2011-03-26 Adam Barth <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Teach Content Security Policy how to parse source-list
        https://bugs.webkit.org/show_bug.cgi?id=54799

        Test a variety of source-list parsing cases.  There's a bunch more
        cases we could be testing.  We'll add more over time.

        * http/tests/security/contentSecurityPolicy/source-list-parsing-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/source-list-parsing.html: Added.
2011-03-26  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        Teach Content Security Policy how to parse source-list
        https://bugs.webkit.org/show_bug.cgi?id=54799

        This patch is larger than I would like, but I wasn't sure how to make
        it any smaller while still being reasonably testable.  I've left out
        some features (such as host wildcarding and 'self') so I can add them
        in later patches with tests.

        Test: http/tests/security/contentSecurityPolicy/source-list-parsing.html

        * bindings/ScriptControllerBase.cpp:
        * dom/ScriptElement.cpp:
        * html/parser/HTMLDocumentParser.cpp:
        * loader/FrameLoader.cpp:
            - Add include explicitly now that we're not spamming the include
              everywhere.
        * dom/Document.cpp:
        (WebCore::Document::initSecurityContext):
            - We need to pass the SecurityOrigin object to
              ContentSecurityPolicy so that it can resolve implicit parts of
              source patterns, such as the scheme.
        * dom/Document.h:
            - Forward declare ContentSecurityPolicy rather than including the
              header.  Technically this could be a separate change, but I was
              getting annoyed at the world re-builds.
        * page/ContentSecurityPolicy.cpp:
        (WebCore::skipExactly):
        (WebCore::skipUtil):
        (WebCore::skipWhile):
            - Clean up these parser helper functions.  We might consider moving
              them to a more general location.  They're very helpful for
              writing secure HTTP header parsers.
        (WebCore::CSPSource::CSPSource):
            - New class to represent one source in a source-list.
        (WebCore::CSPSource::matches):
        (WebCore::CSPSource::schemeMatches):
        (WebCore::CSPSource::hostMatches):
        (WebCore::CSPSource::portMatches):
        (WebCore::CSPSource::isSchemeOnly):
            - Currently we represent scheme-only sources using with an empty
              m_host.  Another approach I considered was using another bool,
              but that seemed slighly messier.
        (WebCore::CSPSourceList::CSPSourceList):
            - CSPSourceList doesn't need to ref SecurityOrigin because
              CSPSourceList is owned by ContentSecurityPolicy, which holds a
              ref.
        (WebCore::CSPSourceList::parse):
        (WebCore::CSPSourceList::matches):
        (WebCore::CSPSourceList::parseSource):
        (WebCore::CSPSourceList::parseScheme):
        (WebCore::CSPSourceList::parseHost):
        (WebCore::CSPSourceList::parsePort):
            - A basic "segment and recurse" parser.  This parser causes us to
              take more branches than we need, but I don't think we need to
              squeeze every last ouch of performance out of this parser.  This
              approach is more simple than some of the other approaches I
              tried.
        (WebCore::CSPSourceList::addSourceSelf):
        (WebCore::CSPDirective::CSPDirective):
        (WebCore::CSPDirective::allows):
        (WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
        (WebCore::ContentSecurityPolicy::parse):
        (WebCore::ContentSecurityPolicy::parseDirective):
        (WebCore::ContentSecurityPolicy::addDirective):
            - I couldn't resist re-writing this parser to use the helper
              functions and to match the style of the source-list parser.
        * page/ContentSecurityPolicy.h:
        (WebCore::ContentSecurityPolicy::create):
            - Accept a SecurityOrigin context object.

git-svn-id: svn://svn.chromium.org/blink/trunk@82028 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/ChangeLog

+2011-03-26  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Teach Content Security Policy how to parse source-list
+        https://bugs.webkit.org/show_bug.cgi?id=54799
+
+        Test a variety of source-list parsing cases.  There's a bunch more
+        cases we could be testing.  We'll add more over time.
+
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/source-list-parsing.html: Added.
+
 2011-03-26  Dan Bernstein  <mitz@apple.com>
 
         Added platform-specific expected results for a new test.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-expected.txt

+None of these scripts should execute even though there are parse errors in the policy.
+
+                 
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame3-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame4-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame5-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame6-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame7-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame8-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame9-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame10-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame11-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame12-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame13-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame14-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame15-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame16-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame17-->-->'
+--------
+PASS

