Modified: trunk/LayoutTests/ChangeLog (146757 => 146758)
--- trunk/LayoutTests/ChangeLog 2013-03-25 11:35:11 UTC (rev 146757)
+++ trunk/LayoutTests/ChangeLog 2013-03-25 12:20:23 UTC (rev 146758)
@@ -1,3 +1,32 @@
+2013-03-25 Mike West <mk...@chromium.org>
+
+ CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports.
+ https://bugs.webkit.org/show_bug.cgi?id=113039
+
+ Reviewed by Jochen Eisinger.
+
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html:
+ * http/tests/security/contentSecurityPolicy/resources/securitypolicyviolation-test.js: Added.
+ Updating tests to cover cross-origin scenarios: load cross-origin
+ images, and cross-origin scripts that inject images. The former
+ should strip the image URL down to the origin, the latter the
+ script URL.
+ * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html: Added.
+ * platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added.
+ * platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added.
+ This patch changes the behavior of 'file:' URLs to behave similarly
+ to 'data:'/'blob:', etc. We weren't previously testing this, now we
+ are. We need platform-specific results for Chromium and GTK, since
+ those ports have enabled CSP_NEXT, which adds a field to the report.
+
2013-03-25 Zoltan Arvai <zar...@inf.u-szeged.hu>
[Qt] Unreviewed gardening. Making pixel test bot happier after r146206.
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt (from rev 146757, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt) (0 => 146758)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt 2013-03-25 12:20:23 UTC (rev 146758)
@@ -0,0 +1,20 @@
+CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+Check that a SecurityPolicyViolationEvent strips detail from cross-origin blocked URLs.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Kicking off the tests:
+PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html"
+PASS window.e.referrer is ""
+PASS window.e.blockedURI is "http://localhost:8000"
+PASS window.e.violatedDirective is "img-src 'none'"
+PASS window.e.effectiveDirective is "img-src"
+PASS window.e.originalPolicy is "img-src 'none'"
+PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html"
+PASS window.e.lineNumber is 23
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt (from rev 146757, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt) (0 => 146758)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt 2013-03-25 12:20:23 UTC (rev 146758)
@@ -0,0 +1,20 @@
+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+Check that a SecurityPolicyViolationEvent strips detail from cross-origin URLs upon blocking an image injected via script.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Kicking off the tests:
+PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html"
+PASS window.e.referrer is ""
+PASS window.e.blockedURI is "http://127.0.0.1:8000/security/resources/abe.png"
+PASS window.e.violatedDirective is "img-src 'none'"
+PASS window.e.effectiveDirective is "img-src"
+PASS window.e.originalPolicy is "img-src 'none'"
+PASS window.e.sourceURL is "http://localhost:8000"
+PASS window.e.lineNumber is 3
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html (0 => 146758)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html 2013-03-25 12:20:23 UTC (rev 146758)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <script src=""
+ <script src=""
+ <script>
+ description('Check that a SecurityPolicyViolationEvent strips detail from cross-origin URLs upon blocking an image injected via script.');
+
+ var expectations = {
+ 'documentURI': document.location.toString(),
+ 'referrer': document.referrer,
+ 'blockedURI': 'http://127.0.0.1:8000/security/resources/abe.png',
+ 'violatedDirective': 'img-src \'none\'',
+ 'effectiveDirective': 'img-src',
+ 'originalPolicy': 'img-src \'none\'',
+ 'sourceURL': 'http://localhost:8000',
+ 'lineNumber': 3
+ };
+
+ function run() {
+ var script = document.createElement('script');
+ script.src = '';
+ document.body.appendChild(script);
+ }
+ </script>
+ <script src=""
+</head>
+<body>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html (0 => 146758)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html 2013-03-25 12:20:23 UTC (rev 146758)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <script src=""
+ <script src=""
+ <script>
+ description('Check that a SecurityPolicyViolationEvent strips detail from cross-origin blocked URLs.');
+
+ var expectations = {
+ 'documentURI': document.location.toString(),
+ 'referrer': document.referrer,
+ 'blockedURI': 'http://localhost:8000',
+ 'violatedDirective': 'img-src \'none\'',
+ 'effectiveDirective': 'img-src',
+ 'originalPolicy': 'img-src \'none\'',
+ 'sourceURL': document.location.toString(),
+ 'lineNumber': 23
+ };
+
+ function run() {
+ var img = document.createElement('img');
+ img.src = '';
+ document.body.appendChild(img);
+ }
+ </script>
+ <script src=""
+</head>
+<body>
+</body>
+</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt (146757 => 146758)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt 2013-03-25 11:35:11 UTC (rev 146757)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt 2013-03-25 12:20:23 UTC (rev 146758)
@@ -5,6 +5,7 @@
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+Kicking off the tests:
PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
PASS window.e.referrer is ""
PASS window.e.blockedURI is "http://127.0.0.1:8000/security/resources/abe.png"
@@ -12,7 +13,7 @@
PASS window.e.effectiveDirective is "img-src"
PASS window.e.originalPolicy is "img-src 'none'"
PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
-PASS window.e.lineNumber is 30
+PASS window.e.lineNumber is 23
PASS successfullyParsed is true
TEST COMPLETE
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt (from rev 146757, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt) (0 => 146758)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt 2013-03-25 12:20:23 UTC (rev 146758)
@@ -0,0 +1,20 @@
+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+Check that a SecurityPolicyViolationEvent is fired upon blocking an image injected via script.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Kicking off the tests:
+PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html"
+PASS window.e.referrer is ""
+PASS window.e.blockedURI is "http://127.0.0.1:8000/security/resources/abe.png"
+PASS window.e.violatedDirective is "img-src 'none'"
+PASS window.e.effectiveDirective is "img-src"
+PASS window.e.originalPolicy is "img-src 'none'"
+PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js"
+PASS window.e.lineNumber is 3
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html (0 => 146758)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html 2013-03-25 12:20:23 UTC (rev 146758)
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+ <script src=""
+ <script src=""
+ <script>
+ description('Check that a SecurityPolicyViolationEvent is fired upon blocking an image injected via script.');
+
+ var expectations = {
+ 'documentURI': document.location.toString(),
+ 'referrer': document.referrer,
+ 'blockedURI': 'http://127.0.0.1:8000/security/resources/abe.png',
+ 'violatedDirective': 'img-src \'none\'',
+ 'effectiveDirective': 'img-src',
+ 'originalPolicy': 'img-src \'none\'',
+ 'sourceURL': 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js',
+ 'lineNumber': 3
+ };
+
+ function run() {
+ var script = document.createElement('script');
+ script.src = '';
+ document.body.appendChild(script);
+ }
+ </script>
+ <script src=""
+</head>
+<body>
+</body>
+</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html (146757 => 146758)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html 2013-03-25 11:35:11 UTC (rev 146757)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html 2013-03-25 12:20:23 UTC (rev 146758)
@@ -3,33 +3,26 @@
<head>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<script src=""
+ <script src=""
<script>
description('Check that a SecurityPolicyViolationEvent is fired upon blocking an image.');
- window.jsTestIsAsync = true;
+ var expectations = {
+ 'documentURI': document.location.toString(),
+ 'referrer': document.referrer,
+ 'blockedURI': 'http://127.0.0.1:8000/security/resources/abe.png',
+ 'violatedDirective': 'img-src \'none\'',
+ 'effectiveDirective': 'img-src',
+ 'originalPolicy': 'img-src \'none\'',
+ 'sourceURL': document.location.toString(),
+ 'lineNumber': 23
+ };
- document.addEventListener('securitypolicyviolation', function handleEvent(e) {
- var expectations = {
- 'documentURI': document.location.toString(),
- 'referrer': document.referrer,
- 'blockedURI': 'http://127.0.0.1:8000/security/resources/abe.png',
- 'violatedDirective': 'img-src \'none\'',
- 'effectiveDirective': 'img-src',
- 'originalPolicy': 'img-src \'none\'',
- 'sourceURL': document.location.toString(),
- 'lineNumber': 30
- };
- window.e = e;
- for (key in expectations)
- shouldBe('window.e.' + key, JSON.stringify(expectations[key]));
- finishJSTest();
- });
-
- window._onload_ = function () {
+ function run() {
var img = document.createElement('img');
img.src = '';
document.body.appendChild(img);
- };
+ }
</script>
<script src=""
</head>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (0 => 146758)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt 2013-03-25 12:20:23 UTC (rev 146758)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: Refused to load the image 'compass.jpg' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.html
+REQUEST_METHOD: POST
+=== POST DATA =""
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"file","source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.html","line-number":12}}
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html (0 => 146758)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html 2013-03-25 12:20:23 UTC (rev 146758)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri resources/save-report.php">
+</head>
+<body>
+ <script>
+ testRunner.addOriginAccessWhitelistEntry('http://127.0.0.1:8000', 'file', '', true);
+ var localImageLocation = testRunner.pathToLocalResource('file:///tmp/LayoutTests/http/tests/security/resources/compass.jpg');
+
+ var localImageElement = document.createElement('img');
+ localImageElement.src = ""
+ document.body.appendChild(localImageElement);
+ </script>
+ <script src=""
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/securitypolicyviolation-test.js (0 => 146758)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/securitypolicyviolation-test.js (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/securitypolicyviolation-test.js 2013-03-25 12:20:23 UTC (rev 146758)
@@ -0,0 +1,13 @@
+window.jsTestIsAsync = true;
+
+document.addEventListener('securitypolicyviolation', function handleEvent(e) {
+ window.e = e;
+ for (key in expectations)
+ shouldBe('window.e.' + key, JSON.stringify(expectations[key]));
+ finishJSTest();
+});
+
+window.addEventListener('load', function () {
+ debug('Kicking off the tests:');
+ run();
+});
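Review bot: `for (key in expectations)` on the third line of the helper assigns an implicit global `key` because the loop variable is never declared; write `for (var key in expectations)` so the shared helper does not leak into the global scope of the pages that include it (those pages define `expectations` and `run` there). The listener also calls `finishJSTest()` on the first violation, so a second violation fired later is silently ignored rather than failing the test, which is fine for these single-image pages but worth stating with a comment such as `// Only the first violation is checked; the test ends on it.`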
Added: trunk/LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (0 => 146758)
--- trunk/LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt 2013-03-25 12:20:23 UTC (rev 146758)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: Refused to load the image 'compass.jpg' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.html
+REQUEST_METHOD: POST
+=== POST DATA =""
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.html","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"file","source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.html","line-number":12}}
Added: trunk/LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (0 => 146758)
--- trunk/LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt 2013-03-25 12:20:23 UTC (rev 146758)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: Refused to load the image 'compass.jpg' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.html
+REQUEST_METHOD: POST
+=== POST DATA =""
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.html","referrer":"","violated-directive":"img-src 'none'","effective-directive":"img-src","original-policy":"img-src 'none'; report-uri resources/save-report.php","blocked-uri":"file","source-file":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-blocked-file-uri.html","line-number":12}}
Modified: trunk/Source/WebCore/ChangeLog (146757 => 146758)
--- trunk/Source/WebCore/ChangeLog 2013-03-25 11:35:11 UTC (rev 146757)
+++ trunk/Source/WebCore/ChangeLog 2013-03-25 12:20:23 UTC (rev 146758)
@@ -1,3 +1,40 @@
+2013-03-25 Mike West <mk...@chromium.org>
+
+ CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports.
+ https://bugs.webkit.org/show_bug.cgi?id=113039
+
+ Reviewed by Jochen Eisinger.
+
+ I'd originally assumed that we didn't need to be quite so careful when
+ handing URLs to _javascript_ via SecurityPolicyViolationEvents. This was
+ a mistake. Cross-origin URLs aren't accessible to _javascript_ currently
+ and there's no reason that we should begin exposing them via an event.
+
+ This patch extracts the stripping logic from the existing reports into
+ stripURLForUseInReport(), and uses that new method when populating the
+ event and report objects.
+
+ Relatedly, we were doing the wrong thing with 'file:' URLs, which this
+ patch made clear. Now they're treated the same as 'data:' et al.
+
+ Spec: https://dvcs.w3.org/hg/content-security-policy/rev/45f6ccaba0ef
+
+ Tests: http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html
+ http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html
+ http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html
+ http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::stripURLForUseInReport):
+ Extract the logic from blockedURI out into a reusable method:
+ cross-origin URLs are stripped down to the ASCII serialization of
+ their origin, and non-heirarchical (and 'file:') URLs are stripped
+ down to the ASCII serialization of their protocol.
+ (WebCore::gatherSecurityPolicyViolationEventData):
+ (WebCore::ContentSecurityPolicy::reportViolation):
+ Use ::stripURLForUseInReport for blockedURL and sourceFile
+ attributes in these two methods.
+
2013-03-25 Eugene Klyuchnikov <eus...@chromium.org>
Web Inspector: Fix JSDocs.
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (146757 => 146758)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2013-03-25 11:35:11 UTC (rev 146757)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2013-03-25 12:20:23 UTC (rev 146758)
@@ -1672,12 +1672,21 @@
m_scriptExecutionContext->enforceSandboxFlags(mask);
}
+static String stripURLForUseInReport(Document* document, const KURL& url)
+{
+ if (!url.isValid())
+ return String();
+ if (!url.isHierarchical() || url.protocolIs("file"))
+ return url.protocol();
+ return document->securityOrigin()->canRequest(url) ? url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString();
+}
+
#if ENABLE(CSP_NEXT)
static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header)
{
init.documentURI = document->url().string();
init.referrer = document->referrer();
- init.blockedURI = blockedURL.isValid() ? blockedURL.string() : String();
+ init.blockedURI = stripURLForUseInReport(document, blockedURL);
init.violatedDirective = directiveText;
init.effectiveDirective = effectiveDirective;
init.originalPolicy = header;
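Review bot: `stripURLForUseInReport` collapses only the literal `"file"` scheme to its protocol, so any other scheme the port treats as local would still take the `canRequest` branch and, when the document is allowed to request it, surface the full path in `blockedURI`/`sourceURL`; if the project keeps a registry of local schemes, keying that check on it instead of `url.protocolIs("file")` would cover those too (no such registry is visible from this hunk, so confirm before changing). Note also that `canRequest` honours origin-access whitelist entries, which appears to be how the old code could expose a full local path once `report-blocked-file-uri.html` whitelists `file`; the new early return closes that for `file`, but a whitelisted non-local cross-origin URL is still reported unstripped, so that trade-off deserves a sentence in a comment. The helper has no comment at all; I would add above it: `// Reduce a URL to what the page may learn from a violation: nothing for an invalid URL, just the scheme for non-hierarchical and file: URLs, the URL as strippedForUseAsReferrer() renders it when the document could request it, and only the serialized origin otherwise.`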
@@ -1692,7 +1701,7 @@
if (callFrame.lineNumber()) {
KURL source = KURL(ParsedURLString, callFrame.sourceURL());
- init.sourceURL = source.string();
+ init.sourceURL = stripURLForUseInReport(document, source);
init.lineNumber = callFrame.lineNumber();
}
}
@@ -1744,13 +1753,7 @@
UNUSED_PARAM(effectiveDirective);
#endif
cspReport->setString("original-policy", header);
- if (blockedURL.isValid())
- if (blockedURL.isHierarchical())
- cspReport->setString("blocked-uri", document->securityOrigin()->canRequest(blockedURL) ? blockedURL.strippedForUseAsReferrer() : SecurityOrigin::create(blockedURL)->toString());
- else
- cspReport->setString("blocked-uri", blockedURL.protocol());
- else
- cspReport->setString("blocked-uri", String());
+ cspReport->setString("blocked-uri", stripURLForUseInReport(document, blockedURL));
RefPtr<ScriptCallStack> stack = createScriptCallStack(2, false);
if (stack) {
@@ -1758,7 +1761,7 @@
if (callFrame.lineNumber()) {
KURL source = KURL(ParsedURLString, callFrame.sourceURL());
- cspReport->setString("source-file", document->securityOrigin()->canRequest(source) ? source.strippedForUseAsReferrer() : SecurityOrigin::create(source)->toString());
+ cspReport->setString("source-file", stripURLForUseInReport(document, source));
cspReport->setNumber("line-number", callFrame.lineNumber());
}
}