Ignore paths in Content Security Policy sources rather than failing to parse them.
https://bugs.webkit.org/show_bug.cgi?id=89281

Patch by Mike West <mkwst@chromium.org> on 2012-06-16
Reviewed by Adam Barth.

Source/WebCore:

In short: `script-src http://example.com/` should allow scripts from
http://example.com. Currently, it allows no scripts at all, as the
terminal `/` isn't accepted as part of a hostname.

This patch adjusts CSPSourceList::parseSource to accept paths (and
discard them). Once this lands, the next step will be to keep the
path, and use it when comparing source origins in the various
allowXXXFromSource methods.

Tests: http/tests/security/contentSecurityPolicy/source-list-parsing-05.html
       http/tests/security/contentSecurityPolicy/source-list-parsing-06.html

* page/ContentSecurityPolicy.cpp:
(CSPSourceList):
(WebCore):
(WebCore::CSPSourceList::parseSource):
Reworked this method entirely to support paths.
(WebCore::CSPSourceList::parsePath):
More or less a no-op at the moment.
(WebCore::CSPSourceList::parsePort):
Moved the `:` assertion here from parseSource.

LayoutTests:

* http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/source-list-parsing-05.html: Added.
* http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/source-list-parsing-06.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@120540 268f45cc-cd09-0410-ab3c-d52691b4dbfc
7 files changed
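The parsing change described in the commit message, as an added example that is not WebKit's code: a simplified host-source parser that either rejects a source carrying a path or accepts and discards it. The names `ParsedSource`, `parseSourceExpression` and `sourceAllows` are hypothetical, the grammar omits wildcards and scheme-only sources, and matching compares scheme and host only.

```cpp
#include <cctype>
#include <string>

// Hypothetical, simplified model of a CSP host-source; not WebKit's CSPSourceList.
struct ParsedSource { std::string scheme, host, port; };

static bool isHostChar(char c) {
    return std::isalnum(static_cast<unsigned char>(c)) || c == '-' || c == '.';
}

// Parses [scheme "://"] host [":" port] [path].
// acceptPath=false: any "/" after the host makes the source invalid (behaviour before the patch).
// acceptPath=true: the path is recognised and thrown away (behaviour the patch describes).
bool parseSourceExpression(const std::string& in, bool acceptPath, ParsedSource& out) {
    out = ParsedSource();
    std::string rest = in;
    auto sep = rest.find("://");
    if (sep != std::string::npos) {
        if (sep == 0) return false;              // "://host" has no scheme
        out.scheme = rest.substr(0, sep);
        rest = rest.substr(sep + 3);
    }
    auto pathStart = rest.find('/');
    if (pathStart != std::string::npos) {
        if (!acceptPath) return false;
        rest = rest.substr(0, pathStart);        // path is dropped, not stored
    }
    auto colon = rest.find(':');
    std::string host = rest.substr(0, colon);
    if (colon != std::string::npos) {
        out.port = rest.substr(colon + 1);
        if (out.port.empty()) return false;
        for (char c : out.port)
            if (out.port != "*" && !std::isdigit(static_cast<unsigned char>(c))) return false;
    }
    if (host.empty()) return false;
    for (char c : host)
        if (!isHostChar(c)) return false;
    out.host = host;
    return true;
}

// A source that fails to parse matches nothing; a parsed one is compared on scheme and host.
bool sourceAllows(const std::string& source, bool acceptPath,
                  const std::string& scheme, const std::string& host) {
    ParsedSource s;
    if (!parseSourceExpression(source, acceptPath, s)) return false;
    return (s.scheme.empty() || s.scheme == scheme) && s.host == host;
}
```

Because the path is discarded, a policy author who writes `http://example.com/js/` in this model gets the whole of `http://example.com` allowed, not only resources under `/js/`.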