Commit 699a4584 authored by commit-queue@webkit.org's avatar commit-queue@webkit.org
Browse files

Support paths in Content Security Policy directives.

https://bugs.webkit.org/show_bug.cgi?id=89750

Patch by Mike West <mkwst@chromium.org> on 2012-09-20
Reviewed by Adam Barth.

Source/WebCore:

In CSP 1.0, paths are simply ignored: 'script-src
http://example.com/path/to/a/file' would allow script to be loaded from
http://example.com/path/to/a/file/javascript.js, but also from
http://example.com/javascript.js.

This patch is an experimental implementation of more granular path
support in CSP source lists as proposed in the current editor's draft of
CSP 1.1. Paths are treated as specifying directories in which resources
can be found, and are implicitly terminated with a '/': in other words,
'script-src http://a.com/path' is the same as
'script-src http://a.com/path/'. Moreover, paths cannot contain either
'?' or '#' characters.

This is implemented outside the CSP_NEXT flag. All ports will be
effected.

Spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#matching

Tests: http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html
       http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html

* page/ContentSecurityPolicy.cpp:
(WebCore::CSPSource::CSPSource):
    Store a path along with each CSP source.
(WebCore::CSPSource::matches):
    Check the path when comparing a URL to the source.
(WebCore::CSPSource::pathMatches):
    Compare the URL-decoded version of the resource to validate against
    the source's stored path. If the resource's path begins with the
    stored path, then it matches! If not, it doesn't.
(CSPSource):
    Store a path along with each CSP source.
(WebCore::CSPSourceList::parse):
    Pass a 'path' in when creating CSPSource objects.
(WebCore::CSPSourceList::parsePath):
    Actually parse the path, flagging errors if '?' or '#' are present,
    URL-decoding the result, and ensuring that a terminal '/' is
    added if necessary.
(WebCore::CSPSourceList::addSourceSelf):
    Ensure that 'self' sources have an empty path.
* page/ContentSecurityPolicy.h:
    Dropping the "ignored path component" console warning.

LayoutTests:

* http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt:
* http/tests/security/contentSecurityPolicy/source-list-parsing-05.html:
* http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt:
* http/tests/security/contentSecurityPolicy/source-list-parsing-06.html:
    The behavior of these tests changes based on the new functionality.
* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html: Added.
* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html: Added.
    New tests for various path cases.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129143 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 08e19373
2012-09-20 Mike West <mkwst@chromium.org>
Support paths in Content Security Policy directives.
https://bugs.webkit.org/show_bug.cgi?id=89750
Reviewed by Adam Barth.
* http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt:
* http/tests/security/contentSecurityPolicy/source-list-parsing-05.html:
* http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt:
* http/tests/security/contentSecurityPolicy/source-list-parsing-06.html:
The behavior of these tests changes based on the new functionality.
* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html: Added.
* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html: Added.
New tests for various path cases.
2012-09-20 Joshua Bell <jsbell@chromium.org>
 
