Title: [97035] trunk
Revision
97035
Author
[email protected]
Date
2011-10-09 18:15:21 -0700 (Sun, 09 Oct 2011)

Log Message

CSP should log unrecognized directives to the console
https://bugs.webkit.org/show_bug.cgi?id=69728

Reviewed by Sam Weinig.

Source/WebCore:

Several of the web developers who have been experimenting with CSP have
run into trouble with directives we don't support.  For example, one
developer was confused for a while why image-src didn't do what he
expected.  Logging a message to the console will help these folks
figure out what's going on.

* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportUnrecognizedDirective):
(WebCore::ContentSecurityPolicy::addDirective):
* page/ContentSecurityPolicy.h:

LayoutTests:

Update expected results to include new console message about unrecognized directives.

* http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt:
* http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt:
* http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt:
* http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt:
* http/tests/security/contentSecurityPolicy/script-src-none-expected.txt:

Modified Paths

Added Paths

Removed Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (97034 => 97035)


--- trunk/LayoutTests/ChangeLog	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/ChangeLog	2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,21 @@
+2011-10-09  Adam Barth  <[email protected]>
+
+        CSP should log unrecognized directives to the console
+        https://bugs.webkit.org/show_bug.cgi?id=69728
+
+        Reviewed by Sam Weinig.
+
+        Update expected results to include new console message about unrecognized directives.
+
+        * http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt:
+        * http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt:
+        * http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt:
+        * http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt:
+        * http/tests/security/contentSecurityPolicy/script-src-none-expected.txt:
+
 2011-10-09  W. James MacLean  <[email protected]>
 
         [chromium] Zoom animator front-end

Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt (from rev 97034, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt) (0 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt	2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
+
+CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
+
+This script should not execute even though there are parse errors in the policy.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01.html (0 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01.html	2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+  <p>
+    This script should not execute even though there are parse errors in the policy.
+  </p>
+  <iframe src=""
+</body>
+</html>

Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt (from rev 97034, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt) (0 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt	2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'aaa'.
+
+CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
+
+This script should not execute even though there are parse errors in the policy.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02.html (0 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02.html	2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+  <p>
+    This script should not execute even though there are parse errors in the policy.
+  </p>
+  <iframe src=""
+</body>
+</html>

Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt (from rev 97034, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt) (0 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt	2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
+
+This script should not execute even though there are parse errors in the policy.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03.html (0 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03.html	2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+  <p>
+    This script should not execute even though there are parse errors in the policy.
+  </p>
+  <iframe src=""
+</body>
+</html>

Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt (97034 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt	2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,24 +0,0 @@
-CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
-
-CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
-
-CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
-
-None of these scripts should execute even though there are parse errors in the policy.
-
-   
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame2-->-->'
---------
-PASS

Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing.html (97034 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing.html	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing.html	2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,19 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script>
-if (window.layoutTestController) {
-  layoutTestController.dumpAsText();
-  layoutTestController.dumpChildFramesAsText();
-}
-</script>
-</head>
-<body>
-  <p>
-    None of these scripts should execute even though there are parse errors in the policy.
-  </p>
-  <iframe src=""
-  <iframe src=""
-  <iframe src=""
-</body>
-</html>

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt (97034 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt	2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'options'.
+
 CONSOLE MESSAGE: line 1: Refused to execute inline script because of Content-Security-Policy.
 
 CONSOLE MESSAGE: line 1: Refused to execute inline event handler because of Content-Security-Policy.

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt (97034 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt	2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'options'.
+
 CONSOLE MESSAGE: line 1: Refused to execute _javascript_ URL because of Content-Security-Policy.
 
 This test passes if it doesn't alert fail. 

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt (97034 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt	2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,2 +1,4 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
+
 ALERT: PASS
 

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt (97034 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt	2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
+
 CONSOLE MESSAGE: line 1: Refused to execute _javascript_ URL because of Content-Security-Policy.
 
 

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt (97034 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt	2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,5 +1,7 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'script-img'.
 
 
+
 --------
 Frame: '<!--framePath //<!--frame0-->-->'
 --------

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt (97034 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt	2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
+
 Loads an iframe (a) which loads an iframe (b) which in turns tries to load an external script. The iframe (a) has a content security policy disabling external scripts. As this policy does not apply to (b), the script should be executed.
 
 

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt (97034 => 97035)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt	2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
+
 CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
 
 Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.

Modified: trunk/Source/WebCore/ChangeLog (97034 => 97035)


--- trunk/Source/WebCore/ChangeLog	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/Source/WebCore/ChangeLog	2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,21 @@
+2011-10-09  Adam Barth  <[email protected]>
+
+        CSP should log unrecognized directives to the console
+        https://bugs.webkit.org/show_bug.cgi?id=69728
+
+        Reviewed by Sam Weinig.
+
+        Several of the web developers who have been experimenting with CSP have
+        run into trouble with directives we don't support.  For example, one
+        developer was confused for a while why image-src didn't do what he
+        expected.  Logging a message to the console will help these folks
+        figure out what's going on.
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reportUnrecognizedDirective):
+        (WebCore::ContentSecurityPolicy::addDirective):
+        * page/ContentSecurityPolicy.h:
+
 2011-10-09  W. James MacLean  <[email protected]>
 
         [chromium] Zoom animator front-end

Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (97034 => 97035)


--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2011-10-10 01:15:21 UTC (rev 97035)
@@ -533,6 +533,12 @@
         PingLoader::reportContentSecurityPolicyViolation(frame, m_reportURLs[i], report);
 }
 
+void ContentSecurityPolicy::logUnrecognizedDirective(const String& name) const
+{
+    String message = makeString("Unrecognized Content-Security-Policy directive '", name, "'.\n");
+    m_scriptExecutionContext->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, 1, String(), 0);
+}
+
 bool ContentSecurityPolicy::checkEval(CSPDirective* directive) const
 {
     return !directive || directive->allowEval();
@@ -774,6 +780,8 @@
         m_connectSrc = createCSPDirective(name, value);
     else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI))
         parseReportURI(value);
+    else
+        logUnrecognizedDirective(name);
 }
 
 }

Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (97034 => 97035)


--- trunk/Source/WebCore/page/ContentSecurityPolicy.h	2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h	2011-10-10 01:15:21 UTC (rev 97035)
@@ -77,6 +77,7 @@
 
     CSPDirective* operativeDirective(CSPDirective*) const;
     void reportViolation(const String& directiveText, const String& consoleMessage) const;
+    void logUnrecognizedDirective(const String& name) const;
     bool checkEval(CSPDirective*) const;
 
     bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const;
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to