Commit 5f414e1d authored by weinig@apple.com's avatar weinig@apple.com

Add support for the CSP connect-src directive

https://bugs.webkit.org/show_bug.cgi?id=69353

Reviewed by Adam Barth.

Add CSP support for XMLHttpRequest, WebSockets and EventSource.

Source/WebCore: 

Tests: http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html
       http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html
       http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html
       http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html
       http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html
       http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html

* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowConnectFromSource):
(WebCore::ContentSecurityPolicy::addDirective):
* page/ContentSecurityPolicy.h:
Add connect-src directive parsing and predicate.

* page/EventSource.cpp:
(WebCore::EventSource::create):
* websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::open):
Test allowConnectFromSource when establishing a connection.

LayoutTests: 

* http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96621 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent d4d3bcfd
2011-10-04 Sam Weinig <sam@webkit.org>
Add support for the CSP connect-src directive
https://bugs.webkit.org/show_bug.cgi?id=69353
Reviewed by Adam Barth.
Add CSP support for XMLHttpRequest, WebSockets and EventSource.
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html: Added.
2011-10-03 David Hyatt <hyatt@apple.com>
https://bugs.webkit.org/show_bug.cgi?id=69317
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
</head>
<body>
<pre id="console"></pre>
<script>
function log(msg)
{
document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
}
try {
var es = new EventSource("http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis");
log("Pass");
} catch(e) {
log("Fail");
}
</script>
</body>
</html>
CONSOLE MESSAGE: line 1: Refused to load connect from 'http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis' because of Content-Security-Policy.
Pass
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-WebKit-CSP" content="connect-src http://localhost:8000">
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
</head>
<body>
<pre id="console"></pre>
<script>
function log(msg)
{
document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
}
try {
var es = new EventSource("http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis");
log("Fail");
} catch(e) {
log("Pass");
}
</script>
</body>
</html>
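Review bot: The blocked test's `catch(e) { log("Pass"); }` accepts any exception, so a constructor failure unrelated to CSP (a SYNTAX_ERR, say) would also print Pass, and only the accompanying CONSOLE MESSAGE line in the expected output tells the two cases apart. Checking the exception code makes the assertion self-contained: `log(e.code == DOMException.SECURITY_ERR ? "Pass" : "Fail");`. The same catch-anything pattern is in connect-src-websocket-blocked.html and connect-src-xmlhttprequest-blocked.html and would benefit from the same change.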
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-WebKit-CSP" content="connect-src ws://127.0.0.1:8880">
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
</head>
<body>
<pre id="console"></pre>
<script>
function log(msg)
{
document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
}
try {
var ws = new WebSocket("ws://127.0.0.1:8880/websocket/tests/hybi/echo");
log("Pass");
} catch(e) {
log("Fail");
}
</script>
</body>
</html>
CONSOLE MESSAGE: line 1: Refused to load connect from 'ws://localhost:8880/websocket/tests/hybi/echo' because of Content-Security-Policy.
Pass
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-WebKit-CSP" content="connect-src ws://127.0.0.1:8880">
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
</head>
<body>
<pre id="console"></pre>
<script>
function log(msg)
{
document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
}
try {
var ws = new WebSocket("ws://localhost:8880/websocket/tests/hybi/echo");
log("Fail");
} catch(e) {
log("Pass");
}
</script>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
</head>
<body>
<pre id="console"></pre>
<script>
function log(msg)
{
document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
}
try {
var xhr = new XMLHttpRequest;
xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true);
log("Pass");
} catch(e) {
log("Fail");
}
</script>
</body>
</html>
CONSOLE MESSAGE: line 1: Refused to load connect from 'http://localhost:8000/xmlhttprequest/resources/get.txt' because of Content-Security-Policy.
Pass
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
</head>
<body>
<pre id="console"></pre>
<script>
function log(msg)
{
document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
}
try {
var xhr = new XMLHttpRequest;
xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/get.txt", true);
log("Fail");
} catch(e) {
log("Pass");
}
</script>
</body>
</html>
2011-10-04 Sam Weinig <sam@webkit.org>
Add support for the CSP connect-src directive
https://bugs.webkit.org/show_bug.cgi?id=69353
Reviewed by Adam Barth.
Add CSP support for XMLHttpRequest, WebSockets and EventSource.
Tests: http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html
http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html
http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html
http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html
http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html
http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowConnectFromSource):
(WebCore::ContentSecurityPolicy::addDirective):
* page/ContentSecurityPolicy.h:
Add connect-src directive parsing and predicate.
* page/EventSource.cpp:
(WebCore::EventSource::create):
* websockets/WebSocket.cpp:
(WebCore::WebSocket::connect):
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::open):
Test allowConnectFromSource when establishing a connection.
2011-10-03 David Hyatt <hyatt@apple.com>
https://bugs.webkit.org/show_bug.cgi?id=69317
......@@ -644,6 +644,12 @@ bool ContentSecurityPolicy::allowMediaFromSource(const KURL& url) const
return checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, type);
}
bool ContentSecurityPolicy::allowConnectFromSource(const KURL& url) const
{
DEFINE_STATIC_LOCAL(String, type, ("connect"));
return checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type);
}
// policy = directive-list
// directive-list = [ directive *( ";" [ directive ] ) ]
//
......@@ -748,6 +754,7 @@ void ContentSecurityPolicy::addDirective(const String& name, const String& value
DEFINE_STATIC_LOCAL(String, styleSrc, ("style-src"));
DEFINE_STATIC_LOCAL(String, fontSrc, ("font-src"));
DEFINE_STATIC_LOCAL(String, mediaSrc, ("media-src"));
DEFINE_STATIC_LOCAL(String, connectSrc, ("connect-src"));
DEFINE_STATIC_LOCAL(String, reportURI, ("report-uri"));
ASSERT(!name.isEmpty());
......@@ -768,6 +775,8 @@ void ContentSecurityPolicy::addDirective(const String& name, const String& value
m_fontSrc = createCSPDirective(name, value);
else if (!m_mediaSrc && equalIgnoringCase(name, mediaSrc))
m_mediaSrc = createCSPDirective(name, value);
else if (!m_connectSrc && equalIgnoringCase(name, connectSrc))
m_connectSrc = createCSPDirective(name, value);
else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI))
parseReportURI(value);
}
......
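Review bot: The new allowConnectFromSource() in the first hunk carries no comment naming what it guards, so a reader has to grep for callers; a header line such as `// connect-src: consulted by XMLHttpRequest::open, WebSocket::connect and EventSource::create before a connection is opened.` would tie the predicate to its three callers. The violation type string "connect" is also echoed verbatim by the reporting path, producing the console message "Refused to load connect from '…'" seen in the new expected files, which reads oddly next to the resource nouns used by the sibling predicates; if the message template is fixed, a noun such as "connection" (with the expected files updated) would read more naturally. Whether operativeDirective() falls back to default-src when connect-src is absent is decided outside this hunk and is worth a word in that same comment once confirmed.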
......@@ -63,6 +63,7 @@ public:
bool allowStyleFromSource(const KURL&) const;
bool allowFontFromSource(const KURL&) const;
bool allowMediaFromSource(const KURL&) const;
bool allowConnectFromSource(const KURL&) const;
private:
explicit ContentSecurityPolicy(ScriptExecutionContext*);
......@@ -96,6 +97,7 @@ private:
OwnPtr<CSPDirective> m_styleSrc;
OwnPtr<CSPDirective> m_fontSrc;
OwnPtr<CSPDirective> m_mediaSrc;
OwnPtr<CSPDirective> m_connectSrc;
Vector<KURL> m_reportURLs;
};
......
......@@ -34,13 +34,14 @@
#include "config.h"
#include "EventSource.h"
#include "MemoryCache.h"
#include "ContentSecurityPolicy.h"
#include "DOMWindow.h"
#include "Event.h"
#include "EventException.h"
#include "ExceptionCode.h"
#include "PlatformString.h"
#include "MemoryCache.h"
#include "MessageEvent.h"
#include "PlatformString.h"
#include "ResourceError.h"
#include "ResourceRequest.h"
#include "ResourceResponse.h"
......@@ -87,6 +88,12 @@ PassRefPtr<EventSource> EventSource::create(const String& url, ScriptExecutionCo
return 0;
}
if (!context->contentSecurityPolicy()->allowConnectFromSource(fullURL)) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return 0;
}
RefPtr<EventSource> source = adoptRef(new EventSource(fullURL, context));
source->setPendingActivity(source.get());
......
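Review bot: The `// FIXME: Should this be throwing an exception?` added in EventSource::create is already answered by the tests this commit adds — connect-src-eventsource-blocked.html logs Pass only when the constructor throws, so the exception is now pinned behaviour rather than an open question. Either resolve the FIXME or reword it to state what is actually undecided, e.g. `// FIXME: Decide whether a connect-src refusal should throw (as the layout tests currently expect) or fail asynchronously like a network error.` The identical FIXME appears in the WebSocket::connect and XMLHttpRequest::open hunks of this commit and should get the same treatment. EventSource::create begins outside the hunk.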
......@@ -37,6 +37,7 @@
#include "Blob.h"
#include "BlobData.h"
#include "CloseEvent.h"
#include "ContentSecurityPolicy.h"
#include "DOMWindow.h"
#include "Event.h"
#include "EventException.h"
......@@ -197,6 +198,14 @@ void WebSocket::connect(const String& url, const Vector<String>& protocols, Exce
return;
}
if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(m_url)) {
m_state = CLOSED;
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return;
}
m_channel = ThreadableWebSocketChannel::create(scriptExecutionContext(), this);
m_useHixie76Protocol = m_channel->useHixie76Protocol();
......
......@@ -24,7 +24,7 @@
#include "ArrayBuffer.h"
#include "Blob.h"
#include "MemoryCache.h"
#include "ContentSecurityPolicy.h"
#include "CrossOriginAccessControl.h"
#include "DOMFormData.h"
#include "DOMImplementation.h"
......@@ -38,6 +38,7 @@
#include "HTTPParsers.h"
#include "HTTPValidation.h"
#include "InspectorInstrumentation.h"
#include "MemoryCache.h"
#include "ResourceError.h"
#include "ResourceRequest.h"
#include "ScriptCallStack.h"
......@@ -51,10 +52,10 @@
#include "XMLHttpRequestProgressEvent.h"
#include "XMLHttpRequestUpload.h"
#include "markup.h"
#include <wtf/text/CString.h>
#include <wtf/StdLibExtras.h>
#include <wtf/RefCountedLeakCounter.h>
#include <wtf/StdLibExtras.h>
#include <wtf/UnusedParam.h>
#include <wtf/text/CString.h>
#if USE(JSC)
#include "JSDOMBinding.h"
......@@ -426,6 +427,12 @@ void XMLHttpRequest::open(const String& method, const KURL& url, bool async, Exc
return;
}
if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return;
}
m_method = uppercaseKnownHTTPMethod(method);
m_url = url;
......
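Review bot: The connect-src check in XMLHttpRequest::open is applied once, to the URL handed to open(); nothing in this hunk re-evaluates the policy if the request is later redirected to a host the directive does not list, so enforcement on that path rests on whatever the loader does on redirect, which is not visible here. That is worth confirming and recording next to the check, e.g. `// connect-src is enforced against the URL passed to open(); redirect targets need to be re-checked by the loader (TODO confirm).` The check does precede the `m_url = url` assignment, so a refused URL is never stored on the request. open() continues past the hunk.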