Inline script and style blocked by Content Security Policy should provide more detail...
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 25 May 2012 23:29:45 +0000 (23:29 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 25 May 2012 23:29:45 +0000 (23:29 +0000)
https://bugs.webkit.org/show_bug.cgi?id=86848

Patch by Mike West <mkwst@chromium.org> on 2012-05-25
Reviewed by Adam Barth.

Source/WebCore:

This change adds a URL and line number for context to each call to
`ContentSecurityPolicy::allowInline*`, and pipes it through to the
console message generation in `CSPDirectiveList::reportViolation`.

Line numbers are not added for injected scripts (`document.write(...)`,
`document.body.appendChild`, and etc.).

Tests: http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html
       http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html
       http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html
       http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html

* bindings/ScriptControllerBase.cpp:
(WebCore::ScriptController::executeIfJavaScriptURL):
* bindings/js/JSLazyEventListener.cpp:
(WebCore::JSLazyEventListener::initializeJSFunction):
* bindings/v8/V8LazyEventListener.cpp:
(WebCore::V8LazyEventListener::prepareListenerObject):
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::ScriptElement):
(WebCore::ScriptElement::executeScript):
* dom/ScriptElement.h:
(ScriptElement):
* dom/StyleElement.cpp:
(WebCore::StyleElement::StyleElement):
(WebCore::StyleElement::createSheet):
* dom/StyleElement.h:
(StyleElement):
* dom/StyledElement.cpp:
(WebCore::StyledElement::StyledElement):
(WebCore):
(WebCore::StyledElement::style):
(WebCore::StyledElement::styleAttributeChanged):
* dom/StyledElement.h:
(StyledElement):
* page/ContentSecurityPolicy.cpp:
(CSPDirectiveList):
(WebCore::CSPDirectiveList::reportViolation):
(WebCore::CSPDirectiveList::checkInlineAndReportViolation):
(WebCore::CSPDirectiveList::checkEvalAndReportViolation):
(WebCore::CSPDirectiveList::allowJavaScriptURLs):
(WebCore::CSPDirectiveList::allowInlineEventHandlers):
(WebCore::CSPDirectiveList::allowInlineScript):
(WebCore::CSPDirectiveList::allowInlineStyle):
(WebCore::CSPDirectiveList::allowEval):
(WebCore):
(WebCore::isAllowedByAllWithCallStack):
(WebCore::isAllowedByAllWithContext):
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
(WebCore::ContentSecurityPolicy::allowInlineScript):
(WebCore::ContentSecurityPolicy::allowInlineStyle):
* page/ContentSecurityPolicy.h:
(WTF):

LayoutTests:

* http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt:
* http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt.
* http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
* http/tests/security/contentSecurityPolicy/resources/inject-script.js: Added.
* http/tests/security/contentSecurityPolicy/resources/inject-style.js: Added.
* http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
* http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118585 268f45cc-cd09-0410-ab3c-d52691b4dbfc

38 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/resources/inject-script.js [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/inject-style.js [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/bindings/ScriptControllerBase.cpp
Source/WebCore/bindings/js/JSLazyEventListener.cpp
Source/WebCore/bindings/v8/V8LazyEventListener.cpp
Source/WebCore/dom/ScriptElement.cpp
Source/WebCore/dom/ScriptElement.h
Source/WebCore/dom/StyleElement.cpp
Source/WebCore/dom/StyleElement.h
Source/WebCore/dom/StyledElement.cpp
Source/WebCore/dom/StyledElement.h
Source/WebCore/page/ContentSecurityPolicy.cpp
Source/WebCore/page/ContentSecurityPolicy.h

index ccddb07..85bc742 100644 (file)
@@ -1,3 +1,36 @@
+2012-05-25  Mike West  <mkwst@chromium.org>
+
+        Inline script and style blocked by Content Security Policy should provide more detailed console errors.
+        https://bugs.webkit.org/show_bug.cgi?id=86848
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt:
+        * http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt.
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+        * http/tests/security/contentSecurityPolicy/resources/inject-script.js: Added.
+        * http/tests/security/contentSecurityPolicy/resources/inject-style.js: Added.
+        * http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
+        * http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt:
+
 2012-05-25  Joshua Bell  <jsbell@chromium.org>
 
         [Chromium] Add missing expectations needed after http://trac.webkit.org/changeset/118577/
index 7560419..0124fe8 100644 (file)
@@ -1,5 +1,5 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 11: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
-CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
+CONSOLE MESSAGE: line 14: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
 
