abarth@webkit.org authored
Reviewed by Eric Seidel.

CSP's script-src should block JavaScript URLs
https://bugs.webkit.org/show_bug.cgi?id=54787

Test how various CSP policies affect JavaScript URLs. We could test
more contexts in the future, but this is a start.

* http/tests/security/contentSecurityPolicy/javascript-url-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/javascript-url.html: Added.
* http/tests/security/contentSecurityPolicy/resources/javascript-url.pl: Added.

2011-02-24 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel.

CSP's script-src should block JavaScript URLs
https://bugs.webkit.org/show_bug.cgi?id=54787

Blocking JavaScript URLs required some re-architecting of the lifetime
of the ContentSecurityPolicy object. We now manage the lifetime the
same way we manage the lifetime of the SecurityOrigin object. In
particular, when SecurityOrigin inherits into an about:blank iframe, we
inherit the CSP object as well. (This is covered by the test added in
this patch.)

In the future, we might consider making ContentSecurityPolicy a
component of SecurityOrigin instead of a component of Document. I
noted the trickiness in
http://www.w3.org/Security/wiki/Content_Security_Policies so that we'll
make sure it gets defined properly in the spec.

Test: http/tests/security/contentSecurityPolicy/javascript-url.html

* bindings/ScriptControllerBase.cpp:
(WebCore::ScriptController::executeIfJavaScriptURL):
* dom/Document.cpp:
(WebCore::Document::initSecurityContext):
* dom/Document.h:
(WebCore::Document::contentSecurityPolicy):
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
* page/ContentSecurityPolicy.h:
(WebCore::ContentSecurityPolicy::create):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@79547 268f45cc-cd09-0410-ab3c-d52691b4dbfc
d27ac26b
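
The behaviour this commit describes, as an added JavaScript model that is not WebKit's code or part of the commit: a policy check for `javascript:` URLs, plus inheritance of the parent's policy into an `about:blank` frame. The names `parsePolicy`, `allowsJavaScriptUrls`, `createDocument` and `canExecuteJavaScriptUrl` are hypothetical, and the directive handling assumes current CSP semantics (`default-src` fallback; nonces, hashes and `'strict-dynamic'` cancel `'unsafe-inline'`), not the 2011 implementation.

```javascript
// Simplified model (added example, not WebKit code): does a document's CSP
// let a javascript: URL run, and what does an about:blank child inherit?

// Parse a policy string into Map<directive name, lower-cased source list>.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// javascript: URLs count as inline script: they run only when the governing
// directive effectively grants 'unsafe-inline'.
function allowsJavaScriptUrls(header) {
  if (header === null) return true; // no policy delivered
  const directives = parsePolicy(header);
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (sources === undefined) return true; // nothing governs script
  const cancelsInline = sources.some(
    (s) => s === "'strict-dynamic'" || /^'(nonce-|sha(256|384|512)-)/.test(s)
  );
  return sources.includes("'unsafe-inline'") && !cancelsInline;
}

// An about:blank (or empty-URL) child frame has no response of its own, so it
// takes the parent's policy, mirroring how it takes the parent's origin.
function createDocument(url, header, parent = null) {
  const inherits = parent !== null && (url === "about:blank" || url === "");
  return { url, csp: inherits ? parent.csp : header };
}

function canExecuteJavaScriptUrl(doc) {
  return allowsJavaScriptUrls(doc.csp);
}

// Constructed sample: a restricted page and the blank frame it creates.
const page = createDocument("https://example.test/", "script-src 'self'");
const blankFrame = createDocument("about:blank", null, page);
console.log(canExecuteJavaScriptUrl(page), canExecuteJavaScriptUrl(blankFrame));
```

Without the inheritance step, the blank frame would carry no policy and a `javascript:` URL evaluated there would bypass the parent's `script-src`.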