2011-04-06 Adam Barth <abarth@webkit.org>

Reviewed by Eric Seidel. CSP object-src should block plugin loads https://bugs.webkit.org/show_bug.cgi?id=57283 This change is pretty straight-forward. It's slighly unclear to me whether this patch is correct w.r.t. the code in DocumentWriter. I've added a FIXME comment, and I'll investigate that case more in the future. Test: http/tests/security/contentSecurityPolicy/object-src-none.html * loader/DocumentWriter.cpp: (WebCore::DocumentWriter::begin): * loader/SubframeLoader.cpp: (WebCore::SubframeLoader::requestPlugin): * page/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::allowObjectFromSource): (WebCore::ContentSecurityPolicy::addDirective): * page/ContentSecurityPolicy.h: 2011-04-06 Adam Barth <abarth@webkit.org> Reviewed by Eric Seidel. CSP object-src should block plugin loads https://bugs.webkit.org/show_bug.cgi?id=57283 * http/tests/security/contentSecurityPolicy/object-src-none-expected.txt: Added. * http/tests/security/contentSecurityPolicy/object-src-none.html: Added. * http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl: Added. git-svn-id: svn://svn.chromium.org/blink/trunk@83141 bbb929c8-8fbe-4397-9dbb-9b2b20218538

2011-04-06 Adam Barth <abarth@webkit.org>
Reviewed by Eric Seidel. CSP object-src should block plugin loads https://bugs.webkit.org/show_bug.cgi?id=57283 This change is pretty straight-forward. It's slighly unclear to me whether this patch is correct w.r.t. the code in DocumentWriter. I've added a FIXME comment, and I'll investigate that case more in the future. Test: http/tests/security/contentSecurityPolicy/object-src-none.html * loader/DocumentWriter.cpp: (WebCore::DocumentWriter::begin): * loader/SubframeLoader.cpp: (WebCore::SubframeLoader::requestPlugin): * page/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::allowObjectFromSource): (WebCore::ContentSecurityPolicy::addDirective): * page/ContentSecurityPolicy.h: 2011-04-06 Adam Barth <abarth@webkit.org> Reviewed by Eric Seidel. CSP object-src should block plugin loads https://bugs.webkit.org/show_bug.cgi?id=57283 * http/tests/security/contentSecurityPolicy/object-src-none-expected.txt: Added. * http/tests/security/contentSecurityPolicy/object-src-none.html: Added. * http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl: Added. git-svn-id: svn://svn.chromium.org/blink/trunk@83141 bbb929c8-8fbe-4397-9dbb-9b2b20218538
463f252b · abarth@webkit.org · 4ac73696 · 463f252b · 463f252b · 463f252b
Commit 463f252b authored Apr 07, 2011 by abarth@webkit.org
9 changed files
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
+2011-04-06  Adam Barth  <abarth@webkit.org>
+        Reviewed by Eric Seidel.
+        CSP object-src should block plugin loads
+        https://bugs.webkit.org/show_bug.cgi?id=57283
+        * http/tests/security/contentSecurityPolicy/object-src-none-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-none.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl: Added.
 2011-04-06  Beth Dakin  <bdakin@apple.com>
        Reviewed by Dan Bernstein.
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-expected.txt
+ALERT: Plugin Loaded!
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none.html
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-object-data.pl?q=data:application/x-webkit-test-netscape,alertwhenloaded&csp=object-src%20'none'"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-object-data.pl?q=data:application/x-webkit-test-netscape,alertwhenloaded&csp=img-src%20'none'"></iframe>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl
+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+my $cgi = new CGI;
+print "Content-Type: text/html; charset=UTF-8\n";
+print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+print "<!DOCTYPE html>\n";
+print "<html>\n";
+print "<body>\n";
+print "<object data=\"".$cgi->param('q')."\"></object>\n";
+print "</body>\n";
+print "</html>\n";
--- a/third_party/WebKit/Source/WebCore/ChangeLog
+++ b/third_party/WebKit/Source/WebCore/ChangeLog
+2011-04-06  Adam Barth  <abarth@webkit.org>
+        Reviewed by Eric Seidel.
+        CSP object-src should block plugin loads
+        https://bugs.webkit.org/show_bug.cgi?id=57283
+        This change is pretty straight-forward.  It's slighly unclear to me
+        whether this patch is correct w.r.t. the code in DocumentWriter.  I've
+        added a FIXME comment, and I'll investigate that case more in the future.
+        Test: http/tests/security/contentSecurityPolicy/object-src-none.html
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::begin):
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::requestPlugin):
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowObjectFromSource):
+        (WebCore::ContentSecurityPolicy::addDirective):
+        * page/ContentSecurityPolicy.h:
 2011-04-06  Beth Dakin  <bdakin@apple.com>
        Reviewed by Dan Bernstein.
--- a/third_party/WebKit/Source/WebCore/loader/DocumentWriter.cpp
+++ b/third_party/WebKit/Source/WebCore/loader/DocumentWriter.cpp
@@ -121,6 +121,8 @@ void DocumentWriter::begin(const KURL& url, bool dispatch, SecurityOrigin* origi
    if (document->isPluginDocument() && m_frame->loader()->isSandboxed(SandboxPlugins))
        document = SinkDocument::create(m_frame, url);
+    // FIXME: Do we need to consult the content security policy here about blocked plug-ins?
    bool resetScripting = !(m_frame->loader()->stateMachine()->isDisplayingInitialEmptyDocument() && m_frame->document()->securityOrigin()->isSecureTransitionTo(url));
    m_frame->loader()->clear(resetScripting, resetScripting);
    clear();