 This test checks that we enforce all the supplied policies. This test passes if it doesn't alert fail and if the style doesn't apply.
index d685cad..02915bd 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
+CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
 
 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
 
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt
new file mode 100644 (file)
index 0000000..aa9858b
--- /dev/null
@@ -0,0 +1,3 @@
+ALERT: Pass 1 of 2
+ALERT: Pass 2 of 2
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html
new file mode 100644 (file)
index 0000000..ceb27d5
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:* 'unsafe-inline'">
+<script src="resources/dump-as-text.js"></script>
+</head>
+<body>
+<script src="resources/inject-script.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt
new file mode 100644 (file)
index 0000000..c159ea8
--- /dev/null
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
+
+CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html
new file mode 100644 (file)
index 0000000..610868b
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:*">
+<script src="resources/dump-as-text.js"></script>
+</head>
+<body>
+<script src="resources/inject-script.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt
new file mode 100644 (file)
index 0000000..43818a9
--- /dev/null
@@ -0,0 +1 @@
+PASS: 2 stylesheets on the page.
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html
new file mode 100644 (file)
index 0000000..d72fd36
--- /dev/null
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="style-src 'unsafe-inline'">
+<script src="resources/dump-as-text.js"></script>
+</head>
+<body>
+<div id="test1">
+  FAIL 1/2
+</div>
+<div id="test2">
+  FAIL 2/2
+</div>
+<script src="resources/inject-style.js"></script>
+<script>
+  if (document.styleSheets.length === 2)
+    document.write("PASS: 2 stylesheets on the page.");
+  else
+    document.write("FAIL: " + document.styleSheets.length + " stylesheets on the page (should be 2).");
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt
new file mode 100644 (file)
index 0000000..e2641d1
--- /dev/null
@@ -0,0 +1,7 @@
+CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
+
+CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
+
+PASS 1/2
+PASS 2/2
+0
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html
new file mode 100644 (file)
index 0000000..a0c8f82
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="style-src 'none'">
+<script src="resources/dump-as-text.js"></script>
+</head>
+<body>
+<div id="test1">
+  PASS 1/2
+</div>
+<div id="test2">
+  PASS 2/2
+</div>
+<script src="resources/inject-style.js"></script>
+<script>
+document.write(document.styleSheets.length);
+</script>
+</body>
+</html>
index 0cead61..584a13b 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
+CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
 
 CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
 
index 5bb045c..5358c05 100644 (file)
@@ -1,7 +1,7 @@
 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
 
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
+CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
 
-CONSOLE MESSAGE: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
+CONSOLE MESSAGE: line 7: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
 
 This test passes if it doesn't alert fail.
index ed06244..954501c 100644 (file)
@@ -4,6 +4,6 @@ CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
 
 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
 
-CONSOLE MESSAGE: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
+CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
 
 This test passes if it doesn't alert fail. 
index 7325462..e7a6883 100644 (file)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
+CONSOLE MESSAGE: line 10: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
 
 PASS
index 7325462..9630d7a 100644 (file)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
+CONSOLE MESSAGE: line 5: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'".
 
 PASS
index 8e2dc33..1ca9262 100644 (file)
@@ -4,7 +4,7 @@ CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
 
 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
 
-CONSOLE MESSAGE: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'".
+CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "script-src 'none'".
 
 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
 
index 2d3b2ab..9aefa4c 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 3: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 ALERT: PASS
 CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
index 74dc5d6..a1edf3a 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 2: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 ALERT: PASS
 CSP report received:
index ace1646..cec2c28 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 1: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 ALERT: PASS
 CSP report received:
index b8050ff..56a6ef6 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 2: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 CSP report received:
 CONTENT_TYPE: application/json
index 25de8e1..8430c30 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 2: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 
 
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/inject-script.js b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/inject-script.js
new file mode 100644 (file)
index 0000000..756baff
--- /dev/null
@@ -0,0 +1,5 @@
+document.write("<script>alert('Pass 1 of 2');</script>");
+
+var s = document.createElement('script');
+s.innerText = "alert('Pass 2 of 2');";
+document.body.appendChild(s);
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/inject-style.js b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/inject-style.js
new file mode 100644 (file)
index 0000000..219d8f5
--- /dev/null
@@ -0,0 +1,5 @@
+document.write("<style>#test1 { display: none; }</style>");
+
+var s = document.createElement('style');
+s.innerText = "#test2 { display: none; }";
+document.body.appendChild(s);
index d31b1ce..fe1cc2f 100644 (file)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'none'".
+CONSOLE MESSAGE: line 3: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'none'".
 
