Add support for the CSP connect-src directive
author weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 4 Oct 2011 18:30:32 +0000 (18:30 +0000)
committer weinig@apple.com <weinig@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 4 Oct 2011 18:30:32 +0000 (18:30 +0000)
commit a4959bd9917964dc38ee9770a1b420877fbdf00f
tree 49c3a0f4470b241fa50aea5274dea29dc1183399
parent 58526b2325fdba31d3fc0a8513eefaf74a73124f
Add support for the CSP connect-src directive
https://bugs.webkit.org/show_bug.cgi?id=69353

Reviewed by Adam Barth.

Add CSP support for XMLHttpRequest, WebSockets and EventSource.

Source/WebCore:

Tests: http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html
       http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html
       http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html
       http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html
       http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html
       http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html

* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowConnectFromSource):
(WebCore::ContentSecurityPolicy::addDirective):
* page/ContentSecurityPolicy.h:
Add connect-src directive parsing and predicate.

* page/EventSource.cpp:
(WebCore::EventSource::create):
* websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::open):
Test allowConnectFromSource when establishing a connection.

LayoutTests:

* http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@96621 268f45cc-cd09-0410-ab3c-d52691b4dbfc
19 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/ContentSecurityPolicy.cpp
Source/WebCore/page/ContentSecurityPolicy.h
Source/WebCore/page/EventSource.cpp
Source/WebCore/websockets/WebSocket.cpp
Source/WebCore/xml/XMLHttpRequest.cpp
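
As an added illustration (not code from this commit or from WebKit), the following is a simplified JavaScript model of the connect-src check that the commit message describes for XMLHttpRequest, WebSocket and EventSource targets. The names `sourceList`, `matchesSource` and `allowConnect`, the sample policy and the URLs are hypothetical and constructed for this example; a schemeless host-source is assumed to inherit the page's scheme.

```javascript
// Added illustration: simplified connect-src matching, not WebKit's code.
// Handles 'self', '*', scheme-sources and host-sources (optional scheme,
// leading "*." wildcard, port). Paths in sources are ignored.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function sourceList(policy, name) {
  // Return the directive's source list, or null when the directive is absent.
  for (const directive of policy.split(";")) {
    const [first, ...sources] = directive.trim().split(/\s+/);
    if (first.toLowerCase() === name) return sources;
  }
  return null;
}

function matchesSource(source, url, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === self.origin; // exact origin match
  if (s.startsWith("'")) return false; // 'none' and other keywords never match a URL
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // e.g. "wss:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Assumption: a schemeless host-source inherits the page's scheme.
  if (url.protocol !== (scheme ? scheme + ":" : self.protocol)) return false;
  const hostOk = wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  const portOk = port === "*" || urlPort === (port || DEFAULT_PORTS[url.protocol]);
  return hostOk && portOk;
}

function allowConnect(policy, pageUrl, targetUrl) {
  // connect-src governs XMLHttpRequest, WebSocket and EventSource targets;
  // per the CSP specification it falls back to default-src when absent.
  const sources = sourceList(policy, "connect-src") ?? sourceList(policy, "default-src");
  if (sources === null) return true; // neither directive present: not restricted
  const url = new URL(targetUrl);
  const self = new URL(pageUrl);
  return sources.some((src) => matchesSource(src, url, self));
}

// Constructed sample policy and URLs (not taken from the WebKit layout tests).
const POLICY = "default-src 'none'; connect-src 'self' wss://*.example.com:8443 https://api.example.net";
const PAGE = "https://app.example.com/index.html";
for (const target of ["https://app.example.com/data.json", "wss://push.example.com:8443/feed",
  "https://api.example.net/events", "ws://push.example.com/feed", "https://evil.example.org/x"]) {
  console.log(allowConnect(POLICY, PAGE, target) ? "allowed" : "blocked", target);
}
```

A plain `ws:` connection to a host whose source is listed as `wss:` is blocked, which is the downgrade case worth checking when writing a connect-src policy.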