-
commit-queue@webkit.org authored
Inline script and style blocked by Content Security Policy should provide more detailed console errors. https://bugs.webkit.org/show_bug.cgi?id=86848 Patch by Mike West <mkwst@chromium.org> on 2012-05-25 Reviewed by Adam Barth. Source/WebCore: This change adds a URL and line number for context to each call to `ContentSecurityPolicy::allowInline*`, and pipes it through to the console message generation in `CSPDirectiveList::reportViolation`. Line numbers are not added for injected scripts (`document.write(...)`, `document.body.appendChild`, and etc.). Tests: http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html * bindings/ScriptControllerBase.cpp: (WebCore::ScriptController::executeIfJavaScriptURL): * bindings/js/JSLazyEventListener.cpp: (WebCore::JSLazyEventListener::initializeJSFunction): * bindings/v8/V8LazyEventListener.cpp: (WebCore::V8LazyEventListener::prepareListenerObject): * dom/ScriptElement.cpp: (WebCore::ScriptElement::ScriptElement): (WebCore::ScriptElement::executeScript): * dom/ScriptElement.h: (ScriptElement): * dom/StyleElement.cpp: (WebCore::StyleElement::StyleElement): (WebCore::StyleElement::createSheet): * dom/StyleElement.h: (StyleElement): * dom/StyledElement.cpp: (WebCore::StyledElement::StyledElement): (WebCore): (WebCore::StyledElement::style): (WebCore::StyledElement::styleAttributeChanged): * dom/StyledElement.h: (StyledElement): * page/ContentSecurityPolicy.cpp: (CSPDirectiveList): (WebCore::CSPDirectiveList::reportViolation): (WebCore::CSPDirectiveList::checkInlineAndReportViolation): (WebCore::CSPDirectiveList::checkEvalAndReportViolation): (WebCore::CSPDirectiveList::allowJavaScriptURLs): (WebCore::CSPDirectiveList::allowInlineEventHandlers): (WebCore::CSPDirectiveList::allowInlineScript): (WebCore::CSPDirectiveList::allowInlineStyle): (WebCore::CSPDirectiveList::allowEval): (WebCore): (WebCore::isAllowedByAllWithCallStack): (WebCore::isAllowedByAllWithContext): (WebCore::ContentSecurityPolicy::allowJavaScriptURLs): (WebCore::ContentSecurityPolicy::allowInlineEventHandlers): (WebCore::ContentSecurityPolicy::allowInlineScript): (WebCore::ContentSecurityPolicy::allowInlineStyle): * page/ContentSecurityPolicy.h: (WTF): LayoutTests: * http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt: * http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt: * http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt: Added. * http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html: Added. * http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt. * http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html: Added. * http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt: Added. * http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html: Added. * http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt: Added. * http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html: Added. * http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt: * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt: * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt: * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt: * http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt: * http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt: * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: * http/tests/security/contentSecurityPolicy/report-only-expected.txt: * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt: * http/tests/security/contentSecurityPolicy/report-uri-expected.txt: * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt: * http/tests/security/contentSecurityPolicy/resources/inject-script.js: Added. * http/tests/security/contentSecurityPolicy/resources/inject-style.js: Added. * http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt: * http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118585 268f45cc-cd09-0410-ab3c-d52691b4dbfc
fae2ea21