   
 
index 7a5fde3..1a29479 100644 (file)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
+CONSOLE MESSAGE: line 1: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'".
 
 This test passes if it doesn't alert fail. 
index d2f765a..28260c9 100644 (file)
@@ -1,3 +1,65 @@
+2012-05-25  Mike West  <mkwst@chromium.org>
+
+        Inline script and style blocked by Content Security Policy should provide more detailed console errors.
+        https://bugs.webkit.org/show_bug.cgi?id=86848
+
+        Reviewed by Adam Barth.
+
+        This change adds a URL and line number for context to each call to
+        `ContentSecurityPolicy::allowInline*`, and pipes it through to the
+        console message generation in `CSPDirectiveList::reportViolation`.
+
+        Line numbers are not added for injected scripts (`document.write(...)`,
+        `document.body.appendChild`, and etc.).
+
+        Tests: http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html
+               http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html
+               http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html
+               http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html
+
+        * bindings/ScriptControllerBase.cpp:
+        (WebCore::ScriptController::executeIfJavaScriptURL):
+        * bindings/js/JSLazyEventListener.cpp:
+        (WebCore::JSLazyEventListener::initializeJSFunction):
+        * bindings/v8/V8LazyEventListener.cpp:
+        (WebCore::V8LazyEventListener::prepareListenerObject):
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::ScriptElement):
+        (WebCore::ScriptElement::executeScript):
+        * dom/ScriptElement.h:
+        (ScriptElement):
+        * dom/StyleElement.cpp:
+        (WebCore::StyleElement::StyleElement):
+        (WebCore::StyleElement::createSheet):
+        * dom/StyleElement.h:
+        (StyleElement):
+        * dom/StyledElement.cpp:
+        (WebCore::StyledElement::StyledElement):
+        (WebCore):
+        (WebCore::StyledElement::style):
+        (WebCore::StyledElement::styleAttributeChanged):
+        * dom/StyledElement.h:
+        (StyledElement):
+        * page/ContentSecurityPolicy.cpp:
+        (CSPDirectiveList):
+        (WebCore::CSPDirectiveList::reportViolation):
+        (WebCore::CSPDirectiveList::checkInlineAndReportViolation):
+        (WebCore::CSPDirectiveList::checkEvalAndReportViolation):
+        (WebCore::CSPDirectiveList::allowJavaScriptURLs):
+        (WebCore::CSPDirectiveList::allowInlineEventHandlers):
+        (WebCore::CSPDirectiveList::allowInlineScript):
+        (WebCore::CSPDirectiveList::allowInlineStyle):
+        (WebCore::CSPDirectiveList::allowEval):
+        (WebCore):
+        (WebCore::isAllowedByAllWithCallStack):
+        (WebCore::isAllowedByAllWithContext):
+        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
+        (WebCore::ContentSecurityPolicy::allowInlineScript):
+        (WebCore::ContentSecurityPolicy::allowInlineStyle):
+        * page/ContentSecurityPolicy.h:
+        (WTF):
+
 2012-05-25  Tim Horton  <timothy_horton@apple.com>
 
         ENABLE_CSS3_FLEXBOX is insufficient to disable all web-facing bits of the feature
index 855158a..9b006d2 100644 (file)
@@ -32,6 +32,7 @@
 #include "SecurityOrigin.h"
 #include "Settings.h"
 #include "UserGestureIndicator.h"
+#include <wtf/text/TextPosition.h>
 
 namespace WebCore {
 
@@ -75,7 +76,7 @@ bool ScriptController::executeIfJavaScriptURL(const KURL& url, ShouldReplaceDocu
 
     if (!m_frame->page()
         || !m_frame->page()->javaScriptURLsAreAllowed()
-        || !m_frame->document()->contentSecurityPolicy()->allowJavaScriptURLs()
+        || !m_frame->document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame->document()->url(), eventHandlerPosition().m_line)
         || m_frame->inViewSourceMode())
         return true;
 
index f11bf90..64f9cb9 100644 (file)
@@ -80,7 +80,7 @@ JSObject* JSLazyEventListener::initializeJSFunction(ScriptExecutionContext* exec
     if (!document->frame())
         return 0;
 
