2011-02-24  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        CSP's script-src should block JavaScript URLs
        https://bugs.webkit.org/show_bug.cgi?id=54787

        Test how various CSP policies affect JavaScript URLs. We could test
        more contexts in the future, but this is a start.

        * http/tests/security/contentSecurityPolicy/javascript-url-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/javascript-url.html: Added.
        * http/tests/security/contentSecurityPolicy/resources/javascript-url.pl: Added.

2011-02-24  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        CSP's script-src should block JavaScript URLs
        https://bugs.webkit.org/show_bug.cgi?id=54787

        Blocking JavaScript URLs required some re-architecting of the lifetime
        of the ContentSecurityPolicy object. We now manage the lifetime the
        same way we manage the lifetime of the SecurityOrigin object. In
        particular, when SecurityOrigin inherits into an about:blank iframe, we
        inherit the CSP object as well. (This is covered by the test added in
        this patch.) In the future, we might consider making
        ContentSecurityPolicy a component of SecurityOrigin instead of a
        component of Document.

        I noted the trickiness in
        http://www.w3.org/Security/wiki/Content_Security_Policies so that we'll
        make sure it gets defined properly in the spec.

        Test: http/tests/security/contentSecurityPolicy/javascript-url.html

        * bindings/ScriptControllerBase.cpp:
        (WebCore::ScriptController::executeIfJavaScriptURL):
        * dom/Document.cpp:
        (WebCore::Document::initSecurityContext):
        * dom/Document.h:
        (WebCore::Document::contentSecurityPolicy):
        * page/ContentSecurityPolicy.cpp:
        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
        * page/ContentSecurityPolicy.h:
        (WebCore::ContentSecurityPolicy::create):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@79547 268f45cc-cd09-0410-ab3c-d52691b4dbfc
10 files changed
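
The behaviour the WebCore ChangeLog describes, as an added example that is not WebKit's code: a small model of a ContentSecurityPolicy object parsed from the header, owned by a document, and shared with an about:blank iframe the way the patch says the SecurityOrigin is shared, plus the executeIfJavaScriptURL decision that consults it. The names ContentSecurityPolicy, Document.create, contentSecurityPolicy and executeIfJavaScriptURL mirror the functions listed in the entry but are reimplemented here from scratch; the rule that a javascript: URL is treated as inline script and runs only when the governing directive carries 'unsafe-inline', and the script-src to default-src fallback, follow the later CSP 1.0 spec and are an assumption about what this 2011 patch checked.

```javascript
'use strict';

// Added example, not WebKit code. Models the policy object, its sharing with
// an about:blank frame, and the javascript: URL check described in the entry.
class ContentSecurityPolicy {
  // header: e.g. "default-src 'self'; script-src 'self' https://cdn.example"
  constructor(header) {
    this.directives = new Map();
    for (const part of header.split(';')) {
      const tokens = part.trim().split(/\s+/).filter(Boolean);
      if (tokens.length === 0) continue;
      const name = tokens[0].toLowerCase();
      // First occurrence of a directive wins; later duplicates are ignored.
      if (!this.directives.has(name)) this.directives.set(name, tokens.slice(1));
    }
  }

  // Assumption (CSP 1.0 semantics): script-src falls back to default-src;
  // neither present means script loading is unrestricted by this policy.
  scriptSources() {
    if (this.directives.has('script-src')) return this.directives.get('script-src');
    if (this.directives.has('default-src')) return this.directives.get('default-src');
    return null;
  }

  // A javascript: URL is inline script: allowed only when no governing
  // directive exists or that directive contains 'unsafe-inline'.
  allowJavaScriptURLs() {
    const sources = this.scriptSources();
    if (sources === null) return true;
    return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  }
}

class Document {
  constructor(url, csp) {
    this.url = url;
    this.csp = csp; // null when the document carries no policy
  }

  // Stand-in for initSecurityContext(): an about:blank frame shares its
  // parent's policy object (same object, not a copy), as the entry describes
  // for SecurityOrigin. Any other document gets a policy from its own header.
  static create(url, header, parent) {
    if (url === 'about:blank' && parent) return new Document(url, parent.csp);
    return new Document(url, header === undefined ? null : new ContentSecurityPolicy(header));
  }

  contentSecurityPolicy() { return this.csp; }
}

// Stand-in for executeIfJavaScriptURL(): reports whether the URL is a
// javascript: URL at all and whether the document's policy lets it run.
function executeIfJavaScriptURL(doc, url) {
  if (!/^\s*javascript:/i.test(url)) return { isJavaScriptURL: false, executed: false };
  const csp = doc.contentSecurityPolicy();
  if (csp && !csp.allowJavaScriptURLs()) return { isJavaScriptURL: true, executed: false };
  return { isJavaScriptURL: true, executed: true };
}

// Constructed scenario: a top document with script-src 'self' and an
// about:blank child frame. The child must inherit the block.
function demo() {
  const top = Document.create('https://example.test/', "script-src 'self'");
  const frame = Document.create('about:blank', undefined, top);
  return {
    topBlocks: !executeIfJavaScriptURL(top, 'javascript:alert(1)').executed,
    frameSharesPolicy: frame.contentSecurityPolicy() === top.contentSecurityPolicy(),
    frameBlocks: !executeIfJavaScriptURL(frame, 'javascript:alert(1)').executed,
  };
}

module.exports = { ContentSecurityPolicy, Document, executeIfJavaScriptURL, demo };
```

Run it with `node` and call `demo()`: all three flags come back true. The point the entry makes is the middle one: if the about:blank frame were given a fresh, empty policy instead of the parent's object, `frameBlocks` would be false and a javascript: URL navigated inside the frame would run despite the parent's script-src.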