diff options
author | Simon Hausmann <simon.hausmann@digia.com> | 2012-10-15 16:08:57 +0200 |
---|---|---|
committer | Simon Hausmann <simon.hausmann@digia.com> | 2012-10-15 16:08:57 +0200 |
commit | 5466563f4b5b6b86523e3f89bb7f77e5b5270c78 (patch) | |
tree | 8caccf7cd03a15207cde3ba282c88bf132482a91 /Source/WebCore/page/ContentSecurityPolicy.cpp | |
parent | 33b26980cb24288b5a9f2590ccf32a949281bb79 (diff) | |
download | qtwebkit-5466563f4b5b6b86523e3f89bb7f77e5b5270c78.tar.gz |
Imported WebKit commit 0dc6cd75e1d4836eaffbb520be96fac4847cc9d2 (http://svn.webkit.org/repository/webkit/trunk@131300)
WebKit update which introduces the QtWebKitWidgets module that contains the WK1
widgets based API. (In fact it renames QtWebKit to QtWebKitWidgets while we're
working on completing the entire split as part of
https://bugs.webkit.org/show_bug.cgi?id=99314
Diffstat (limited to 'Source/WebCore/page/ContentSecurityPolicy.cpp')
-rw-r--r-- | Source/WebCore/page/ContentSecurityPolicy.cpp | 58 |
1 files changed, 40 insertions, 18 deletions
diff --git a/Source/WebCore/page/ContentSecurityPolicy.cpp b/Source/WebCore/page/ContentSecurityPolicy.cpp index 2667a8284..58d395fab 100644 --- a/Source/WebCore/page/ContentSecurityPolicy.cpp +++ b/Source/WebCore/page/ContentSecurityPolicy.cpp @@ -39,6 +39,8 @@ #include "PingLoader.h" #include "SchemeRegistry.h" #include "ScriptCallStack.h" +#include "ScriptCallStackFactory.h" +#include "ScriptState.h" #include "SecurityOrigin.h" #include "TextEncoding.h" #include <wtf/HashSet.h> @@ -736,7 +738,7 @@ public: bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const; bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const; bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const; - bool allowEval(PassRefPtr<ScriptCallStack>, ContentSecurityPolicy::ReportingStatus) const; + bool allowEval(ScriptState*, ContentSecurityPolicy::ReportingStatus) const; bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const KURL&) const; bool allowPluginType(const String& type, const String& typeAttribute, const KURL&, ContentSecurityPolicy::ReportingStatus) const; @@ -769,7 +771,7 @@ private: void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>&); SourceListDirective* operativeDirective(SourceListDirective*) const; - void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const; + void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL = KURL(), const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const; bool checkEval(SourceListDirective*) const; bool checkInline(SourceListDirective*) const; @@ -779,7 +781,7 @@ private: void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; } - bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), PassRefPtr<ScriptCallStack> = 0) const; + bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const; bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const; bool checkNonceAndReportViolation(NonceDirective*, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const; @@ -843,10 +845,10 @@ PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* pol return directives.release(); } -void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const +void CSPDirectiveList::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const { String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage; - m_policy->reportViolation(directiveText, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, callStack); + m_policy->reportViolation(directiveText, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, state); } bool CSPDirectiveList::checkEval(SourceListDirective* directive) const @@ -883,7 +885,7 @@ SourceListDirective* CSPDirectiveList::operativeDirective(SourceListDirective* d return directive ? directive : m_defaultSrc.get(); } -bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const +bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directive, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const { if (checkEval(directive)) return true; @@ -892,7 +894,7 @@ bool CSPDirectiveList::checkEvalAndReportViolation(SourceListDirective* directiv if (directive == m_defaultSrc) suffix = " Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback."; - reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, callStack); + reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, state); if (!m_reportOnly) { m_policy->reportBlockedScriptExecutionToInspector(directive->text()); return false; @@ -999,11 +1001,11 @@ bool CSPDirectiveList::allowInlineStyle(const String& contextURL, const WTF::Ord checkInline(operativeDirective(m_styleSrc.get())); } -bool