-    if (!document->contentSecurityPolicy()->allowInlineEventHandlers())
+    if (!document->contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL, m_position.m_line))
         return 0;
 
     ScriptController* script = document->frame()->script();
index 7332318..ef4592e 100644 (file)
@@ -105,7 +105,7 @@ void V8LazyEventListener::prepareListenerObject(ScriptExecutionContext* context)
     if (hasExistingListenerObject())
         return;
 
-    if (context->isDocument() && !static_cast<Document*>(context)->contentSecurityPolicy()->allowInlineEventHandlers())
+    if (context->isDocument() && !static_cast<Document*>(context)->contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL, m_position.m_line))
         return;
 
     v8::HandleScope handleScope;
index aefdddb..746e6c3 100644 (file)
 #include "ScriptRunner.h"
 #include "ScriptSourceCode.h"
 #include "ScriptValue.h"
+#include "ScriptableDocumentParser.h"
 #include "SecurityOrigin.h"
 #include "Settings.h"
 #include "Text.h"
 #include <wtf/StdLibExtras.h>
 #include <wtf/text/StringBuilder.h>
 #include <wtf/text/StringHash.h>
+#include <wtf/text/TextPosition.h>
 
 #if ENABLE(SVG)
 #include "SVGNames.h"
@@ -58,6 +60,7 @@ namespace WebCore {
 ScriptElement::ScriptElement(Element* element, bool parserInserted, bool alreadyStarted)
     : m_element(element)
     , m_cachedScript(0)
+    , m_startLineNumber(WTF::OrdinalNumber::beforeFirst())
     , m_parserInserted(parserInserted)
     , m_isExternalScript(false)
     , m_alreadyStarted(alreadyStarted)
@@ -70,6 +73,8 @@ ScriptElement::ScriptElement(Element* element, bool parserInserted, bool already
     , m_requestUsesAccessControl(false)
 {
     ASSERT(m_element);
+    if (parserInserted && m_element->document()->scriptableDocumentParser() && !m_element->document()->isInDocumentWrite())
+        m_startLineNumber = m_element->document()->scriptableDocumentParser()->lineNumber();
 }
 
 ScriptElement::~ScriptElement()
@@ -276,7 +281,7 @@ void ScriptElement::executeScript(const ScriptSourceCode& sourceCode)
     if (sourceCode.isEmpty())
         return;
 
-    if (!m_isExternalScript && !m_element->document()->contentSecurityPolicy()->allowInlineScript())
+    if (!m_isExternalScript && !m_element->document()->contentSecurityPolicy()->allowInlineScript(m_element->document()->url(), m_startLineNumber))
         return;
 
     RefPtr<Document> document = m_element->document();
index 6bec56d..5f98d75 100644 (file)
@@ -93,6 +93,7 @@ private:
 
     Element* m_element;
     CachedResourceHandle<CachedScript> m_cachedScript;
+    WTF::OrdinalNumber m_startLineNumber;
     bool m_parserInserted : 1;
     bool m_isExternalScript : 1;
     bool m_alreadyStarted : 1;
index 090c40c..dd4de29 100644 (file)
@@ -30,6 +30,7 @@
 #include "ScriptableDocumentParser.h"
 #include "StyleSheetContents.h"
 #include <wtf/text/StringBuilder.h>
+#include <wtf/text/TextPosition.h>
 
 namespace WebCore {
 
@@ -48,10 +49,10 @@ static bool isCSS(Element* element, const AtomicString& type)
 StyleElement::StyleElement(Document* document, bool createdByParser)
     : m_createdByParser(createdByParser)
     , m_loading(false)
-    , m_startLineNumber(0)
+    , m_startLineNumber(WTF::OrdinalNumber::beforeFirst())
 {
-    if (createdByParser && document && document->scriptableDocumentParser())
-        m_startLineNumber = document->scriptableDocumentParser()->lineNumber().zeroBasedInt();
+    if (createdByParser && document && document->scriptableDocumentParser() && !document->isInDocumentWrite())
+        m_startLineNumber = document->scriptableDocumentParser()->lineNumber();
 }
 
 StyleElement::~StyleElement()
@@ -144,7 +145,7 @@ void StyleElement::clearSheet()
     m_sheet = 0;
 }
 