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing.html

+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+  <p>
+    None of these scripts should execute even though there are parse errors in the policy.
+  </p>
+<script>
+function test(shouldRun, policy) {
+    document.write('<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-script-src.pl?should_run=');
+    document.write(shouldRun);
+    document.write('&q=http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js&csp=');
+    document.write(escape(policy));
+    document.write('"></iframe>\n');
+}
+
+
+test('yes', 'script-src 127.0.0.1:8000');
+test('yes', 'script-src http://127.0.0.1:8000');
+test('no',  'script-src https://127.0.0.1:8000');
+test('no',  'script-src https://127.0.0.1:*');
+test('no',  'script-src https://127.0.0.1:*  ');
+test('no',  'script-src https://127.?.0.1:*');
+test('yes', 'script-src https://127.0.0.1:\t*  ');
+test('yes', 'script-src\thttp://127.0.0.1:8000');
+test('yes', 'script-src http://127.0.0.1:8000   \t ');
+test('yes', 'script-src http://127.0.0.1:* ');
+test('yes', 'script-src http:');
+test('no',  'script-src https:');
+test('no',  'script-src    https:  ');
+test('no',  'script-src    https://');
+test('no',  'script-src https:  taco');
+test('yes', 'script-src https:  \x08');
+test('no',  'script-src \'none\'');
+test('yes', '\t\t\tscript-src    http://127.0.0.1:8000  \t\t  https:');
+
+</script>
+</body>
+</html>

third_party/WebKit/Source/WebCore/ChangeLog

+2011-03-26  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        Teach Content Security Policy how to parse source-list
+        https://bugs.webkit.org/show_bug.cgi?id=54799
+
+        This patch is larger than I would like, but I wasn't sure how to make
+        it any smaller while still being reasonably testable.  I've left out
+        some features (such as host wildcarding and 'self') so I can add them
+        in later patches with tests.
+
+        Test: http/tests/security/contentSecurityPolicy/source-list-parsing.html
+
+        * bindings/ScriptControllerBase.cpp:
+        * dom/ScriptElement.cpp:
+        * html/parser/HTMLDocumentParser.cpp:
+        * loader/FrameLoader.cpp:
+            - Add include explicitly now that we're not spamming the include
+              everywhere.
+        * dom/Document.cpp:
+        (WebCore::Document::initSecurityContext):
+            - We need to pass the SecurityOrigin object to
+              ContentSecurityPolicy so that it can resolve implicit parts of
+              source patterns, such as the scheme.
+        * dom/Document.h:
+            - Forward declare ContentSecurityPolicy rather than including the
+              header.  Technically this could be a separate change, but I was
+              getting annoyed at the world re-builds.
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::skipExactly):
+        (WebCore::skipUtil):
+        (WebCore::skipWhile):
+            - Clean up these parser helper functions.  We might consider moving
+              them to a more general location.  They're very helpful for
+              writing secure HTTP header parsers.
+        (WebCore::CSPSource::CSPSource):
+            - New class to represent one source in a source-list.
+        (WebCore::CSPSource::matches):
+        (WebCore::CSPSource::schemeMatches):
+        (WebCore::CSPSource::hostMatches):
+        (WebCore::CSPSource::portMatches):
+        (WebCore::CSPSource::isSchemeOnly):
+            - Currently we represent scheme-only sources using with an empty
+              m_host.  Another approach I considered was using another bool,
+              but that seemed slighly messier.
+        (WebCore::CSPSourceList::CSPSourceList):
+            - CSPSourceList doesn't need to ref SecurityOrigin because
+              CSPSourceList is owned by ContentSecurityPolicy, which holds a
+              ref.
+        (WebCore::CSPSourceList::parse):
+        (WebCore::CSPSourceList::matches):
+        (WebCore::CSPSourceList::parseSource):
+        (WebCore::CSPSourceList::parseScheme):
+        (WebCore::CSPSourceList::parseHost):
+        (WebCore::CSPSourceList::parsePort):
+            - A basic "segment and recurse" parser.  This parser causes us to
+              take more branches than we need, but I don't think we need to
+              squeeze every last ouch of performance out of this parser.  This
+              approach is more simple than some of the other approaches I
+              tried.
+        (WebCore::CSPSourceList::addSourceSelf):
+        (WebCore::CSPDirective::CSPDirective):
+        (WebCore::CSPDirective::allows):
+        (WebCore::ContentSecurityPolicy::ContentSecurityPolicy):
+        (WebCore::ContentSecurityPolicy::parse):
+        (WebCore::ContentSecurityPolicy::parseDirective):
+        (WebCore::ContentSecurityPolicy::addDirective):
+            - I couldn't resist re-writing this parser to use the helper
+              functions and to match the style of the source-list parser.
+        * page/ContentSecurityPolicy.h:
+        (WebCore::ContentSecurityPolicy::create):
+            - Accept a SecurityOrigin context object.
+
 2011-03-26  Patrick Gansterer  <paroga@webkit.org>
 
         Unreviewed EFL and WinCE build fix for r81977.

