Reviewed by Eric Seidel.
Implement img-src style-src and font-src
https://bugs.webkit.org/show_bug.cgi?id=58018
Test a bunch of allow/block tests for these new directives.
* http/tests/security/contentSecurityPolicy/image-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/image-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/resources/blue.css: Added.
* http/tests/security/contentSecurityPolicy/resources/style.xsl: Added.
* http/tests/security/contentSecurityPolicy/style-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/style-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/style-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/style-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/xsl-allowed.php: Added.
* http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-blocked.php: Added.
2011-04-07 Adam Barth <abarth@webkit.org>
Reviewed by Eric Seidel.
Implement img-src style-src and font-src
https://bugs.webkit.org/show_bug.cgi?id=58018
These are pretty straightforward given the rest of the infrastructure
we've built so far.
Tests: http/tests/security/contentSecurityPolicy/image-allowed.html
http/tests/security/contentSecurityPolicy/image-blocked.html
http/tests/security/contentSecurityPolicy/style-allowed.html
http/tests/security/contentSecurityPolicy/style-blocked.html
http/tests/security/contentSecurityPolicy/xsl-allowed.php
http/tests/security/contentSecurityPolicy/xsl-blocked.php
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest):
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowImageFromSource):
(WebCore::ContentSecurityPolicy::allowStyleFromSource):
(WebCore::ContentSecurityPolicy::allowFontFromSource):
(WebCore::ContentSecurityPolicy::addDirective):
* page/ContentSecurityPolicy.h:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@83235
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2011-04-07 Adam Barth <abarth@webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ Implement img-src style-src and font-src
+ https://bugs.webkit.org/show_bug.cgi?id=58018
+
+ Test a bunch of allow/block tests for these new directives.
+
+ * http/tests/security/contentSecurityPolicy/image-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/image-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/image-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/image-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/resources/blue.css: Added.
+ * http/tests/security/contentSecurityPolicy/resources/style.xsl: Added.
+ * http/tests/security/contentSecurityPolicy/style-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/style-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/style-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/style-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/xsl-allowed.php: Added.
+ * http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/xsl-blocked.php: Added.
+
2011-04-07 Enrica Casucci <enrica@apple.com>
Unreviewed. Updated comment in skipped list to
--- /dev/null
+ALERT: PASS
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="img-src *; script-src 'none'; options disable-xss-protection">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<img src="../resources/abe.png" onload="alert(this.width == 76 ? 'PASS' : 'FAIL')">
+</body>
+</html>
--- /dev/null
+This test passes if it doesn't alert fail.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="img-src 'none'; script-src 'none'; options disable-xss-protection">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+This test passes if it doesn't alert fail.
+<img src="../resources/abe.png" onload="alert('FAIL')">
+</body>
+</html>
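Review bot: image-blocked.html has no positive signal that the policy refused the image: it passes whenever `onload` does not fire, which is also what happens if `../resources/abe.png` is missing or the request fails for an unrelated reason. image-allowed.html loading the same path is the only control. If the loader dispatches an error event for a refused request (not visible on this page), adding `onerror="alert('PASS')"` to the `<img>` and expecting `ALERT: PASS` would make the block observable instead of inferred from silence.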
--- /dev/null
+.target {
+ background-color: blue;
+}
--- /dev/null
+<?xml version="1.0"?>
+<xsl:stylesheet version="2.0"
+ xmlns:xhtml="http://www.w3.org/1999/xhtml"
+ xmlns="http://www.w3.org/1999/xhtml"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ exclude-result-prefixes="xhtml xsl xs">
+<xsl:output method="xml" version="1.0" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.1//EN" doctype-system="http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" indent="yes"/>
+<xsl:template match="@*|node()">
+ <xsl:copy>
+ <xsl:apply-templates select="@*|node()"/>
+ </xsl:copy>
+</xsl:template>
+<xsl:template match="xhtml:div">
+ <xsl:copy>
+ Style sheet applied.
+ <xsl:apply-templates select="@*|node()"/>
+ </xsl:copy>
+</xsl:template>
+</xsl:stylesheet>
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="style-src *; script-src 'none'; options disable-xss-protection">
+<link rel="stylesheet" href="resources/blue.css">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<script>
+document.write(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+</script>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'none'; options disable-xss-protection">
+<link rel="stylesheet" href="resources/blue.css">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<script>
+document.write(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
+</script>
+</body>
+</html>
--- /dev/null
+The text below should indicate that the style sheet was applied.
+Style sheet applied.
--- /dev/null
+<?php
+header("Content-Type: application/xhtml+xml");
+header("X-WebKit-CSP: style-src *; script-src 'none'; options disable-xss-protection");
+
+echo '<?xml version="1.0" encoding="UTF-8"?>';
+echo '<?xml-stylesheet type="text/xsl" href="resources/style.xsl"?>';
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script>
+//<![CDATA[
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+//]]>
+</script>
+</head>
+<body>
+The text below should indicate that the style sheet was applied.
+<div />
+</body>
+</html>
--- /dev/null
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
--- /dev/null
+<?php
+header("Content-Type: application/xhtml+xml");
+header("X-WebKit-CSP: style-src 'none'; script-src *; options disable-xss-protection");
+
+echo '<?xml version="1.0" encoding="UTF-8"?>';
+echo '<?xml-stylesheet type="text/xsl" href="resources/style.xsl"?>';
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script>
+//<![CDATA[
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+//]]>
+</script>
+</head>
+<body>
+This test should render as a blank page because the style sheet will fail to load!
+<div />
+</body>
+</html>
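Review bot: xsl-blocked.php sends `script-src *` while xsl-allowed.php sends `script-src 'none'`, so the pair differs in more than the `style-src` value under test. Unless the wildcard is needed for a reason not shown here, `header("X-WebKit-CSP: style-src 'none'; script-src 'none'; options disable-xss-protection");` keeps the comparison to a single variable. The expected file for this test is a two-line render-tree dump rather than text, which suggests the `dumpAsText()` call never runs once the stylesheet is refused; a short comment in the test recording that this is intended would help the next reader.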
+2011-04-07 Adam Barth <abarth@webkit.org>
+
+ Reviewed by Eric Seidel.
+
+ Implement img-src style-src and font-src
+ https://bugs.webkit.org/show_bug.cgi?id=58018
+
+ These are pretty straight forward given the rest of the infrastructure
+ we've built so far.
+
+ Tests: http/tests/security/contentSecurityPolicy/image-allowed.html
+ http/tests/security/contentSecurityPolicy/image-blocked.html
+ http/tests/security/contentSecurityPolicy/style-allowed.html
+ http/tests/security/contentSecurityPolicy/style-blocked.html
+ http/tests/security/contentSecurityPolicy/xsl-allowed.php
+ http/tests/security/contentSecurityPolicy/xsl-blocked.php
+
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::canRequest):
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowImageFromSource):
+ (WebCore::ContentSecurityPolicy::allowStyleFromSource):
+ (WebCore::ContentSecurityPolicy::allowFontFromSource):
+ (WebCore::ContentSecurityPolicy::addDirective):
+ * page/ContentSecurityPolicy.h:
+
2011-04-07 David Levin <levin@chromium.org>
Reviewed by Darin Adler.
}
// FIXME: Consider letting the embedder block mixed content loads.
- if (type == CachedResource::Script && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
- return false;
+ switch (type) {
+ case CachedResource::Script:
+ if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+ return false;
+ break;
+#if ENABLE(XSLT)
+ case CachedResource::XSLStyleSheet:
+#endif
+ case CachedResource::CSSStyleSheet:
+ if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url))
+ return false;
+ break;
+ case CachedResource::ImageResource:
+ if (!m_document->contentSecurityPolicy()->allowImageFromSource(url))
+ return false;
+ break;
+ case CachedResource::FontResource: {
+ if (!m_document->contentSecurityPolicy()->allowFontFromSource(url))
+ return false;
+ break;
+ }
+#if ENABLE(LINK_PREFETCH)
+ case CachedResource::LinkPrefetch:
+ break;
+#endif
+ }
return true;
}
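Review bot: The `LinkPrefetch` case breaks out of the switch with no policy check, so a prefetch to any URL is still permitted under a policy that restricts every other resource type. If that is deliberate for now, it should be recorded at the case, e.g. `// FIXME: Prefetch requests are not yet restricted by any CSP directive.` Separately, `XSLStyleSheet` shares the `style-src` check with CSS; because an XSL transform can rewrite the whole document, a comment recording why it is treated as style rather than checked by `allowScriptFromSource` would be useful. canRequest begins above this hunk, so any earlier checks are not visible here.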
return !m_objectSrc || m_objectSrc->allows(url);
}
+bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const
+{
+ return !m_imgSrc || m_imgSrc->allows(url);
+}
+
+bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const
+{
+ return !m_styleSrc || m_styleSrc->allows(url);
+}
+
+bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const
+{
+ return !m_fontSrc || m_fontSrc->allows(url);
+}
+
// policy = directive-list
// directive-list = [ directive *( ";" [ directive ] ) ]
//
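Review bot: The three new predicates return true when their directive was never set (`!m_imgSrc || m_imgSrc->allows(url)` and its two siblings), so an omitted directive places no restriction on that resource type and nothing here falls back to a policy-wide default. That fail-open behaviour is worth stating once above the group, e.g. `// A directive that is absent from the policy allows every source for its resource type.` Whether a default directive is handled elsewhere in the class cannot be seen from this hunk.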
{
DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src"));
+ DEFINE_STATIC_LOCAL(String, imgSrc, ("img-src"));
+ DEFINE_STATIC_LOCAL(String, styleSrc, ("style-src"));
+ DEFINE_STATIC_LOCAL(String, fontSrc, ("font-src"));
DEFINE_STATIC_LOCAL(String, options, ("options"));
ASSERT(!name.isEmpty());
m_scriptSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
else if (!m_objectSrc && equalIgnoringCase(name, objectSrc))
m_objectSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
+ else if (!m_imgSrc && equalIgnoringCase(name, imgSrc))
+ m_imgSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
+ else if (!m_styleSrc && equalIgnoringCase(name, styleSrc))
+ m_styleSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
+ else if (!m_fontSrc && equalIgnoringCase(name, fontSrc))
+ m_fontSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
else if (!m_options && equalIgnoringCase(name, options))
m_options = adoptPtr(new CSPOptions(value));
}
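Review bot: Each new branch is guarded by `!m_imgSrc`, `!m_styleSrc` or `!m_fontSrc`, so a second occurrence of the same directive matches no branch and is dropped without any diagnostic; as far as the visible chain shows, an unrecognised name is dropped the same way. A policy author who repeats a directive with a stricter value therefore keeps the earlier, looser one. I would document this at the top of the chain with `// The first occurrence of a directive wins; repeats and unknown names are ignored.` addDirective's signature and first branch lie outside this hunk.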
bool allowJavaScriptURLs() const;
bool allowInlineEventHandlers() const;
bool allowInlineScript() const;
+
bool allowScriptFromSource(const KURL&) const;
bool allowObjectFromSource(const KURL&) const;
+ bool allowImageFromSource(const KURL&) const;
+ bool allowStyleFromSource(const KURL&) const;
+ bool allowFontFromSource(const KURL&) const;
private:
explicit ContentSecurityPolicy(SecurityOrigin*);
RefPtr<SecurityOrigin> m_origin;
OwnPtr<CSPDirective> m_scriptSrc;
OwnPtr<CSPDirective> m_objectSrc;
+ OwnPtr<CSPDirective> m_imgSrc;
+ OwnPtr<CSPDirective> m_styleSrc;
+ OwnPtr<CSPDirective> m_fontSrc;
OwnPtr<CSPOptions> m_options;
};