Diff
Modified: trunk/Source/WebCore/ChangeLog (186573 => 186574)
--- trunk/Source/WebCore/ChangeLog 2015-07-09 03:55:19 UTC (rev 186573)
+++ trunk/Source/WebCore/ChangeLog 2015-07-09 04:10:05 UTC (rev 186574)
@@ -1,3 +1,42 @@
+2015-07-08 Daniel Bates <daba...@apple.com>
+
+ Cleanup: Make ContentSecurityPolicy::ReportingStatus an enum class
+ https://bugs.webkit.org/show_bug.cgi?id=146670
+
+ Reviewed by Darin Adler.
+
+ Make calling the ContentSecurityPolicy::allow* functions less error prone by making
+ ContentSecurityPolicy::ReportingStatus an enum class. Among other benefits this will
+ prevent a caller from inadvertently passing an enumerator of ContentSecurityPolicy::ReportingStatus
+ as the boolean argument overridingContentSecurityPolicy, which is taken by the various
+ ContentSecurityPolicy::allow* functions, by causing a compile-time error (since an enum class
+ enumerator cannot be implicitly converted to an integral type).
+
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::initScript):
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::CSPDirectiveList::allowJavaScriptURLs):
+ (WebCore::CSPDirectiveList::allowInlineEventHandlers):
+ (WebCore::CSPDirectiveList::allowInlineScript):
+ (WebCore::CSPDirectiveList::allowInlineStyle):
+ (WebCore::CSPDirectiveList::allowEval):
+ (WebCore::CSPDirectiveList::allowPluginType):
+ (WebCore::CSPDirectiveList::allowScriptFromSource):
+ (WebCore::CSPDirectiveList::allowObjectFromSource):
+ (WebCore::CSPDirectiveList::allowChildFrameFromSource):
+ (WebCore::CSPDirectiveList::allowImageFromSource):
+ (WebCore::CSPDirectiveList::allowStyleFromSource):
+ (WebCore::CSPDirectiveList::allowFontFromSource):
+ (WebCore::CSPDirectiveList::allowMediaFromSource):
+ (WebCore::CSPDirectiveList::allowConnectToSource):
+ (WebCore::CSPDirectiveList::allowFormAction):
+ (WebCore::CSPDirectiveList::allowBaseURI):
+ (WebCore::ContentSecurityPolicy::didReceiveHeader):
+ (WebCore::ContentSecurityPolicy::evalDisabledErrorMessage):
+ * page/ContentSecurityPolicy.h:
+ * page/DOMSecurityPolicy.cpp:
+ (WebCore::DOMSecurityPolicy::allowsEval):
+
2015-07-08 Matthew Daiter <mdai...@apple.com>
Activate DOMURLMediaStream
Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (186573 => 186574)
--- trunk/Source/WebCore/bindings/js/ScriptController.cpp 2015-07-09 03:55:19 UTC (rev 186573)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp 2015-07-09 04:10:05 UTC (rev 186574)
@@ -258,7 +258,7 @@
if (shouldBypassMainWorldContentSecurityPolicy)
windowShell->window()->setEvalEnabled(true);
else
- windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, shouldBypassMainWorldContentSecurityPolicy, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
+ windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, shouldBypassMainWorldContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
}
if (Page* page = m_frame.page()) {
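Review bot: The rewritten `setEvalEnabled(...)` line still passes the literal `0` for the `JSC::ExecState*` parameter of `allowEval`, which ContentSecurityPolicy.h declares with a `nullptr` default. Since the line is being touched anyway, `allowEval(nullptr, ...)` would read as a pointer rather than a number. The same `0` sits on the changed lines in `ContentSecurityPolicy::didReceiveHeader`, `ContentSecurityPolicy::evalDisabledErrorMessage` and `DOMSecurityPolicy::allowsEval`. In this `else` branch `shouldBypassMainWorldContentSecurityPolicy` can only be false, so passing `false` directly would make it obvious that the policy is not overridden on this path. The enclosing function starts and ends outside the hunk.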
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (186573 => 186574)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2015-07-09 03:55:19 UTC (rev 186573)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2015-07-09 04:10:05 UTC (rev 186574)
@@ -994,7 +994,7 @@
bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute _javascript_ URL because it violates the following Content Security Policy directive: ")));
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
: (m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get())));
}
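Review bot: The `reportingStatus == ...::SendReport ? ... : (m_reportOnly || check...)` ternary treats every value other than `SendReport` as "suppress", and this applies to each `CSPDirectiveList::allow*` function from `allowJavaScriptURLs` through `allowBaseURI`. If a third enumerator is ever added to `ReportingStatus`, it would silently take the non-reporting branch, which returns true whenever `m_reportOnly` is set. Now that the type is an enum class, that fallback deserves a comment on the first of these functions, e.g. `// SuppressReport: decide without reporting; a report-only policy never blocks.` A `switch` over the enumerators in a shared private helper would also let the compiler flag an unhandled value, though that is a larger change than this cleanup.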
@@ -1002,7 +1002,7 @@
bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute inline event handler because it violates the following Content Security Policy directive: ")));
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
: (m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get())));
}
@@ -1010,7 +1010,7 @@
bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute inline script because it violates the following Content Security Policy directive: ")));
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true) :
(m_reportOnly || checkInline(operativeDirective(m_scriptSrc.get())));
}
@@ -1018,7 +1018,7 @@
bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to apply inline style because it violates the following Content Security Policy directive: ")));
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage, contextURL, contextLine, false) :
(m_reportOnly || checkInline(operativeDirective(m_styleSrc.get())));
}
@@ -1026,21 +1026,21 @@
bool CSPDirectiveList::allowEval(JSC::ExecState* state, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to evaluate script because it violates the following Content Security Policy directive: ")));
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), state) :
(m_reportOnly || checkEval(operativeDirective(m_scriptSrc.get())));
}
bool CSPDirectiveList::allowPluginType(const String& type, const String& typeAttribute, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkMediaTypeAndReportViolation(m_pluginTypes.get(), type, typeAttribute, "Refused to load '" + url.stringCenterEllipsizedToLength() + "' (MIME type '" + typeAttribute + "') because it violates the following Content Security Policy Directive: ") :
(m_reportOnly || checkMediaType(m_pluginTypes.get(), type, typeAttribute));
}
bool CSPDirectiveList::allowScriptFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkSourceAndReportViolation(operativeDirective(m_scriptSrc.get()), url, scriptSrc) :
(m_reportOnly || checkSource(operativeDirective(m_scriptSrc.get()), url));
}
@@ -1049,7 +1049,7 @@
{
if (url.isBlankURL())
return true;
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkSourceAndReportViolation(operativeDirective(m_objectSrc.get()), url, objectSrc) :
(m_reportOnly || checkSource(operativeDirective(m_objectSrc.get()), url));
}
@@ -1058,42 +1058,42 @@
{
if (url.isBlankURL())
return true;
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, frameSrc) :
(m_reportOnly || checkSource(operativeDirective(m_frameSrc.get()), url));
}
bool CSPDirectiveList::allowImageFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkSourceAndReportViolation(operativeDirective(m_imgSrc.get()), url, imgSrc) :
(m_reportOnly || checkSource(operativeDirective(m_imgSrc.get()), url));
}
bool CSPDirectiveList::allowStyleFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkSourceAndReportViolation(operativeDirective(m_styleSrc.get()), url, styleSrc) :
(m_reportOnly || checkSource(operativeDirective(m_styleSrc.get()), url));
}
bool CSPDirectiveList::allowFontFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkSourceAndReportViolation(operativeDirective(m_fontSrc.get()), url, fontSrc) :
(m_reportOnly || checkSource(operativeDirective(m_fontSrc.get()), url));
}
bool CSPDirectiveList::allowMediaFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, mediaSrc) :
(m_reportOnly || checkSource(operativeDirective(m_mediaSrc.get()), url));
}
bool CSPDirectiveList::allowConnectToSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, connectSrc) :
(m_reportOnly || checkSource(operativeDirective(m_connectSrc.get()), url));
}
@@ -1106,14 +1106,14 @@
bool CSPDirectiveList::allowFormAction(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkSourceAndReportViolation(m_formAction.get(), url, formAction) :
(m_reportOnly || checkSource(m_formAction.get(), url));
}
bool CSPDirectiveList::allowBaseURI(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
- return reportingStatus == ContentSecurityPolicy::SendReport ?
+ return reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport ?
checkSourceAndReportViolation(m_baseURI.get(), url, baseURI) :
(m_reportOnly || checkSource(m_baseURI.get(), url));
}
@@ -1371,7 +1371,7 @@
// header1,header2 OR header1
// ^ ^
std::unique_ptr<CSPDirectiveList> policy = CSPDirectiveList::create(this, String(begin, position - begin), type);
- if (!policy->allowEval(0, SuppressReport))
+ if (!policy->allowEval(0, ContentSecurityPolicy::ReportingStatus::SuppressReport))
m_scriptExecutionContext->disableEval(policy->evalDisabledErrorMessage());
m_policies.append(policy.release());
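Review bot: The new argument `ContentSecurityPolicy::ReportingStatus::SuppressReport` is more qualified than it needs to be. The old line named the enumerator unqualified, so this code is already in `ContentSecurityPolicy` scope and `ReportingStatus::SuppressReport` is sufficient: `if (!policy->allowEval(0, ReportingStatus::SuppressReport))`. The same applies to the changed line in `evalDisabledErrorMessage` and to every `allow*` declaration in ContentSecurityPolicy.h, where `ReportingStatus = ReportingStatus::SendReport` would keep those long signatures readable. The enclosing function starts outside the hunk.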
@@ -1469,7 +1469,7 @@
String ContentSecurityPolicy::evalDisabledErrorMessage() const
{
for (auto& policy : m_policies) {
- if (!policy->allowEval(0, SuppressReport))
+ if (!policy->allowEval(0, ContentSecurityPolicy::ReportingStatus::SuppressReport))
return policy->evalDisabledErrorMessage();
}
return String();
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (186573 => 186574)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.h 2015-07-09 03:55:19 UTC (rev 186573)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h 2015-07-09 04:10:05 UTC (rev 186574)
@@ -63,7 +63,7 @@
PrefixedEnforce
};
- enum ReportingStatus {
+ enum class ReportingStatus {
SendReport,
SuppressReport
};
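Review bot: `ReportingStatus` has no comment saying what each enumerator makes the `allow*` functions do, and callers choosing between them are making a security-relevant choice. Judging from ContentSecurityPolicy.cpp, `SendReport` routes through the `check...AndReportViolation` helpers while `SuppressReport` only computes the allow/deny result. A short comment above the enum would record that, e.g. `// SendReport: a failed check is reported as a violation. SuppressReport: only the decision is computed.` The exact reporting behaviour is in helpers not shown here, so the wording should be confirmed against them. The enclosing class starts and ends outside the hunk.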
@@ -84,23 +84,23 @@
const String& deprecatedHeader() const;
HeaderType deprecatedHeaderType() const;
- bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowEval(JSC::ExecState* = nullptr, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowPluginType(const String& type, const String& typeAttribute, const URL&, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
+ bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowEval(JSC::ExecState* = nullptr, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowPluginType(const String& type, const String& typeAttribute, const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
- bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowObjectFromSource(const URL&, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowChildFrameFromSource(const URL&, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowImageFromSource(const URL&, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowStyleFromSource(const URL&, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowFontFromSource(const URL&, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowMediaFromSource(const URL&, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowConnectToSource(const URL&, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowFormAction(const URL&, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
- bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false, ReportingStatus = SendReport) const;
+ bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowObjectFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowChildFrameFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowImageFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowStyleFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowFontFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowMediaFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowConnectToSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowFormAction(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
ReflectedXSSDisposition reflectedXSSDisposition() const;
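Review bot: `bool overrideContentSecurityPolicy = false` is still a bare bool in all sixteen declarations, so the enum class only closes one direction of the mix-up described in the commit message. A pointer or integer argument, such as the `0` callers pass for `JSC::ExecState*`, still converts implicitly to that bool if an argument is dropped or reordered, and this is the parameter that turns the policy check off. A dedicated enum class for the override flag would give it the same compile-time protection. Failing that, a comment above this group should state that `true` bypasses the policy entirely (inferred from the parameter name; confirm against the definitions).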
Modified: trunk/Source/WebCore/page/DOMSecurityPolicy.cpp (186573 => 186574)
--- trunk/Source/WebCore/page/DOMSecurityPolicy.cpp 2015-07-09 03:55:19 UTC (rev 186573)
+++ trunk/Source/WebCore/page/DOMSecurityPolicy.cpp 2015-07-09 04:10:05 UTC (rev 186574)
@@ -54,7 +54,7 @@
return true;
bool overrideContentSecurityPolicy = false;
- return (context->contentSecurityPolicy()->*allowWithType)(type, type, URL(), overrideContentSecurityPolicy, ContentSecurityPolicy::SuppressReport);
+ return (context->contentSecurityPolicy()->*allowWithType)(type, type, URL(), overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus::SuppressReport);
}
template<bool (ContentSecurityPolicy::*allowWithURL)(const URL&, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus) const>
@@ -68,7 +68,7 @@
return false; // FIXME: Figure out how to throw a _javascript_ error.
bool overrideContentSecurityPolicy = false;
- return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, overrideContentSecurityPolicy, ContentSecurityPolicy::SuppressReport);
+ return (context->contentSecurityPolicy()->*allowWithURL)(parsedURL, overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus::SuppressReport);
}
template<bool (ContentSecurityPolicy::*allowWithContext)(const String&, const WTF::OrdinalNumber&, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus) const>
@@ -78,7 +78,7 @@
return true;
bool overrideContentSecurityPolicy = false;
- return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF::OrdinalNumber::beforeFirst(), overrideContentSecurityPolicy, ContentSecurityPolicy::SuppressReport);
+ return (context->contentSecurityPolicy()->*allowWithContext)(String(), WTF::OrdinalNumber::beforeFirst(), overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus::SuppressReport);
}
} // namespace
@@ -123,7 +123,7 @@
return true;
bool overrideContentSecurityPolicy = false;
- return scriptExecutionContext()->contentSecurityPolicy()->allowEval(0, overrideContentSecurityPolicy, ContentSecurityPolicy::SuppressReport);
+ return scriptExecutionContext()->contentSecurityPolicy()->allowEval(0, overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus::SuppressReport);
}