  • Add a scheme registry for bypassing Content Security Policy. · 828d2390
    commit-queue@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=89373
    
    Patch by Mike West <mkwst@chromium.org> on 2012-06-19
    Reviewed by Adam Barth.
    
    .:
    
    * Source/autotools/symbols.filter:
    
    Source/WebCore:
    
    The Content Security Policy specification notes that "Enforcing a CSP
    policy should not interfere with the operation of user-supplied scripts
    such as third-party user-agent add-ons and JavaScript bookmarklets."
    (https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#processing-model)
    This use case can be at least partially addressed by adding a scheme
    registry for certain types of URLs whose resources should be loaded
    regardless of a page's defined policy directives.
    
    See http://crbug.com/133223 for additional context.
    
    Test: http/tests/security/contentSecurityPolicy/register-bypassing-scheme.html
    
    * WebCore.exp.in:
        Exporting new symbols for use by Internals.
    * page/ContentSecurityPolicy.cpp:
    (WebCore::isAllowedByAllWithURL):
        Adding a check against the new SchemeRegistry method to determine
        whether or not we should proceed with checking the URL against the
        policy.
    * platform/SchemeRegistry.cpp:
    (WebCore::CSPBypassingSchemes):
    (WebCore):
    (WebCore::SchemeRegistry::registerURLSchemeAsBypassingContentSecurityPolicy):
    (WebCore::SchemeRegistry::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy):
    (WebCore::SchemeRegistry::schemeShouldBypassContentSecurityPolicy):
    * platform/SchemeRegistry.h:
    (SchemeRegistry):
        Adding the scheme registry for CSP-bypassing URL schemes.
    * testing/Internals.cpp:
    (WebCore):
    (WebCore::Internals::registerURLSchemeAsBypassingContentSecurityPolicy):
    (WebCore::Internals::removeURLSchemeRegisteredAsBypassingContentSecurityPolicy):
    * testing/Internals.h:
    (Internals):
    * testing/Internals.idl:
        Adding a method to Internals so that we can write a layout test.
    
    Source/WebKit/chromium:
    
    * public/WebSecurityPolicy.h:
    (WebSecurityPolicy):
    * src/WebSecurityPolicy.cpp:
    (WebKit::WebSecurityPolicy::registerURLSchemeAsBypassingContentSecurityPolicy):
    (WebKit):
    
    Source/WebKit2:
    
    * win/WebKit2.def:
    * win/WebKit2CFLite.def:
    
    LayoutTests:
    
    * http/tests/security/contentSecurityPolicy/register-bypassing-scheme-expected.txt: Added.
    * http/tests/security/contentSecurityPolicy/register-bypassing-scheme.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@120684 268f45cc-cd09-0410-ab3c-d52691b4dbfc
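The ordering the commit message describes for `isAllowedByAllWithURL` (consult the scheme registry first, and only then evaluate policy) is sketched below as an added example. It is not WebKit's code: the method names follow the commit message, while the bodies, the `schemeOf`/`originOf` helpers, the `Policy` origin allow-list standing in for CSP directives, and the `x-addon` scheme and `.example` hosts are assumptions constructed for illustration.

```cpp
// Added sketch, not WebKit source: names follow the commit message; the bodies
// and the toy origin allow-list standing in for a CSP policy are assumptions.
#include <cctype>
#include <set>
#include <string>
#include <vector>

static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Scheme of a URL, lower-cased; "" when there is no syntactically valid scheme.
static std::string schemeOf(const std::string& url) {
    std::string::size_type colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    for (std::string::size_type i = 0; i < colon; ++i) {
        unsigned char c = static_cast<unsigned char>(url[i]);
        if (!(std::isalnum(c) || c == '+' || c == '-' || c == '.')) return "";
    }
    return lower(url.substr(0, colon));
}

// "scheme://host[:port]" part of a URL, lower-cased (toy origin extraction).
static std::string originOf(const std::string& url) {
    std::string::size_type start = url.find("://");
    if (start == std::string::npos) return "";
    return lower(url.substr(0, url.find('/', start + 3)));
}

class SchemeRegistry {
public:
    static void registerURLSchemeAsBypassingContentSecurityPolicy(const std::string& s) { schemes().insert(lower(s)); }
    static void removeURLSchemeRegisteredAsBypassingContentSecurityPolicy(const std::string& s) { schemes().erase(lower(s)); }
    static bool schemeShouldBypassContentSecurityPolicy(const std::string& s) { return !s.empty() && schemes().count(lower(s)) != 0; }
private:
    static std::set<std::string>& schemes() { static std::set<std::string> set; return set; }
};

using Policy = std::set<std::string>;  // allowed origins, lower-case

// Registry check first: a URL with a bypassing scheme is never matched against any policy.
static bool isAllowedByAllWithURL(const std::vector<Policy>& policies, const std::string& url) {
    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(schemeOf(url)))
        return true;
    for (const Policy& policy : policies)
        if (policy.count(originOf(url)) == 0) return false;
    return true;
}
```

The bypass is keyed only on the scheme of the resource being loaded, so in this sketch registering a scheme exempts every URL under it from all policies while leaving other schemes fully enforced.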