Changeset 133620 in webkit


Timestamp:
Nov 6, 2012, 9:15:29 AM (13 years ago)
Author:
[email protected]
Message:

CSP 1.1: Tweak the script interface to match the spec.
https://bugs.webkit.org/show_bug.cgi?id=101321

Reviewed by Adam Barth.

Source/WebCore:

This patch brings WebKit in line with the changes made to the spec in
https://dvcs.w3.org/hg/content-security-policy/rev/5a29424a37d4.
Specifically, the following:

  • Renamed 'document.SecurityPolicy' to 'document.securityPolicy'
  • Converted the following to read-only boolean attributes:
      • 'allowsEval'
      • 'allowsInlineScript'
      • 'allowsInlineStyle'
      • 'isActive'

These changes only have effect for ports with CSP_NEXT enabled.

Tests: http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinescript.html
       http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinestyle.html

  • dom/Document.idl:
  • page/DOMSecurityPolicy.idl:

Tweaking the IDL files to match the new definition of the
functionality in the spec.

LayoutTests:

  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowconnectionto.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-alloweval.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowfontfrom.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowframefrom.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowimagefrom.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowmediafrom.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowobjectfrom.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowscriptfrom.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowstylefrom.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-isactive-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-isactive.html:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-reporturi-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-reporturi.html:
  • http/tests/security/contentSecurityPolicy/resources/securitypolicy-tests-base.js:

s/document.SecurityPolicy/document.securityPolicy/g

  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinescript-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinescript.html: Added.
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinestyle-expected.txt: Added.
  • http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinestyle.html: Added.

For whatever reason, we never wrote tests for these methods. Now we
have, which is good.

Location:
trunk
Files:
4 added
20 edited

  • trunk/LayoutTests/ChangeLog

    r133619 r133620  
     12012-11-06  Mike West  <[email protected]>
     2
     3        CSP 1.1: Tweak the script interface to match the spec.
     4        https://bugs.webkit.org/show_bug.cgi?id=101321
     5
     6        Reviewed by Adam Barth.
     7
     8        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowconnectionto.html:
     9        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-alloweval.html:
     10        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowfontfrom.html:
     11        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html:
     12        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowframefrom.html:
     13        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowimagefrom.html:
     14        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowmediafrom.html:
     15        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowobjectfrom.html:
     16        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html:
     17        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowscriptfrom.html:
     18        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowstylefrom.html:
     19        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-isactive-expected.txt:
     20        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-isactive.html:
     21        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-reporturi-expected.txt:
     22        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-reporturi.html:
     23        * http/tests/security/contentSecurityPolicy/resources/securitypolicy-tests-base.js:
     24            s/document.SecurityPolicy/document.securityPolicy/g
     25        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinescript-expected.txt: Added.
     26        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinescript.html: Added.
     27        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinestyle-expected.txt: Added.
     28        * http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinestyle.html: Added.
     29            For whatever reason, we never wrote tests for these methods. Now we
     30            have, which is good.
     31
    1322012-11-06  David Barton  <[email protected]>
    233
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowconnectionto.html

    r125047 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.allowsConnectionTo('http://example.com/'))
     6      if (document.securityPolicy.allowsConnectionTo('http://example.com/'))
    77          log('PASS connection is allowed when no policy exists.');
    88      else
     
    1212      injectPolicy("connect-src http://notexample.com;");
    1313
    14       if (!document.SecurityPolicy.allowsConnectionTo('http://example.com/'))
     14      if (!document.securityPolicy.allowsConnectionTo('http://example.com/'))
    1515          log('PASS connection is not allowed when policy exists.');
    1616      else
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-alloweval.html

    r123722 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.allowsEval())
     6      if (document.securityPolicy.allowsEval)
    77          log('PASS eval is allowed when no policy exists.');
    88      else
     
    1111      injectPolicy("script-src 'unsafe-inline';");
    1212
    13       if (!document.SecurityPolicy.allowsEval())
     13      if (!document.securityPolicy.allowsEval)
    1414          log('PASS eval is not allowed when policy exists.');
    1515      else
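Review bot: the checks on lines 6 and 13 do not actually verify that allowsEval became a boolean attribute. `if (document.securityPolicy.allowsEval)` is also true when `allowsEval` is still a function object (functions are truthy), so the "no policy" case would pass against either the old method or the new attribute; only the negated check on line 13 would catch a leftover method. Consider asserting the shape explicitly, e.g. `if (document.securityPolicy.allowsEval === true)` and `if (document.securityPolicy.allowsEval === false)`, or a `typeof ... === 'boolean'` check once at the top, so the test pins down the spec change this patch is making.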
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowfontfrom.html

    r125047 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.allowsFontFrom('http://example.com/'))
     6      if (document.securityPolicy.allowsFontFrom('http://example.com/'))
    77          log('PASS font is allowed when no policy exists.');
    88      else
     
    1111      injectPolicy("font-src http://notexample.com;");
    1212
    13       if (!document.SecurityPolicy.allowsFontFrom('http://example.com/'))
     13      if (!document.securityPolicy.allowsFontFrom('http://example.com/'))
    1414          log('PASS font is not allowed when policy exists.');
    1515      else
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowformaction.html

    r125983 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.allowsFormAction('http://example.com/'))
     6      if (document.securityPolicy.allowsFormAction('http://example.com/'))
    77          log('PASS form action is allowed when no policy exists.');
    88      else
     
    1212      injectPolicy("form-action http://notexample.com;");
    1313
    14       if (!document.SecurityPolicy.allowsFormAction('http://example.com/'))
     14      if (!document.securityPolicy.allowsFormAction('http://example.com/'))
    1515          log('PASS form action is not allowed when policy exists.');
    1616      else
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowframefrom.html

    r125047 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.allowsFrameFrom('http://example.com/'))
     6      if (document.securityPolicy.allowsFrameFrom('http://example.com/'))
    77          log('PASS frame is allowed when no policy exists.');
    88      else
     
    1111      injectPolicy("frame-src http://notexample.com;");
    1212
    13       if (!document.SecurityPolicy.allowsFrameFrom('http://example.com/'))
     13      if (!document.securityPolicy.allowsFrameFrom('http://example.com/'))
    1414          log('PASS frame is not allowed when policy exists.');
    1515      else
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowimagefrom.html

    r125047 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.allowsImageFrom('http://example.com/'))
     6      if (document.securityPolicy.allowsImageFrom('http://example.com/'))
    77          log('PASS image is allowed when no policy exists.');
    88      else
     
    1111      injectPolicy("img-src http://notexample.com;");
    1212
    13       if (!document.SecurityPolicy.allowsImageFrom('http://example.com/'))
     13      if (!document.securityPolicy.allowsImageFrom('http://example.com/'))
    1414          log('PASS image is not allowed when policy exists.');
    1515      else
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowmediafrom.html

    r125047 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.allowsMediaFrom('http://example.com/'))
     6      if (document.securityPolicy.allowsMediaFrom('http://example.com/'))
    77          log('PASS media is allowed when no policy exists.');
    88      else
     
    1111      injectPolicy("media-src http://notexample.com;");
    1212
    13       if (!document.SecurityPolicy.allowsMediaFrom('http://example.com/'))
     13      if (!document.securityPolicy.allowsMediaFrom('http://example.com/'))
    1414          log('PASS media is not allowed when policy exists.');
    1515      else
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowobjectfrom.html

    r125047 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.allowsObjectFrom('http://example.com/'))
     6      if (document.securityPolicy.allowsObjectFrom('http://example.com/'))
    77          log('PASS object is allowed when no policy exists.');
    88      else
     
    1111      injectPolicy("object-src http://notexample.com;");
    1212
    13       if (!document.SecurityPolicy.allowsObjectFrom('http://example.com/'))
     13      if (!document.securityPolicy.allowsObjectFrom('http://example.com/'))
    1414          log('PASS object is not allowed when policy exists.');
    1515      else
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowplugintype.html

    r125983 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.allowsPluginType('application/x-shockwave-flash'))
     6      if (document.securityPolicy.allowsPluginType('application/x-shockwave-flash'))
    77          log('PASS plugin type is allowed when no policy exists.');
    88      else
     
    1212      injectPolicy("plugin-types application/x-webkit-test-netscape;");
    1313
    14       if (!document.SecurityPolicy.allowsPluginType('application/x-shockwave-flash'))
     14      if (!document.securityPolicy.allowsPluginType('application/x-shockwave-flash'))
    1515          log('PASS plugin type is not allowed when policy exists.');
    1616      else
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowscriptfrom.html

    r125047 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.allowsScriptFrom('http://example.com/'))
     6      if (document.securityPolicy.allowsScriptFrom('http://example.com/'))
    77          log('PASS script is allowed when no policy exists.');
    88      else
     
    1111      injectPolicy("script-src http://notexample.com;");
    1212
    13       if (!document.SecurityPolicy.allowsScriptFrom('http://example.com/'))
     13      if (!document.securityPolicy.allowsScriptFrom('http://example.com/'))
    1414          log('PASS script is not allowed when policy exists.');
    1515      else
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowstylefrom.html

    r125047 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.allowsStyleFrom('http://example.com/'))
     6      if (document.securityPolicy.allowsStyleFrom('http://example.com/'))
    77          log('PASS style is allowed when no policy exists.');
    88      else
     
    1111      injectPolicy("style-src http://notexample.com;");
    1212
    13       if (!document.SecurityPolicy.allowsStyleFrom('http://example.com/'))
     13      if (!document.securityPolicy.allowsStyleFrom('http://example.com/'))
    1414          log('PASS style is not allowed when policy exists.');
    1515      else
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-isactive-expected.txt

    r123722 r133620  
    1 PASS document.SecurityPolicy.active is false when no policy exists.
    2 PASS document.SecurityPolicy.active is true when policy exists.
     1PASS document.securityPolicy.active is false when no policy exists.
     2PASS document.securityPolicy.active is true when policy exists.
    33
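Review bot: the expectation text on lines 1 and 2 describes the attribute as `document.securityPolicy.active`, but the IDL in this changeset names it `isActive`. Since this file is the golden output, the mismatch will be copied into every future run; suggest renaming the messages to `document.securityPolicy.isActive is false/true ...` here and in securitypolicy-isactive.html in the same patch.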
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-isactive.html

    r123722 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (!document.SecurityPolicy.isActive())
    7           log('PASS document.SecurityPolicy.active is false when no policy exists.');
     6      if (!document.securityPolicy.isActive)
     7          log('PASS document.securityPolicy.active is false when no policy exists.');
    88      else
    9           log('FAIL document.SecurityPolicy.active is truw when no policy exists.');
     9          log('FAIL document.securityPolicy.active is truw when no policy exists.');
    1010
    1111      injectPolicy("script-src 'unsafe-inline';");
    1212
    13       if (document.SecurityPolicy.isActive())
    14           log('PASS document.SecurityPolicy.active is true when policy exists.');
     13      if (document.securityPolicy.isActive)
     14          log('PASS document.securityPolicy.active is true when policy exists.');
    1515      else
    16           log('FAIL document.SecurityPolicy.active is false when policy exists.');
     16          log('FAIL document.securityPolicy.active is false when policy exists.');
    1717    </script>
    1818  </body>
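Review bot: line 9 is being touched anyway and still carries the typo `truw` in the FAIL message; please fix it to `true` while here. Same concern as in securitypolicy-alloweval.html: `if (!document.securityPolicy.isActive)` on line 6 distinguishes a boolean from a leftover method, but `if (document.securityPolicy.isActive)` on line 13 is satisfied by a function object as well, so an unconverted `isActive()` would still produce the PASS on line 14. A strict `=== true` / `=== false` comparison makes the test prove the attribute conversion.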
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-reporturi-expected.txt

    r123722 r133620  
    1 PASS document.SecurityPolicy.reportURIs has length 0 when no policy exists.
    2 PASS document.SecurityPolicy.reportURIs has length 1 when policy exists.
    3 PASS document.SecurityPolicy.reportURIs[0] is correct.
     1PASS document.securityPolicy.reportURIs has length 0 when no policy exists.
     2PASS document.securityPolicy.reportURIs has length 1 when policy exists.
     3PASS document.securityPolicy.reportURIs[0] is correct.
    44
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicy-reporturi.html

    r125047 r133620  
    44    <script src="http://trac.webkit.org/resources/securitypolicy-tests-base.js"></script>
    55    <script>
    6       if (document.SecurityPolicy.reportURIs.length === 0)
    7           log('PASS document.SecurityPolicy.reportURIs has length 0 when no policy exists.');
     6      if (document.securityPolicy.reportURIs.length === 0)
     7          log('PASS document.securityPolicy.reportURIs has length 0 when no policy exists.');
    88      else
    9           log('FAIL document.SecurityPolicy.reportURIs has length ' + document.SecurityPolicy.reportURIs.length + ' when no policy exists.');
     9          log('FAIL document.securityPolicy.reportURIs has length ' + document.securityPolicy.reportURIs.length + ' when no policy exists.');
    1010
    1111      injectPolicy('report-uri http://example.com');
    1212
    13       if (document.SecurityPolicy.reportURIs.length === 1)
    14           log('PASS document.SecurityPolicy.reportURIs has length 1 when policy exists.');
     13      if (document.securityPolicy.reportURIs.length === 1)
     14          log('PASS document.securityPolicy.reportURIs has length 1 when policy exists.');
    1515      else
    16           log('FAIL document.SecurityPolicy.reportURIs has length ' + document.SecurityPolicy.reportURIs.length + ' when policy exists.');
     16          log('FAIL document.securityPolicy.reportURIs has length ' + document.securityPolicy.reportURIs.length + ' when policy exists.');
    1717
    18       if (document.SecurityPolicy.reportURIs[0] === "http://example.com/")
    19           log('PASS document.SecurityPolicy.reportURIs[0] is correct.');
     18      if (document.securityPolicy.reportURIs[0] === "http://example.com/")
     19          log('PASS document.securityPolicy.reportURIs[0] is correct.');
    2020      else
    21           log('FAIL document.SecurityPolicy.reportURIs[0] is ' + document.SecurityPolicy.reportURIs[0] + ' (should be `http://example.com/`).');
     21          log('FAIL document.securityPolicy.reportURIs[0] is ' + document.securityPolicy.reportURIs[0] + ' (should be `http://example.com/`).');
    2222    </script>
    2323  </body>
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/securitypolicy-tests-base.js

    r124691 r133620  
    1515}
    1616
    17 if (!document.SecurityPolicy)
     17if (!document.securityPolicy)
    1818    log('FAIL document.securityPolicy is not defined.')
    1919
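Review bot: line 18 (unchanged context) is missing its trailing semicolon after `log('FAIL document.securityPolicy is not defined.')`; worth fixing in the same rename pass. Also note that this guard only logs and then falls through: every test that includes this base file goes on to dereference `document.securityPolicy`, so on a port without CSP_NEXT the FAIL line is followed by a TypeError rather than a clean failure. If that is the intended signal it may deserve a comment; otherwise consider returning early or wrapping the remaining checks.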
  • trunk/Source/WebCore/ChangeLog

    r133614 r133620  
     12012-11-06  Mike West  <[email protected]>
     2
     3        CSP 1.1: Tweak the script interface to match the spec.
     4        https://bugs.webkit.org/show_bug.cgi?id=101321
     5
     6        Reviewed by Adam Barth.
     7
     8       This patch brings WebKit in line with the changes made to the spec in
     9       https://dvcs.w3.org/hg/content-security-policy/rev/5a29424a37d4.
     10       Specifically, the following:
     11
     12       - Renamed 'document.SecurityPolicy' to 'document.securityPolicy'
     13       - Converted the following to read-only boolean attributes:
     14         - 'allowsEval'
     15         - 'allowsInlineScript'
     16         - 'allowsInlineStyle'
     17         - 'isActive'
     18
     19        These changes only have effect for ports with CSP_NEXT enabled.
     20
     21        Tests: http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinescript.html
     22               http/tests/security/contentSecurityPolicy/1.1/securitypolicy-allowinlinestyle.html
     23
     24        * dom/Document.idl:
     25        * page/DOMSecurityPolicy.idl:
     26            Tweaking the IDL files to match the new definition of the
     27            functionlity in the spec.
     28
    1292012-11-06  Andrey Lushnikov  <[email protected]>
    230
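Review bot: line 27 has a typo, `functionlity` should be `functionality`. Lines 8 to 17 are also indented one column less than the rest of the entry (7 spaces instead of the 8 used on lines 3, 4, 19 and 21), which stands out in the ChangeLog; please align them before landing.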
  • trunk/Source/WebCore/dom/Document.idl

    r133326 r133620  
    367367
    368368    // Security Policy API: http://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-interfaces
    369     [Conditional=CSP_NEXT] readonly attribute DOMSecurityPolicy SecurityPolicy;
     369    [Conditional=CSP_NEXT] readonly attribute DOMSecurityPolicy securityPolicy;
    370370
    371371};
  • trunk/Source/WebCore/page/DOMSecurityPolicy.idl

    r131172 r133620  
    2828    InterfaceName=SecurityPolicy
    2929] interface DOMSecurityPolicy {
     30    readonly attribute boolean allowsEval;
     31    readonly attribute boolean allowsInlineScript;
     32    readonly attribute boolean allowsInlineStyle;
     33    readonly attribute boolean isActive;
     34
    3035    readonly attribute DOMStringList reportURIs;
    31 
    32     boolean isActive();
    3336
    3437    boolean allowsConnectionTo(in DOMString url);
     
    4245    boolean allowsScriptFrom(in DOMString url);
    4346    boolean allowsStyleFrom(in DOMString url);
    44 
    45     boolean allowsEval();
    46     boolean allowsInlineScript();
    47     boolean allowsInlineStyle();
    4847};
    49 
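Review bot: the interface keeps `InterfaceName=SecurityPolicy` on line 28 while the Document attribute added in dom/Document.idl is now the lower-case `securityPolicy`, so the two spellings will coexist on purpose (capitalised interface name, camel-case attribute, as the spec revision linked in the ChangeLog describes). A one-line comment above line 28 saying so would save the next reader from treating it as a missed rename. Also, replacing `isActive()` / `allowsEval()` / `allowsInlineScript()` / `allowsInlineStyle()` with attributes (lines 30 to 33 versus the removed lines 32 and 45 to 47) silently breaks any caller still using the method form; since the ChangeLog states this is gated on CSP_NEXT that is acceptable, but it would be good to say explicitly in the ChangeLog that the old method spellings are gone rather than aliased.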