IndexedDB: Rewrite confusing call sequence layout tests
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/thisisa'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/thisisa' is being ignored. Be careful.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path".
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/path?query=string'. It will be ignored.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path?query=string".
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/path#anchor'. It will be ignored.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path#anchor".
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path".
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:8000/path?query=string'. It will be ignored.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path?query=string".
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:8000/path#anchor'. It will be ignored.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path#anchor".
CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'pathwithasemicolon'.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/this'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/this' is being ignored. Be careful.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/thisisa".
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/this is a path with spaces".
Paths should be ignored when evaluating sources. This test passes if FAIL does not appear in the output, and each of the tests generates a warning about the path component.
......
......@@ -5,15 +5,15 @@
<script>
var tests = [
['yes', 'script-src 127.0.0.1:*/', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:*/path', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:*/path?query=string', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:*/path#anchor', 'resources/script.js'],
['no', 'script-src 127.0.0.1:*/path', 'resources/script.js'],
['no', 'script-src 127.0.0.1:*/path?query=string', 'resources/script.js'],
['no', 'script-src 127.0.0.1:*/path#anchor', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:8000/', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:8000/path', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:8000/path?query=string', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:8000/path#anchor', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
['no', 'script-src 127.0.0.1:8000/path', 'resources/script.js'],
['no', 'script-src 127.0.0.1:8000/path?query=string', 'resources/script.js'],
['no', 'script-src 127.0.0.1:8000/path#anchor', 'resources/script.js'],
['no', 'script-src 127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
['no', 'script-src 127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
];
</script>
</head>
......
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/thisisa'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/thisisa' is being ignored. Be careful.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path".
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:*/path?query=string'. It will be ignored.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path?query=string".
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:*/path#anchor'. It will be ignored.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path#anchor".
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path".
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:8000/path?query=string'. It will be ignored.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path?query=string".
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:8000/path#anchor'. It will be ignored.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path#anchor".
CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'pathwithasemicolon'.
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/this'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/this' is being ignored. Be careful.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/thisisa".
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/this is a path with spaces".
Paths should be ignored when evaluating sources. This test passes if FAIL does not appear in the output, and each of the tests generates a warning about the path component.
......
......@@ -5,15 +5,15 @@
<script>
var tests = [
['yes', 'script-src http://127.0.0.1:*/', 'resources/script.js'],
['yes', 'script-src http://127.0.0.1:*/path', 'resources/script.js'],
['yes', 'script-src http://127.0.0.1:*/path?query=string', 'resources/script.js'],
['yes', 'script-src http://127.0.0.1:*/path#anchor', 'resources/script.js'],
['no', 'script-src http://127.0.0.1:*/path', 'resources/script.js'],
['no', 'script-src http://127.0.0.1:*/path?query=string', 'resources/script.js'],
['no', 'script-src http://127.0.0.1:*/path#anchor', 'resources/script.js'],
['yes', 'script-src http://127.0.0.1:8000/', 'resources/script.js'],
['yes', 'script-src http://127.0.0.1:8000/path', 'resources/script.js'],
['yes', 'script-src http://127.0.0.1:8000/path?query=string', 'resources/script.js'],
['yes', 'script-src http://127.0.0.1:8000/path#anchor', 'resources/script.js'],
['yes', 'script-src http://127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
['yes', 'script-src http://127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
['no', 'script-src http://127.0.0.1:8000/path', 'resources/script.js'],
['no', 'script-src http://127.0.0.1:8000/path?query=string', 'resources/script.js'],
['no', 'script-src http://127.0.0.1:8000/path#anchor', 'resources/script.js'],
