Commit 75a72fe0 authored by abarth@webkit.org's avatar abarth@webkit.org

2011-04-07 Adam Barth <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Implement img-src style-src and font-src
        https://bugs.webkit.org/show_bug.cgi?id=58018

        Test a bunch of allow/block tests for these new directives.

        * http/tests/security/contentSecurityPolicy/image-allowed-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/image-allowed.html: Added.
        * http/tests/security/contentSecurityPolicy/image-blocked-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/image-blocked.html: Added.
        * http/tests/security/contentSecurityPolicy/resources/blue.css: Added.
        * http/tests/security/contentSecurityPolicy/resources/style.xsl: Added.
        * http/tests/security/contentSecurityPolicy/style-allowed-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/style-allowed.html: Added.
        * http/tests/security/contentSecurityPolicy/style-blocked-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/style-blocked.html: Added.
        * http/tests/security/contentSecurityPolicy/xsl-allowed.php: Added.
        * http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/xsl-blocked.php: Added.
2011-04-07  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Implement img-src style-src and font-src
        https://bugs.webkit.org/show_bug.cgi?id=58018

        These are pretty straightforward given the rest of the infrastructure
        we've built so far.

        Tests: http/tests/security/contentSecurityPolicy/image-allowed.html
               http/tests/security/contentSecurityPolicy/image-blocked.html
               http/tests/security/contentSecurityPolicy/style-allowed.html
               http/tests/security/contentSecurityPolicy/style-blocked.html
               http/tests/security/contentSecurityPolicy/xsl-allowed.php
               http/tests/security/contentSecurityPolicy/xsl-blocked.php

        * loader/cache/CachedResourceLoader.cpp:
        (WebCore::CachedResourceLoader::canRequest):
        * page/ContentSecurityPolicy.cpp:
        (WebCore::ContentSecurityPolicy::allowImageFromSource):
        (WebCore::ContentSecurityPolicy::allowStyleFromSource):
        (WebCore::ContentSecurityPolicy::allowFontFromSource):
        (WebCore::ContentSecurityPolicy::addDirective):
        * page/ContentSecurityPolicy.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@83235 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent e0bc5507
2011-04-07 Adam Barth <abarth@webkit.org>
Reviewed by Eric Seidel.
Implement img-src style-src and font-src
https://bugs.webkit.org/show_bug.cgi?id=58018
Test a bunch of allow/block tests for these new directives.
* http/tests/security/contentSecurityPolicy/image-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/image-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/resources/blue.css: Added.
* http/tests/security/contentSecurityPolicy/resources/style.xsl: Added.
* http/tests/security/contentSecurityPolicy/style-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/style-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/style-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/style-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/xsl-allowed.php: Added.
* http/tests/security/contentSecurityPolicy/xsl-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-blocked.php: Added.
2011-04-07 Enrica Casucci <enrica@apple.com>
Unreviewed. Updated comment in skipped list to
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-WebKit-CSP" content="img-src *; script-src 'none'; options disable-xss-protection">
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
</head>
<body>
<img src="../resources/abe.png" onload="alert(this.width == 76 ? 'PASS' : 'FAIL')">
</body>
</html>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-WebKit-CSP" content="img-src 'none'; script-src 'none'; options disable-xss-protection">
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
</head>
<body>
This test passes if it doesn't alert fail.
<img src="../resources/abe.png" onload="alert('FAIL')">
</body>
</html>
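Review bot: This blocked-image page (the one with `img-src 'none'`) passes only because `alert('FAIL')` never fires, so it would pass just as well if `../resources/abe.png` failed to load for a reason unrelated to the policy, such as a wrong relative path. The allowed-image page loads the same path and acts as a control, but only while both files stay in step. A positive signal would make the test self-contained, for example `onerror="alert('PASS')"` on the `<img>`, provided a policy-blocked load dispatches an error event here, which is not visible from this page and needs confirming. Failing that, a comment in the page noting that it depends on the allowed test for its control would help.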
<?xml version="1.0"?>
<xsl:stylesheet version="2.0"
xmlns:xhtml="http://www.w3.org/1999/xhtml"
xmlns="http://www.w3.org/1999/xhtml"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
exclude-result-prefixes="xhtml xsl xs">
<xsl:output method="xml" version="1.0" encoding="UTF-8" doctype-public="-//W3C//DTD XHTML 1.1//EN" doctype-system="http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" indent="yes"/>
<xsl:template match="@*|node()">
<xsl:copy>
<xsl:apply-templates select="@*|node()"/>
</xsl:copy>
</xsl:template>
<xsl:template match="xhtml:div">
<xsl:copy>
Style sheet applied.
<xsl:apply-templates select="@*|node()"/>
</xsl:copy>
</xsl:template>
</xsl:stylesheet>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-WebKit-CSP" content="style-src *; script-src 'none'; options disable-xss-protection">
<link rel="stylesheet" href="resources/blue.css">
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
</head>
<body>
<script>
document.write(document.styleSheets.length > 0 ? 'PASS' : 'FAIL');
</script>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'none'; options disable-xss-protection">
<link rel="stylesheet" href="resources/blue.css">
<script>
if (window.layoutTestController)
layoutTestController.dumpAsText();
</script>
</head>
<body>
<script>
document.write(document.styleSheets.length > 0 ? 'FAIL' : 'PASS');
</script>
</body>
</html>
The text below should indicate that the style sheet was applied.
Style sheet applied.
<?php
header("Content-Type: application/xhtml+xml");
header("X-WebKit-CSP: style-src *; script-src 'none'; options disable-xss-protection");
echo '<?xml version="1.0" encoding="UTF-8"?>';
echo '<?xml-stylesheet type="text/xsl" href="resources/style.xsl"?>';
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>
//<![CDATA[
if (window.layoutTestController)
layoutTestController.dumpAsText();
//]]>
</script>
</head>
<body>
The text below should indicate that the style sheet was applied.
<div />
</body>
</html>
layer at (0,0) size 800x600
RenderView at (0,0) size 800x600
<?php
header("Content-Type: application/xhtml+xml");
header("X-WebKit-CSP: style-src 'none'; script-src *; options disable-xss-protection");
echo '<?xml version="1.0" encoding="UTF-8"?>';
echo '<?xml-stylesheet type="text/xsl" href="resources/style.xsl"?>';
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>
//<![CDATA[
if (window.layoutTestController)
layoutTestController.dumpAsText();
//]]>
</script>
</head>
<body>
This test should render as a blank page because the style sheet will fail to load!
<div />
</body>
</html>
2011-04-07 Adam Barth <abarth@webkit.org>
Reviewed by Eric Seidel.
Implement img-src style-src and font-src
https://bugs.webkit.org/show_bug.cgi?id=58018
These are pretty straight forward given the rest of the infrastructure
we've built so far.
Tests: http/tests/security/contentSecurityPolicy/image-allowed.html
http/tests/security/contentSecurityPolicy/image-blocked.html
http/tests/security/contentSecurityPolicy/style-allowed.html
http/tests/security/contentSecurityPolicy/style-blocked.html
http/tests/security/contentSecurityPolicy/xsl-allowed.php
http/tests/security/contentSecurityPolicy/xsl-blocked.php
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest):
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowImageFromSource):
(WebCore::ContentSecurityPolicy::allowStyleFromSource):
(WebCore::ContentSecurityPolicy::allowFontFromSource):
(WebCore::ContentSecurityPolicy::addDirective):
* page/ContentSecurityPolicy.h:
2011-04-07 David Levin <levin@chromium.org>
Reviewed by Darin Adler.
......@@ -255,8 +255,32 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const KURL& url
}
// FIXME: Consider letting the embedder block mixed content loads.
if (type == CachedResource::Script && !m_document->contentSecurityPolicy()->allowScriptFromSource(url))
return false;
switch (type) {
case CachedResource::Script:
if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url))
return false;
break;
#if ENABLE(XSLT)
case CachedResource::XSLStyleSheet:
#endif
case CachedResource::CSSStyleSheet:
if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url))
return false;
break;
case CachedResource::ImageResource:
if (!m_document->contentSecurityPolicy()->allowImageFromSource(url))
return false;
break;
case CachedResource::FontResource: {
if (!m_document->contentSecurityPolicy()->allowFontFromSource(url))
return false;
break;
}
#if ENABLE(LINK_PREFETCH)
case CachedResource::LinkPrefetch:
break;
#endif
}
return true;
}
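Review bot: The `CachedResource::LinkPrefetch` case in the new switch breaks straight to `return true` with no policy check and no comment, so a prefetch request is issued whatever the document's policy says. If that is deliberate because no directive covers prefetch yet, it should be recorded at the case, e.g. `// FIXME: Prefetch loads are not yet checked against any CSP directive.` The braces around the `FontResource` case are inconsistent with the other cases and can be dropped. `m_document->contentSecurityPolicy()` is repeated in every arm and could be read once before the switch. The body of `canRequest` starts above this hunk, so the earlier checks are not visible here.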
......
......@@ -509,6 +509,21 @@ bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const
return !m_objectSrc || m_objectSrc->allows(url);
}
bool ContentSecurityPolicy::allowImageFromSource(const KURL& url) const
{
return !m_imgSrc || m_imgSrc->allows(url);
}
bool ContentSecurityPolicy::allowStyleFromSource(const KURL& url) const
{
return !m_styleSrc || m_styleSrc->allows(url);
}
bool ContentSecurityPolicy::allowFontFromSource(const KURL& url) const
{
return !m_fontSrc || m_fontSrc->allows(url);
}
// policy = directive-list
// directive-list = [ directive *( ";" [ directive ] ) ]
//
......@@ -584,6 +599,9 @@ void ContentSecurityPolicy::addDirective(const String& name, const String& value
{
DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src"));
DEFINE_STATIC_LOCAL(String, imgSrc, ("img-src"));
DEFINE_STATIC_LOCAL(String, styleSrc, ("style-src"));
DEFINE_STATIC_LOCAL(String, fontSrc, ("font-src"));
DEFINE_STATIC_LOCAL(String, options, ("options"));
ASSERT(!name.isEmpty());
......@@ -592,6 +610,12 @@ void ContentSecurityPolicy::addDirective(const String& name, const String& value
m_scriptSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
else if (!m_objectSrc && equalIgnoringCase(name, objectSrc))
m_objectSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
else if (!m_imgSrc && equalIgnoringCase(name, imgSrc))
m_imgSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
else if (!m_styleSrc && equalIgnoringCase(name, styleSrc))
m_styleSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
else if (!m_fontSrc && equalIgnoringCase(name, fontSrc))
m_fontSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
else if (!m_options && equalIgnoringCase(name, options))
m_options = adoptPtr(new CSPOptions(value));
}
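Review bot: `allowFontFromSource` and the `font-src` branch in `addDirective` have no test in this commit; the ChangeLog lists image, style and xsl allow/block tests only, so the font path through `canRequest` ships unexercised. A pair of font-allowed and font-blocked tests mirroring the image ones would close that gap. Separately, each new accessor returns true when its directive is absent (`!m_imgSrc || ...`), so a policy that names only `script-src` leaves images, styles and fonts unrestricted. If a fallback directive is planned it is not consulted here, so the accessors should say so, e.g. `// A missing directive places no restriction on this resource type.` In `addDirective` the `!m_imgSrc &&` guards keep the first occurrence and silently drop repeats, which is worth a one-line comment since the function's opening lines are outside these hunks.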
......
......@@ -49,8 +49,12 @@ public:
bool allowJavaScriptURLs() const;
bool allowInlineEventHandlers() const;
bool allowInlineScript() const;
bool allowScriptFromSource(const KURL&) const;
bool allowObjectFromSource(const KURL&) const;
bool allowImageFromSource(const KURL&) const;
bool allowStyleFromSource(const KURL&) const;
bool allowFontFromSource(const KURL&) const;
private:
explicit ContentSecurityPolicy(SecurityOrigin*);
......@@ -65,6 +69,9 @@ private:
RefPtr<SecurityOrigin> m_origin;
OwnPtr<CSPDirective> m_scriptSrc;
OwnPtr<CSPDirective> m_objectSrc;
OwnPtr<CSPDirective> m_imgSrc;
OwnPtr<CSPDirective> m_styleSrc;
OwnPtr<CSPDirective> m_fontSrc;
OwnPtr<CSPOptions> m_options;
};
......