CSPDirectiveList::allowEval(PassRefPtr<ScriptCallStack> callStack, ContentSecurityPolicy::ReportingStatus reportingStatus) const +bool CSPDirectiveList::allowEval(ScriptState* state, ContentSecurityPolicy::ReportingStatus reportingStatus) const { DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to evaluate script because it violates the following Content Security Policy directive: "))); return reportingStatus == ContentSecurityPolicy::SendReport ? - checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), callStack) : + checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), state) : checkEval(operativeDirective(m_scriptSrc.get())); } @@ -1304,7 +1306,8 @@ void ContentSecurityPolicy::didReceiveHeader(const String& header, HeaderType ty { if (m_scriptExecutionContext->isDocument()) { Document* document = static_cast<Document*>(m_scriptExecutionContext); - FeatureObserver::observe(document->domWindow(), FeatureObserver::PrefixedContentSecurityPolicy); + if (document->domWindow()) + FeatureObserver::observe(document->domWindow(), FeatureObserver::PrefixedContentSecurityPolicy); } // RFC2616, section 4.2 specifies that headers appearing multiple times can @@ -1345,11 +1348,21 @@ ContentSecurityPolicy::HeaderType ContentSecurityPolicy::deprecatedHeaderType() return m_policies.isEmpty() ? EnforcePolicy : m_policies[0]->headerType(); } -template<bool (CSPDirectiveList::*allowed)(PassRefPtr<ScriptCallStack>, ContentSecurityPolicy::ReportingStatus) const> -bool isAllowedByAllWithCallStack(const CSPDirectiveListVector& policies, PassRefPtr<ScriptCallStack> callStack, ContentSecurityPolicy::ReportingStatus reportingStatus) +template<bool (CSPDirectiveList::*allowed)(ContentSecurityPolicy::ReportingStatus) const> +bool isAllowedByAll(const CSPDirectiveListVector& policies, ContentSecurityPolicy::ReportingStatus reportingStatus) { for (size_t i = 0; i < policies.size(); ++i) { - if (!(policies[i].get()->*allowed)(callStack, reportingStatus)) + if (!(policies[i].get()->*allowed)(reportingStatus)) + return false; + } + return true; +} + +template<bool (CSPDirectiveList::*allowed)(ScriptState* state, ContentSecurityPolicy::ReportingStatus) const> +bool isAllowedByAllWithState(const CSPDirectiveListVector& policies, ScriptState* state, ContentSecurityPolicy::ReportingStatus reportingStatus) +{ + for (size_t i = 0; i < policies.size(); ++i) { + if (!(policies[i].get()->*allowed)(state, reportingStatus)) return false; } return true; @@ -1410,9 +1423,9 @@ bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF return isAllowedByAllWithContext<&CSPDirectiveList::allowInlineStyle>(m_policies, contextURL, contextLine, reportingStatus); } -bool ContentSecurityPolicy::allowEval(PassRefPtr<ScriptCallStack> callStack, ContentSecurityPolicy::ReportingStatus reportingStatus) const +bool ContentSecurityPolicy::allowEval(ScriptState* state, ContentSecurityPolicy::ReportingStatus reportingStatus) const { - return isAllowedByAllWithCallStack<&CSPDirectiveList::allowEval>(m_policies, callStack, reportingStatus); + return isAllowedByAllWithState<&CSPDirectiveList::allowEval>(m_policies, state, reportingStatus); } String ContentSecurityPolicy::evalDisabledErrorMessage() const @@ -1514,9 +1527,9 @@ void ContentSecurityPolicy::enforceSandboxFlags(SandboxFlags mask) const m_scriptExecutionContext->enforceSandboxFlags(mask); } -void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const +void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const { - logToConsole(consoleMessage, contextURL, contextLine, callStack); + logToConsole(consoleMessage, contextURL, contextLine, state); if (reportURIs.isEmpty()) return; @@ -1612,8 +1625,17 @@ void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiv logToConsole(message); } -void ContentSecurityPolicy::logToConsole(const String& message, const String& contextURL, const WTF::OrdinalNumber& contextLine, PassRefPtr<ScriptCallStack> callStack) const +void ContentSecurityPolicy::logToConsole(const String& message, const String& contextURL, const WTF::OrdinalNumber& contextLine, ScriptState* state) const { + RefPtr<ScriptCallStack> callStack; + if (InspectorInstrumentation::consoleAgentEnabled(m_scriptExecutionContext)) { + if (state) + callStack = createScriptCallStackForConsole(state); + else + callStack = createScriptCallStack(ScriptCallStack::maxCallStackSizeToCapture, true); + if (callStack && !callStack->size()) + callStack = 0; + } m_scriptExecutionContext->addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, contextURL, contextLine.oneBasedInt(), callStack); } |