third_party/WebKit/Source/WebCore/bindings/ScriptControllerBase.cpp

@@ -21,6 +21,7 @@
 #include "config.h"
 #include "ScriptController.h"
 
+#include "ContentSecurityPolicy.h"
 #include "DocumentLoader.h"
 #include "Frame.h"
 #include "FrameLoaderClient.h"

third_party/WebKit/Source/WebCore/dom/Document.cpp

@@ -42,6 +42,7 @@
 #include "ChromeClient.h"
 #include "Comment.h"
 #include "Console.h"
+#include "ContentSecurityPolicy.h"
 #include "CookieJar.h"
 #include "CustomEvent.h"
 #include "DateComponents.h"
@@ -4500,7 +4501,7 @@ void Document::initSecurityContext()
     // loading URL with a fresh content security policy.
     m_cookieURL = m_url;
     ScriptExecutionContext::setSecurityOrigin(SecurityOrigin::create(m_url, m_frame->loader()->sandboxFlags()));
-    m_contentSecurityPolicy = ContentSecurityPolicy::create();
+    m_contentSecurityPolicy = ContentSecurityPolicy::create(securityOrigin());
 
     if (SecurityOrigin::allowSubstituteDataAccessToLocal()) {
         // If this document was loaded with substituteData, then the document can

third_party/WebKit/Source/WebCore/dom/Document.h

@@ -32,7 +32,6 @@
 #include "CollectionType.h"
 #include "Color.h"
 #include "ContainerNode.h"
-#include "ContentSecurityPolicy.h"
 #include "DOMTimeStamp.h"
 #include "DocumentOrderedMap.h"
 #include "DocumentTiming.h"
@@ -51,19 +50,20 @@
 
 namespace WebCore {
 
-class Attr;
 class AXObjectCache;
+class Attr;
 class CDATASection;
+class CSSPrimitiveValueCache;
+class CSSStyleDeclaration;
+class CSSStyleSelector;
+class CSSStyleSheet;
 class CachedCSSStyleSheet;
 class CachedResourceLoader;
 class CachedScript;
 class CanvasRenderingContext;
 class CharacterData;
-class CSSPrimitiveValueCache;
-class CSSStyleDeclaration;
-class CSSStyleSelector;
-class CSSStyleSheet;
 class Comment;
+class ContentSecurityPolicy;
 class DOMImplementation;
 class DOMSelection;
 class DOMWindow;

third_party/WebKit/Source/WebCore/dom/ScriptElement.cpp

@@ -26,6 +26,7 @@
 
 #include "CachedScript.h"
 #include "CachedResourceLoader.h"
+#include "ContentSecurityPolicy.h"
 #include "Document.h"
 #include "DocumentParser.h"
 #include "Frame.h"

third_party/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp

@@ -26,6 +26,7 @@
 #include "config.h"
 #include "HTMLDocumentParser.h"
 
+#include "ContentSecurityPolicy.h"
 #include "DocumentFragment.h"
 #include "Element.h"
 #include "Frame.h"

third_party/WebKit/Source/WebCore/loader/FrameLoader.cpp

@@ -41,6 +41,7 @@
 #include "CachedPage.h"
 #include "CachedResourceLoader.h"
 #include "Chrome.h"
+#include "ContentSecurityPolicy.h"
 #include "DOMImplementation.h"
 #include "DOMWindow.h"
 #include "Document.h"

third_party/WebKit/Source/WebCore/page/ContentSecurityPolicy.h

@@ -32,10 +32,14 @@
 namespace WebCore {
 
 class CSPDirective;
+class SecurityOrigin;
 
 class ContentSecurityPolicy : public RefCounted<ContentSecurityPolicy> {
 public:
-    static PassRefPtr<ContentSecurityPolicy> create() { return adoptRef(new ContentSecurityPolicy); }
+    static PassRefPtr<ContentSecurityPolicy> create(SecurityOrigin* origin = 0)
+    {
+        return adoptRef(new ContentSecurityPolicy(origin));
+    }
     ~ContentSecurityPolicy();
 
     void didReceiveHeader(const String&);
@@ -45,13 +49,14 @@ public:
     bool canLoadExternalScriptFromSrc(const String& url) const;
 
 private:
-    ContentSecurityPolicy();
+    explicit ContentSecurityPolicy(SecurityOrigin*);
 
     void parse(const String&);
-    bool parseDirective(const UChar*& pos, const UChar* end, Vector<UChar, 32>& name, Vector<UChar, 64>& value);
-    void emitDirective(const String& name, const String& value);
+    bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
+    void addDirective(const String& name, const String& value);
 
     bool m_havePolicy;
+    RefPtr<SecurityOrigin> m_origin;
     OwnPtr<CSPDirective> m_scriptSrc;
 };