CSP should let sites both enforce one policy and monitor another
https://bugs.webkit.org/show_bug.cgi?id=85561
Reviewed by Eric Seidel.
Source/WebCore:
This patch lets us enforce and/or monitor multiple CSP policies.
Rather than having a single directive list, we now have a vector of
directive lists.
Tests: http/tests/security/contentSecurityPolicy/combine-multiple-policies.html
http/tests/security/contentSecurityPolicy/report-and-enforce.html
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::copyStateFrom):
(WebCore::ContentSecurityPolicy::didReceiveHeader):
(WebCore::ContentSecurityPolicy::deprecatedHeader):
(WebCore::ContentSecurityPolicy::deprecatedHeaderType):
- Even after this patch, workers aren't smart enough to enforce
multiple policies. They just use the first header, like they did
before. We'll need to teach workers how to enforce multiple
policies in a future patch.
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
(WebCore::ContentSecurityPolicy::allowInlineScript):
(WebCore::ContentSecurityPolicy::allowInlineStyle):
(WebCore::ContentSecurityPolicy::allowEval):
(WebCore::ContentSecurityPolicy::allowScriptFromSource):
(WebCore::ContentSecurityPolicy::allowObjectFromSource):
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource):
(WebCore::ContentSecurityPolicy::allowImageFromSource):
(WebCore::ContentSecurityPolicy::allowStyleFromSource):
(WebCore::ContentSecurityPolicy::allowFontFromSource):
(WebCore::ContentSecurityPolicy::allowMediaFromSource):
(WebCore::ContentSecurityPolicy::allowConnectFromSource):
* page/ContentSecurityPolicy.h:
* workers/DefaultSharedWorkerRepository.cpp:
(WebCore::SharedWorkerScriptLoader::notifyFinished):
* workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::startWorkerContext):
Source/WebKit/chromium:
* src/SharedWorkerRepository.cpp:
(WebCore::SharedWorkerScriptLoader::notifyFinished):
* src/WebWorkerClientImpl.cpp:
(WebKit::WebWorkerClientImpl::startWorkerContext):
LayoutTests:
Test that we can enforce multiple policies and that we can enforce one
policy while monitoring another.
* http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/combine-multiple-policies.html: Added.
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-and-enforce.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@116254 268f45cc-cd09-0410-ab3c-d52691b4dbfc
13 files changed
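A minimal model of the combination rule this change introduces (a load must satisfy every enforced policy, while a monitored policy only reports), as an added example that is not WebKit's own code. The header values, origins and the simplified source matching below are constructed for illustration.

```cpp
// Added example, not WebKit's own code: a minimal model of how several CSP
// headers combine. Every enforced policy must allow a load; report-only ones only report.
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct Policy {
    std::map<std::string, std::vector<std::string>> directives;  // one directive list
    bool reportOnly;  // true for a report-only header (e.g. Content-Security-Policy-Report-Only)
};
// Parse "script-src 'self' https://cdn.example.com; img-src *" into a Policy.
Policy parsePolicy(const std::string& header, bool reportOnly) {
    Policy p{{}, reportOnly};
    std::stringstream segments(header);
    for (std::string segment; std::getline(segments, segment, ';');) {
        std::istringstream words(segment);
        std::string name, source;
        if (!(words >> name)) continue;  // empty segment, e.g. a trailing ';'
        while (words >> source) p.directives[name].push_back(source);
    }
    return p;
}

// One policy's verdict. Sources are simplified to '*', 'self' and exact origins;
// a missing directive falls back to default-src, and neither means no limit.
bool policyAllows(const Policy& p, const std::string& directive,
                  const std::string& origin, const std::string& selfOrigin) {
    auto it = p.directives.find(directive);
    if (it == p.directives.end()) it = p.directives.find("default-src");
    if (it == p.directives.end()) return true;
    for (const std::string& src : it->second)
        if (src == "*" || src == origin || (src == "'self'" && origin == selfOrigin))
            return true;
    return false;  // covers 'none' and any unmatched source
}
struct Decision { bool allowed; int reports; };
// Walk the vector of policies: any enforced denial blocks the load, and every
// denial, enforced or report-only, would send one violation report.
Decision checkLoad(const std::vector<Policy>& policies, const std::string& directive,
                   const std::string& origin, const std::string& selfOrigin) {
    Decision d{true, 0};
    for (const Policy& p : policies) {
        if (policyAllows(p, directive, origin, selfOrigin)) continue;
        ++d.reports;
        if (!p.reportOnly) d.allowed = false;
    }
    return d;
}
```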