Diff
Modified: trunk/LayoutTests/ChangeLog (97034 => 97035)
--- trunk/LayoutTests/ChangeLog 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/ChangeLog 2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,21 @@
+2011-10-09 Adam Barth <[email protected]>
+
+ CSP should log unrecognized directives to the console
+ https://bugs.webkit.org/show_bug.cgi?id=69728
+
+ Reviewed by Sam Weinig.
+
+ Update expected results to include new console message about unrecognized directives.
+
+ * http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt:
+ * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt:
+ * http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt:
+ * http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt:
+ * http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt:
+ * http/tests/security/contentSecurityPolicy/script-src-none-expected.txt:
+
2011-10-09 W. James MacLean <[email protected]>
[chromium] Zoom animator front-end
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt (from rev 97034, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt) (0 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt 2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
+
+CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
+
+This script should not execute even though there are parse errors in the policy.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01.html (0 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01.html 2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+ <p>
+ This script should not execute even though there are parse errors in the policy.
+ </p>
+ <iframe src=""
+</body>
+</html>
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt (from rev 97034, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt) (0 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02-expected.txt 2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'aaa'.
+
+CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
+
+This script should not execute even though there are parse errors in the policy.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02.html (0 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-02.html 2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+ <p>
+ This script should not execute even though there are parse errors in the policy.
+ </p>
+ <iframe src=""
+</body>
+</html>
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt (from rev 97034, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt) (0 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03-expected.txt 2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
+
+This script should not execute even though there are parse errors in the policy.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03.html (0 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-03.html 2011-10-10 01:15:21 UTC (rev 97035)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+ <p>
+ This script should not execute even though there are parse errors in the policy.
+ </p>
+ <iframe src=""
+</body>
+</html>
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt (97034 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-expected.txt 2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,24 +0,0 @@
-CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
-
-CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
-
-CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
-
-None of these scripts should execute even though there are parse errors in the policy.
-
-
-
---------
-Frame: '<!--framePath //<!--frame0-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame1-->-->'
---------
-PASS
-
---------
-Frame: '<!--framePath //<!--frame2-->-->'
---------
-PASS
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing.html (97034 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing.html 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing.html 2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,19 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<script>
-if (window.layoutTestController) {
- layoutTestController.dumpAsText();
- layoutTestController.dumpChildFramesAsText();
-}
-</script>
-</head>
-<body>
- <p>
- None of these scripts should execute even though there are parse errors in the policy.
- </p>
- <iframe src=""
- <iframe src=""
- <iframe src=""
-</body>
-</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt (97034 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt 2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'options'.
+
CONSOLE MESSAGE: line 1: Refused to execute inline script because of Content-Security-Policy.
CONSOLE MESSAGE: line 1: Refused to execute inline event handler because of Content-Security-Policy.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt (97034 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt 2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'options'.
+
CONSOLE MESSAGE: line 1: Refused to execute _javascript_ URL because of Content-Security-Policy.
This test passes if it doesn't alert fail.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt (97034 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt 2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,2 +1,4 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
+
ALERT: PASS
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt (97034 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt 2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
+
CONSOLE MESSAGE: line 1: Refused to execute _javascript_ URL because of Content-Security-Policy.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt (97034 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-loads-with-img-src-expected.txt 2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,5 +1,7 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'script-img'.
+
--------
Frame: '<!--framePath //<!--frame0-->-->'
--------
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt (97034 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt 2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
+
Loads an iframe (a) which loads an iframe (b) which in turns tries to load an external script. The iframe (a) has a content security policy disabling external scripts. As this policy does not apply to (b), the script should be executed.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt (97034 => 97035)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt 2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,5 @@
+CONSOLE MESSAGE: line 1: Unrecognized Content-Security-Policy directive 'allow'.
+
CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because of Content-Security-Policy.
Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.
Modified: trunk/Source/WebCore/ChangeLog (97034 => 97035)
--- trunk/Source/WebCore/ChangeLog 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/Source/WebCore/ChangeLog 2011-10-10 01:15:21 UTC (rev 97035)
@@ -1,3 +1,21 @@
+2011-10-09 Adam Barth <[email protected]>
+
+ CSP should log unrecognized directives to the console
+ https://bugs.webkit.org/show_bug.cgi?id=69728
+
+ Reviewed by Sam Weinig.
+
+ Several of the web developers who have been experimenting with CSP have
+ run into trouble with directives we don't support. For example, one
+ developer was confused for a while why image-src didn't do what he
+ expected. Logging a message to the console will help these folks
+ figure out what's going on.
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::reportUnrecognizedDirective):
+ (WebCore::ContentSecurityPolicy::addDirective):
+ * page/ContentSecurityPolicy.h:
+
2011-10-09 W. James MacLean <[email protected]>
[chromium] Zoom animator front-end
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (97034 => 97035)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2011-10-10 01:15:21 UTC (rev 97035)
@@ -533,6 +533,12 @@
PingLoader::reportContentSecurityPolicyViolation(frame, m_reportURLs[i], report);
}
+void ContentSecurityPolicy::logUnrecognizedDirective(const String& name) const
+{
+ String message = makeString("Unrecognized Content-Security-Policy directive '", name, "'.\n");
+ m_scriptExecutionContext->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, 1, String(), 0);
+}
+
bool ContentSecurityPolicy::checkEval(CSPDirective* directive) const
{
return !directive || directive->allowEval();
@@ -774,6 +780,8 @@
m_connectSrc = createCSPDirective(name, value);
else if (m_reportURLs.isEmpty() && equalIgnoringCase(name, reportURI))
parseReportURI(value);
+ else
+ logUnrecognizedDirective(name);
}
}
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (97034 => 97035)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.h 2011-10-10 00:21:51 UTC (rev 97034)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h 2011-10-10 01:15:21 UTC (rev 97035)
@@ -77,6 +77,7 @@
CSPDirective* operativeDirective(CSPDirective*) const;
void reportViolation(const String& directiveText, const String& consoleMessage) const;
+ void logUnrecognizedDirective(const String& name) const;
bool checkEval(CSPDirective*) const;
bool checkInlineAndReportViolation(CSPDirective*, const String& consoleMessage) const;