-
abarth@webkit.org authored
Reviewed by Eric Seidel. CSP object-src should block plugin loads https://bugs.webkit.org/show_bug.cgi?id=57283 This change is pretty straight-forward. It's slighly unclear to me whether this patch is correct w.r.t. the code in DocumentWriter. I've added a FIXME comment, and I'll investigate that case more in the future. Test: http/tests/security/contentSecurityPolicy/object-src-none.html * loader/DocumentWriter.cpp: (WebCore::DocumentWriter::begin): * loader/SubframeLoader.cpp: (WebCore::SubframeLoader::requestPlugin): * page/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::allowObjectFromSource): (WebCore::ContentSecurityPolicy::addDirective): * page/ContentSecurityPolicy.h: 2011-04-06 Adam Barth <abarth@webkit.org> Reviewed by Eric Seidel. CSP object-src should block plugin loads https://bugs.webkit.org/show_bug.cgi?id=57283 * http/tests/security/contentSecurityPolicy/object-src-none-expected.txt: Added. * http/tests/security/contentSecurityPolicy/object-src-none.html: Added. * http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@83141 268f45cc-cd09-0410-ab3c-d52691b4dbfc
15f9e21f