-void StyleElement::createSheet(Element* e, int startLineNumber, const String& text)
+void StyleElement::createSheet(Element* e, WTF::OrdinalNumber startLineNumber, const String& text)
 {
     ASSERT(e);
     ASSERT(e->inDocument());
@@ -157,7 +158,7 @@ void StyleElement::createSheet(Element* e, int startLineNumber, const String& te
 
     // If type is empty or CSS, this is a CSS style sheet.
     const AtomicString& type = this->type();
-    if (document->contentSecurityPolicy()->allowInlineStyle() && isCSS(e, type)) {
+    if (document->contentSecurityPolicy()->allowInlineStyle(e->document()->url(), startLineNumber) && isCSS(e, type)) {
         RefPtr<MediaQuerySet> mediaQueries;
         if (e->isHTMLElement())
             mediaQueries = MediaQuerySet::createAllowingDescriptionSyntax(media());
@@ -173,8 +174,7 @@ void StyleElement::createSheet(Element* e, int startLineNumber, const String& te
             m_sheet = CSSStyleSheet::createInline(e, KURL(), document->inputEncoding());
             m_sheet->setMediaQueries(mediaQueries.release());
             m_sheet->setTitle(e->title());
-    
-            m_sheet->contents()->parseStringAtLine(text, startLineNumber);
+            m_sheet->contents()->parseStringAtLine(text, startLineNumber.zeroBasedInt());
 
             m_loading = false;
         }
index 3c31abb..6dd48ec 100644 (file)
@@ -22,6 +22,7 @@
 #define StyleElement_h
 
 #include "CSSStyleSheet.h"
+#include <wtf/text/TextPosition.h>
 
 namespace WebCore {
 
@@ -52,13 +53,13 @@ protected:
     RefPtr<CSSStyleSheet> m_sheet;
 
 private:
-    void createSheet(Element*, int startLineNumber, const String& text = String());
+    void createSheet(Element*, WTF::OrdinalNumber startLineNumber, const String& text = String());
     void process(Element*);
     void clearSheet();
 
     bool m_createdByParser;
     bool m_loading;
-    int m_startLineNumber;
+    WTF::OrdinalNumber m_startLineNumber;
 };
 
 }
index a992644..43747b8 100644 (file)
 #include "Document.h"
 #include "HTMLNames.h"
 #include "HTMLParserIdioms.h"
+#include "ScriptableDocumentParser.h"
 #include "StylePropertySet.h"
 #include "StyleResolver.h"
 #include <wtf/HashFunctions.h>
+#include <wtf/text/TextPosition.h>
 
 using namespace std;
 
@@ -126,13 +128,21 @@ void StyledElement::updateStyleAttribute() const
         const_cast<StyledElement*>(this)->setAttribute(styleAttr, inlineStyle->asText(), InUpdateStyleAttribute);
 }
 
+StyledElement::StyledElement(const QualifiedName& name, Document* document, ConstructionType type)
+    : Element(name, document, type)
+    , m_startLineNumber(WTF::OrdinalNumber::beforeFirst())
+{
+    if (document && document->scriptableDocumentParser() && !document->isInDocumentWrite())
+        m_startLineNumber = document->scriptableDocumentParser()->lineNumber();
+}
+
 StyledElement::~StyledElement()
 {
     destroyInlineStyle();
 }
 
-CSSStyleDeclaration* StyledElement::style() 
-{ 
+CSSStyleDeclaration* StyledElement::style()
+{
     return ensureAttributeData()->ensureMutableInlineStyle(this)->ensureInlineCSSStyleDeclaration(this); 
 }
 
@@ -173,7 +183,7 @@ void StyledElement::styleAttributeChanged(const AtomicString& newStyleString, Sh
     if (shouldReparse) {
         if (newStyleString.isNull())
             destroyInlineStyle();
-        else if (document()->contentSecurityPolicy()->allowInlineStyle())
+        else if (document()->contentSecurityPolicy()->allowInlineStyle(document()->url(), m_startLineNumber))
             ensureAttributeData()->updateInlineStyleAvoidingMutation(this, newStyleString);
         setIsStyleAttributeValid();
     }
index 6cf4145..4736a98 100644 (file)
@@ -27,6 +27,7 @@
 
