Modified: trunk/LayoutTests/ChangeLog (96620 => 96621)
--- trunk/LayoutTests/ChangeLog 2011-10-04 18:17:04 UTC (rev 96620)
+++ trunk/LayoutTests/ChangeLog 2011-10-04 18:30:32 UTC (rev 96621)
@@ -1,3 +1,25 @@
+2011-10-04 Sam Weinig <[email protected]>
+
+ Add support for the CSP connect-src directive
+ https://bugs.webkit.org/show_bug.cgi?id=69353
+
+ Reviewed by Adam Barth.
+
+ Add CSP support for XMLHttpRequest, WebSockets and EventSource.
+
+ * http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html: Added.
+
2011-10-03 David Hyatt <[email protected]>
https://bugs.webkit.org/show_bug.cgi?id=69317
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed-expected.txt 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,2 @@
+Pass
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<pre id="console"></pre>
+<script>
+function log(msg)
+{
+ document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
+}
+
+try {
+ var es = new EventSource("http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis");
+ log("Pass");
+} catch(e) {
+ log("Fail");
+}
+
+</script>
+</body>
+</html>
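Review bot: These six tests only exercise an explicit scheme://host:port source in connect-src, so the `operativeDirective()` fallback to default-src, the `'self'` keyword and wildcard sources are untested for the new directive; the same applies to the websocket and xmlhttprequest test pages in this commit. Each "allowed" page also only asserts that the constructor (or `open()`) did not throw, which is all the synchronous path can show — a short comment such as `<!-- Only the synchronous CSP check at construction/open time is tested; the connection itself is not awaited. -->` at the top of the page would make that scope explicit for whoever extends these. Consider at least one additional page with `default-src` alone to pin the fallback behaviour.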
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked-expected.txt 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Refused to load connect from 'http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis' because of Content-Security-Policy.
+
+Pass
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="connect-src http://localhost:8000">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<pre id="console"></pre>
+<script>
+function log(msg)
+{
+ document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
+}
+
+try {
+ var es = new EventSource("http://127.0.0.1:8000/eventsource/resources/simple-event-stream.asis");
+ log("Fail");
+} catch(e) {
+ log("Pass");
+}
+
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed-expected.txt 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,2 @@
+Pass
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="connect-src ws://127.0.0.1:8880">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<pre id="console"></pre>
+<script>
+function log(msg)
+{
+ document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
+}
+
+try {
+ var ws = new WebSocket("ws://127.0.0.1:8880/websocket/tests/hybi/echo");
+ log("Pass");
+} catch(e) {
+ log("Fail");
+}
+
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked-expected.txt 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Refused to load connect from 'ws://localhost:8880/websocket/tests/hybi/echo' because of Content-Security-Policy.
+
+Pass
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="connect-src ws://127.0.0.1:8880">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<pre id="console"></pre>
+<script>
+function log(msg)
+{
+ document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
+}
+
+try {
+ var ws = new WebSocket("ws://localhost:8880/websocket/tests/hybi/echo");
+ log("Fail");
+} catch(e) {
+ log("Pass");
+}
+
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed-expected.txt 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,2 @@
+Pass
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<pre id="console"></pre>
+<script>
+function log(msg)
+{
+ document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
+}
+
+try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", true);
+ log("Pass");
+} catch(e) {
+ log("Fail");
+}
+
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked-expected.txt 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Refused to load connect from 'http://localhost:8000/xmlhttprequest/resources/get.txt' because of Content-Security-Policy.
+
+Pass
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html (0 => 96621)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html 2011-10-04 18:30:32 UTC (rev 96621)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
+<script>
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+</head>
+<body>
+<pre id="console"></pre>
+<script>
+function log(msg)
+{
+ document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
+}
+
+try {
+ var xhr = new XMLHttpRequest;
+ xhr.open("GET", "http://localhost:8000/xmlhttprequest/resources/get.txt", true);
+ log("Fail");
+} catch(e) {
+ log("Pass");
+}
+
+</script>
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (96620 => 96621)
--- trunk/Source/WebCore/ChangeLog 2011-10-04 18:17:04 UTC (rev 96620)
+++ trunk/Source/WebCore/ChangeLog 2011-10-04 18:30:32 UTC (rev 96621)
@@ -1,3 +1,33 @@
+2011-10-04 Sam Weinig <[email protected]>
+
+ Add support for the CSP connect-src directive
+ https://bugs.webkit.org/show_bug.cgi?id=69353
+
+ Reviewed by Adam Barth.
+
+ Add CSP support for XMLHttpRequest, WebSockets and EventSource.
+
+ Tests: http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html
+ http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html
+ http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html
+ http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html
+ http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html
+ http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowConnectFromSource):
+ (WebCore::ContentSecurityPolicy::addDirective):
+ * page/ContentSecurityPolicy.h:
+ Add connect-src directive parsing and predicate.
+
+ * page/EventSource.cpp:
+ (WebCore::EventSource::create):
+ * websockets/WebSocket.cpp:
+ (WebCore::WebSocket::connect):
+ * xml/XMLHttpRequest.cpp:
+ (WebCore::XMLHttpRequest::open):
+ Test allowConnectFromSource when establishing a connection.
+
2011-10-03 David Hyatt <[email protected]>
https://bugs.webkit.org/show_bug.cgi?id=69317
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (96620 => 96621)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2011-10-04 18:17:04 UTC (rev 96620)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2011-10-04 18:30:32 UTC (rev 96621)
@@ -644,6 +644,12 @@
return checkSourceAndReportViolation(operativeDirective(m_mediaSrc.get()), url, type);
}
+bool ContentSecurityPolicy::allowConnectFromSource(const KURL& url) const
+{
+ DEFINE_STATIC_LOCAL(String, type, ("connect"));
+ return checkSourceAndReportViolation(operativeDirective(m_connectSrc.get()), url, type);
+}
+
// policy = directive-list
// directive-list = [ directive *( ";" [ directive ] ) ]
//
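Review bot: The new predicate reuses the generic violation reporter with the type string "connect", which yields the console text "Refused to load connect from '…'" that the expected files in this commit pin; a connection is not a load, so either the type string or the reporter's wording should be revisited before the expected results harden it, e.g. a message of the form "Refused to connect to '…' because of Content-Security-Policy." The predicate itself has no doc comment; the fallback to the default directive is only visible by knowing what `operativeDirective` does, so a one-liner would help: `// connect-src governs XHR, EventSource and WebSocket targets; falls back to default-src when absent (see operativeDirective).` Same shape as the sibling predicates above, so no behavioural concern here.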
@@ -748,6 +754,7 @@
DEFINE_STATIC_LOCAL(String, styleSrc, ("style-src"));
DEFINE_STATIC_LOCAL(String, fontSrc, ("font-src"));
DEFINE_STATIC_LOCAL(String, mediaSrc, ("media-src"));
+ DEFINE_STATIC_LOCAL(String, connectSrc, ("connect-src"));
DEFINE_STATIC_LOCAL(String, reportURI, ("report-uri"));
ASSERT(!name.isEmpty());
@@ -768,6 +775,8 @@
m_fontSrc = createCSPDirective(name, value);
else if (!m_mediaSrc && equalIgnoringCase(name, mediaSrc))
m_mediaSrc = createCSPDirective(name, value);
+ else if (!m_connectSrc && equalIgnoringCase(name, connectSrc))
+ m_connectSrc = createCSPDirective(name, value);
else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI))
parseReportURI(value);
}
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (96620 => 96621)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.h 2011-10-04 18:17:04 UTC (rev 96620)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h 2011-10-04 18:30:32 UTC (rev 96621)
@@ -63,6 +63,7 @@
bool allowStyleFromSource(const KURL&) const;
bool allowFontFromSource(const KURL&) const;
bool allowMediaFromSource(const KURL&) const;
+ bool allowConnectFromSource(const KURL&) const;
private:
explicit ContentSecurityPolicy(ScriptExecutionContext*);
@@ -96,6 +97,7 @@
OwnPtr<CSPDirective> m_styleSrc;
OwnPtr<CSPDirective> m_fontSrc;
OwnPtr<CSPDirective> m_mediaSrc;
+ OwnPtr<CSPDirective> m_connectSrc;
Vector<KURL> m_reportURLs;
};
Modified: trunk/Source/WebCore/page/EventSource.cpp (96620 => 96621)
--- trunk/Source/WebCore/page/EventSource.cpp 2011-10-04 18:17:04 UTC (rev 96620)
+++ trunk/Source/WebCore/page/EventSource.cpp 2011-10-04 18:30:32 UTC (rev 96621)
@@ -34,13 +34,14 @@
#include "config.h"
#include "EventSource.h"
-#include "MemoryCache.h"
+#include "ContentSecurityPolicy.h"
#include "DOMWindow.h"
#include "Event.h"
#include "EventException.h"
#include "ExceptionCode.h"
+#include "MemoryCache.h"
+#include "MessageEvent.h"
#include "PlatformString.h"
-#include "MessageEvent.h"
#include "ResourceError.h"
#include "ResourceRequest.h"
#include "ResourceResponse.h"
@@ -87,6 +88,12 @@
return 0;
}
+ if (!context->contentSecurityPolicy()->allowConnectFromSource(fullURL)) {
+ // FIXME: Should this be throwing an exception?
+ ec = SECURITY_ERR;
+ return 0;
+ }
+
RefPtr<EventSource> source = adoptRef(new EventSource(fullURL, context));
source->setPendingActivity(source.get());
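Review bot: The check is evaluated once against `fullURL` before the connection is created, so a server redirect to a host outside connect-src would not be re-evaluated unless the loader re-runs the policy on redirect, which this diff does not show; the same applies to the `WebSocket::connect` and `XMLHttpRequest::open` hunks, where `m_url` and `url` are checked at call time only. If redirect re-checking is intentionally deferred, a comment like `// FIXME: Redirect targets are not re-checked against connect-src.` would record the gap alongside the existing FIXME. The identical `// FIXME: Should this be throwing an exception?` is pasted into all three call sites; since the tests in this commit now depend on the exception, either resolve it or collapse it into one tracked issue rather than three copies. `EventSource::create` begins outside this hunk.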
Modified: trunk/Source/WebCore/websockets/WebSocket.cpp (96620 => 96621)
--- trunk/Source/WebCore/websockets/WebSocket.cpp 2011-10-04 18:17:04 UTC (rev 96620)
+++ trunk/Source/WebCore/websockets/WebSocket.cpp 2011-10-04 18:30:32 UTC (rev 96621)
@@ -37,6 +37,7 @@
#include "Blob.h"
#include "BlobData.h"
#include "CloseEvent.h"
+#include "ContentSecurityPolicy.h"
#include "DOMWindow.h"
#include "Event.h"
#include "EventException.h"
@@ -197,6 +198,14 @@
return;
}
+ if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(m_url)) {
+ m_state = CLOSED;
+
+ // FIXME: Should this be throwing an exception?
+ ec = SECURITY_ERR;
+ return;
+ }
+
m_channel = ThreadableWebSocketChannel::create(scriptExecutionContext(), this);
m_useHixie76Protocol = m_channel->useHixie76Protocol();
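Review bot: The new block dereferences `scriptExecutionContext()->contentSecurityPolicy()` without a null check; for a Document that is presumably always populated, but `WebSocket` is also reachable from worker contexts and this hunk does not show that a worker's context owns a policy object — confirm or guard. Setting `m_state = CLOSED` before returning matches the visible early-return pattern above and correctly avoids creating the channel, so the ordering is right. A brief comment would help the next reader, e.g. `// CSP connect-src is enforced before any channel is created so no network activity leaks on a blocked URL.` `WebSocket::connect` begins and ends outside this hunk.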
Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (96620 => 96621)
--- trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2011-10-04 18:17:04 UTC (rev 96620)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2011-10-04 18:30:32 UTC (rev 96621)
@@ -24,7 +24,7 @@
#include "ArrayBuffer.h"
#include "Blob.h"
-#include "MemoryCache.h"
+#include "ContentSecurityPolicy.h"
#include "CrossOriginAccessControl.h"
#include "DOMFormData.h"
#include "DOMImplementation.h"
@@ -38,6 +38,7 @@
#include "HTTPParsers.h"
#include "HTTPValidation.h"
#include "InspectorInstrumentation.h"
+#include "MemoryCache.h"
#include "ResourceError.h"
#include "ResourceRequest.h"
#include "ScriptCallStack.h"
@@ -51,10 +52,10 @@
#include "XMLHttpRequestProgressEvent.h"
#include "XMLHttpRequestUpload.h"
#include "markup.h"
-#include <wtf/text/CString.h>
+#include <wtf/RefCountedLeakCounter.h>
#include <wtf/StdLibExtras.h>
-#include <wtf/RefCountedLeakCounter.h>
#include <wtf/UnusedParam.h>
+#include <wtf/text/CString.h>
#if USE(JSC)
#include "JSDOMBinding.h"
@@ -426,6 +427,12 @@
return;
}
+ if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) {
+ // FIXME: Should this be throwing an exception?
+ ec = SECURITY_ERR;
+ return;
+ }
+
m_method = uppercaseKnownHTTPMethod(method);
m_url = url;