    Add support for the CSP connect-src directive · 5f414e1d
    weinig@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=69353
    
    Reviewed by Adam Barth.
    
    Add CSP support for XMLHttpRequest, WebSockets and EventSource.
    
    Source/WebCore: 
    
    Tests: http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html
           http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html
           http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html
           http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html
           http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html
           http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html
    
    * page/ContentSecurityPolicy.cpp:
    (WebCore::ContentSecurityPolicy::allowConnectFromSource):
    (WebCore::ContentSecurityPolicy::addDirective):
    * page/ContentSecurityPolicy.h:
    Add connect-src directive parsing and predicate.
    
    * page/EventSource.cpp:
    (WebCore::EventSource::create):
    * websockets/WebSocket.cpp:
    (WebCore::WebSocket::connect):
    * xml/XMLHttpRequest.cpp:
    (WebCore::XMLHttpRequest::open):
    Test allowConnectFromSource when establishing a connection.
    
    LayoutTests: 
    
    * http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html: Added.
    * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html: Added.
    * http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html: Added.
    * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html: Added.
    * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html: Added.
    * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96621 268f45cc-cd09-0410-ab3c-d52691b4dbfc