abarth@webkit.org authored
Reviewed by Eric Seidel.

script-src should block inline script
https://bugs.webkit.org/show_bug.cgi?id=58012

Test that script-src blocks inline script. This test uses a different approach than the existing tests for variety.

* http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/inline-script-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/resources/document-write-alert-fail.js: Added.
* http/tests/security/contentSecurityPolicy/resources/dump-as-text.js: Added.

2011-04-07 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

script-src should block inline script
https://bugs.webkit.org/show_bug.cgi?id=58012

Block inline scripts at the ScriptElement layer. This should catch exactly the scripts we want to catch.

Test: http/tests/security/contentSecurityPolicy/inline-script-blocked.html

* dom/Document.cpp:
(WebCore::Document::processHttpEquiv):
- This patch also adds the ability to supply a CSP policy via a <meta> tag. We'll update the name of the header once we've finished implementing the spec.
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::executeScript):
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowInlineScript):
* page/ContentSecurityPolicy.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@83159 268f45cc-cd09-0410-ab3c-d52691b4dbfc
3285b43b