2011-04-07 Adam Barth <abarth@webkit.org>
authorabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 8 Apr 2011 01:08:59 +0000 (01:08 +0000)
committerabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 8 Apr 2011 01:08:59 +0000 (01:08 +0000)
        Reviewed by Eric Seidel.

        Implement img-src style-src and font-src
        https://bugs.webkit.org/show_bug.cgi?id=58018

        Test a bunch of allow/block tests for these new directives.

        * http/tests/security/contentSecurityPolicy/image-allowed-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/image-allowed.html: Added.
        * http/tests/security/contentSecurityPolicy/image-blocked-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/image-blocked.html: Added.
        * http/tests/security/contentSecurityPolicy/resources/blue.css: Added.
        * http/tests/security/contentSecurityPolicy/resources/style.xsl: Added.
        * http/tests/security/contentSecurityPolicy/style-allowed-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/style-allowed.html: Added.
        * http/tests/security/contentSecurityPolicy/style-blocked-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/style-blocked.html: Added.
        * http/tests/security/contentSecurityPolicy/xsl-allowed.php: Added.
        * http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/xsl-blocked.php: Added.
2011-04-07  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Implement img-src style-src and font-src
        https://bugs.webkit.org/show_bug.cgi?id=58018

        These are pretty straightforward given the rest of the infrastructure
        we've built so far.

        Tests: http/tests/security/contentSecurityPolicy/image-allowed.html
               http/tests/security/contentSecurityPolicy/image-blocked.html
               http/tests/security/contentSecurityPolicy/style-allowed.html
               http/tests/security/contentSecurityPolicy/style-blocked.html
               http/tests/security/contentSecurityPolicy/xsl-allowed.php
               http/tests/security/contentSecurityPolicy/xsl-blocked.php

        * loader/cache/CachedResourceLoader.cpp:
        (WebCore::CachedResourceLoader::canRequest):
        * page/ContentSecurityPolicy.cpp:
        (WebCore::ContentSecurityPolicy::allowImageFromSource):
        (WebCore::ContentSecurityPolicy::allowStyleFromSource):
        (WebCore::ContentSecurityPolicy::allowFontFromSource):
        (WebCore::ContentSecurityPolicy::addDirective):
        * page/ContentSecurityPolicy.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@83235 268f45cc-cd09-0410-ab3c-d52691b4dbfc

19 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/blue.css [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/style.xsl [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/cache/CachedResourceLoader.cpp
Source/WebCore/page/ContentSecurityPolicy.cpp
Source/WebCore/page/ContentSecurityPolicy.h

index 9f832d9..cef116f 100644 (file)
@@ -1,3 +1,26 @@
+2011-04-07  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Implement img-src style-src and font-src
+        https://bugs.webkit.org/show_bug.cgi?id=58018
+
+        Test a bunch of allow/block tests for these new directives.
+
+        * http/tests/security/contentSecurityPolicy/image-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/image-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/blue.css: Added.
+        * http/tests/security/contentSecurityPolicy/resources/style.xsl: Added.
+        * http/tests/security/contentSecurityPolicy/style-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/style-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/style-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/style-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-allowed.php: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-blocked.php: Added.
+
 2011-04-07  Enrica Casucci  <enrica@apple.com>
 
         Unreviewed. Updated comment in skipped list to
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed-expected.txt
new file mode 100644 (file)
index 0000000..9c70321
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed.html
new file mode 100644 (file)
index 0000000..2af90b8
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="img-src *; script-src 'none'; options disable-xss-protection">
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<img src="../resources/abe.png" onload="alert(this.width == 76 ? 'PASS' : 'FAIL')">
+</body>
+</html>
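Review bot: The `<img>` on the new line 11 only has an onload handler, so if abe.png fails to load for a reason unrelated to CSP (missing file, server error) no alert fires at all and the run diverges from the expected text without naming the failure. Adding an explicit failure path keeps the test self-describing: `<img src="../resources/abe.png" onload="alert(this.width == 76 ? 'PASS' : 'FAIL')" onerror="alert('FAIL')">`. The same consideration applies to the blocked variant, where passing by silence cannot tell a CSP block from any other load failure; whether the error event fires for a policy-blocked load is not visible here, so that one would need confirming before relying on onerror.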
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked-expected.txt
new file mode 100644 (file)
index 0000000..a8589f6
--- /dev/null
@@ -0,0 +1 @@
+This test passes if it doesn't alert fail. 
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked.html
new file mode 100644 (file)
index 0000000..ca37226
--- /dev/null
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="img-src 'none'; script-src 'none'; options disable-xss-protection">
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+This test passes if it doesn't alert fail.
+<img src="../resources/abe.png" onload="alert('FAIL')">
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/blue.css b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/blue.css
new file mode 100644 (file)
index 0000000..54aeecc
--- /dev/null
@@ -0,0 +1,3 @@
+.target {
+    background-color: blue;
+}
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/style.xsl b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/style.xsl
new file mode 100644 (file)
index 0000000..6d83dfc
--- /dev/null
@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="2.0"
+  xmlns:xhtml="http://www.w3.org/1999/xhtml"
+  xmlns="http://www.w3.org/1999/xhtml"
+  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+  xmlns:xs="http://www.w3.org/2001/XMLSchema"
+  exclude-result-prefixes="xhtml xsl xs">
+<xsl:output method="xml" version="1.0" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.1//EN" doctype-system="http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" indent="yes"/>
+<xsl:template match="@*|node()">
+  <xsl:copy>
+    <xsl:apply-templates select="@*|node()"/>
+  </xsl:copy>
+</xsl:template>
+<xsl:template match="xhtml:div">
+  <xsl:copy>
+    Style sheet applied.
+    <xsl:apply-templates select="@*|node()"/>
+  </xsl:copy>
+</xsl:template>
+</xsl:stylesheet>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed-expected.txt
new file mode 100644 (file)
index 0000000..7ef22e9
--- /dev/null
@@ -0,0 +1 @@
+PASS
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed.html
new file mode 100644 (file)
index 0000000..dac76ac
--- /dev/null
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="style-src *; script-src 'none'; options disable-xss-protection">
+<link rel="stylesheet" href="resources/blue.css">
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<script>
+document.write(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked-expected.txt
new file mode 100644 (file)
index 0000000..7ef22e9
--- /dev/null
@@ -0,0 +1 @@
+PASS
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked.html
new file mode 100644 (file)
index 0000000..e3834ed
--- /dev/null
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'none'; options disable-xss-protection">
+<link rel="stylesheet" href="resources/blue.css">
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<script>
+document.write(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed-expected.txt
new file mode 100644 (file)
index 0000000..4afccd0
--- /dev/null
@@ -0,0 +1,2 @@
+The text below should indicate that the style sheet was applied.
+Style sheet applied.
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php b/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php
new file mode 100644 (file)
index 0000000..e3aa09e
--- /dev/null
@@ -0,0 +1,23 @@
+<?php
+header("Content-Type: application/xhtml+xml");
+header("X-WebKit-CSP: style-src *; script-src 'none'; options disable-xss-protection");
+
+echo '<?xml version="1.0" encoding="UTF-8"?>';
+echo '<?xml-stylesheet type="text/xsl" href="resources/style.xsl"?>';
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
+        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script>
+//<![CDATA[
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+//]]>
+</script>
+</head>
+<body>
+The text below should indicate that the style sheet was applied.
+<div />
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt
new file mode 100644 (file)
index 0000000..e50061b
--- /dev/null
@@ -0,0 +1,2 @@
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php b/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php
new file mode 100644 (file)
index 0000000..e6e9e59
--- /dev/null
@@ -0,0 +1,23 @@
+<?php
+header("Content-Type: application/xhtml+xml");
+header("X-WebKit-CSP: style-src 'none'; script-src *; options disable-xss-protection");
+
+echo '<?xml version="1.0" encoding="UTF-8"?>';
+echo '<?xml-stylesheet type="text/xsl" href="resources/style.xsl"?>';
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
+        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<script>
+//<![CDATA[
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+//]]>
+</script>
+</head>
+<body>
+This test should render as a blank page because the style sheet will fail to load!
+<div />
+</body>
+</html>
index 28d197b..660c226 100644 (file)
@@ -1,3 +1,29 @@
+2011-04-07  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Implement img-src style-src and font-src
+        https://bugs.webkit.org/show_bug.cgi?id=58018
+
+        These are pretty straight forward given the rest of the infrastructure
+        we've built so far.
+
+        Tests: http/tests/security/contentSecurityPolicy/image-allowed.html
+               http/tests/security/contentSecurityPolicy/image-blocked.html
+               http/tests/security/contentSecurityPolicy/style-allowed.html
+               http/tests/security/contentSecurityPolicy/style-blocked.html
+               http/tests/security/contentSecurityPolicy/xsl-allowed.php
+               http/tests/security/contentSecurityPolicy/xsl-blocked.php
+
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::canRequest):
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowImageFromSource):
+        (WebCore::ContentSecurityPolicy::allowStyleFromSource):
+        (WebCore::ContentSecurityPolicy::allowFontFromSource):
+        (WebCore::ContentSecurityPolicy::addDirective):
+        * page/ContentSecurityPolicy.h:
+
 2011-04-07  David Levin  <levin@chromium.org>
 
         Reviewed by Darin Adler.
index a718097..f780c6c 100644 (file)
@@ -255,8 +255,32 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url
     }
     // FIXME: Consider letting the embedder block mixed content loads.
 
-    if (type == CachedResource::Script && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
-        return false;
+    switch (type) {
+    case CachedResource::Script:
+        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url))
+            return false;
+        break;
+#if ENABLE(XSLT)
+    case CachedResource::XSLStyleSheet:
+#endif
+    case CachedResource::CSSStyleSheet:
+        if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url))
+            return false;
+        break;
+    case CachedResource::ImageResource:
+        if (!m_document->contentSecurityPolicy()->allowImageFromSource(url))
+            return false;
+        break;
+    case CachedResource::FontResource: {
+        if (!m_document->contentSecurityPolicy()->allowFontFromSource(url))
+            return false;
+        break;
+    }
+#if ENABLE(LINK_PREFETCH)
+    case CachedResource::LinkPrefetch:
+        break;
+#endif
+    }
 
     return true;
 }
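Review bot: The new switch has no default, so any CachedResource::Type enumerator not listed in these cases falls out of the switch to `return true;` and is exempt from the policy check. If the build treats an unhandled enumerator as an error (-Wswitch under -Werror) a type added later is caught at compile time; otherwise it silently bypasses CSP, so the intent deserves stating: `// Every CachedResource::Type must be listed here: a type without a case is not subject to CSP and is allowed.` The FontResource case is the only one wrapped in braces, unlike its three siblings; dropping them keeps the cases uniform. canRequest begins before the hunk.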
index a92b428..880e184 100644 (file)
@@ -509,6 +509,21 @@ bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const
     return !m_objectSrc || m_objectSrc->allows(url);
 }
 
+bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const
+{
+    return !m_imgSrc || m_imgSrc->allows(url);
+}
+
+bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const
+{
+    return !m_styleSrc || m_styleSrc->allows(url);
+}
+
+bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const
+{
+    return !m_fontSrc || m_fontSrc->allows(url);
+}
+
 // policy            = directive-list
 // directive-list    = [ directive *( ";" [ directive ] ) ]
 //
@@ -584,6 +599,9 @@ void ContentSecurityPolicy::addDirective(const String& name, const String& value
 {
     DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
     DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src"));
+    DEFINE_STATIC_LOCAL(String, imgSrc, ("img-src"));
+    DEFINE_STATIC_LOCAL(String, styleSrc, ("style-src"));
+    DEFINE_STATIC_LOCAL(String, fontSrc, ("font-src"));
     DEFINE_STATIC_LOCAL(String, options, ("options"));
 
     ASSERT(!name.isEmpty());
@@ -592,6 +610,12 @@ void ContentSecurityPolicy::addDirective(const String& name, const String& value
         m_scriptSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
     else if (!m_objectSrc && equalIgnoringCase(name, objectSrc))
         m_objectSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
+    else if (!m_imgSrc && equalIgnoringCase(name, imgSrc))
+        m_imgSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
+    else if (!m_styleSrc && equalIgnoringCase(name, styleSrc))
+        m_styleSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
+    else if (!m_fontSrc && equalIgnoringCase(name, fontSrc))
+        m_fontSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
     else if (!m_options && equalIgnoringCase(name, options))
         m_options = adoptPtr(new CSPOptions(value));
 }
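Review bot: The three new else-if arms in addDirective keep the first img-src/style-src/font-src directive and silently drop any later one, because the `!m_imgSrc &&` (and sibling) guards fail once the member is set; a misspelled or unsupported directive name likewise falls off the end of the chain with no record. That matches the existing script-src and object-src arms, but nothing in the function says so, so a maintainer reading a policy with two style-src directives will not know which applied. A comment above the chain would capture it: `// First occurrence of a directive wins; repeated and unrecognized directives are ignored without notice.` addDirective's header is in the earlier hunk of this file.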
index 7ec4ffc..8a32d21 100644 (file)
@@ -49,8 +49,12 @@ public:
     bool allowJavaScriptURLs() const;
     bool allowInlineEventHandlers() const;
     bool allowInlineScript() const;
+
     bool allowScriptFromSource(const KURL&) const;
     bool allowObjectFromSource(const KURL&) const;
+    bool allowImageFromSource(const KURL&) const;
+    bool allowStyleFromSource(const KURL&) const;
+    bool allowFontFromSource(const KURL&) const;
 
 private:
     explicit ContentSecurityPolicy(SecurityOrigin*);
@@ -65,6 +69,9 @@ private:
     RefPtr<SecurityOrigin> m_origin;
     OwnPtr<CSPDirective> m_scriptSrc;
     OwnPtr<CSPDirective> m_objectSrc;
+    OwnPtr<CSPDirective> m_imgSrc;
+    OwnPtr<CSPDirective> m_styleSrc;
+    OwnPtr<CSPDirective> m_fontSrc;
     OwnPtr<CSPOptions> m_options;
 };
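Review bot: The three new declarations allowImageFromSource, allowStyleFromSource and allowFontFromSource carry no comment, and their implementations in ContentSecurityPolicy.cpp return true whenever the corresponding directive is absent from the policy (`!m_imgSrc || m_imgSrc->allows(url)`), which is the one fact a caller most needs. A one-line comment on the group would record it: `// Each check allows every URL when its directive was not specified in the policy.` The same note fits the existing allowScriptFromSource and allowObjectFromSource declarations above it.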