  • Support paths in Content Security Policy directives. · 699a4584
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=89750
    
    Patch by Mike West <mkwst@chromium.org> on 2012-09-20
    Reviewed by Adam Barth.
    
    Source/WebCore:
    
    In CSP 1.0, paths are simply ignored: 'script-src
    http://example.com/path/to/a/file' would allow script to be loaded from
    http://example.com/path/to/a/file/javascript.js, but also from
    http://example.com/javascript.js.
    
    This patch is an experimental implementation of more granular path
    support in CSP source lists as proposed in the current editor's draft of
    CSP 1.1. Paths are treated as specifying directories in which resources
    can be found, and are implicitly terminated with a '/': in other words,
    'script-src http://a.com/path' is the same as
    'script-src http://a.com/path/'. Moreover, paths cannot contain either
    '?' or '#' characters.
    
    This is implemented outside the CSP_NEXT flag. All ports will be
    affected.
    
    Spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#matching
    
    Tests: http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html
           http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html
    
    * page/ContentSecurityPolicy.cpp:
    (WebCore::CSPSource::CSPSource):
        Store a path along with each CSP source.
    (WebCore::CSPSource::matches):
        Check the path when comparing a URL to the source.
    (WebCore::CSPSource::pathMatches):
        Compare the URL-decoded version of the resource to validate against
        the source's stored path. If the resource's path begins with the
        stored path, then it matches! If not, it doesn't.
    (CSPSource):
        Store a path along with each CSP source.
    (WebCore::CSPSourceList::parse):
        Pass a 'path' in when creating CSPSource objects.
    (WebCore::CSPSourceList::parsePath):
        Actually parse the path, flagging errors if '?' or '#' are present,
        URL-decoding the result, and ensuring that a terminal '/' is
        added if necessary.
    (WebCore::CSPSourceList::addSourceSelf):
        Ensure that 'self' sources have an empty path.
    * page/ContentSecurityPolicy.h:
        Dropping the "ignored path component" console warning.
    
    LayoutTests:
    
    * http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt:
    * http/tests/security/contentSecurityPolicy/source-list-parsing-05.html:
    * http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt:
    * http/tests/security/contentSecurityPolicy/source-list-parsing-06.html:
        The behavior of these tests changes based on the new functionality.
    * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html: Added.
    * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html: Added.
        New tests for various path cases.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129143 268f45cc-cd09-0410-ab3c-d52691b4dbfc
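
The path-matching rule described in the commit message, next to the CSP 1.0 behaviour where paths are ignored, as an added JavaScript sketch that is not code from the WebKit patch. The function names, the simplified exact scheme/host comparison, and the choice to treat a '?', '#' or malformed percent-escape as an invalid source are assumptions.

```javascript
// Added illustration: names are hypothetical, not WebKit's identifiers.
// Assumption: a '?', '#' or malformed escape makes the source invalid.

// Normalise a source path: URL-decode, then add the implicit terminal '/'.
// Returns '' when the source has no path, null when it is invalid.
function parseSourcePath(rawPath) {
  if (rawPath === '') return '';
  if (/[?#]/.test(rawPath)) return null;
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return null;
  }
  return decoded.endsWith('/') ? decoded : decoded + '/';
}

// Split 'scheme://host[:port]/path' into its parts (no wildcards here).
function parseSource(expr) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]+)(.*)$/i.exec(expr);
  if (!m) return null;
  const path = parseSourcePath(m[3]);
  if (path === null) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), path };
}

// honourPaths=false models CSP 1.0 (path ignored); true models the
// directory-prefix comparison on the URL-decoded resource path.
function matches(source, resourceUrl, honourPaths) {
  const url = new URL(resourceUrl);
  if (url.protocol !== source.scheme + ':' || url.host !== source.host) {
    return false;
  }
  if (!honourPaths || source.path === '') return true;
  let resourcePath;
  try {
    resourcePath = decodeURIComponent(url.pathname);
  } catch (e) {
    return false;
  }
  return resourcePath.startsWith(source.path);
}
```

Because the stored path always ends in '/', a source of `http://a.com/path` covers `/path/x.js` but not `/pathology/x.js`, which a bare string prefix without the terminal slash would have allowed.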