Title: [126047] trunk
Revision: 126047
Author: [email protected]
Date: 2012-08-20 11:33:20 -0700 (Mon, 20 Aug 2012)

Log Message

CSP 1.1: The 'plugin-types' warning should include details about explicit type declaration when relevant.
https://bugs.webkit.org/show_bug.cgi?id=94432

Patch by Mike West <[email protected]> on 2012-08-20
Reviewed by Adam Barth.

Source/WebCore:

Given a 'plugin-types' Content Security Policy directive, an 'object' or
'embed' tag is blocked if it doesn't include an explicit declaration of
the plugin's expected media type. This restriction should be made clear
in the console warning that's generated.

Existing tests have been adjusted to agree with the new error string.

* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirectiveList::checkMediaTypeAndReportViolation):
    If a media type fails to match the policy's restrictions, and the
    declared type attribute is empty, then add another line to the
    console warning, espousing the virtues of explicit declaration.

LayoutTests:

* http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt:
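To make the rule the commit describes concrete, here is an added, self-contained model of the 'plugin-types' check and of the console message assembled in this revision. It is illustration code, not WebKit's own: the function names, the `std::` types and the exact matching rule in `checkMediaType` (declared type must be present, must agree with the instantiated media type, and must be listed in the directive) are assumptions; the message text follows the expected.txt files in this commit.

```cpp
#include <algorithm>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Split a directive value such as "application/pdf image/svg+xml" into
// its media types (whitespace-separated).
std::vector<std::string> parsePluginTypes(const std::string& directiveValue) {
    std::vector<std::string> types;
    std::istringstream in(directiveValue);
    std::string token;
    while (in >> token)
        types.push_back(token);
    return types;
}

// Assumed model of CSPDirectiveList::checkMediaType: the element must carry
// a 'type' attribute, it must agree with the media type the plugin is being
// instantiated with, and that type must be listed in the directive.
bool checkMediaType(const std::vector<std::string>& allowed,
                    const std::string& type, const std::string& typeAttribute) {
    if (typeAttribute.empty() || typeAttribute != type)
        return false;
    return std::find(allowed.begin(), allowed.end(), type) != allowed.end();
}

// Assemble the console message in the shape the expected.txt files show.
// The explicit-declaration hint is appended only when no 'type' attribute
// was declared, mirroring the `typeAttribute.isEmpty()` branch in the patch.
std::string buildConsoleMessage(const std::string& url, const std::string& type,
                                const std::string& directiveValue,
                                const std::string& typeAttribute) {
    std::string message = "Refused to load '" + url + "' (MIME type '" + type
        + "') because it violates the following Content Security Policy Directive: "
          "'plugin-types " + directiveValue + "'.";
    if (typeAttribute.empty())
        message += " When enforcing the 'plugin-types' directive, the plugin's media type "
                   "must be explicitly declared with a 'type' attribute on the containing "
                   "element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>').";
    return message;
}

// Returns an empty string when the plugin may load, otherwise the console
// message that would be reported for the violation.
std::string violationMessage(const std::string& directiveValue, const std::string& url,
                             const std::string& type, const std::string& typeAttribute) {
    if (checkMediaType(parsePluginTypes(directiveValue), type, typeAttribute))
        return "";
    return buildConsoleMessage(url, type, directiveValue, typeAttribute);
}

int main() {
    // Constructed inputs. The first mirrors the plugintypes-notype-data test:
    // no 'type' attribute, so the instantiated media type is empty as well.
    std::cout << violationMessage("application/x-invalid-type",
                                  "data:application/x-webkit-test-netscape,logifloaded",
                                  "", "") << "\n";
    // A declared but unlisted type: blocked, but without the hint.
    std::cout << violationMessage("application/pdf", "http://example.test/movie.swf",
                                  "application/x-shockwave-flash",
                                  "application/x-shockwave-flash") << "\n";
    // A declared and listed type: allowed, so nothing is reported.
    std::cout << violationMessage("application/pdf", "http://example.test/doc.pdf",
                                  "application/pdf", "application/pdf") << "\n";
    return 0;
}
```

The first call reproduces the console line recorded in plugintypes-notype-data-expected.txt (minus the "CONSOLE MESSAGE: " prefix); the second shows that an element which does declare a type still gets the plain violation message without the hint.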

Diff

Modified: trunk/LayoutTests/ChangeLog (126046 => 126047)


--- trunk/LayoutTests/ChangeLog	2012-08-20 18:23:08 UTC (rev 126046)
+++ trunk/LayoutTests/ChangeLog	2012-08-20 18:33:20 UTC (rev 126047)
@@ -1,3 +1,13 @@
+2012-08-20  Mike West  <[email protected]>
+
+        CSP 1.1: The 'plugin-types' warning should include details about explicit type declaration when relevant.
+        https://bugs.webkit.org/show_bug.cgi?id=94432
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt:
+
 2012-08-20  Sheriff Bot  <[email protected]>
 
         Unreviewed, rolling out r125989.

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt (126046 => 126047)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt	2012-08-20 18:23:08 UTC (rev 126046)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-data-expected.txt	2012-08-20 18:33:20 UTC (rev 126047)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'.
+CONSOLE MESSAGE: Refused to load 'data:application/x-webkit-test-netscape,logifloaded' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>').
 
 Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's a console message above and "FAIL!" isn't logged.  

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt (126046 => 126047)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt	2012-08-20 18:23:08 UTC (rev 126046)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-notype-url-expected.txt	2012-08-20 18:33:20 UTC (rev 126047)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'.
+CONSOLE MESSAGE: Refused to load 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' (MIME type '') because it violates the following Content Security Policy Directive: 'plugin-types application/x-invalid-type'. When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type="[TYPE GOES HERE]" ...>').
 
 Given a `plugin-types` directive, plugins have to declare a type explicitly. No declared type, no load. This test passes if there's a console message above.  
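Review bot: this expectation passes "if there's a console message above" only, whereas the data: variant in this same revision also checks that "FAIL!" isn't logged. Consider having the URL test assert the same, so a regression that reports the violation but still lets the plugin load is caught rather than passing on the console line alone.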
 

Modified: trunk/Source/WebCore/ChangeLog (126046 => 126047)


--- trunk/Source/WebCore/ChangeLog	2012-08-20 18:23:08 UTC (rev 126046)
+++ trunk/Source/WebCore/ChangeLog	2012-08-20 18:33:20 UTC (rev 126047)
@@ -1,3 +1,23 @@
+2012-08-20  Mike West  <[email protected]>
+
+        CSP 1.1: The 'plugin-types' warning should include details about explicit type declaration when relevant.
+        https://bugs.webkit.org/show_bug.cgi?id=94432
+
+        Reviewed by Adam Barth.
+
+        Given a 'plugin-types' Content Security Policy directive, an 'object' or
+        'embed' tag is blocked if it doesn't include an explicit declaration of
+        the plugin's expected media type. This restriction should be made clear
+        in the console warning that's generated.
+
+        Existing tests have been adjusted to agree with the new error string.
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirectiveList::checkMediaTypeAndReportViolation):
+            If a media type fail to match the policy's restrictions, and the
+            declared type attribute is empty, then add another line to the
+            console warning, espousing the virtues of explicit declaration.
+
 2012-08-20  Dana Jansens  <[email protected]>
 
         [chromium] Update HUD resources as a final step to drawing a frame
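Review bot: the description under checkMediaTypeAndReportViolation reads "If a media type fail to match"; it should be "fails". The same paragraph says another line is added to the console warning, while the expected.txt changes in this revision record the hint appended to the same console line; align the wording with the actual behaviour.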

Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (126046 => 126047)


--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2012-08-20 18:23:08 UTC (rev 126046)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp	2012-08-20 18:33:20 UTC (rev 126047)
@@ -861,7 +861,11 @@
     if (checkMediaType(directive, type, typeAttribute))
         return true;
 
-    reportViolation(directive->text(), consoleMessage + "\'" + directive->text() + "\'.\n", KURL());
+    String message = makeString(consoleMessage, "\'", directive->text(), "\'.");
+    if (typeAttribute.isEmpty())
+        message = message + " When enforcing the 'plugin-types' directive, the plugin's media type must be explicitly declared with a 'type' attribute on the containing element (e.g. '<object type=\"[TYPE GOES HERE]\" ...>').";
+
+    reportViolation(directive->text(), message + "\n", KURL());
     return denyIfEnforcingPolicy();
 }
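Review bot: the ChangeLog says this adds "another line to the console warning", but the hint is joined to `message` with a leading space, so the console receives one long line (which is also what the updated expected.txt files record); either reword the ChangeLog or, if a separate line was intended, join with "\n" and update the expectations. As a style point, `message = message + " When enforcing ..."` can be `message.append(...)`, and the `\'` escapes in `makeString(consoleMessage, "\'", directive->text(), "\'.")` are unnecessary inside a double-quoted literal.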
 