective(m_styleSrc.get()));
+        (m_reportOnly || checkInline(operativeDirective(m_styleSrc.get())));
 }
 
 bool CSPDirectiveList::allowEval(JSC::ExecState* state, ContentSecurityPolicy::ReportingStatus reportingStatus) const
@@ -1028,21 +1028,21 @@
     DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to evaluate script because it violates the following Content Security Policy directive: ")));
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), state) :
-        checkEval(operativeDirective(m_scriptSrc.get()));
+        (m_reportOnly || checkEval(operativeDirective(m_scriptSrc.get())));
 }
 
 bool CSPDirectiveList::allowPluginType(const String& type, const String& typeAttribute, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkMediaTypeAndReportViolation(m_pluginTypes.get(), type, typeAttribute, "Refused to load '" + url.stringCenterEllipsizedToLength() + "' (MIME type '" + typeAttribute + "') because it violates the following Content Security Policy Directive: ") :
-        checkMediaType(m_pluginTypes.get(), type, typeAttribute);
+        (m_reportOnly || checkMediaType(m_pluginTypes.get(), type, typeAttribute));
 }
 
 bool CSPDirectiveList::allowScriptFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, scriptSrc) :
-        checkSource(operativeDirective(m_scriptSrc.get()), url);
+        (m_reportOnly || checkSource(operativeDirective(m_scriptSrc.get()), url));
 }
 
 bool CSPDirectiveList::allowObjectFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
@@ -1051,7 +1051,7 @@
         return true;
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, objectSrc) :
-        checkSource(operativeDirective(m_objectSrc.get()), url);
+        (m_reportOnly || checkSource(operativeDirective(m_objectSrc.get()), url));
 }
 
 bool CSPDirectiveList::allowChildFrameFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
@@ -1060,42 +1060,42 @@
         return true;
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, frameSrc) :
-        checkSource(operativeDirective(m_frameSrc.get()), url);
+        (m_reportOnly || checkSource(operativeDirective(m_frameSrc.get()), url));
 }
 
 bool CSPDirectiveList::allowImageFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, imgSrc) :
-        checkSource(operativeDirective(m_imgSrc.get()), url);
+        (m_reportOnly || checkSource(operativeDirective(m_imgSrc.get()), url));
 }
 
 bool CSPDirectiveList::allowStyleFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, styleSrc) :
-        checkSource(operativeDirective(m_styleSrc.get()), url);
+        (m_reportOnly || checkSource(operativeDirective(m_styleSrc.get()), url));
 }
 
 bool CSPDirectiveList::allowFontFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, fontSrc) :
-        checkSource(operativeDirective(m_fontSrc.get()), url);
+        (m_reportOnly || checkSource(operativeDirective(m_fontSrc.get()), url));
 }
 
 bool CSPDirectiveList::allowMediaFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, mediaSrc) :
-        checkSource(operativeDirective(m_mediaSrc.get()), url);
+        (m_reportOnly || checkSource(operativeDirective(m_mediaSrc.get()), url));
 }
 
 bool CSPDirectiveList::allowConnectToSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, connectSrc) :
-        checkSource(operativeDirective(m_connectSrc.get()), url);
+        (m_reportOnly || checkSource(operativeDirective(m_connectSrc.get()), url));
 }
 
 void CSPDirectiveList::gatherReportURIs(DOMStringList& list) const
@@ -1108,14 +1108,14 @@
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(m_formAction.get(), url, formAction) :
-        checkSource(m_formAction.get(), url);
+        (m_reportOnly || checkSource(m_formAction.get(), url));
 }
 
 bool CSPDirectiveList::allowBaseURI(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return reportingStatus == ContentSecurityPolicy::SendReport ?
         checkSourceAndReportViolation(m_baseURI.get(), url, baseURI) :
-        checkSource(m_baseURI.get(), url);
+        (m_reportOnly || checkSource(m_baseURI.get(), url));
 }
 
 // policy            = directive-list
@@ -1371,7 +1371,7 @@
         // header1,header2 OR header1
         //        ^                  ^
         std::unique_ptr<CSPDirectiveList> policy = CSPDirectiveList::create(this, String(begin, position - begin), type);
-        if (!policy->isReportOnly() && !policy->allowEval(0, SuppressReport))
+        if (!policy->allowEval(0, SuppressReport))
             m_scriptExecutionContext->disableEval(policy->evalDisabledErrorMessage());
 
         m_policies.append(policy.release());
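Review bot: The new condition depends on allowEval() returning true for report-only policies under SuppressReport, but nothing at this call site says so, and a reader comparing it with the removed `isReportOnly()` check may conclude that report-only policies can now disable eval. A comment such as `// allowEval() answers true for report-only policies, so only an enforced policy disables eval.` keeps the two sites tied together. Separately, `0` is passed for the `JSC::ExecState*` argument; `nullptr` would be clearer and matches the `std::unique_ptr` usage on the line above. didReceiveHeader starts outside this hunk.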