  • 'self' in a CSP directive should match blob: and filesystem: URLs. · 3fde8622
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=94918
    
    Patch by Mike West <mkwst@chromium.org> on 2012-08-27
    Reviewed by Adam Barth.
    
    Source/WebCore:
    
    'blob:' and 'filesystem:' URLs are same-origin with the page on which
    they were created. Currently, we're using the wrong URL for comparison
    when matching against CSP directive source lists. This patch adjusts the
    matching logic to compare against the blob's inner URL, rather than
    directly against the blob itself.
    
    Tests: http/tests/security/contentSecurityPolicy/blob-urls-match-self.html
           http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
           http/tests/security/contentSecurityPolicy/source-list-parsing-08.html
    
    * page/ContentSecurityPolicy.cpp:
    (WebCore::CSPSourceList::matches):
        If we should use the inner URL of a given resource, extract it into
        a local variable, and pass that into CSPSource for comparison.
    * page/SecurityOrigin.cpp:
    (WebCore::SecurityOrigin::shouldUseInnerURL):
    (WebCore::SecurityOrigin::extractInnerURL):
        Move shouldUseInnerURL and extractInnerURL to SecurityOrigin's
        public signature.
    (WebCore::shouldTreatAsUniqueOrigin):
    (WebCore::SecurityOrigin::create):
    (WebCore::SecurityOrigin::isSecure):
        shouldUseInnerURL and extractInnerURL are now static methods of
        SecurityOrigin: updating calls to match.
    * page/SecurityOrigin.h:
    
    LayoutTests:
    
    * http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/blob-urls-match-self.html: Added.
    * http/tests/security/contentSecurityPolicy/filesystem-urls-match-self-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html: Added.
        Test the new functionality.
    * http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:
    (test):
        Adding support for data: URLs.
    * http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/source-list-parsing-08.html: Added.
        Adding data: URL tests to ensure that grabbing the inner URL of the
        URL to test doesn't inadvertently regress that behavior.
    * platform/efl/Skipped:
    * platform/mac/Skipped:
    * platform/qt/Skipped:
    * platform/win/Skipped:
        Skipping filesystem test on ports where it's not enabled.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@126785 268f45cc-cd09-0410-ab3c-d52691b4dbfc
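
The comparison the commit message describes, as an added C++ example that is not WebKit's code: shouldUseInnerURL and extractInnerURL borrow their names from the message but are reimplemented here on plain strings, and originOf, matchesSelfOuter and matchesSelfInner are hypothetical helpers. It assumes origins compare as exact "scheme://host[:port]" strings (no default-port or host-case normalization); the example.test URLs in the usage are constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Lower-cased scheme of a URL, or "" if there is no ':'.
static std::string schemeOf(const std::string& url) {
    auto colon = url.find(':');
    if (colon == std::string::npos) return "";
    std::string s = url.substr(0, colon);
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

// blob: and filesystem: URLs wrap the URL of the page that created them.
bool shouldUseInnerURL(const std::string& url) {
    std::string s = schemeOf(url);
    return s == "blob" || s == "filesystem";
}

// Drop the outer "scheme:" prefix: blob:http://a.test/x -> http://a.test/x
std::string extractInnerURL(const std::string& url) {
    return url.substr(url.find(':') + 1);
}

// "scheme://host[:port]" of a hierarchical URL, or "" when there is none
// (e.g. data: URLs), so such URLs never equal a real origin.
std::string originOf(const std::string& url) {
    auto sep = url.find("://");
    if (sep == std::string::npos || sep != url.find(':')) return "";
    auto pathStart = url.find_first_of("/?#", sep + 3);
    return url.substr(0, pathStart);
}

// Before the fix: the blob URL itself is compared, so 'self' never matches.
bool matchesSelfOuter(const std::string& selfOrigin, const std::string& url) {
    std::string o = originOf(url);
    return !o.empty() && o == selfOrigin;
}

// After the fix: compare the inner URL when the resource has one.
bool matchesSelfInner(const std::string& selfOrigin, const std::string& url) {
    return matchesSelfOuter(selfOrigin,
        shouldUseInnerURL(url) ? extractInnerURL(url) : url);
}
```

With selfOrigin "http://example.test", matchesSelfOuter rejects "blob:http://example.test/1b2c" while matchesSelfInner accepts it; a blob created by another origin and a data: URL are rejected by both.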