Inline script and style blocked by Content Security Policy should provide more detailed console errors.
https://bugs.webkit.org/show_bug.cgi?id=86848
Patch by Mike West <mkwst@chromium.org> on 2012-05-25
Reviewed by Adam Barth.
Source/WebCore:
This change adds a URL and line number for context to each call to
`ContentSecurityPolicy::allowInline*`, and pipes it through to the
console message generation in `CSPDirectiveList::reportViolation`.
Line numbers are not added for injected scripts (`document.write(...)`,
`document.body.appendChild`, and etc.).
Tests: http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html
http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html
http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html
http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html
* bindings/ScriptControllerBase.cpp:
(WebCore::ScriptController::executeIfJavaScriptURL):
* bindings/js/JSLazyEventListener.cpp:
(WebCore::JSLazyEventListener::initializeJSFunction):
* bindings/v8/V8LazyEventListener.cpp:
(WebCore::V8LazyEventListener::prepareListenerObject):
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::ScriptElement):
(WebCore::ScriptElement::executeScript):
* dom/ScriptElement.h:
(ScriptElement):
* dom/StyleElement.cpp:
(WebCore::StyleElement::StyleElement):
(WebCore::StyleElement::createSheet):
* dom/StyleElement.h:
(StyleElement):
* dom/StyledElement.cpp:
(WebCore::StyledElement::StyledElement):
(WebCore):
(WebCore::StyledElement::style):
(WebCore::StyledElement::styleAttributeChanged):
* dom/StyledElement.h:
(StyledElement):
* page/ContentSecurityPolicy.cpp:
(CSPDirectiveList):
(WebCore::CSPDirectiveList::reportViolation):
(WebCore::CSPDirectiveList::checkInlineAndReportViolation):
(WebCore::CSPDirectiveList::checkEvalAndReportViolation):
(WebCore::CSPDirectiveList::allowJavaScriptURLs):
(WebCore::CSPDirectiveList::allowInlineEventHandlers):
(WebCore::CSPDirectiveList::allowInlineScript):
(WebCore::CSPDirectiveList::allowInlineStyle):
(WebCore::CSPDirectiveList::allowEval):
(WebCore):
(WebCore::isAllowedByAllWithCallStack):
(WebCore::isAllowedByAllWithContext):
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers):
(WebCore::ContentSecurityPolicy::allowInlineScript):
(WebCore::ContentSecurityPolicy::allowInlineStyle):
* page/ContentSecurityPolicy.h:
(WTF):
LayoutTests:
* http/tests/security/contentSecurityPolicy/combine-multiple-policies-expected.txt:
* http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/injected-inline-script-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-script-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt.
* http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/inline-script-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-style-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
* http/tests/security/contentSecurityPolicy/resources/inject-script.js: Added.
* http/tests/security/contentSecurityPolicy/resources/inject-style.js: Added.
* http/tests/security/contentSecurityPolicy/script-src-none-inline-event-expected.txt:
* http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src-expected.txt:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118585 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/dom/ScriptElement.cpp b/Source/WebCore/dom/ScriptElement.cpp
index aefdddb..746e6c3 100644
--- a/Source/WebCore/dom/ScriptElement.cpp
+++ b/Source/WebCore/dom/ScriptElement.cpp
@@ -41,12 +41,14 @@
#include "ScriptRunner.h"
#include "ScriptSourceCode.h"
#include "ScriptValue.h"
+#include "ScriptableDocumentParser.h"
#include "SecurityOrigin.h"
#include "Settings.h"
#include "Text.h"
#include <wtf/StdLibExtras.h>
#include <wtf/text/StringBuilder.h>
#include <wtf/text/StringHash.h>
+#include <wtf/text/TextPosition.h>
#if ENABLE(SVG)
#include "SVGNames.h"
@@ -58,6 +60,7 @@
ScriptElement::ScriptElement(Element* element, bool parserInserted, bool alreadyStarted)
: m_element(element)
, m_cachedScript(0)
+ , m_startLineNumber(WTF::OrdinalNumber::beforeFirst())
, m_parserInserted(parserInserted)
, m_isExternalScript(false)
, m_alreadyStarted(alreadyStarted)
@@ -70,6 +73,8 @@
, m_requestUsesAccessControl(false)
{
ASSERT(m_element);
+ if (parserInserted && m_element->document()->scriptableDocumentParser() && !m_element->document()->isInDocumentWrite())
+ m_startLineNumber = m_element->document()->scriptableDocumentParser()->lineNumber();
}
ScriptElement::~ScriptElement()
@@ -276,7 +281,7 @@
if (sourceCode.isEmpty())
return;
- if (!m_isExternalScript && !m_element->document()->contentSecurityPolicy()->allowInlineScript())
+ if (!m_isExternalScript && !m_element->document()->contentSecurityPolicy()->allowInlineScript(m_element->document()->url(), m_startLineNumber))
return;
RefPtr<Document> document = m_element->document();
