Commit 27b18607 authored by mkwst@chromium.org

CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur.

https://bugs.webkit.org/show_bug.cgi?id=112783

Reviewed by Adam Barth.

Source/WebCore:

A new event type for Content Security Policy violations landed in
http://wkrev.com/146305; this patch takes that stub, and wires it up to
ContentSecurityPolicy::reportViolation such that violation events fire
when resources are blocked.

This should bring WebKit up to date with the current description of
CSP's event model in sections 3.3[1] and 3.4.1.3[2] of the editor's
draft.

[1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#processing-model
[2]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#firing-events-using-the-securitypolicyviolationevent-interface

Test: http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html

* page/ContentSecurityPolicy.cpp:
(WebCore::gatherSecurityPolicyViolationEventData):
    Populate a SecurityPolicyViolationEventInit object with the various
    bits of data that should be passed into the event constructor.

    This static method is strictly an implementation detail; it's not
    part of ContentSecurityPolicy's public API.
(WebCore::ContentSecurityPolicy::reportViolation):
    Regardless of whether the policy has set a 'report-uri' directive
    or not, gather together all the data we'll need to fire an event,
    create the event, and queue it up for dispatching on the Document.

LayoutTests:

* http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146520 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent c409d280
2013-03-21 Mike West <mkwst@chromium.org>
CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur.
https://bugs.webkit.org/show_bug.cgi?id=112783
Reviewed by Adam Barth.
* http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html: Added.
2013-03-21 Mike West <mkwst@chromium.org>
Drop full URLs from cross-origin access errors caused by protocol mismatches.
CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
PASS window.e.referrer is ""
PASS window.e.blockedURI is "http://127.0.0.1:8000/security/resources/abe.png"
PASS window.e.violatedDirective is "img-src 'none'"
PASS window.e.effectiveDirective is "img-src"
PASS window.e.originalPolicy is "img-src 'none'"
PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
PASS window.e.lineNumber is 30
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<script src="/js-test-resources/js-test-pre.js"></script>
<script>
description('Check that a SecurityPolicyViolationEvent is fired upon blocking an image.');
window.jsTestIsAsync = true;
document.addEventListener('securitypolicyviolation', function handleEvent(e) {
var expectations = {
'documentURI': document.location.toString(),
'referrer': document.referrer,
'blockedURI': 'http://127.0.0.1:8000/security/resources/abe.png',
'violatedDirective': 'img-src \'none\'',
'effectiveDirective': 'img-src',
'originalPolicy': 'img-src \'none\'',
'sourceURL': document.location.toString(),
'lineNumber': 30
};
window.e = e;
for (key in expectations)
shouldBe('window.e.' + key, JSON.stringify(expectations[key]));
finishJSTest();
});
window.onload = function () {
var img = document.createElement('img');
img.src = '/security/resources/abe.png';
document.body.appendChild(img);
};
</script>
<script src="/js-test-resources/js-test-post.js"></script>
</head>
<body>
</body>
</html>
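Review bot: The expectation `'lineNumber': 30` in the handler is hard-coded to this file's current layout, so any edit that adds or removes a line above the triggering statement will fail the test for a reason unrelated to CSP. Please add a comment next to the expectation saying which statement it refers to, so the next person to touch the file knows to update it. Also, `for (key in expectations)` has no `var`, which makes `key` an implicit global; declare it as `for (var key in expectations)`.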
2013-03-21 Mike West <mkwst@chromium.org>
CSP 1.1: Fire a SecurityPolicyViolationEvent when violations occur.
https://bugs.webkit.org/show_bug.cgi?id=112783
Reviewed by Adam Barth.
A new event type for Content Security Policy violations landed in
http://wkrev.com/146305; this patch takes that stub, and wires it up to
ContentSecurityPolicy::reportViolation such that violation events fire
when resources are blocked.
This should bring WebKit up to date with the current description of
CSP's event model in sections 3.3[1] and 3.4.1.3[2] of the editor's
draft.
[1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#processing-model
[2]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#firing-events-using-the-securitypolicyviolationevent-interface
Test: http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html
* page/ContentSecurityPolicy.cpp:
(WebCore::gatherSecurityPolicyViolationEventData):
Populate a SecurityPolicyViolationEventInit object with the various
bits of data that should be passed into the event constructor.
This static method is strictly an implementation detail; it's not
part of ContentSecurityPolicy's public API.
(WebCore::ContentSecurityPolicy::reportViolation):
Regardless of whether the policy has set a 'report-uri' directive
or not, gather together all the data we'll need to fire an event,
create the event, and queue it up for dispatching on the Document.
2013-03-21 Terry Anderson <tdanderson@chromium.org>
[chromium] Remove SK_SUPPORT_HINTING_SCALE_FACTOR flag and code
......@@ -43,6 +43,7 @@
#include "ScriptCallStackFactory.h"
#include "ScriptState.h"
#include "SecurityOrigin.h"
#include "SecurityPolicyViolationEvent.h"
#include "TextEncoding.h"
#include <wtf/HashSet.h>
#include <wtf/text/TextPosition.h>
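Review bot: The new `#include "SecurityPolicyViolationEvent.h"` is unconditional, while every use of the event type in this file sits inside `#if ENABLE(CSP_NEXT)`. Either wrap the include in the same guard or confirm that the header is itself guarded, so builds with the feature disabled do not pick up the dependency.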
......@@ -1671,13 +1672,36 @@ void ContentSecurityPolicy::enforceSandboxFlags(SandboxFlags mask) const
m_scriptExecutionContext->enforceSandboxFlags(mask);
}
void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const
#if ENABLE(CSP_NEXT)
static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header)
{
logToConsole(consoleMessage, contextURL, contextLine, state);
init.documentURI = document->url().string();
init.referrer = document->referrer();
init.blockedURI = blockedURL.isValid() ? blockedURL.string() : String();
init.violatedDirective = directiveText;
init.effectiveDirective = effectiveDirective;
init.originalPolicy = header;
init.sourceURL = String();
init.lineNumber = 0;
if (reportURIs.isEmpty())
RefPtr<ScriptCallStack> stack = createScriptCallStack(2, false);
if (!stack)
return;
const ScriptCallFrame& callFrame = getFirstNonNativeFrame(stack);
if (callFrame.lineNumber()) {
KURL source = KURL(KURL(), callFrame.sourceURL());
init.sourceURL = source.string();
init.lineNumber = callFrame.lineNumber();
}
}
#endif
void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const
{
logToConsole(consoleMessage, contextURL, contextLine, state);
// FIXME: Support sending reports from worker.
if (!m_scriptExecutionContext->isDocument())
return;
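Review bot: In gatherSecurityPolicyViolationEventData, `init.blockedURI = blockedURL.isValid() ? blockedURL.string() : String();` copies the full blocked URL into an object that page script can read, with no check on that URL's origin. The comment above the report-uri code later in reportViolation says to be careful about what information is sent out, and the same consideration applies to what is handed to script here, so please either reduce a cross-origin blockedURL to its origin or add a comment explaining why exposing the full string is acceptable. Two smaller points: the `2` in `createScriptCallStack(2, false)` deserves a name or a comment, and `document` is dereferenced without a check, so an ASSERT at the top of the function would make the precondition explicit.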
......@@ -1687,6 +1711,18 @@ void ContentSecurityPolicy::reportViolation(const String& directiveText, const S
if (!frame)
return;
#if ENABLE(CSP_NEXT)
if (experimentalFeaturesEnabled()) {
// FIXME: This code means that we're gathering information like line numbers twice. Once we can bring this out from behind the flag, we should reuse the data gathered here when generating the JSON report below.
SecurityPolicyViolationEventInit init;
gatherSecurityPolicyViolationEventData(init, document, directiveText, effectiveDirective, blockedURL, header);
document->enqueueDocumentEvent(SecurityPolicyViolationEvent::create(eventNames().securitypolicyviolationEvent, init));
}
#endif
if (reportURIs.isEmpty())
return;
// We need to be careful here when deciding what information to send to the
// report-uri. Currently, we send only the current document's URL and the
// directive that was violated. The document's URL is safe to send because
......
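Review bot: The block under `if (experimentalFeaturesEnabled())` builds the init data, including a script call stack capture, for every violation whether or not anything listens for securitypolicyviolation, and the FIXME already concedes that the line-number lookup is then repeated for the JSON report. Consider gathering the data once into a local and passing it to both the event and the report path, or at least skipping the gather when the document has no listener for the event. Note also that the `isDocument()` early return above this block means violations in workers fire no event; the existing "Support sending reports from worker" FIXME should mention events as well.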