CSP 1.1: Add 'effective-directive' to violation reports.
authormkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Mar 2013 22:47:00 +0000 (22:47 +0000)
committermkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 18 Mar 2013 22:47:00 +0000 (22:47 +0000)
commitf069c0ebc347ece0ebf94f742c7acd2f17071df3
tree430ce96926909e6b343d090f917c9b3472d672e2
parent7308b08b5c898657d6592bb1c9481176a06af60c
CSP 1.1: Add 'effective-directive' to violation reports.
https://bugs.webkit.org/show_bug.cgi?id=112568

Reviewed by Adam Barth.

Source/WebCore:

https://dvcs.w3.org/hg/content-security-policy/rev/bc2bb0e5072a
introduced an 'effective-directive' field on CSP violation reports,
which allows developers to distinguish between resource types when
'default-src' is the violated directive.

This patch implements the new field behind the CSP_NEXT flag.

Test: http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html

* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirectiveList::checkSourceAndReportViolation):
(WebCore::CSPDirectiveList::reportViolation):
    These methods now accept an additional parameter to pipe the
    effective directive from the initial callsite down into
    ContentSecurityPolicy::reportViolation.
(WebCore::CSPDirectiveList::checkEvalAndReportViolation):
(WebCore::CSPDirectiveList::checkNonceAndReportViolation):
(WebCore::CSPDirectiveList::checkMediaTypeAndReportViolation):
(WebCore::CSPDirectiveList::checkInlineAndReportViolation):
(WebCore::CSPDirectiveList::allowScriptFromSource):
(WebCore::CSPDirectiveList::allowObjectFromSource):
(WebCore::CSPDirectiveList::allowChildFrameFromSource):
(WebCore::CSPDirectiveList::allowImageFromSource):
(WebCore::CSPDirectiveList::allowStyleFromSource):
(WebCore::CSPDirectiveList::allowFontFromSource):
(WebCore::CSPDirectiveList::allowMediaFromSource):
(WebCore::CSPDirectiveList::allowConnectToSource):
(WebCore::CSPDirectiveList::allowFormAction):
    These methods now pass the effective directive name down
    into checkSourceAndReportViolation or reportViolation.
(WebCore::ContentSecurityPolicy::reportViolation):
* page/ContentSecurityPolicy.h:
    This method now accepts a new parameter that carries
    the effective directive name. If CSP_NEXT is enabled,
    the field is added to the violation report before it's
    sent out into the world.

LayoutTests:

* http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html: Added.
    A new test that ensures that 'default-src' doesn't show up in the
    effective directive field, even if it's the directive that was
    actually violated.
* platform/chromium/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: Added.
* platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added.
* platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: Added.
* platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: Added.
* platform/chromium/http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added.
* platform/chromium/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Added.
* platform/chromium/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt: Added.
* platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Added.
* platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Added.
* platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt: Added.
* platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt: Added.
* platform/gtk/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: Added.
* platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt: Added.
* platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt: Added.
* platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt: Added.
* platform/gtk/http/tests/security/contentSecurityPolicy/report-only-expected.txt: Added.
* platform/gtk/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: Added.
* platform/gtk/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt: Added.
* platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-expected.txt: Added.
* platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: Added.
* platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt: Added.
* platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt: Added.
    This patch changes the output of violation reports for ports that
    have enabled CSP_NEXT. At the moment, I think that's Chromium and
    GTK only.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@146137 268f45cc-cd09-0410-ab3c-d52691b4dbfc
28 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.html [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-only-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt [new file with mode: 0644]
LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt [new file with mode: 0644]
LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt [new file with mode: 0644]
LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-data-uri-expected.txt [new file with mode: 0644]
LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin-expected.txt [new file with mode: 0644]
LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-uri-expected.txt [new file with mode: 0644]
LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-only-expected.txt [new file with mode: 0644]
LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt [new file with mode: 0644]
LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-only-report-uri-missing-expected.txt [new file with mode: 0644]
LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-expected.txt [new file with mode: 0644]
LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt [new file with mode: 0644]
LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-inline-javascript-expected.txt [new file with mode: 0644]
LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-uri-from-javascript-expected.txt [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/ContentSecurityPolicy.cpp
Source/WebCore/page/ContentSecurityPolicy.h