--- a/third_party/WebKit/Source/WebCore/loader/SubframeLoader.cpp
+++ b/third_party/WebKit/Source/WebCore/loader/SubframeLoader.cpp
@@ -33,6 +33,7 @@
 #include "config.h"
 #include "SubframeLoader.h"
+#include "ContentSecurityPolicy.h"
 #include "Frame.h"
 #include "FrameLoaderClient.h"
 #include "HTMLAppletElement.h"
@@ -109,8 +110,12 @@ bool SubframeLoader::requestPlugin(HTMLPlugInImageElement* ownerElement, const K
        || (!settings->isJavaEnabled() && MIMETypeRegistry::isJavaAppletMIMEType(mimeType)))
        return false;
-    if (m_frame->document() && m_frame->document()->securityOrigin()->isSandboxed(SandboxPlugins))
+    if (m_frame->document()) {
-        return false;
+        if (m_frame->document()->securityOrigin()->isSandboxed(SandboxPlugins))
+            return false;
+        if (!m_frame->document()->contentSecurityPolicy()->allowObjectFromSource(url))
+            return false;
+    }
    ASSERT(ownerElement->hasTagName(objectTag) || ownerElement->hasTagName(embedTag));
    return loadPlugin(ownerElement, url, mimeType, paramNames, paramValues, useFallback);

--- a/third_party/WebKit/Source/WebCore/page/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/WebCore/page/ContentSecurityPolicy.cpp
@@ -440,6 +440,11 @@ bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const
    return !m_scriptSrc || m_scriptSrc->allows(url);
 }
+bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const
+{
+    return !m_objectSrc || m_objectSrc->allows(url);
+}
 // policy            = directive-list
 // directive-list    = [ directive *( ";" [ directive ] ) ]
 //
@@ -514,11 +519,14 @@ bool ContentSecurityPolicy::parseDirective(const UChar* begin, const UChar* end,
 void ContentSecurityPolicy::addDirective(const String& name, const String& value)
 {
    DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
+    DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src"));
    ASSERT(!name.isEmpty());
    if (!m_scriptSrc && equalIgnoringCase(name, scriptSrc))
        m_scriptSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
+    else if (!m_objectSrc && equalIgnoringCase(name, objectSrc))
+        m_objectSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
 }
 }
--- a/third_party/WebKit/Source/WebCore/page/ContentSecurityPolicy.h
+++ b/third_party/WebKit/Source/WebCore/page/ContentSecurityPolicy.h
@@ -48,6 +48,7 @@ public:
    bool allowJavaScriptURLs() const;
    bool allowInlineEventHandlers() const;
    bool allowScriptFromSource(const KURL&) const;
+    bool allowObjectFromSource(const KURL&) const;
 private:
    explicit ContentSecurityPolicy(SecurityOrigin*);
@@ -59,6 +60,7 @@ private:
    bool m_havePolicy;
    RefPtr<SecurityOrigin> m_origin;
    OwnPtr<CSPDirective> m_scriptSrc;
+    OwnPtr<CSPDirective> m_objectSrc;
 };
 }