['no', 'script-src http://127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
['no', 'script-src http://127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
];
</script>
</head>
......
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/sec".
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/sec/".
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/not-security".
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/security%3bnot-contentSecurityPolicy".
Resources should be rejected unless they match a whitelisted path.
--------
Frame: '<!--framePath //<!--frame0-->-->'
--------
PASS
--------
Frame: '<!--framePath //<!--frame1-->-->'
--------
PASS
--------
Frame: '<!--framePath //<!--frame2-->-->'
--------
PASS
--------
Frame: '<!--framePath //<!--frame3-->-->'
--------
PASS
--------
Frame: '<!--framePath //<!--frame4-->-->'
--------
PASS
--------
Frame: '<!--framePath //<!--frame5-->-->'
--------
PASS
--------
Frame: '<!--framePath //<!--frame6-->-->'
--------
PASS
<!DOCTYPE html>
<html>
<head>
<script src='resources/multiple-iframe-test.js'></script>
<script>
var security = '%73%65%63%75%72%69%74%79';
var resources = '%72%65%73%6f%75%72%63%65%73';
var tests = [
['no', 'script-src 127.0.0.1:*/sec', 'resources/script.js'],
['no', 'script-src 127.0.0.1:*/sec/', 'resources/script.js'],
['no', 'script-src 127.0.0.1:8000/not-security', 'resources/script.js'],
['no', 'script-src 127.0.0.1:8000/security%3bnot-contentSecurityPolicy', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:*/' + security, 'resources/script.js'],
['yes', 'script-src 127.0.0.1:*/security', resources + '/script.js'],
['yes', 'script-src 127.0.0.1:*/' + security, resources + '/script.js'],
];
</script>
</head>
<body onload="test()">
<p>
Resources should be rejected unless they match a whitelisted path.
</p>
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/not-security#query=string'. It will be ignored.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security#query=string".
CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/not-security?query=string'. It will be ignored.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security?query=string".
CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'not-contentSecurityPolicy'.
Resources should be rejected unless they match a whitelisted path.
--------
Frame: '<!--framePath //<!--frame0-->-->'
--------
PASS
--------
Frame: '<!--framePath //<!--frame1-->-->'
--------
PASS
--------
Frame: '<!--framePath //<!--frame2-->-->'
--------
PASS
--------
Frame: '<!--framePath //<!--frame3-->-->'
--------
PASS
--------
Frame: '<!--framePath //<!--frame4-->-->'
--------
PASS
--------
Frame: '<!--framePath //<!--frame5-->-->'
--------
PASS
<!DOCTYPE html>
<html>
<head>
<script src='resources/multiple-iframe-test.js'></script>
<script>
var tests = [
['no', 'script-src 127.0.0.1:*/not-security#query=string', 'resources/script.js'],
['no', 'script-src 127.0.0.1:*/not-security?query=string', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:*/security', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:*/security/', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:*/security/contentSecurityPolicy', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:8000/security;not-contentSecurityPolicy', 'resources/script.js'],
];
</script>
</head>
<body onload="test()">
<p>
Resources should be rejected unless they match a whitelisted path.
</p>
2012-09-20 Mike West <mkwst@chromium.org>
Support paths in Content Security Policy directives.
https://bugs.webkit.org/show_bug.cgi?id=89750
Reviewed by Adam Barth.
In CSP 1.0, paths are simply ignored: 'script-src
http://example.com/path/to/a/file' would allow script to be loaded from
http://example.com/path/to/a/file/javascript.js, but also from
http://example.com/javascript.js.
This patch is an experimental implementation of more granular path
support in CSP source lists as proposed in the current editor's draft of
CSP 1.1. Paths are treated as specifying directories in which resources
can be found, and are implicitly terminated with a '/': in other words,
'script-src http://a.com/path' is the same as
'script-src http://a.com/path/'. Moreover, paths cannot contain either
'?' or '#' characters.
This is implemented outside the CSP_NEXT flag. All ports will be
effected.
Spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#matching
Tests: http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html
http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html
* page/ContentSecurityPolicy.cpp:
(WebCore::CSPSource::CSPSource):
Store a path along with each CSP source.
(WebCore::CSPSource::matches):
Check the path when comparing a URL to the source.
(WebCore::CSPSource::pathMatches):
Compare the URL-decoded version of the resource to validate against
the source's stored path. If the resource's path begins with the
stored path, then it matches! If not, it doesn't.
(CSPSource):
Store a path along with each CSP source.
(WebCore::CSPSourceList::parse):
Pass a 'path' in when creating CSPSource objects.
(WebCore::CSPSourceList::parsePath):
Actually parse the path, flagging errors if '?' or '#' are present,
URL-decoding the result, and ensuring that a terminal '/' is
added if necessary.
(WebCore::CSPSourceList::addSourceSelf):
Ensure that 'self' sources have an empty path.
* page/ContentSecurityPolicy.h:
Dropping the "ignored path component" console warning.
2012-09-20 Joanmarie Diggs <jdiggs@igalia.com>
 
