https://bugs.webkit.org/show_bug.cgi?id=71426
Reviewed by Eric Seidel.
Source/WebCore:
It was somewhat unclear how CSP should treat plugins that lacked a URL
because most of the CSP rules are URL-based. At TPAC, we decided to
treat "empty" URLs as if they were the URL of the document. That
means you can use plugins with no URL if you've included 'self' in
object-src, but you can also block them by using 'none' as your
object-src.
Tests: http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html
http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html
http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
http/tests/security/contentSecurityPolicy/object-src-none-blocked.html
* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirective::CSPDirective):
(WebCore::CSPDirective::allows):
(WebCore::ContentSecurityPolicy::createCSPDirective):
LayoutTests:
* http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html: Added.
- Test the allow and block cases for plugins with no URL.
* http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Added.
- Somehow these tests got deleted from the repository. This patch just re-adds them.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@99143 268f45cc-cd09-0410-ab3c-d52691b4dbfc
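
The rule described in the commit message above, as an added sketch that is not part of the WebKit patch: a simplified JavaScript model of an `object-src` check in which an empty plugin URL is replaced by the document's URL before matching. `makeDirective`, `parseSourceList`, `sameOrigin` and the sample URLs are hypothetical names and constructed values; only `'none'`, `'self'`, `*` and `scheme://host[:port]` sources are modelled.

```javascript
// Added illustration: a simplified model of the rule, not WebKit's CSPSourceList.

function parseSourceList(value) {
  // The single keyword 'none' (or an empty value) yields a list that matches nothing.
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 1 && tokens[0].toLowerCase() === "'none'") return [];
  return tokens;
}

// Opaque origins serialize as "null" and must never compare equal to each other.
function sameOrigin(a, b) {
  return a.origin !== "null" && a.origin === b.origin;
}

function makeDirective(value, documentURL) {
  const selfURL = new URL(documentURL);
  const sources = parseSourceList(value);

  function matches(url) {
    return sources.some((source) => {
      if (source === "*") return true;
      if (source.toLowerCase() === "'self'") return sameOrigin(url, selfURL);
      try {
        return sameOrigin(new URL(source), url);
      } catch (e) {
        return false; // source expression not supported by this model
      }
    });
  }

  return {
    // resourceURL is "" for a plugin element that carries no URL at all.
    allows(resourceURL) {
      const url = resourceURL === "" ? selfURL : new URL(resourceURL, selfURL);
      return matches(url);
    },
  };
}

// Constructed document URL for the demonstration.
const doc = "http://127.0.0.1:8000/security/contentSecurityPolicy/page.html";

function demo() {
  return {
    selfNoURL: makeDirective("'self'", doc).allows(""),
    noneNoURL: makeDirective("'none'", doc).allows(""),
    otherHostNoURL: makeDirective("http://plugins.example", doc).allows(""),
    selfCrossOrigin: makeDirective("'self'", doc).allows("http://plugins.example/a.swf"),
  };
}
console.log(demo());
```

The `otherHostNoURL` case shows a consequence of the rule: a policy whose `object-src` lists only a foreign host also blocks plugins that have no URL, because the document's own URL does not match that host.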
+2011-11-02 Adam Barth <abarth@webkit.org>
+
+ CSP should handle empty URLs as agreed at TPAC
+ https://bugs.webkit.org/show_bug.cgi?id=71426
+
+ Reviewed by Eric Seidel.
+
+ * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html: Added.
+ - Test the allow and block cases for plugins with no URL.
+ * http/tests/security/contentSecurityPolicy/object-src-none-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/object-src-none-blocked.html: Added.
+ - Somehow these tests got deleted from the repository. This patch just re-adds them.
+
2011-11-02 Andrey Kosyakov <caseq@chromium.org>
Unerviewed gardening.
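Review bot: the object-src-none-allowed.html and object-src-none-blocked.html entries re-add only the .html files, while each no-url test comes with an -expected.txt. Both re-added tests call dumpAsText() and dumpChildFramesAsText(), so please confirm that their expected results are still in the tree, or add them in this patch so the tests have a baseline to compare against.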
--- /dev/null
+This test passes if there isn't a console message saying the plugin was blocked.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<meta http-equiv="X-WebKit-CSP" content="object-src 'self'">
+</head>
+<body>
+This test passes if there isn't a console message saying the plugin was blocked.
+<object type="application/x-webkit-test-netscape"></object>
+</body>
+</html>
+
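Review bot: the pass condition in object-src-no-url-allowed.html is purely negative (no "blocked" console message), so the test also passes if the plugin fails to instantiate for a reason unrelated to CSP. Consider having the page report positively that the <object> loaded, so the expected output distinguishes "allowed and running" from "never loaded".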
--- /dev/null
+CONSOLE MESSAGE: line 1: Refused to load object from '' because of Content-Security-Policy.
+
+This test passes if there is a console message saying the plugin was blocked.
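Review bot: the expected console line reads "Refused to load object from ''", which gives a page author nothing to go on now that an empty URL is checked as the document's URL. It would help if the message said that the object has no URL, or named the URL actually compared against object-src, so that a refusal under a policy other than 'none' can be diagnosed from the console alone.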
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<meta http-equiv="X-WebKit-CSP" content="object-src 'none'">
+</head>
+<body>
+This test passes if there is a console message saying the plugin was blocked.
+<object type="application/x-webkit-test-netscape"></object>
+</body>
+</html>
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+ <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-object-data.pl?q=data:application/x-webkit-test-netscape,alertwhenloaded&csp=img-src%20'none'"></iframe>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+ <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-object-data.pl?q=data:application/x-webkit-test-netscape,alertwhenloaded&csp=object-src%20'none'"></iframe>
+</body>
+</html>
+2011-11-02 Adam Barth <abarth@webkit.org>
+
+ CSP should handle empty URLs as agreed at TPAC
+ https://bugs.webkit.org/show_bug.cgi?id=71426
+
+ Reviewed by Eric Seidel.
+
+ It was somewhat unclear how CSP should treat plugins that lacked a URL
+ because most of the CSP rules are URL-based. At TPAC, we decided to
+ treat "empty" URLs as if there were the URL of the document. That
+ means you can use plugins with no URL if you've included 'self' in
+ object-src, but you can also block them by using 'none' as your
+ object-src.
+
+ Tests: http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html
+ http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html
+ http/tests/security/contentSecurityPolicy/object-src-none-allowed.html
+ http/tests/security/contentSecurityPolicy/object-src-none-blocked.html
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::CSPDirective::CSPDirective):
+ (WebCore::CSPDirective::allows):
+ (WebCore::ContentSecurityPolicy::createCSPDirective):
+
2011-11-02 Adam Barth <abarth@webkit.org>
Implement allow-popups for iframe@sandbox
class CSPDirective {
public:
- CSPDirective(const String& name, const String& value, SecurityOrigin* origin)
- : m_sourceList(origin)
+ CSPDirective(const String& name, const String& value, ScriptExecutionContext* context)
+ : m_sourceList(context->securityOrigin())
, m_text(name + ' ' + value)
+ , m_selfURL(context->url())
{
m_sourceList.parse(value);
}
bool allows(const KURL& url)
{
- return m_sourceList.matches(url);
+ return m_sourceList.matches(url.isEmpty() ? m_selfURL : url);
}
bool allowInline() const { return m_sourceList.allowInline(); }
private:
CSPSourceList m_sourceList;
String m_text;
+ KURL m_selfURL;
};
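Review bot: in allows(), the url.isEmpty() fallback lives in the generic CSPDirective, so it applies to every directive built through createCSPDirective and not only to object-src, while the description and all four tests cover plugins only. Please either state that the substitution is intended for all directives and add a test for a non-plugin one, or restrict it to the plugin check. Also worth a test: the source list is built from context->securityOrigin() but m_selfURL comes from context->url(), and the two may not agree (for instance in a document that inherits its origin), in which case 'self' would not match the substituted URL.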
ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
PassOwnPtr<CSPDirective> ContentSecurityPolicy::createCSPDirective(const String& name, const String& value)
{
- return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext->securityOrigin()));
+ return adoptPtr(new CSPDirective(name, value, m_scriptExecutionContext));
}
void ContentSecurityPolicy::addDirective(const String& name, const String& value)