CSP: object-src directive should prohibit creation of nested browsing context
author: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Mar 2016 20:21:17 +0000 (20:21 +0000)
committer: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Mar 2016 20:21:17 +0000 (20:21 +0000)
https://bugs.webkit.org/show_bug.cgi?id=153153
<rdar://problem/24383209>

Reviewed by Brent Fulgham.

Source/WebCore:

Enforce the Content Security Policy object-src directive when fetching a URL for content
that will cause an HTML object or HTML embed element to act as a nested browsing context
(i.e. behave as if the content was loaded in an HTML iframe element). This makes our
enforcement of the object-src directive match the behavior of the object-src directive
in the Content Security Policy 2.0 spec., <http://www.w3.org/TR/2015/CR-CSP2-20150721/>.

Tests: http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html
       http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html
       http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html
       http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html

* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Extracted from SubframeLoader::pluginIsLoadable().
Checks if the plugin element is allowed by the Content Security Policy to load the URL and MIME type.
(WebCore::SubframeLoader::pluginIsLoadable): Extract out the logic for determining if
the plugin content is allowed to load by the Content Security Policy into SubframeLoader::isPluginContentAllowedByContentSecurityPolicy()
and make use of this function.
(WebCore::SubframeLoader::requestObject): Modified to call SubframeLoader::isPluginContentAllowedByContentSecurityPolicy()
before loading plugin content into a sub frame. If the plugin content is not allowed to load then we
mark the plugin as unavailable with the reason being that it was blocked by the Content Security Policy.
* loader/SubframeLoader.h:

LayoutTests:

Add test to ensure that we enforce the Content Security Policy object-src directive
for HTML object and HTML embed elements that behave like an HTML iframe element.

* TestExpectations: Remove entries for tests that pass.
* http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html: Added.

* http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html:
* http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html:
* http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html:
Simplify the code used in the above tests and update incorrect expected results.

* http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html: Added.
* http/tests/security/contentSecurityPolicy/resources/object-src-param.js: Removed.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@197697 268f45cc-cd09-0410-ab3c-d52691b4dbfc

22 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/object-src-param.js [deleted file]
Source/WebCore/ChangeLog
Source/WebCore/loader/SubframeLoader.cpp
Source/WebCore/loader/SubframeLoader.h

index 4c45cef..7c2a2ce 100644 (file)
@@ -1,3 +1,35 @@
+2016-03-07  Daniel Bates  <dabates@apple.com>
+
+        CSP: object-src directive should prohibit creation of nested browsing context
+        https://bugs.webkit.org/show_bug.cgi?id=153153
+        <rdar://problem/24383209>
+
+        Reviewed by Brent Fulgham.
+
+        Add test to ensure that we enforce the Content Security Policy object-src directive
+        for HTML object and HTML embed elements that behave like an HTML iframe element.
+
+        * TestExpectations: Remove entries for tests that pass.
+        * http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html: Added.
+
+        * http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html:
+        * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html:
+        * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html:
+        Simplify the code used in the above tests and update incorrect expected results.
+
+        * http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/object-src-param.js: Removed.
+
 2016-03-07  Ryan Haddad  <ryanhaddad@apple.com>
 
         Marking js/arraybuffer-wrappers.html as a flaky timeout on Mac
index 64ce329..9af83af 100644 (file)
@@ -845,10 +845,6 @@ webkit.org/b/153151 http/tests/security/contentSecurityPolicy/icon-allowed.html
 webkit.org/b/153151 http/tests/security/contentSecurityPolicy/icon-blocked.html [ Failure ]
 webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-allowed.html # Needs testRunner.getManifestThen()
 webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-blocked.html # Needs testRunner.getManifestThen()
-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html
-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html
-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html
-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html
 webkit.org/b/153154 http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html
 webkit.org/b/153155 http/tests/security/contentSecurityPolicy/style-src-blocked-error-event.html
 webkit.org/b/153159 http/tests/security/contentSecurityPolicy/image-document-default-src-none.html [ Failure ]
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt
new file mode 100644 (file)
index 0000000..c595f7a
--- /dev/null
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' because it violates the following Content Security Policy directive: "object-src 'none'".
+
+This test passes if there is a console message saying the plugin was blocked. 
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html
new file mode 100644 (file)
index 0000000..7e7e945
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+</head>
+<body>
+This test passes if there is a console message saying the plugin was blocked.
+<embed src="/plugins/resources/mock-plugin.pl">
+</body>
+</html>
+
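Review bot: the hunk ends with an added empty line after `</html>`, leaving a trailing blank line at the end of embed-src-url-blocked.html, whereas the other new test files in this change (embed-src-url-blocked2.html, object-src-param-src-blocked2.html, object-src-url-blocked2.html) end at `</html>`; drop the extra line for consistency.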
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt
new file mode 100644 (file)
index 0000000..ff22fde
--- /dev/null
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "object-src 'none'".
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html b/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html
new file mode 100644 (file)
index 0000000..7e5d165
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+</head>
+<body>
+<embed src="resources/alert-fail.html" type="text/html">
+</body>
+</html>
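Review bot: the body of this test states no pass condition, unlike embed-src-url-blocked.html, so the expected output above is only the console message followed by blank lines; add the `This test passes if there is a console message saying the plugin was blocked.` sentence so a reader of the expected file can tell a pass from an empty dump. The same omission is in object-src-param-src-blocked2.html and object-src-url-blocked2.html.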
index a11c6b4..baf396b 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?code' because it violates the following Content Security Policy directive: "object-src http://localhost:8080".
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?code' because it violates the following Content Security Policy directive: "object-src http://localhost:8000".
 
-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
 This test passes if there is a console message saying the plugin was blocked. 
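Review bot: dropping the `PASS: Error occurred, so load was correctly blocked.` line means this test now asserts only on the CSP console message and no longer checks that the blocked object fires its error event, which is what the listener in the removed resources/object-src-param.js verified; if the error event is still part of the intended behaviour, keep an error listener in the rewritten test so a regression there is still caught. The 8080 to 8000 port change matches the new `object-src http://localhost:8000` policy in the test.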
index e7ba845..371b6d1 100644 (file)
@@ -1,13 +1,18 @@
 <!DOCTYPE html>
 <html>
 <head>
-<script src="resources/object-src-param.js"></script>
-<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8080">
+<script src="/js-test-resources/plugin.js"></script>
+<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8000">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText()
+</script>
 </head>
 <body>
 This test passes if there is a console message saying the plugin was blocked.
-<script>
-    appendObjectElement('code');
-</script>
+<object type="application/x-webkit-test-netscape">
+    <param name="code" value="http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?code">
+</object>
+<script>runAfterPluginLoad(null, NotifyDone);</script>
 </body>
 </html>
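Review bot: `testRunner.dumpAsText()` in the added head script is missing its trailing semicolon, while the otherwise identical scripts added to the movie, src and url variants of this test have it; add the semicolon for consistency.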
index 5d885c3..053d55a 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?movie' because it violates the following Content Security Policy directive: "object-src http://localhost:8080".
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?movie' because it violates the following Content Security Policy directive: "object-src http://localhost:8000".
 
-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
 This test passes if there is a console message saying the plugin was blocked. 
index e9f938c..1921041 100644 (file)
@@ -1,13 +1,18 @@
 <!DOCTYPE html>
 <html>
 <head>
-<script src="resources/object-src-param.js"></script>
-<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8080">
+<script src="/js-test-resources/plugin.js"></script>
+<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8000">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
 </head>
 <body>
 This test passes if there is a console message saying the plugin was blocked.
-<script>
-    appendObjectElement('movie');
-</script>
+<object type="application/x-webkit-test-netscape">
+    <param name="movie" value="http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?movie">
+</object>
+<script>runAfterPluginLoad(null, NotifyDone);</script>
 </body>
 </html>
index 6b75755..c4acc9a 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?src' because it violates the following Content Security Policy directive: "object-src http://localhost:8080".
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?src' because it violates the following Content Security Policy directive: "object-src http://localhost:8000".
 
-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
 This test passes if there is a console message saying the plugin was blocked. 
index def6f51..4a76743 100644 (file)
@@ -1,13 +1,18 @@
 <!DOCTYPE html>
 <html>
 <head>
-<script src="resources/object-src-param.js"></script>
-<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8080">
+<script src="/js-test-resources/plugin.js"></script>
+<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8000">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
 </head>
 <body>
 This test passes if there is a console message saying the plugin was blocked.
-<script>
-    appendObjectElement('src');
-</script>
+<object type="application/x-webkit-test-netscape">
+    <param name="src" value="http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?src">
+</object>
+<script>runAfterPluginLoad(null, NotifyDone);</script>
 </body>
 </html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt
new file mode 100644 (file)
index 0000000..ff22fde
--- /dev/null
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "object-src 'none'".
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html
new file mode 100644 (file)
index 0000000..88c6ae4
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<object type="application/x-non-existent-plugin">
+    <param name="src" value="resources/alert-fail.html">
+</object>
+</body>
+</html>
index e020e88..11148ae 100644 (file)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?url' because it violates the following Content Security Policy directive: "object-src http://localhost:8080".
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?url' because it violates the following Content Security Policy directive: "object-src http://localhost:8000".
 
-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
 This test passes if there is a console message saying the plugin was blocked. 
index d4e78d2..58a3fcb 100644 (file)
@@ -1,13 +1,18 @@
 <!DOCTYPE html>
 <html>
 <head>
-<script src="resources/object-src-param.js"></script>
-<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8080">
+<script src="/js-test-resources/plugin.js"></script>
+<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8000">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
 </head>
 <body>
 This test passes if there is a console message saying the plugin was blocked.
-<script>
-    appendObjectElement('url');
-</script>
+<object type="application/x-webkit-test-netscape">
+    <param name="url" value="http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?url">
+</object>
+<script>runAfterPluginLoad(null, NotifyDone);</script>
 </body>
 </html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt
new file mode 100644 (file)
index 0000000..ff22fde
--- /dev/null
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "object-src 'none'".
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html
new file mode 100644 (file)
index 0000000..8e0ba8a
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+</head>
+<body>
+<object data="resources/alert-fail.html" type="text/html"></object>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/object-src-param.js b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/object-src-param.js
deleted file mode 100644 (file)
index 44a7f7c..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-if (window.testRunner) {
-    testRunner.dumpAsText();
-    testRunner.waitUntilDone();
-}
-
-function appendObjectElement(type) {
-    window.onload = function () {
-        var o = document.createElement('object');
-        o.setAttribute('type', 'application/x-webkit-test-netscape');
-        o.addEventListener('load', function () {
-            console.log('FAIL: The object should have been blocked.');
-            if (window.testRunner)
-                testRunner.notifyDone();
-        });
-        o.addEventListener('error', function () {
-            console.log('PASS: Error occurred, so load was correctly blocked.');
-            if (window.testRunner)
-                testRunner.notifyDone();
-        });
-
-        var p = document.createElement('param');
-        p.setAttribute('value', 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?' + type);
-        p.setAttribute('name', type);
-
-        o.appendChild(p);
-
-        document.body.appendChild(o);
-    };
-}
index fa30b05..c1bcef0 100644 (file)
@@ -1,3 +1,33 @@
+2016-03-07  Daniel Bates  <dabates@apple.com>
+
+        CSP: object-src directive should prohibit creation of nested browsing context
+        https://bugs.webkit.org/show_bug.cgi?id=153153
+        <rdar://problem/24383209>
+
+        Reviewed by Brent Fulgham.
+
+        Enforce the Content Security Policy object-src directive when fetching a URL for content
+        that will cause an HTML object or HTML embed element to act as a nested browsing context
+        (i.e. behave as if the content was loaded in an HTML iframe element). This makes our
+        enforcement of the object-src directive match the behavior of the object-src directive
+        in the Content Security Policy 2.0 spec., <http://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+        Tests: http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html
+               http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html
+               http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html
+               http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html
+
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Extracted from SubframeLoader::pluginIsLoadable().
+        Checks if the plugin element is allowed by the Content Security Policy to load the URL and MIME type.
+        (WebCore::SubframeLoader::pluginIsLoadable): Extract out the logic for determining if
+        the plugin content is allowed to load by the Content Security Policy into SubframeLoader::isPluginContentAllowedByContentSecurityPolicy()
+        and make use of this function.
+        (WebCore::SubframeLoader::requestObject): Modified to call SubframeLoader::isPluginContentAllowedByContentSecurityPolicy()
+        before loading plugin content into a sub frame. If the plugin content is not allowed to load then we
+        mark the plugin as unavailable with the reason being that it was blocked by the Content Security Policy.
+        * loader/SubframeLoader.h:
+
 2016-03-06  Gavin Barraclough  <barraclough@apple.com>
 
         Convert DOMTimer to std::chrono::milliseconds
index 5a09cfd..39b79a8 100644 (file)
@@ -104,6 +104,20 @@ bool SubframeLoader::resourceWillUsePlugin(const String& url, const String& mime
     return shouldUsePlugin(completedURL, mimeType, false, useFallback);
 }
 
+bool SubframeLoader::isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType) const
+{
+    if (!document())
+        return true;
+
+    ASSERT(document()->contentSecurityPolicy());
+    const ContentSecurityPolicy& contentSecurityPolicy = *document()->contentSecurityPolicy();
+
+    String declaredMimeType = document()->isPluginDocument() && document()->ownerElement() ?
+        document()->ownerElement()->fastGetAttribute(HTMLNames::typeAttr) : pluginElement.fastGetAttribute(HTMLNames::typeAttr);
+    bool isInUserAgentShadowTree = pluginElement.isInUserAgentShadowTree();
+    return contentSecurityPolicy.allowObjectFromSource(url, isInUserAgentShadowTree) && contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, url, isInUserAgentShadowTree);
+}
+
 bool SubframeLoader::pluginIsLoadable(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType)
 {
     if (MIMETypeRegistry::isJavaAppletMIMEType(mimeType)) {
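Review bot: the early `if (!document()) return true;` in isPluginContentAllowedByContentSecurityPolicy fails open, allowing the plugin content whenever there is no document, and this is a new branch: the inline code it replaces in pluginIsLoadable called document()->contentSecurityPolicy() unconditionally. Either add a comment explaining why a loader without a document can safely allow the load, or if that case is not expected, make it `ASSERT(document())` and return false. The `ASSERT(document()->contentSecurityPolicy())` followed by the unconditional dereference matches what the old code did and is fine.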
@@ -122,12 +136,7 @@ bool SubframeLoader::pluginIsLoadable(HTMLPlugInImageElement& pluginElement, con
             return false;
         }
 
-        String declaredMimeType = document()->isPluginDocument() && document()->ownerElement() ?
-            document()->ownerElement()->fastGetAttribute(HTMLNames::typeAttr) :
-            pluginElement.fastGetAttribute(HTMLNames::typeAttr);
-        bool isInUserAgentShadowTree = pluginElement.isInUserAgentShadowTree();
-        if (!document()->contentSecurityPolicy()->allowObjectFromSource(url, isInUserAgentShadowTree)
-            || !document()->contentSecurityPolicy()->allowPluginType(mimeType, declaredMimeType, url, isInUserAgentShadowTree)) {
+        if (!isPluginContentAllowedByContentSecurityPolicy(pluginElement, url, mimeType)) {
             RenderEmbeddedObject* renderer = pluginElement.renderEmbeddedObject();
             renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
             return false;
@@ -227,6 +236,12 @@ bool SubframeLoader::requestObject(HTMLPlugInImageElement& ownerElement, const S
         return success;
     }
 
+    if (!isPluginContentAllowedByContentSecurityPolicy(ownerElement, completedURL, mimeType)) {
+        RenderEmbeddedObject* renderer = ownerElement.renderEmbeddedObject();
+        renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
+        return false;
+    }
+
     // If the plug-in element already contains a subframe, loadOrRedirectSubframe will re-use it. Otherwise,
     // it will create a new frame and set it as the RenderWidget's Widget, causing what was previously 
     // in the widget to be torn down.
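Review bot: the new block in requestObject dereferences the result of ownerElement.renderEmbeddedObject() without a null check before calling setPluginUnavailabilityReason; the equivalent block in pluginIsLoadable does the same, but it is not visible here whether an earlier condition in either function guarantees the renderer. Please confirm the renderer cannot be null at this point in requestObject, or guard it with `if (RenderEmbeddedObject* renderer = ownerElement.renderEmbeddedObject())` before setting the unavailability reason.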
index 39291fc..9dc8bc4 100644 (file)
@@ -77,6 +77,8 @@ private:
     Frame* loadSubframe(HTMLFrameOwnerElement&, const URL&, const String& name, const String& referrer);
     bool loadPlugin(HTMLPlugInImageElement&, const URL&, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues, bool useFallback);
 
+    bool isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement&, const URL&, const String& mimeType) const;
+
     bool shouldUsePlugin(const URL&, const String& mimeType, bool hasFallback, bool& useFallback);
     bool pluginIsLoadable(HTMLPlugInImageElement&, const URL&, const String& mimeType);