CSP should handle empty URLs as agreed at TPAC
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Nov 2011 06:46:45 +0000 (06:46 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Nov 2011 06:46:45 +0000 (06:46 +0000)
commit 7f385381de4dc89226690b095a84a4f4033c5b70
tree e663ee1321b1490c2f6ae74c32086e03d1d94e59
parent 13057012c13c3661dcadfd2500b1dcb8ab69c095
CSP should handle empty URLs as agreed at TPAC
https://bugs.webkit.org/show_bug.cgi?id=71426

Reviewed by Eric Seidel.

Source/WebCore:

It was somewhat unclear how CSP should treat plugins that lacked a URL
because most of the CSP rules are URL-based.  At TPAC, we decided to
treat "empty" URLs as if they were the URL of the document.  That
means you can use plugins with no URL if you've included 'self' in
object-src, but you can also block them by using 'none' as your
object-src.

Tests: http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html
       http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html
       http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
       http/tests/security/contentSecurityPolicy/object-src-none-blocked.html

* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirective::CSPDirective):
(WebCore::CSPDirective::allows):
(WebCore::ContentSecurityPolicy::createCSPDirective):

LayoutTests:

* http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html: Added.
    - Test the allow and block cases for plugins with no URL.
* http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Added.
    - Somehow these tests got deleted from the repository.  This patch just re-adds them.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@99143 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/ContentSecurityPolicy.cpp
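
The rule described in the commit message, as an added JavaScript illustration (not WebKit's code and not part of this commit): a plugin with no URL is checked against object-src as if its URL were the document's URL. The names `parseSourceList`, `objectSrcAllows` and `SAMPLE_DOCUMENT_URL` are hypothetical, and the matcher is simplified to 'none', 'self' and exact origins.

```javascript
// Added illustration; all names here are hypothetical, not WebKit identifiers.
// Constructed sample document URL used by the checks that accompany this example.
const SAMPLE_DOCUMENT_URL = "http://127.0.0.1:8000/page.html";

// Split an object-src value into source expressions.
// 'none' on its own (or an empty list) matches nothing; mixed with other
// sources it is ignored.
function parseSourceList(value) {
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  return tokens.filter((t) => t.toLowerCase() !== "'none'");
}

// Decide whether a plugin load is allowed by the given object-src value.
// pluginUrl may be "" or null for a plugin that has no URL at all.
function objectSrcAllows(sourceList, pluginUrl, documentUrl) {
  const doc = new URL(documentUrl);

  // The empty-URL rule: no plugin URL means "use the document's URL".
  const effective =
    pluginUrl === "" || pluginUrl == null ? doc : new URL(pluginUrl, doc);

  return parseSourceList(sourceList).some((src) => {
    if (src.toLowerCase() === "'self'") {
      return effective.origin === doc.origin;
    }
    try {
      // Simplification: only exact scheme://host[:port] origins are matched.
      return new URL(src).origin === effective.origin;
    } catch {
      return false; // source expression not supported by this sketch
    }
  });
}
```

With this rule a policy that lists only third-party origins also blocks URL-less plugins, because the effective URL is same-origin with the document and nothing in the list matches it.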