CSP should handle empty URLs as agreed at TPAC
authorabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Nov 2011 06:46:45 +0000 (06:46 +0000)
committerabarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 3 Nov 2011 06:46:45 +0000 (06:46 +0000)
https://bugs.webkit.org/show_bug.cgi?id=71426

Reviewed by Eric Seidel.

Source/WebCore:

It was somewhat unclear how CSP should treat plugins that lacked a URL
because most of the CSP rules are URL-based.  At TPAC, we decided to
treat "empty" URLs as if they were the URL of the document.  That
means you can use plugins with no URL if you've included 'self' in
object-src, but you can also block them by using 'none' as your
object-src.

Tests: http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html
       http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html
       http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
       http/tests/security/contentSecurityPolicy/object-src-none-blocked.html

* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirective::CSPDirective):
(WebCore::CSPDirective::allows):
(WebCore::ContentSecurityPolicy::createCSPDirective):

LayoutTests:

* http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html: Added.
    - Test the allow and block cases for plugins with no URL.
* http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Added.
    - Somehow these tests got deleted from the repository.  This patch just re-adds them.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@99143 268f45cc-cd09-0410-ab3c-d52691b4dbfc
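As an added illustration (not WebKit's code and not part of this commit), the following self-contained C++ models the rule the commit message describes: a minimal object-src source list in which an empty plugin URL is matched as if it were the document's URL, so that 'self' admits URL-less plugins and 'none' refuses them. The `Policy` struct, `parsePolicy`, `originOf` and `allows` are hypothetical names standing in for WebKit's `CSPDirective`/`CSPSourceList`; the document and host URLs are constructed sample values, and 'none' is simplified to override every other source.

```cpp
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical, simplified model of one CSP directive's source list.
// It is an illustration only, not WebKit's CSPDirective or CSPSourceList.
struct Policy {
    bool allowNone = false;          // directive contains 'none'
    bool allowSelf = false;          // directive contains 'self'
    std::vector<std::string> hosts;  // explicit scheme://host[:port] sources
    std::string selfURL;             // document URL captured when the directive is created
};

// Reduce "scheme://host[:port][/path...]" to "scheme://host[:port]".
// Returns "" for anything without a "://" separator.
static std::string originOf(const std::string& url) {
    const auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return "";
    const auto pathStart = url.find('/', schemeEnd + 3);
    return url.substr(0, pathStart == std::string::npos ? url.size() : pathStart);
}

// Parse a whitespace-separated source list such as "'self' http://example.com".
Policy parsePolicy(const std::string& value, const std::string& documentURL) {
    Policy p;
    p.selfURL = documentURL;
    std::istringstream in(value);
    std::string token;
    while (in >> token) {
        if (token == "'none'")
            p.allowNone = true;
        else if (token == "'self'")
            p.allowSelf = true;
        else
            p.hosts.push_back(token);
    }
    return p;
}

// The rule under discussion: an empty URL is evaluated as the document URL.
bool allows(const Policy& p, const std::string& url) {
    const std::string& effective = url.empty() ? p.selfURL : url;
    if (p.allowNone)
        return false;  // 'none' refuses everything, including URL-less plugins
    const std::string origin = originOf(effective);
    if (p.allowSelf && origin == originOf(p.selfURL))
        return true;
    for (const auto& host : p.hosts)
        if (host == origin)
            return true;
    return false;
}

int main() {
    // Constructed sample document URL, mirroring the layout-test host.
    const std::string doc = "http://127.0.0.1:8000/security/test.html";
    const Policy self = parsePolicy("'self'", doc);
    const Policy none = parsePolicy("'none'", doc);
    const Policy host = parsePolicy("http://example.com", doc);
    std::printf("object-src 'self', empty URL: %s\n", allows(self, "") ? "allowed" : "blocked");
    std::printf("object-src 'none', empty URL: %s\n", allows(none, "") ? "allowed" : "blocked");
    std::printf("object-src host,   empty URL: %s\n", allows(host, "") ? "allowed" : "blocked");
    return 0;
}
```

Note the third case: a host-only source list that does not mention the document's origin blocks URL-less plugins as well, because the empty URL is compared as the document URL rather than as a wildcard.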

LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/ContentSecurityPolicy.cpp

index 7a5110c5ff8c9a04c834ef8a4b8316f65c19ed41..442ae7508e7056245668a1ac4599777eaa760173 100644 (file)
@@ -1,3 +1,19 @@
+2011-11-02  Adam Barth  <abarth@webkit.org>
+
+        CSP should handle empty URLs as agreed at TPAC
+        https://bugs.webkit.org/show_bug.cgi?id=71426
+
+        Reviewed by Eric Seidel.
+
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html: Added.
+            - Test the allow and block cases for plugins with no URL.
+        * http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Added.
+            - Somehow these tests got deleted from the repository.  This patch just re-adds them.
+
 2011-11-02  Andrey Kosyakov  <caseq@chromium.org>
 
         Unerviewed gardening.
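Review bot: the entry lists object-src-none-allowed.html and object-src-none-blocked.html as re-added without a matching -expected.txt for either, while both no-url tests get an expected file; the "somehow these tests got deleted" line should say whether the expected results for the 'none' tests still exist in the repository or need re-adding in the same change.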
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt
new file mode 100644 (file)
index 0000000..6d4b948
--- /dev/null
@@ -0,0 +1 @@
+This test passes if there isn't a console message saying the plugin was blocked. 
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html
new file mode 100644 (file)
index 0000000..7e9fcb9
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+  layoutTestController.dumpAsText();
+</script>
+<meta http-equiv="X-WebKit-CSP" content="object-src 'self'">
+</head>
+<body>
+This test passes if there isn't a console message saying the plugin was blocked.
+<object type="application/x-webkit-test-netscape"></object>
+</body>
+</html>
+
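Review bot: the final `+` line adds an empty line after `</html>`; drop it so the file matches object-src-none-allowed.html, which ends at `</html>`. Also, passing on the mere absence of a "blocked" console message means a run in which the plugin never instantiates still passes; having the test plugin report that it loaded (as the 'none' tests do with `alertwhenloaded`) would turn the allow case into a positive check.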
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt
new file mode 100644 (file)
index 0000000..0821230
--- /dev/null
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Refused to load object from '' because of Content-Security-Policy.
+
+This test passes if there is a console message saying the plugin was blocked. 
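Review bot: the expected message "Refused to load object from ''" tells a developer only that an empty URL was refused, not that it was evaluated as the document URL per the new rule; consider wording the console message so the empty-URL case is recognisable, otherwise an author who set object-src 'none' expecting only remote plugins to be blocked has no hint why an inline `<object>` failed.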
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html
new file mode 100644 (file)
index 0000000..4b5f86f
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+  layoutTestController.dumpAsText();
+</script>
+<meta http-equiv="X-WebKit-CSP" content="object-src 'none'">
+</head>
+<body>
+This test passes if there is a console message saying the plugin was blocked.
+<object type="application/x-webkit-test-netscape"></object>
+</body>
+</html>
+
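Review bot: same trailing empty `+` line after `</html>` as in object-src-no-url-allowed.html; remove it for consistency with the other test files in this directory.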
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
new file mode 100644 (file)
index 0000000..b15b3ee
--- /dev/null
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-object-data.pl?q=data:application/x-webkit-test-netscape,alertwhenloaded&csp=img-src%20'none'"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-blocked.html
new file mode 100644 (file)
index 0000000..f64f833
--- /dev/null
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-object-data.pl?q=data:application/x-webkit-test-netscape,alertwhenloaded&csp=object-src%20'none'"></iframe>
+</body>
+</html>
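Review bot: the only difference between object-src-none-allowed.html and object-src-none-blocked.html is the `csp=` query string (img-src 'none' versus object-src 'none'), and neither file states its intended outcome; add a one-line body text such as the no-url tests carry ("This test passes if ...") so the dumped result is self-describing, and note in the ChangeLog that echo-object-data.pl is an existing resource these tests depend on.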
index b6d95c2df6e216751a1224003bb469b16a4b5b29..046fc4b5f443a3996232fa56c16157472f445a1a 100644 (file)
@@ -1,3 +1,27 @@
+2011-11-02  Adam Barth  <abarth@webkit.org>
+
+        CSP should handle empty URLs as agreed at TPAC
+        https://bugs.webkit.org/show_bug.cgi?id=71426
+
+        Reviewed by Eric Seidel.
+
+        It was somewhat unclear how CSP should treat plugins that lacked a URL
+        because most of the CSP rules are URL-based.  At TPAC, we decided to
+        treat "empty" URLs as if there were the URL of the document.  That
+        means you can use plugins with no URL if you've included 'self' in
+        object-src, but you can also block them by using 'none' as your
+        object-src.
+
+        Tests: http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html
+               http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html
+               http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
+               http/tests/security/contentSecurityPolicy/object-src-none-blocked.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirective::CSPDirective):
+        (WebCore::CSPDirective::allows):
+        (WebCore::ContentSecurityPolicy::createCSPDirective):
+
 2011-11-02  Adam Barth  <abarth@webkit.org>
 
         Implement allow-popups for iframe@sandbox
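Review bot: typo in the new ChangeLog description, "treat "empty" URLs as if there were the URL of the document" should read "as if they were the URL of the document".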
index cc38a2bfd644b4394f7b1e6d31a6ded8556d8fce..e203cddd1e7557fddd99aeb036f26cb5b23aa2d9 100644 (file)
@@ -458,16 +458,17 @@ void CSPSourceList::addSourceUnsafeEval()
 
 class CSPDirective {
 public:
-    CSPDirective(const String& name, const String& value, SecurityOrigin* origin)
-        : m_sourceList(origin)
+    CSPDirective(const String& name, const String& value, ScriptExecutionContext* context)
+        : m_sourceList(context->securityOrigin())
         , m_text(name + ' ' + value)
+        , m_selfURL(context->url())
     {
         m_sourceList.parse(value);
     }
 
     bool allows(const KURL& url)
     {
-        return m_sourceList.matches(url);
+        return m_sourceList.matches(url.isEmpty() ? m_selfURL : url);
     }
 
     bool allowInline() const { return m_sourceList.allowInline(); }
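Review bot: `m_selfURL` is captured once from `context->url()` in the constructor, so if the document's URL changes after the policy is parsed (history.pushState or document.open), `allows()` will compare an empty plugin URL against a stale value; either read the context URL at match time or add a comment stating that capture-at-parse is intended. A short comment on `return m_sourceList.matches(url.isEmpty() ? m_selfURL : url);` citing the TPAC decision would also record the rationale in code; note that `isEmpty()` covers null and empty URLs only, so a non-empty but invalid URL still reaches `matches()` unchanged, which appears to be the intended behaviour.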
@@ -478,6 +479,7 @@ public:
 private:
     CSPSourceList m_sourceList;
     String m_text;
+    KURL m_selfURL;
 };
 
 ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
@@ -759,7 +761,7 @@ void ContentSecurityPolicy::parseReportURI(const String& value)
 
 PassOwnPtr<CSPDirective> ContentSecurityPolicy::createCSPDirective(const String& name, const String& value)
 {
-    return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext->securityOrigin()));
+    return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext));
 }
 
 void ContentSecurityPolicy::addDirective(const String& name, const String& value)