 #include "Element.h"
 #include "StylePropertySet.h"
+#include <wtf/text/TextPosition.h>
 
 namespace WebCore {
 
@@ -62,10 +63,7 @@ public:
     void styleAttributeChanged(const AtomicString& newStyleString, ShouldReparseStyleAttribute = ReparseStyleAttribute);
 
 protected:
-    StyledElement(const QualifiedName& name, Document* document, ConstructionType type)
-        : Element(name, document, type)
-    {
-    }
+    StyledElement(const QualifiedName&, Document*, ConstructionType);
 
     virtual void attributeChanged(const Attribute&) OVERRIDE;
     virtual void parseAttribute(const Attribute&);
@@ -95,6 +93,8 @@ private:
         if (attributeData())
             attributeData()->destroyInlineStyle(this);
     }
+
+    WTF::OrdinalNumber m_startLineNumber;
 };
 
 inline const SpaceSplitString& StyledElement::classNames() const
index 45f76b0..2d75ad5 100644 (file)
 #include "FormData.h"
 #include "FormDataList.h"
 #include "Frame.h"
+#include "InspectorInstrumentation.h"
 #include "InspectorValues.h"
 #include "PingLoader.h"
 #include "ScriptCallStack.h"
 #include "SecurityOrigin.h"
 #include "TextEncoding.h"
+#include <wtf/text/TextPosition.h>
 #include <wtf/text/WTFString.h>
 
 namespace WebCore {
@@ -490,10 +492,10 @@ public:
     const String& header() const { return m_header; }
     ContentSecurityPolicy::HeaderType headerType() const { return m_reportOnly ? ContentSecurityPolicy::ReportOnly : ContentSecurityPolicy::EnforcePolicy; }
 
-    bool allowJavaScriptURLs() const;
-    bool allowInlineEventHandlers() const;
-    bool allowInlineScript() const;
-    bool allowInlineStyle() const;
+    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     bool allowEval(PassRefPtr<ScriptCallStack>) const;
 
     bool allowScriptFromSource(const KURL&) const;
@@ -518,12 +520,12 @@ private:
     PassOwnPtr<CSPDirective> createCSPDirective(const String& name, const String& value);
 
     CSPDirective* operativeDirective(CSPDirective*) const;
-    void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), PassRefPtr<ScriptCallStack> = 0) const;
+    void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
     void logUnrecognizedDirective(const String& name) const;
     bool checkEval(CSPDirective*) const;
 
-    bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const;
-    bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage, PassRefPtr<ScriptCallStack>) const;
+    bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool checkEvalAndReportViolation(CSPDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const;
     bool checkSourceAndReportViolation(CSPDirective*, const KURL&, const String& type) const;
 
     bool denyIfEnforcingPolicy() const { return m_reportOnly; }
@@ -575,10 +577,10 @@ PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ScriptExecutionContext* sc
     return policy.release();
 }
 
-void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, PassRefPtr<ScriptCallStack> callStack) const
+void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
 {
     String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
-    m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, String(), 0, callStack);
+    m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, contextURL, contextLine.oneBasedInt(), callStack);
 
     if (m_reportURIs.isEmpty())
         return;
@@ -638,19 +640,19 @@ CSPDirective* CSPDirectiveList::operativeDirective(CSPDirective* directive) cons
     return directive ? directive : m_defaultSrc.get();
 }
 
-bool CSPDirectiveList::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage) const
+bool CSPDirectiveList::checkInlineAndReportViolation(CSPDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     if (!directive || directive->allowInline())
         return true;
-    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n");
+    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
     return denyIfEnforcingPolicy();
 }
 
-bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage, PassRefPtr<ScriptCallStack> callStack) const
+bool CSPDirectiveList::checkEvalAndReportViolation(CSPDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const
 {
     if (checkEval(directive))
         return true;
-    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), callStack);
+    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine, callStack);
     return denyIfEnforcingPolicy();
 }
 
@@ -663,34 +665,34 @@ bool CSPDirectiveList::checkSourceAndReportViolation(CSPDirective* directive, co
     return denyIfEnforcingPolicy();
 }
 
-bool CSPDirectiveList::allowJavaScriptURLs() const
+bool CSPDirectiveList::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "));
-    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
+    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine);
 }
 
-bool CSPDirectiveList::allowInlineEventHandlers() const
+bool CSPDirectiveList::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline event handler because it violates the following Content Security Policy directive: "));
-    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
+    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine);
 }
 
-bool CSPDirectiveList::allowInlineScript() const
+bool CSPDirectiveList::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute inline script because it violates the following Content Security Policy directive: "));
-    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage);
+    return checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine);
 }
 
