2011-04-29 Adam Barth <abarth@webkit.org>
authorabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 30 Apr 2011 02:56:23 +0000 (02:56 +0000)
committerabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 30 Apr 2011 02:56:23 +0000 (02:56 +0000)
commit2a600d515bdd9cfe5643815b3a0028dd657f7573
treebe215b02c8265e9f508774d363e98faa76c67b54
parentcb3b92f0927864fb1cfd9bf5f0fdd95a503d5c41
2011-04-29  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        style-src should block @style
        https://bugs.webkit.org/show_bug.cgi?id=59293

        Testing makes perfect.

        * http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html: Added.
        * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html: Added.
        * http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html: Added.
2011-04-29  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        style-src should block @style
        https://bugs.webkit.org/show_bug.cgi?id=59293

        This patch blocks @style when style-src doesn't have the
        'unsafe-inline' token.  This patch blocks the parsing of the attribute
        itself.  That feels vaguely like too low a level to interpose the
        policy, but there didn't seem to be anywhere else natural to enforce
        the policy.

        Tests: http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html
               http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html
               http/tests/security/contentSecurityPolicy/inline-style-on-html.html

        * dom/StyledElement.cpp:
        (WebCore::StyledElement::parseMappedAttribute):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@85384 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/StyledElement.cpp