Source/WebCore/bindings/ScriptControllerBase.cpp · fae2ea216379d9a391fde88178b46bdc6aeb60f8 · App_Technologies / webkit

Inline script and style blocked by Content Security Policy should provide more... · fae2ea21
commit-queue@webkit.org authored May 25, 2012
Inline script and style blocked by Content Security Policy should provide more detailed console errors.
https://bugs.webkit.org/show_bug.cgi?id=86848

Patch by Mike West <mkwst@chromium.org> on 2012-05-25
Reviewed by Adam Barth.

Source/WebCore:

This change adds a URL and line number for context to each call to
`ContentSecurityPolicy::allowInline*`, and pipes it through to the
console message generation in `CSPDirectiveList::reportViolation`.

Line numbers are not added for injected scripts (`document.write(...)`,
`document.body.appendChild`, and etc.).

Tests: http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html
       http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html
       http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html
       http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html

* bindings/ScriptControllerBase.cpp:
(WebCore::ScriptController::executeIfJavaScriptURL):
* bindings/js/JSLazyEventListener.cpp:
(WebCore::JSLazyEventListener::initializeJSFunction):
* bindings/v8/V8LazyEventListener.cpp:
(WebCore::V8LazyEventListener::prepareListenerObject):
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::ScriptElement):
(WebCore::ScriptElement::executeScript):
* dom/ScriptElement.h:
(ScriptElement):
* dom/StyleElement.cpp:
(WebCore::StyleElement::StyleElement):
(WebCore::StyleElement::createSheet):
* dom/StyleElement.h:
(StyleElement):
* dom/StyledElement.cpp:
(WebCore::StyledElement::StyledElement):
(WebCore):
(WebCore::StyledElement::style):
(WebCore::StyledElement::styleAttributeChanged):
* dom/StyledElement.h:
(StyledElement):
* page/ContentSecurityPolicy.cpp:
(CSPDirectiveList):
(WebCore::CSPDirectiveList::reportViolation):
(WebCore::CSPDirectiveList::checkInlineAndReportViolation):
(WebCore::CSPDirectiveList::checkEvalAndReportViolation):
(WebCore::CSPDirectiveList::allowJavaScriptURLs):
(WebCore::CSPDirectiveList::allowInlineEventHandlers):
(WebCore::CSPDirectiveList::allowInlineScript):
(WebCore::CSPDirectiveList::allowInlineStyle):
(WebCore::CSPDirectiveList::allowEval):
(WebCore):
(WebCore::isAllowedByAllWithCallStack):
(WebCore::isAllowedByAllWithContext):
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
(WebCore::ContentSecurityPolicy::allowInlineScript):
(WebCore::ContentSecurityPolicy::allowInlineStyle):
* page/ContentSecurityPolicy.h:
(WTF):

LayoutTests:

* http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt:
* http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt.
* http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
* http/tests/security/contentSecurityPolicy/resources/inject-script.js: Added.
* http/tests/security/contentSecurityPolicy/resources/inject-style.js: Added.
* http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
* http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118585 268f45cc-cd09-0410-ab3c-d52691b4dbfc
fae2ea21