-bool CSPDirectiveList::allowInlineStyle() const
+bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to apply inline style because it violates the following Content Security Policy directive: "));
-    return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage);
+    return checkInlineAndReportViolation(operativeDirective(m_styleSrc.get()), consoleMessage, contextURL, contextLine);
 }
 
 bool CSPDirectiveList::allowEval(PassRefPtr<ScriptCallStack> callStack) const
 {
     DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to evaluate script because it violates the following Content Security Policy directive: "));
-    return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, callStack);
+    return checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), callStack);
 }
 
 bool CSPDirectiveList::allowScriptFromSource(const KURL& url) const
@@ -923,21 +925,21 @@ ContentSecurityPolicy::HeaderType ContentSecurityPolicy::deprecatedHeaderType()
     return m_policies.isEmpty() ? EnforcePolicy : m_policies[0]->headerType();
 }
 
-template<bool (CSPDirectiveList::*allowed)() const>
-bool isAllowedByAll(const CSPDirectiveListVector& policies)
+template<bool (CSPDirectiveList::*allowed)(PassRefPtr<ScriptCallStack>) const>
+bool isAllowedByAllWithCallStack(const CSPDirectiveListVector& policies, PassRefPtr<ScriptCallStack> callStack)
 {
     for (size_t i = 0; i < policies.size(); ++i) {
-        if (!(policies[i].get()->*allowed)())
+        if (!(policies[i].get()->*allowed)(callStack))
             return false;
     }
     return true;
 }
 
-template<bool (CSPDirectiveList::*allowed)(PassRefPtr<ScriptCallStack>) const>
-bool isAllowedByAllWithCallStack(const CSPDirectiveListVector& policies, PassRefPtr<ScriptCallStack> callStack)
+template<bool (CSPDirectiveList::*allowed)(const String&, const WTF::OrdinalNumber&) const>
+bool isAllowedByAllWithContext(const CSPDirectiveListVector& policies, const String& contextURL, const WTF::OrdinalNumber& contextLine)
 {
     for (size_t i = 0; i < policies.size(); ++i) {
-        if (!(policies[i].get()->*allowed)(callStack))
+        if (!(policies[i].get()->*allowed)(contextURL, contextLine))
             return false;
     }
     return true;
@@ -953,26 +955,26 @@ bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& u
     return true;
 }
 
-bool ContentSecurityPolicy::allowJavaScriptURLs() const
+bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
-    return isAllowedByAll<&CSPDirectiveList::allowJavaScriptURLs>(m_policies);
+    return isAllowedByAllWithContext<&CSPDirectiveList::allowJavaScriptURLs>(m_policies, contextURL, contextLine);
 }
 
-bool ContentSecurityPolicy::allowInlineEventHandlers() const
+bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
-    return isAllowedByAll<&CSPDirectiveList::allowInlineEventHandlers>(m_policies);
+    return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineEventHandlers>(m_policies, contextURL, contextLine);
 }
 
-bool ContentSecurityPolicy::allowInlineScript() const
+bool ContentSecurityPolicy::allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
-    return isAllowedByAll<&CSPDirectiveList::allowInlineScript>(m_policies);
+    return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineScript>(m_policies, contextURL, contextLine);
 }
 
-bool ContentSecurityPolicy::allowInlineStyle() const
+bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const
 {
     if (m_overrideInlineStyleAllowed)
         return true;
-    return isAllowedByAll<&CSPDirectiveList::allowInlineStyle>(m_policies);
+    return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine);
 }
 
 bool ContentSecurityPolicy::allowEval(PassRefPtr<ScriptCallStack> callStack) const
index 19c465e..7ac60d9 100644 (file)
 #include <wtf/Vector.h>
 #include <wtf/text/WTFString.h>
 
+namespace WTF {
+class OrdinalNumber;
+}
+
 namespace WebCore {
 
 class CSPDirectiveList;
@@ -62,10 +66,10 @@ public:
     const String& deprecatedHeader() const;
     HeaderType deprecatedHeaderType() const;
 
-    bool allowJavaScriptURLs() const;
-    bool allowInlineEventHandlers() const;
-    bool allowInlineScript() const;
-    bool allowInlineStyle() const;
+    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
+    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     bool allowEval(PassRefPtr<ScriptCallStack>) const;
 
     bool allowScriptFromSource(const KURL&) const;