We should trigger a console warning when we encounter invalid sandbox flags.
https://bugs.webkit.org/show_bug.cgi?id=101956

Reviewed by Adam Barth.

Source/WebCore:

A developer who writes '<iframe sandbox="allowScripts">' probably has
something in mind other than what the browser interprets. In these
situations, we should log a console warning that notes 'allowScripts'
is an invalid sandbox flag ('allow-scripts' is probably what she
meant).

This patch does the simplest thing possible: it throws a warning that
lists the invalid flags encountered for sandbox attributes on iframes,
and for sandbox Content Security Policy directives.

Tests: http/tests/security/contentSecurityPolicy/sandbox-invalid-header.html
       http/tests/security/sandboxed-iframe-invalid.html

* dom/SecurityContext.cpp:
(WebCore::SecurityContext::parseSandboxPolicy):
* dom/SecurityContext.h:
(SecurityContext):
    Accept a new out parameter, invalidTokensErrorMessage. If invalid
    tokens are encountered, build an error message string, and pass it
    back to the caller through this parameter.
* html/HTMLIFrameElement.cpp:
(WebCore::HTMLIFrameElement::parseAttribute):
* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirectiveList::applySandboxPolicy):
    When applying a sandbox policy, pass a string into
    SecurityContext::parseSandboxPolicy to grab any errors that might
    be encountered, and log a warning in that event.
(WebCore::ContentSecurityPolicy::reportInvalidSandboxFlags):
(WebCore):
* page/ContentSecurityPolicy.h:
    Adding a new method to report invalid sandbox flags.

LayoutTests:

* http/tests/security/contentSecurityPolicy/sandbox-invalid-header-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/sandbox-invalid-header.html: Added.
* http/tests/security/sandboxed-iframe-invalid-expected.txt: Added.
* http/tests/security/sandboxed-iframe-invalid.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@134766 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/http/tests/security/sandboxed-iframe-invalid.html b/LayoutTests/http/tests/security/sandboxed-iframe-invalid.html
new file mode 100644
index 0000000..64e78dd
--- /dev/null
+++ b/LayoutTests/http/tests/security/sandboxed-iframe-invalid.html
@@ -0,0 +1,17 @@
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+}
+</script>
+</head>
+
+<body>
+<p>Test that an iframe with invalid sandbox flags generates a relevant warning.</p>
+
+<iframe id="theFrame" sandbox="allowScripts"></iframe>
+<iframe id="theFrame2" sandbox="allowScripts allowSameOrigin allowFoobarbloop"></iframe>
+
+</body>
+</html>
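Review bot: both iframes near the end of the body carry only invalid tokens (allowScripts, allowSameOrigin, allowFoobarbloop), so the test never covers a sandbox attribute that mixes a valid flag with an invalid one. Consider adding a third frame, for example sandbox="allow-scripts allowSameOrigin", to check that the warning lists only the unrecognised token and that the valid one is still applied. The frames also have no src, so this test checks the console message only; a frame that loads a document and tries to run script would additionally confirm that unrecognised flags grant nothing and the frame stays restricted.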