2011-04-29 Adam Barth <abarth@webkit.org>
authorabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 30 Apr 2011 02:22:35 +0000 (02:22 +0000)
committerabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 30 Apr 2011 02:22:35 +0000 (02:22 +0000)
commitfb4f62d9705afb7ae70494c5a4715d45aecb7f0a
tree59ddc9606e5f799b18aab06a2fbc245318c12253
parent039ecdc5469116e4cbdb528399275278df4edc2b
2011-04-29  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        style-src should block inline style from <style>
        https://bugs.webkit.org/show_bug.cgi?id=59292

        Testing makes perfect.

        * http/tests/security/contentSecurityPolicy/inline-style-allowed-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/inline-style-allowed.html: Added.
        * http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/inline-style-blocked.html: Added.
2011-04-29  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        style-src should block inline style from <style>
        https://bugs.webkit.org/show_bug.cgi?id=59292

        The spec has been updated to allow blocking of inline styles with
        style-src.  This will help folks defend against tricky CSS3 injections.

        This patch covers the <style> case.  The next patch will cover the
        @style case.

        Tests: http/tests/security/contentSecurityPolicy/inline-style-allowed.html
               http/tests/security/contentSecurityPolicy/inline-style-blocked.html

        * dom/StyleElement.cpp:
        (WebCore::StyleElement::createSheet):
        * page/ContentSecurityPolicy.cpp:
        (WebCore::ContentSecurityPolicy::allowInlineStyle):
        * page/ContentSecurityPolicy.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@85381 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/StyleElement.cpp
Source/WebCore/page/ContentSecurityPolicy.cpp
Source/WebCore/page/ContentSecurityPolicy.h