[GTK] ControlsPanel string is not localized in LocalizedStringsGtk
......@@ -71,6 +71,11 @@ bool isSourceCharacter(UChar c)
return !isASCIISpace(c);
}
bool isPathComponentCharacter(UChar c)
{
return c != '?' && c != '#';
}
bool isHostCharacter(UChar c)
{
return isASCIIAlphanumeric(c) || c == '-';
......@@ -132,10 +137,11 @@ static void skipWhile(const UChar*& position, const UChar* end)
class CSPSource {
public:
CSPSource(const String& scheme, const String& host, int port, bool hostHasWildcard, bool portHasWildcard)
CSPSource(const String& scheme, const String& host, int port, const String& path, bool hostHasWildcard, bool portHasWildcard)
: m_scheme(scheme)
, m_host(host)
, m_port(port)
, m_path(path)
, m_hostHasWildcard(hostHasWildcard)
, m_portHasWildcard(portHasWildcard)
{
......@@ -147,7 +153,7 @@ public:
return false;
if (isSchemeOnly())
return true;
return hostMatches(url) && portMatches(url);
return hostMatches(url) && portMatches(url) && pathMatches(url);
}
private:
......@@ -165,6 +171,16 @@ private:
}
bool pathMatches(const KURL& url) const
{
if (m_path.isEmpty())
return true;
String path = decodeURLEscapeSequences(url.path());
return path.startsWith(m_path, false);
}
bool portMatches(const KURL& url) const
{
if (m_portHasWildcard)
......@@ -189,6 +205,7 @@ private:
String m_scheme;
String m_host;
int m_port;
String m_path;
bool m_hostHasWildcard;
bool m_portHasWildcard;
......@@ -287,9 +304,7 @@ void CSPSourceList::parse(const UChar* begin, const UChar* end)
continue;
if (scheme.isEmpty())
scheme = m_policy->securityOrigin()->protocol();
if (!path.isEmpty())
m_policy->reportIgnoredPathComponent(m_directiveName, String(beginSource, position - beginSource), path);
m_list.append(CSPSource(scheme, host, port, hostHasWildcard, portHasWildcard));
m_list.append(CSPSource(scheme, host, port, path, hostHasWildcard, portHasWildcard));
} else
m_policy->reportInvalidSourceExpression(m_directiveName, String(beginSource, position - beginSource));
......@@ -474,16 +489,23 @@ bool CSPSourceList::parseHost(const UChar* begin, const UChar* end, String& host
return true;
}
// FIXME: Deal with an actual path. This just sucks up everything to the end of the string.
bool CSPSourceList::parsePath(const UChar* begin, const UChar* end, String& path)
{
ASSERT(begin <= end);
ASSERT(path.isEmpty());
if (begin == end)
const UChar* position = begin;
skipWhile<isPathComponentCharacter>(position, end);
// path/to/file.js?query=string || path/to/file.js#anchor
// ^ ^
if (position < end)
return false;
path = String(begin, end - begin);
path = decodeURLEscapeSequences(String(begin, end - begin));
if (!path.endsWith('/'))
path = path + '/';
ASSERT(position == end && path.endsWith('/'));
return true;
}
......@@ -520,7 +542,7 @@ bool CSPSourceList::parsePort(const UChar* begin, const UChar* end, int& port, b
void CSPSourceList::addSourceSelf()
{
m_list.append(CSPSource(m_policy->securityOrigin()->protocol(), m_policy->securityOrigin()->host(), m_policy->securityOrigin()->port(), false, false));
m_list.append(CSPSource(m_policy->securityOrigin()->protocol(), m_policy->securityOrigin()->host(), m_policy->securityOrigin()->port(), String(), false, false));
}
void CSPSourceList::addSourceStar()
......@@ -1550,12 +1572,6 @@ void ContentSecurityPolicy::reportInvalidNonce(const String& nonce) const
logToConsole(message);
}
void ContentSecurityPolicy::reportIgnoredPathComponent(const String& directiveName, const String& completeSource, const String& path) const
{
String message = makeString("The source list for Content Security Policy directive '", directiveName, "' contains the source '", completeSource, "'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '", path, "' is being ignored. Be careful.");
logToConsole(message);
}
void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiveName, const String& source) const
{
String message = makeString("The source list for Content Security Policy directive '", directiveName, "' contains an invalid source: '", source, "'. It will be ignored.");
......
......@@ -100,7 +100,6 @@ public:
void gatherReportURIs(DOMStringList&) const;
void reportDuplicateDirective(const String&) const;
void reportIgnoredPathComponent(const String& directiveName, const String& completeSource, const String& path) const;
void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
void reportInvalidNonce(const String&) const;
void reportInvalidPluginTypes(const String&) const;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment