Commit b7a83d5a authored by abarth@webkit.org

2011-02-15 Adam Barth <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Sketch script-src for Content Security Policy
        https://bugs.webkit.org/show_bug.cgi?id=54381

        * http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/script-loads-with-img-src.html: Added.
            - Test that we don't block scripts when the policy is just img-src.
        * http/tests/security/contentSecurityPolicy/script-src-in-iframe.html:
        * http/tests/security/contentSecurityPolicy/script-src-none.html:
        * http/tests/security/contentSecurityPolicy/script-src-redirect.html:
            - Turns out we need to escape the ; character in order for it to be
              echoed back correctly in the header.
2011-02-15  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Sketch script-src for Content Security Policy
        https://bugs.webkit.org/show_bug.cgi?id=54381

        This patch provides a sketch of the script-src directive.  We still do
        not parse the value of the directive, and the wiring into the rest of
        WebCore is incorrect, but those are things we can fix in future
        patches.  For the moment, this patch lets us test what we're doing.

        Test: http/tests/security/contentSecurityPolicy/script-loads-with-img-src.html

        * page/ContentSecurityPolicy.cpp:
        (WebCore::CSPDirective::CSPDirective):
        (WebCore::CSPDirective::allows):
        (WebCore::ContentSecurityPolicy::didReceiveHeader):
        (WebCore::ContentSecurityPolicy::canLoadExternalScriptFromSrc):
        (WebCore::ContentSecurityPolicy::parse):
        (WebCore::ContentSecurityPolicy::emitDirective):
        * page/ContentSecurityPolicy.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@78569 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 2312f23d
2011-02-15 Adam Barth <abarth@webkit.org>
Reviewed by Eric Seidel.
Sketch script-src for Content Security Policy
https://bugs.webkit.org/show_bug.cgi?id=54381
* http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-loads-with-img-src.html: Added.
- Test that we don't block scripts when the policy is just img-src.
* http/tests/security/contentSecurityPolicy/script-src-in-iframe.html:
* http/tests/security/contentSecurityPolicy/script-src-none.html:
* http/tests/security/contentSecurityPolicy/script-src-redirect.html:
- Turns out we need to escape the ; character in order for it to be
echoed back correctly in the header.
2011-02-15 Mario Sanchez Prada <msanchez@igalia.com>
 
Unreviewed, skipping flaky test on GTK 64-bit debug bot.
--------
Frame: '<!--framePath //<!--frame0-->-->'
--------
PASS
<!DOCTYPE html>
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.dumpChildFramesAsText();
}
</script>
</head>
<body>
<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=yes&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=script-img%20'none'"></iframe>
</body>
</html>
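Review bot: the policy in the iframe src on the last line of this new test is `script-img 'none'`, not `img-src 'none'`, so the test exercises an unrecognized directive name rather than the img-src case the ChangeLog entry describes. It still passes, because emitDirective in this patch only materializes script-src and drops everything else, but it should read `csp=img-src%20'none'` to check what its name claims; a separate case with a deliberately misspelled `script-src` would then pin down that silently ignoring unknown directive names is the intended behavior rather than an accident of the stub.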
......@@ -12,6 +12,6 @@ if (window.layoutTestController) {
<p>
Loads an iframe (a) which loads an iframe (b) which in turns tries to load an external script. The iframe (a) has a content security policy disabling external scripts. As this policy does not apply to (b), the script should be executed.
</p>
<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-iframe.pl?q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script-src.html&csp=allow%20*;%20script-src%20'none'"></iframe>
<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-iframe.pl?q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script-src.html&csp=allow%20*%3B%20script-src%20'none'"></iframe>
</body>
</html>
......@@ -12,6 +12,6 @@ if (window.layoutTestController) {
<p>
Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.
</p>
<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=allow%20*;%20script-src%20'none'"></iframe>
<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=no&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=allow%20*%3B%20script-src%20'none'"></iframe>
</body>
</html>
......@@ -12,6 +12,6 @@ if (window.layoutTestController) {
<p>
Loads an iframe which in turns tries to load an external script. The request for the script is redirected to 'localhost'. The iframe has a content security policy disabling external scripts from hosts other than 'localhost'. So the script should be allowed to run.
</p>
<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=yes&csp=allow%20*;%20script-src%20'localhost'&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php%3furl=http://localhost:8000/security/contentSecurityPolicy/resources/script.js"></iframe>
<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=yes&csp=allow%20*%3B%20script-src%20'localhost'&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php%3furl=http://localhost:8000/security/contentSecurityPolicy/resources/script.js"></iframe>
</body>
</html>
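Review bot: this test expects the script to run under `script-src 'localhost'`, but CSPDirective::allows in this patch returns false for every URL, so the presence of any script-src directive blocks every external script regardless of its value; unless canLoadExternalScriptFromSrc is not yet reached on this path (the ChangeLog says the wiring into WebCore is still incorrect), this expectation cannot pass until the directive value is parsed. Either record the expected failure or add a FIXME in the test pointing at bug 54381. When the value parsing lands, the URL handed to the check must be the post-redirect one (http://localhost:8000/...), not the 127.0.0.1 redir.php URL, for the 'localhost' source to match as the test prose assumes.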
2011-02-15 Adam Barth <abarth@webkit.org>
Reviewed by Eric Seidel.
Sketch script-src for Content Security Policy
https://bugs.webkit.org/show_bug.cgi?id=54381
This patch provides a sketch of the script-src directive. We still do
not parse the value of the directive, and the wiring into the rest of
WebCore is incorrect, but those are things we can fix in future
patches. For the momemnt, this patch lets us test what we're doing.
Test: http/tests/security/contentSecurityPolicy/script-loads-with-img-src.html
* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirective::CSPDirective):
(WebCore::CSPDirective::allows):
(WebCore::ContentSecurityPolicy::didReceiveHeader):
(WebCore::ContentSecurityPolicy::canLoadExternalScriptFromSrc):
(WebCore::ContentSecurityPolicy::parse):
(WebCore::ContentSecurityPolicy::emitDirective):
* page/ContentSecurityPolicy.h:
2011-02-15 Antti Koivisto <antti@apple.com>
 
Reviewed by Andreas Kling.
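Review bot: typo in the ChangeLog entry: "momemnt" should be "moment".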
......@@ -31,22 +31,22 @@ namespace WebCore {
class CSPDirective {
public:
CSPDirective(const String& name, const String& value)
: m_name(name)
, m_value(value)
explicit CSPDirective(const String& value)
: m_value(value)
{
}
const String& name() const { return m_name; }
const String& value() const { return m_value; }
bool allows(const KURL&)
{
return false;
}
private:
String m_name;
String m_value;
};
ContentSecurityPolicy::ContentSecurityPolicy()
: m_isEnabled(false)
: m_havePolicy(false)
{
}
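Review bot: CSPDirective::allows ignores its argument and returns false unconditionally, and it is not const even though it reads no member state; with this stub `script-src *` blocks exactly as `script-src 'none'` does. That is the fail-closed direction, which is fine for a sketch, but the function should be `bool allows(const KURL&) const` and carry a FIXME noting that m_value is stored but never consulted (within this patch the value() accessor is its only reader), so nobody mistakes the stub for a deliberate deny-all.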
......@@ -56,25 +56,49 @@ ContentSecurityPolicy::~ContentSecurityPolicy()
void ContentSecurityPolicy::didReceiveHeader(const String& header)
{
if (!m_directives.isEmpty())
if (m_havePolicy)
return; // The first policy wins.
m_isEnabled = true;
parse(header);
m_havePolicy = true;
}
bool ContentSecurityPolicy::canLoadExternalScriptFromSrc(const String&) const
bool ContentSecurityPolicy::canLoadExternalScriptFromSrc(const String& url) const
{
return !m_isEnabled;
return !m_scriptSrc || m_scriptSrc->allows(KURL(ParsedURLString, url));
}
void ContentSecurityPolicy::parse(const String& policy)
{
ASSERT(m_directives.isEmpty());
ASSERT(!m_havePolicy);
if (policy.isEmpty())
return;
const UChar* pos = policy.characters();
const UChar* end = pos + policy.length();
while (pos < end) {
Vector<UChar, 32> name;
Vector<UChar, 64> value;
parseDirective(pos, end, name, value);
if (name.isEmpty())
continue;
// We use a copy here instead of String::adopt because we expect
// the name and the value to be relatively short, so the copy will
// be cheaper than the extra malloc.
emitDirective(String(name), String(value));
}
}
void ContentSecurityPolicy::parseDirective(const UChar*& pos, const UChar* end, Vector<UChar, 32>& name, Vector<UChar, 64>& value)
{
ASSERT(pos < end);
ASSERT(name.isEmpty());
ASSERT(value.isEmpty());
enum {
BeforeDirectiveName,
DirectiveName,
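Review bot: canLoadExternalScriptFromSrc now treats a policy with no script-src directive as permissive (`return !m_scriptSrc || ...`), where the removed `return !m_isEnabled` blocked under any policy at all. That is the right shape, but since emitDirective in this file only materializes script-src, the `allow` directive the tests pair with it (`allow *; script-src 'none'`) is dropped on the floor, and a policy of `allow 'none'` alone would not restrict scripts; a FIXME here or a test for the allow-only case would keep that from being forgotten. Separately, the "first policy wins" early return in didReceiveHeader silently discards any second header; a console message would let page authors notice that their second policy is not being enforced.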
......@@ -82,12 +106,6 @@ void ContentSecurityPolicy::parse(const String& policy)
DirectiveValue,
} state = BeforeDirectiveName;
const UChar* pos = policy.characters();
const UChar* end = pos + policy.length();
Vector<UChar, 32> name;
Vector<UChar, 64> value;
while (pos < end) {
UChar currentCharacter = *pos++;
switch (state) {
......@@ -113,17 +131,19 @@ void ContentSecurityPolicy::parse(const String& policy)
value.append(currentCharacter);
continue;
}
// We use a copy here instead of String::adopt because we expect
// the name and the value to be relatively short, so the copy will
// be cheaper than the extra malloc.
// FIXME: Perform directive-specific parsing of the value.
m_directives.append(CSPDirective(String(name), String(value)));
name.clear();
value.clear();
state = BeforeDirectiveName;
continue;
return;
}
}
}
void ContentSecurityPolicy::emitDirective(const String& name, const String& value)
{
DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
ASSERT(!name.isEmpty());
if (!m_scriptSrc && equalIgnoringCase(name, scriptSrc))
m_scriptSrc = adoptPtr(new CSPDirective(value));
}
}
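Review bot: parseDirective's contract is implicit: it returns either at a directive terminator (the `return;` that replaces `continue;`) or when pos reaches end, and only in the first case has it consumed the separator; in the second case the caller in parse() emits whatever is left in name and value, which is how the final directive without a trailing `;` gets emitted. Every test on this page ends its policy with `script-src 'none'` and no trailing separator, so that end-of-input path is the one actually exercised; it deserves a comment above the function. In emitDirective, directives other than script-src are dropped without a trace and a second script-src is ignored by the `!m_scriptSrc` guard; consider a console message for the unrecognized-directive case so that a misspelled directive name (cf. `script-img` in the new test) does not quietly yield an empty policy.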
......@@ -43,12 +43,12 @@ public:
bool canLoadExternalScriptFromSrc(const String& url) const;
private:
typedef Vector<CSPDirective> DirectiveList;
void parse(const String&);
void parseDirective(const UChar*& pos, const UChar* end, Vector<UChar, 32>& name, Vector<UChar, 64>& value);
void emitDirective(const String& name, const String& value);
bool m_isEnabled;
DirectiveList m_directives;
bool m_havePolicy;
OwnPtr<CSPDirective> m_scriptSrc;
};
}
......