Diff
Modified: trunk/Source/WebCore/CMakeLists.txt (141493 => 141494)
--- trunk/Source/WebCore/CMakeLists.txt 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/CMakeLists.txt 2013-01-31 23:18:35 UTC (rev 141494)
@@ -1556,6 +1556,7 @@
html/parser/TextDocumentParser.cpp
html/parser/TextViewSourceParser.cpp
html/parser/XSSAuditor.cpp
+ html/parser/XSSAuditorDelegate.cpp
html/shadow/ContentDistributor.cpp
html/shadow/ContentSelectorQuery.cpp
Modified: trunk/Source/WebCore/ChangeLog (141493 => 141494)
--- trunk/Source/WebCore/ChangeLog 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/ChangeLog 2013-01-31 23:18:35 UTC (rev 141494)
@@ -1,3 +1,83 @@
+2013-01-31 Tony Gentilcore <to...@chromium.org>
+
+ Begin to make XSSAuditor thread aware
+ https://bugs.webkit.org/show_bug.cgi?id=108394
+
+ Reviewed by Adam Barth.
+
+ This patch moves the parts of filterToken() that depend on Frame, Document, etc. to a delegate class.
+ The new didBlockScript delegate method is invoked with the resulting DidBlockScriptRequest which will
+ be owned by the CompactHTMLToken in the threaded case.
+
+ This is just the first step as there is more to do to make XSSAuditor thread safe.
+
+ No new tests because covered by existing tests.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * Target.pri:
+ * WebCore.gypi:
+ * WebCore.vcproj/WebCore.vcproj:
+ * WebCore.vcxproj/WebCore.vcxproj:
+ * WebCore.vcxproj/WebCore.vcxproj.filters:
+ * WebCore.xcodeproj/project.pbxproj:
+ * html/parser/BackgroundHTMLParser.cpp:
+ (WebCore::BackgroundHTMLParser::pumpTokenizer):
+ * html/parser/HTMLDocumentParser.cpp:
+ (WebCore::HTMLDocumentParser::HTMLDocumentParser):
+ (WebCore::HTMLDocumentParser::processTokensFromBackgroundParser):
+ (WebCore::HTMLDocumentParser::pumpTokenizer):
+ * html/parser/HTMLDocumentParser.h:
+ (HTMLDocumentParser):
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::filterToken):
+ * html/parser/XSSAuditor.h:
+ (WebCore):
+ (XSSAuditor):
+ * html/parser/XSSAuditorDelegate.cpp: Added.
+ (WebCore):
+ (WebCore::XSSAuditorDelegate::XSSAuditorDelegate):
+ (WebCore::XSSAuditorDelegate::didBlockScript):
+ * html/parser/XSSAuditorDelegate.h: Added.
+ (WebCore):
+ (DidBlockScriptRequest):
+ (WebCore::DidBlockScriptRequest::create):
+ (WebCore::DidBlockScriptRequest::DidBlockScriptRequest):
+ (XSSAuditorDelegate):
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * Target.pri:
+ * WebCore.gypi:
+ * WebCore.vcproj/WebCore.vcproj:
+ * WebCore.vcxproj/WebCore.vcxproj:
+ * WebCore.vcxproj/WebCore.vcxproj.filters:
+ * WebCore.xcodeproj/project.pbxproj:
+ * html/parser/BackgroundHTMLParser.cpp:
+ (WebCore::BackgroundHTMLParser::pumpTokenizer):
+ * html/parser/HTMLDocumentParser.cpp:
+ (WebCore::HTMLDocumentParser::HTMLDocumentParser):
+ (WebCore::HTMLDocumentParser::processParsedChunkFromBackgroundParser):
+ (WebCore::HTMLDocumentParser::pumpTokenizer):
+ * html/parser/HTMLDocumentParser.h:
+ (HTMLDocumentParser):
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::XSSAuditor):
+ (WebCore::XSSAuditor::filterToken):
+ * html/parser/XSSAuditor.h:
+ (WebCore):
+ (XSSAuditor):
+ * html/parser/XSSAuditorDelegate.cpp: Added.
+ (WebCore):
+ (WebCore::XSSAuditorDelegate::XSSAuditorDelegate):
+ (WebCore::XSSAuditorDelegate::didBlockScript):
+ * html/parser/XSSAuditorDelegate.h: Added.
+ (WebCore):
+ (DidBlockScriptRequest):
+ (WebCore::DidBlockScriptRequest::create):
+ (WebCore::DidBlockScriptRequest::DidBlockScriptRequest):
+ (XSSAuditorDelegate):
+
2013-01-31 Uday Kiran <udayki...@motorola.com>
CSS3's vh attribute is not adjusting while browser resizes
Modified: trunk/Source/WebCore/GNUmakefile.list.am (141493 => 141494)
--- trunk/Source/WebCore/GNUmakefile.list.am 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/GNUmakefile.list.am 2013-01-31 23:18:35 UTC (rev 141494)
@@ -3598,6 +3598,8 @@
Source/WebCore/html/parser/TextViewSourceParser.h \
Source/WebCore/html/parser/XSSAuditor.cpp \
Source/WebCore/html/parser/XSSAuditor.h \
+ Source/WebCore/html/parser/XSSAuditorDelegate.cpp \
+ Source/WebCore/html/parser/XSSAuditorDelegate.h \
Source/WebCore/html/shadow/PickerIndicatorElement.cpp \
Source/WebCore/html/shadow/PickerIndicatorElement.h \
Source/WebCore/html/shadow/ContentDistributor.cpp \
Modified: trunk/Source/WebCore/Target.pri (141493 => 141494)
--- trunk/Source/WebCore/Target.pri 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/Target.pri 2013-01-31 23:18:35 UTC (rev 141494)
@@ -735,6 +735,7 @@
html/parser/TextDocumentParser.cpp \
html/parser/TextViewSourceParser.cpp \
html/parser/XSSAuditor.cpp \
+ html/parser/XSSAuditorDelegate.cpp \
html/shadow/ContentDistributor.cpp \
html/shadow/ContentSelectorQuery.cpp \
html/shadow/DateTimeEditElement.cpp \
@@ -1911,6 +1912,7 @@
html/parser/HTMLTreeBuilder.h \
html/parser/HTMLViewSourceParser.h \
html/parser/XSSAuditor.h \
+ html/parser/XSSAuditorDelegate.h \
html/shadow/ContentDistributor.h \
html/shadow/ContentSelectorQuery.h \
html/shadow/HTMLContentElement.h \
Modified: trunk/Source/WebCore/WebCore.gypi (141493 => 141494)
--- trunk/Source/WebCore/WebCore.gypi 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/WebCore.gypi 2013-01-31 23:18:35 UTC (rev 141494)
@@ -3400,6 +3400,8 @@
'html/parser/TextViewSourceParser.h',
'html/parser/XSSAuditor.cpp',
'html/parser/XSSAuditor.h',
+ 'html/parser/XSSAuditorDelegate.cpp',
+ 'html/parser/XSSAuditorDelegate.h',
'html/shadow/PickerIndicatorElement.cpp',
'html/shadow/PickerIndicatorElement.h',
'html/shadow/ContentDistributor.cpp',
Modified: trunk/Source/WebCore/WebCore.vcproj/WebCore.vcproj (141493 => 141494)
--- trunk/Source/WebCore/WebCore.vcproj/WebCore.vcproj 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/WebCore.vcproj/WebCore.vcproj 2013-01-31 23:18:35 UTC (rev 141494)
@@ -64972,6 +64972,14 @@
RelativePath="..\html\parser\XSSAuditor.h"
>
</File>
+ <File
+ RelativePath="..\html\parser\XSSAuditorDelegate.cpp"
+ >
+ </File>
+ <File
+ RelativePath="..\html\parser\XSSAuditorDelegate.h"
+ >
+ </File>
</Filter>
<Filter
Name="shadow"
Modified: trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj (141493 => 141494)
--- trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj 2013-01-31 23:18:35 UTC (rev 141494)
@@ -4889,6 +4889,7 @@
<ClCompile Include="..\html\parser\TextDocumentParser.cpp" />
<ClCompile Include="..\html\parser\TextViewSourceParser.cpp" />
<ClCompile Include="..\html\parser\XSSAuditor.cpp" />
+ <ClCompile Include="..\html\parser\XSSAuditorDelegate.cpp" />
<ClCompile Include="..\html\shadow\ContentDistributor.cpp" />
<ClCompile Include="..\html\shadow\ContentSelectorQuery.cpp" />
<ClCompile Include="..\html\shadow\DateTimeEditElement.cpp" />
@@ -7930,6 +7931,7 @@
<ClInclude Include="..\html\parser\TextDocumentParser.h" />
<ClInclude Include="..\html\parser\TextViewSourceParser.h" />
<ClInclude Include="..\html\parser\XSSAuditor.h" />
+ <ClInclude Include="..\html\parser\XSSAuditorDelegate.h" />
<ClInclude Include="..\html\shadow\ContentDistributor.h" />
<ClInclude Include="..\html\shadow\ContentSelectorQuery.h" />
<ClInclude Include="..\html\shadow\DateTimeEditElement.h" />
Modified: trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj.filters (141493 => 141494)
--- trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj.filters 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj.filters 2013-01-31 23:18:35 UTC (rev 141494)
@@ -5697,6 +5697,9 @@
<ClCompile Include="..\html\parser\XSSAuditor.cpp">
<Filter>html\parser</Filter>
</ClCompile>
+ <ClCompile Include="..\html\parser\XSSAuditorDelegate.cpp">
+ <Filter>html\parser</Filter>
+ </ClCompile>
<ClCompile Include="..\html\shadow\ContentDistributor.cpp">
<Filter>html\shadow</Filter>
</ClCompile>
@@ -12584,6 +12587,9 @@
<ClInclude Include="..\html\parser\XSSAuditor.h">
<Filter>html\parser</Filter>
</ClInclude>
+ <ClInclude Include="..\html\parser\XSSAuditorDelegate.h">
+ <Filter>html\parser</Filter>
+ </ClInclude>
<ClInclude Include="..\html\shadow\ContentDistributor.h">
<Filter>html\shadow</Filter>
</ClInclude>
Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (141493 => 141494)
--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2013-01-31 23:18:35 UTC (rev 141494)
@@ -3643,6 +3643,8 @@
977E2DCE12F0E28300C13379 /* HTMLSourceTracker.h in Headers */ = {isa = PBXBuildFile; fileRef = 977E2DCC12F0E28300C13379 /* HTMLSourceTracker.h */; };
977E2E0E12F0FC9C00C13379 /* XSSAuditor.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 977E2E0B12F0FC9C00C13379 /* XSSAuditor.cpp */; };
977E2E0F12F0FC9C00C13379 /* XSSAuditor.h in Headers */ = {isa = PBXBuildFile; fileRef = 977E2E0C12F0FC9C00C13379 /* XSSAuditor.h */; };
+ 977E2E0E12F0FC9C00C13380 /* XSSAuditorDelegate.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 977E2E0B12F0FC9C00C13380 /* XSSAuditorDelegate.cpp */; };
+ 977E2E0F12F0FC9C00C13380 /* XSSAuditorDelegate.h in Headers */ = {isa = PBXBuildFile; fileRef = 977E2E0C12F0FC9C00C13380 /* XSSAuditorDelegate.h */; };
978AD67414130A8D00C7CAE3 /* HTMLSpanElement.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 978AD67114130A8D00C7CAE3 /* HTMLSpanElement.cpp */; };
978AD67514130A8D00C7CAE3 /* HTMLSpanElement.h in Headers */ = {isa = PBXBuildFile; fileRef = 978AD67214130A8D00C7CAE3 /* HTMLSpanElement.h */; };
978D07B6145A0F030096908D /* FileException.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 978D07B5145A0F030096908D /* FileException.cpp */; };
@@ -11043,6 +11045,8 @@
977E2DCC12F0E28300C13379 /* HTMLSourceTracker.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = HTMLSourceTracker.h; path = parser/HTMLSourceTracker.h; sourceTree = "<group>"; };
977E2E0B12F0FC9C00C13379 /* XSSAuditor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = XSSAuditor.cpp; path = parser/XSSAuditor.cpp; sourceTree = "<group>"; };
977E2E0C12F0FC9C00C13379 /* XSSAuditor.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = XSSAuditor.h; path = parser/XSSAuditor.h; sourceTree = "<group>"; };
+ 977E2E0B12F0FC9C00C13380 /* XSSAuditorDelegate.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = XSSAuditorDelegate.cpp; path = parser/XSSAuditorDelegate.cpp; sourceTree = "<group>"; };
+ 977E2E0C12F0FC9C00C13380 /* XSSAuditorDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = XSSAuditorDelegate.h; path = parser/XSSAuditorDelegate.h; sourceTree = "<group>"; };
978AD67114130A8D00C7CAE3 /* HTMLSpanElement.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = HTMLSpanElement.cpp; sourceTree = "<group>"; };
978AD67214130A8D00C7CAE3 /* HTMLSpanElement.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HTMLSpanElement.h; sourceTree = "<group>"; };
978AD67314130A8D00C7CAE3 /* HTMLSpanElement.idl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = HTMLSpanElement.idl; sourceTree = "<group>"; };
@@ -18636,6 +18640,8 @@
97BC84A312370DC8000C6161 /* TextViewSourceParser.h */,
977E2E0B12F0FC9C00C13379 /* XSSAuditor.cpp */,
977E2E0C12F0FC9C00C13379 /* XSSAuditor.h */,
+ 977E2E0B12F0FC9C00C13380 /* XSSAuditorDelegate.cpp */,
+ 977E2E0C12F0FC9C00C13380 /* XSSAuditorDelegate.h */,
);
name = parser;
sourceTree = "<group>";
@@ -26315,6 +26321,7 @@
93F199ED08245E59001E9ABC /* XSLTProcessor.h in Headers */,
E1BE512E0CF6C512002EA959 /* XSLTUnicodeSort.h in Headers */,
977E2E0F12F0FC9C00C13379 /* XSSAuditor.h in Headers */,
+ 977E2E0F12F0FC9C00C13380 /* XSSAuditorDelegate.h in Headers */,
FD537353137B651800008DCE /* ZeroPole.h in Headers */,
FB91392416AE4C17001FE682 /* DOMPath.h in Headers */,
FB91392616AE4C2F001FE682 /* CanvasPathMethods.h in Headers */,
@@ -29471,6 +29478,7 @@
93F19B0508245E59001E9ABC /* XSLTProcessorLibxslt.cpp in Sources */,
E1BE512D0CF6C512002EA959 /* XSLTUnicodeSort.cpp in Sources */,
977E2E0E12F0FC9C00C13379 /* XSSAuditor.cpp in Sources */,
+ 977E2E0E12F0FC9C00C13380 /* XSSAuditorDelegate.cpp in Sources */,
FD537352137B651800008DCE /* ZeroPole.cpp in Sources */,
FB91392716AE4C34001FE682 /* CanvasPathMethods.cpp in Sources */,
FB91392B16AE4FC0001FE682 /* JSDOMPath.cpp in Sources */,
Modified: trunk/Source/WebCore/html/parser/BackgroundHTMLParser.cpp (141493 => 141494)
--- trunk/Source/WebCore/html/parser/BackgroundHTMLParser.cpp 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/html/parser/BackgroundHTMLParser.cpp 2013-01-31 23:18:35 UTC (rev 141494)
@@ -164,6 +164,7 @@
void BackgroundHTMLParser::pumpTokenizer()
{
while (m_tokenizer->nextToken(m_input.current(), *m_token.get())) {
+ // FIXME: Call m_xssAuditor.filterToken(m_token) and put resulting DidBlockScriptRequest into CompactHTMLToken.
m_pendingTokens->append(CompactHTMLToken(m_token.get(), TextPosition(m_input.current().currentLine(), m_input.current().currentColumn())));
m_token->clear();
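Review bot: On the threaded path nothing visible here runs the XSS auditor: this loop appends every token to m_pendingTokens unfiltered, and the matching FIXME in HTMLDocumentParser.cpp (the hunk at -314) still builds the tree from those tokens without calling the delegate. The ChangeLog says this is only a first step, but neither FIXME carries a bug reference, so the gap is easy to lose track of. Consider wording both as `// FIXME(<tracking bug URL>): threaded parsing currently bypasses XSSAuditor entirely.` If ENABLE(THREADED_HTML_PARSER) can be turned on in a shipping configuration (not visible in this diff), it should stay off until filterToken() is wired in. pumpTokenizer's body continues past the end of the hunk.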
Modified: trunk/Source/WebCore/html/parser/HTMLDocumentParser.cpp (141493 => 141494)
--- trunk/Source/WebCore/html/parser/HTMLDocumentParser.cpp 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/html/parser/HTMLDocumentParser.cpp 2013-01-31 23:18:35 UTC (rev 141494)
@@ -83,6 +83,7 @@
, m_treeBuilder(HTMLTreeBuilder::create(this, document, reportErrors, m_options))
, m_parserScheduler(HTMLParserScheduler::create(this))
, m_xssAuditor(this)
+ , m_xssAuditorDelegate(document)
#if ENABLE(THREADED_HTML_PARSER)
, m_weakFactory(this)
#endif
@@ -102,6 +103,7 @@
, m_tokenizer(HTMLTokenizer::create(m_options))
, m_treeBuilder(HTMLTreeBuilder::create(this, fragment, contextElement, scriptingPermission, m_options))
, m_xssAuditor(this)
+ , m_xssAuditorDelegate(fragment->document())
#if ENABLE(THREADED_HTML_PARSER)
, m_weakFactory(this)
#endif
@@ -314,7 +316,7 @@
for (Vector<CompactHTMLToken>::const_iterator it = tokens->begin(); it != tokens->end(); ++it) {
ASSERT(!isWaitingForScripts());
- // FIXME: Call m_xssAuditor.filterToken(*it).
+ // FIXME: Call m_xssAuditorDelegate.didBlockScript() with DidBlockScriptRequest from the CompactHTMLToken.
m_textPosition = it->textPosition();
constructTreeFromCompactHTMLToken(*it);
@@ -374,7 +376,9 @@
// We do not XSS filter innerHTML, which means we (intentionally) fail
// http/tests/security/xssAuditor/dom-write-innerHTML.html
- m_xssAuditor.filterToken(token());
+ OwnPtr<DidBlockScriptRequest> request = m_xssAuditor.filterToken(token());
+ if (request)
+ m_xssAuditorDelegate.didBlockScript(request.release());
}
constructTreeFromHTMLToken(token());
Modified: trunk/Source/WebCore/html/parser/HTMLDocumentParser.h (141493 => 141494)
--- trunk/Source/WebCore/html/parser/HTMLDocumentParser.h 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/html/parser/HTMLDocumentParser.h 2013-01-31 23:18:35 UTC (rev 141494)
@@ -38,6 +38,7 @@
#include "SegmentedString.h"
#include "Timer.h"
#include "XSSAuditor.h"
+#include "XSSAuditorDelegate.h"
#include <wtf/Deque.h>
#include <wtf/OwnPtr.h>
#include <wtf/WeakPtr.h>
@@ -175,6 +176,7 @@
HTMLSourceTracker m_sourceTracker;
TextPosition m_textPosition;
XSSAuditor m_xssAuditor;
+ XSSAuditorDelegate m_xssAuditorDelegate;
#if ENABLE(THREADED_HTML_PARSER)
OwnPtr<ParsedChunk> m_currentChunk;
Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (141493 => 141494)
--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2013-01-31 23:18:35 UTC (rev 141494)
@@ -50,6 +50,8 @@
#include "TextEncoding.h"
#include "TextResourceDecoder.h"
+#include <wtf/Functional.h>
+#include <wtf/MainThread.h>
#include <wtf/text/CString.h>
namespace WebCore {
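Review bot: The two added includes, `<wtf/Functional.h>` and `<wtf/MainThread.h>`, do not appear to be needed by anything this patch changes in XSSAuditor.cpp; the isMainThread() assertions it introduces live in XSSAuditorDelegate.cpp. Conversely, the code that used FormData, InspectorObject and PingLoader has moved out of filterToken(), so the corresponding includes are probably dead in this file now, unless something outside the visible hunks still uses them. Trimming both makes it easier to see which Frame-side dependencies XSSAuditor still has, which is the point of the refactoring.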
@@ -173,7 +175,6 @@
, m_state(Uninitialized)
, m_shouldAllowCDATA(false)
, m_scriptTagNestingLevel(0)
- , m_notifyClient(true)
{
ASSERT(m_parser);
if (Frame* frame = parser->document()->frame()) {
@@ -268,14 +269,14 @@
}
}
-void XSSAuditor::filterToken(HTMLToken& token)
+PassOwnPtr<DidBlockScriptRequest> XSSAuditor::filterToken(HTMLToken& token)
{
if (m_state == Uninitialized)
init();
ASSERT(m_state == Initialized);
if (!m_isEnabled || m_xssProtection == XSSProtectionDisabled)
- return;
+ return nullptr;
bool didBlockScript = false;
if (token.type() == HTMLTokenTypes::StartTag)
@@ -288,38 +289,16 @@
}
if (didBlockScript) {
- // FIXME: Consider using a more helpful console message.
- DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute a _javascript_ script. Source code of script found within request.\n")));
- m_parser->document()->addConsoleMessage(JSMessageSource, ErrorMessageLevel, consoleMessage);
-
bool didBlockEntirePage = (m_xssProtection == XSSProtectionBlockEnabled);
- if (didBlockEntirePage)
- m_parser->document()->frame()->loader()->stopAllLoaders();
-
- if (m_notifyClient) {
- m_parser->document()->frame()->loader()->client()->didDetectXSS(m_parser->document()->url(), didBlockEntirePage);
- m_notifyClient = false;
- }
-
+ OwnPtr<DidBlockScriptRequest> request = DidBlockScriptRequest::create(m_reportURL, m_originalURL, m_originalHTTPBody, didBlockEntirePage);
if (!m_reportURL.isEmpty()) {
- RefPtr<InspectorObject> reportDetails = InspectorObject::create();
- reportDetails->setString("request-url", m_originalURL);
- reportDetails->setString("request-body", m_originalHTTPBody);
-
- RefPtr<InspectorObject> reportObject = InspectorObject::create();
- reportObject->setObject("xss-report", reportDetails.release());
-
- RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8().data());
- PingLoader::sendViolationReport(m_parser->document()->frame(), m_reportURL, report);
-
m_reportURL = KURL();
m_originalURL = String();
m_originalHTTPBody = String();
}
-
- if (didBlockEntirePage)
- m_parser->document()->frame()->navigationScheduler()->scheduleLocationChange(m_parser->document()->securityOrigin(), blankURL(), String());
+ return request.release();
}
+ return nullptr;
}
bool XSSAuditor::filterStartToken(HTMLToken& token)
Modified: trunk/Source/WebCore/html/parser/XSSAuditor.h (141493 => 141494)
--- trunk/Source/WebCore/html/parser/XSSAuditor.h 2013-01-31 23:13:16 UTC (rev 141493)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.h 2013-01-31 23:18:35 UTC (rev 141494)
@@ -29,9 +29,11 @@
#include "HTMLToken.h"
#include "HTTPParsers.h"
#include "SuffixTree.h"
+#include <wtf/PassOwnPtr.h>
namespace WebCore {
+class DidBlockScriptRequest;
class HTMLDocumentParser;
class XSSAuditor {
@@ -39,7 +41,7 @@
public:
explicit XSSAuditor(HTMLDocumentParser*);
- void filterToken(HTMLToken&);
+ PassOwnPtr<DidBlockScriptRequest> filterToken(HTMLToken&);
private:
static const size_t kMaximumFragmentLengthTarget = 100;
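Review bot: filterToken() now only detects; stopping the loaders, notifying the client, sending the report and navigating to the blank page happen only if the caller forwards the returned request to XSSAuditorDelegate::didBlockScript(). A caller that drops the return value silently loses block-mode enforcement and reporting, so the declaration should make that hard to do: `PassOwnPtr<DidBlockScriptRequest> filterToken(HTMLToken&) WARN_UNUSED_RETURN;`. A comment above it would also help, for example `// Returns null when nothing was blocked; otherwise the caller must hand the request to XSSAuditorDelegate::didBlockScript() on the main thread.`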
@@ -81,6 +83,7 @@
bool isContainedInRequest(const String&);
bool isLikelySafeResource(const String& url);
+ // FIXME: Remove this dependency.
HTMLDocumentParser* m_parser;
bool m_isEnabled;
XSSProtectionDisposition m_xssProtection;
@@ -95,7 +98,6 @@
String m_cachedDecodedSnippet;
bool m_shouldAllowCDATA;
unsigned m_scriptTagNestingLevel;
- bool m_notifyClient;
KURL m_reportURL;
};
Added: trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp (0 => 141494)
--- trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp (rev 0)
+++ trunk/Source/WebCore/html/parser/XSSAuditorDelegate.cpp 2013-01-31 23:18:35 UTC (rev 141494)
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2013 Google, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "XSSAuditorDelegate.h"
+
+#include "Console.h"
+#include "DOMWindow.h"
+#include "Document.h"
+#include "FormData.h"
+#include "Frame.h"
+#include "FrameLoaderClient.h"
+#include "InspectorValues.h"
+#include "PingLoader.h"
+#include "SecurityOrigin.h"
+
+namespace WebCore {
+
+XSSAuditorDelegate::XSSAuditorDelegate(Document* document)
+ : m_document(document)
+ , m_didNotifyClient(false)
+{
+ ASSERT(isMainThread());
+ ASSERT(m_document);
+}
+
+void XSSAuditorDelegate::didBlockScript(PassOwnPtr<DidBlockScriptRequest> request)
+{
+ ASSERT(isMainThread());
+
+ // FIXME: Consider using a more helpful console message.
+ DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute a _javascript_ script. Source code of script found within request.\n")));
+ m_document->addConsoleMessage(JSMessageSource, ErrorMessageLevel, consoleMessage);
+
+ if (request->m_didBlockEntirePage)
+ m_document->frame()->loader()->stopAllLoaders();
+
+ if (!m_didNotifyClient) {
+ m_document->frame()->loader()->client()->didDetectXSS(m_document->url(), request->m_didBlockEntirePage);
+ m_didNotifyClient = true;
+ }
+
+ if (!request->m_reportURL.isEmpty()) {
+ RefPtr<InspectorObject> reportDetails = InspectorObject::create();
+ reportDetails->setString("request-url", request->m_originalURL);
+ reportDetails->setString("request-body", request->m_originalHTTPBody);
+
+ RefPtr<InspectorObject> reportObject = InspectorObject::create();
+ reportObject->setObject("xss-report", reportDetails.release());
+
+ RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8().data());
+ PingLoader::sendViolationReport(m_document->frame(), request->m_reportURL, report);
+ }
+
+ if (request->m_didBlockEntirePage)
+ m_document->frame()->navigationScheduler()->scheduleLocationChange(m_document->securityOrigin(), blankURL(), String());
+}
+
+} // namespace WebCore
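Review bot: didBlockScript() dereferences `m_document->frame()` in four places without a null check. In the synchronous path that matches the code it replaces, but the stated plan is to deliver the request later from a CompactHTMLToken, and by then the document may no longer be attached to a frame; XSSAuditor's own constructor already guards with `if (Frame* frame = parser->document()->frame())`. A guard placed after the console message, `Frame* frame = m_document->frame();` followed by `if (!frame) return;`, with the later calls going through `frame`, would avoid a null dereference on the main thread. m_document is a raw pointer as well, so the header should state that the delegate must not outlive the Document.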
Added: trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h (0 => 141494)
--- trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h (rev 0)
+++ trunk/Source/WebCore/html/parser/XSSAuditorDelegate.h 2013-01-31 23:18:35 UTC (rev 141494)
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2013 Google, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef XSSAuditorDelegate_h
+#define XSSAuditorDelegate_h
+
+#include "KURL.h"
+#include <wtf/PassOwnPtr.h>
+#include <wtf/text/WTFString.h>
+
+namespace WebCore {
+
+class Document;
+
+class DidBlockScriptRequest {
+public:
+ static PassOwnPtr<DidBlockScriptRequest> create(const KURL& reportURL, const String& originalURL, const String& originalHTTPBody, bool didBlockEntirePage)
+ {
+ return adoptPtr(new DidBlockScriptRequest(reportURL, originalURL, originalHTTPBody, didBlockEntirePage));
+ }
+
+ KURL m_reportURL;
+ String m_originalURL;
+ String m_originalHTTPBody;
+ bool m_didBlockEntirePage;
+
+private:
+ DidBlockScriptRequest(const KURL& reportURL, const String& originalURL, const String& originalHTTPBody, bool didBlockEntirePage)
+ : m_reportURL(reportURL)
+ , m_originalURL(originalURL)
+ , m_originalHTTPBody(originalHTTPBody)
+ , m_didBlockEntirePage(didBlockEntirePage)
+ { }
+};
+
+class XSSAuditorDelegate {
+ WTF_MAKE_NONCOPYABLE(XSSAuditorDelegate);
+public:
+ explicit XSSAuditorDelegate(Document*);
+
+ void didBlockScript(PassOwnPtr<DidBlockScriptRequest>);
+
+private:
+ Document* m_document;
+ bool m_didNotifyClient;
+};
+
+}
+
+#endif
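Review bot: DidBlockScriptRequest stores `m_originalURL(originalURL)` and `m_originalHTTPBody(originalHTTPBody)` by plain copy, which shares the underlying string buffers with the XSSAuditor that created the request. That is fine while both objects stay on the main thread, but the ChangeLog says the request will be owned by a CompactHTMLToken in the threaded case, and WTF strings are not safe to hand between threads by reference count alone. Taking isolated copies in the constructor would make the hand-off safe: `m_reportURL(reportURL.copy())`, `m_originalURL(originalURL.isolatedCopy())`, `m_originalHTTPBody(originalHTTPBody.isolatedCopy())`. The class would also benefit from WTF_MAKE_NONCOPYABLE, as XSSAuditorDelegate has, and from a short comment that the fields carry the original request URL and body, which may contain user-submitted data.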