2011-04-29 Adam Barth <abarth@webkit.org>
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 30 Apr 2011 02:22:35 +0000 (02:22 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 30 Apr 2011 02:22:35 +0000 (02:22 +0000)
        Reviewed by Eric Seidel.

        style-src should block inline style from <style>
        https://bugs.webkit.org/show_bug.cgi?id=59292

        Testing makes perfect.

        * http/tests/security/contentSecurityPolicy/inline-style-allowed-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/inline-style-allowed.html: Added.
        * http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/inline-style-blocked.html: Added.
2011-04-29  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        style-src should block inline style from <style>
        https://bugs.webkit.org/show_bug.cgi?id=59292

        The spec has been updated to allow blocking of inline styles with
        style-src.  This will help folks defend against tricky CSS3 injections.

        This patch covers the <style> case.  The next patch will cover the
        @style case.

        Tests: http/tests/security/contentSecurityPolicy/inline-style-allowed.html
               http/tests/security/contentSecurityPolicy/inline-style-blocked.html

        * dom/StyleElement.cpp:
        (WebCore::StyleElement::createSheet):
        * page/ContentSecurityPolicy.cpp:
        (WebCore::ContentSecurityPolicy::allowInlineStyle):
        * page/ContentSecurityPolicy.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@85381 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/StyleElement.cpp
Source/WebCore/page/ContentSecurityPolicy.cpp
Source/WebCore/page/ContentSecurityPolicy.h

index 2f3c2ba..44c3129 100644 (file)
@@ -1,3 +1,17 @@
+2011-04-29  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        style-src should block inline style from <style>
+        https://bugs.webkit.org/show_bug.cgi?id=59292
+
+        Testing makes perfect.
+
+        * http/tests/security/contentSecurityPolicy/inline-style-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/inline-style-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/inline-style-blocked.html: Added.
+
 2011-04-29  Sam Weinig  <sam@webkit.org>
 
         Add tests using layoutTestController.setPrivateBrowsingEnabled to the WebKit2
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed-expected.txt
new file mode 100644 (file)
index 0000000..7ef22e9
--- /dev/null
@@ -0,0 +1 @@
+PASS
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed.html
new file mode 100644 (file)
index 0000000..1287f02
--- /dev/null
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="style-src 'unsafe-inline'; script-src 'unsafe-inline'">
+<style>
+.target {
+    background-color: blue;
+}
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</head>
+<body class="target">
+<script>
+document.write(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
+</script>
+</body>
+</html>
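Review bot: The PASS condition on the `document.write` line only checks that a sheet object exists (`document.styleSheets.length > 0`); it does not confirm the `.target` rule actually applied to `<body class="target">`, so the `class="target"` and the `background-color: blue` rule are dead weight. Consider also asserting `getComputedStyle(document.body).backgroundColor` matches the blue rule so the test fails if the sheet is created but its rules are discarded.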
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt
new file mode 100644 (file)
index 0000000..34e9704
--- /dev/null
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Refused to apply inline style because of Content-Security-Policy.
+
+PASS
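Review bot: The empty line between the console message and `PASS` is presumably the trailing `"\n"` on the static `consoleMessage` string in `ContentSecurityPolicy::allowInlineStyle`; if that newline is intentional it should match the other CSP messages, otherwise drop it from the string so the expected file is just the message followed by `PASS`. The `line 1:` prefix is also worth a second look, since the `<style>` element sits on line 5 of the test file.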
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked.html
new file mode 100644 (file)
index 0000000..93e6b25
--- /dev/null
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'unsafe-inline'">
+<style>
+.target {
+    background-color: blue;
+}
+</style>
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+</head>
+<body class="target">
+<script>
+document.write(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
+</script>
+</body>
+</html>
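Review bot: This test only exercises `style-src 'none'`; a policy such as `style-src 'self'` (a source list without `'unsafe-inline'`) must also block the `<style>` block per the spec text cited in the ChangeLog, and that path is not covered. Consider adding a second blocked case with a non-empty source list so the `allowInline()` check, rather than just the empty-list case, is what the test verifies.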
index 437269d..267d5da 100644 (file)
@@ -1,3 +1,25 @@
+2011-04-29  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        style-src should block inline style from <style>
+        https://bugs.webkit.org/show_bug.cgi?id=59292
+
+        The spec has been updated to allow blocking of inline styles with
+        style-src.  This will help folks defend against tricky CSS3 injections.
+
+        This patch covers the <style> case.  The next patch will cover the
+        @style case.
+
+        Tests: http/tests/security/contentSecurityPolicy/inline-style-allowed.html
+               http/tests/security/contentSecurityPolicy/inline-style-blocked.html
+
+        * dom/StyleElement.cpp:
+        (WebCore::StyleElement::createSheet):
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowInlineStyle):
+        * page/ContentSecurityPolicy.h:
+
 2011-04-29  Chris Evans  <cevans@chromium.org>
 
         Reviewed by Adam Barth.
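Review bot: The ChangeLog entry for `dom/StyleElement.cpp` lists only `createSheet`, but the patch also introduces the new static helper `isCSS`; per WebKit ChangeLog convention, add a `(WebCore::isCSS):` line under `* dom/StyleElement.cpp:` so the new function is documented.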
index 9892ed7..5b0e2ad 100644 (file)
@@ -22,6 +22,7 @@
 #include "StyleElement.h"
 
 #include "Attribute.h"
+#include "ContentSecurityPolicy.h"
 #include "Document.h"
 #include "Element.h"
 #include "MediaList.h"
@@ -36,7 +37,12 @@ static bool isValidStyleChild(Node* node)
     Node::NodeType nodeType = node->nodeType();
     return nodeType == Node::TEXT_NODE || nodeType == Node::CDATA_SECTION_NODE;
 }
-    
+
+static bool isCSS(Element* element, const AtomicString& type)
+{
+    return type.isEmpty() || (element->isHTMLElement() ? equalIgnoringCase(type, "text/css") : (type == "text/css"));
+}
+
 StyleElement::StyleElement(Document* document, bool createdByParser)
     : m_createdByParser(createdByParser)
     , m_loading(false)
@@ -140,7 +146,7 @@ void StyleElement::createSheet(Element* e, int startLineNumber, const String& te
 
     // If type is empty or CSS, this is a CSS style sheet.
     const AtomicString& type = this->type();
-    if (type.isEmpty() || (e->isHTMLElement() ? equalIgnoringCase(type, "text/css") : (type == "text/css"))) {
+    if (document->contentSecurityPolicy()->allowInlineStyle() && isCSS(e, type)) {
         RefPtr<MediaList> mediaList = MediaList::create(media(), e->isHTMLElement());
         MediaQueryEvaluator screenEval("screen", true);
         MediaQueryEvaluator printEval("print", true);
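Review bot: The order of the `&&` in the new condition means `allowInlineStyle()` runs (and reports a violation to the console) before `isCSS(e, type)` is consulted, so a `<style type="text/foo">` that would never have become a sheet still produces a "Refused to apply inline style" report under a restrictive `style-src`. Swapping the operands, `if (isCSS(e, type) && document->contentSecurityPolicy()->allowInlineStyle())`, keeps the violation report limited to content that would actually have been applied; note too that `startLineNumber` is available here but is not passed down to the CSP check.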
index e9e80d6..67f26a2 100644 (file)
@@ -533,6 +533,16 @@ bool ContentSecurityPolicy::allowInlineScript() const
     return false;
 }
 
+bool ContentSecurityPolicy::allowInlineStyle() const
+{
+    if (!m_styleSrc || m_styleSrc->allowInline())
+        return true;
+
+    DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because of Content-Security-Policy.\n"));
+    reportViolation(m_styleSrc->text(), consoleMessage);
+    return false;
+}
+
 bool ContentSecurityPolicy::allowEval() const
 {
     if (!m_scriptSrc || m_scriptSrc->allowEval())
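Review bot: `allowInlineStyle()` takes no line number, so the violation is reported without the source position even though the caller `StyleElement::createSheet` already has `startLineNumber` in hand, which is why the expected output records `line 1` for a `<style>` on line 5. Consider giving this method (and its declaration in the header) a line-number parameter, or reporting through whatever `reportViolation` overload carries a position, so authors can locate the offending element; otherwise the structure mirrors `allowInlineScript()` above and looks correct.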
index f947893..f50e1d3 100644 (file)
@@ -48,6 +48,7 @@ public:
     bool allowJavaScriptURLs() const;
     bool allowInlineEventHandlers() const;
     bool allowInlineScript() const;
+    bool allowInlineStyle() const;
     bool allowEval() const;
 
     bool allowScriptFromSource(const KURL&) const;