2011-04-06 Adam Barth <abarth@webkit.org>

        Reviewed by Eric Seidel.

        CSP object-src should block plugin loads
        https://bugs.webkit.org/show_bug.cgi?id=57283

        This change is pretty straight-forward.  It's slighly unclear to me
        whether this patch is correct w.r.t. the code in DocumentWriter.  I've
        added a FIXME comment, and I'll investigate that case more in the future.

        Test: http/tests/security/contentSecurityPolicy/object-src-none.html

        * loader/DocumentWriter.cpp:
        (WebCore::DocumentWriter::begin):
        * loader/SubframeLoader.cpp:
        (WebCore::SubframeLoader::requestPlugin):
        * page/ContentSecurityPolicy.cpp:
        (WebCore::ContentSecurityPolicy::allowObjectFromSource):
        (WebCore::ContentSecurityPolicy::addDirective):
        * page/ContentSecurityPolicy.h:
2011-04-06  Adam Barth  <abarth@webkit.org>

        Reviewed by Eric Seidel.

        CSP object-src should block plugin loads
        https://bugs.webkit.org/show_bug.cgi?id=57283

        * http/tests/security/contentSecurityPolicy/object-src-none-expected.txt: Added.
        * http/tests/security/contentSecurityPolicy/object-src-none.html: Added.
        * http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl: Added.


git-svn-id: svn://svn.chromium.org/blink/trunk@83141 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/LayoutTests/ChangeLog

+2011-04-06  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        CSP object-src should block plugin loads
+        https://bugs.webkit.org/show_bug.cgi?id=57283
+
+        * http/tests/security/contentSecurityPolicy/object-src-none-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-none.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl: Added.
+
 2011-04-06  Beth Dakin  <bdakin@apple.com>
 
         Reviewed by Dan Bernstein.

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none-expected.txt

+ALERT: Plugin Loaded!
+  
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-none.html

+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-object-data.pl?q=data:application/x-webkit-test-netscape,alertwhenloaded&csp=object-src%20'none'"></iframe>
+  <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-object-data.pl?q=data:application/x-webkit-test-netscape,alertwhenloaded&csp=img-src%20'none'"></iframe>
+</body>
+</html>

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl

+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+
+my $cgi = new CGI;
+
+print "Content-Type: text/html; charset=UTF-8\n";
+print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+
+print "<!DOCTYPE html>\n";
+print "<html>\n";
+print "<body>\n";
+print "<object data=\"".$cgi->param('q')."\"></object>\n";
+print "</body>\n";
+print "</html>\n";

third_party/WebKit/Source/WebCore/ChangeLog

+2011-04-06  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Eric Seidel.
+
+        CSP object-src should block plugin loads
+        https://bugs.webkit.org/show_bug.cgi?id=57283
+
+        This change is pretty straight-forward.  It's slighly unclear to me
+        whether this patch is correct w.r.t. the code in DocumentWriter.  I've
+        added a FIXME comment, and I'll investigate that case more in the future.
+
+        Test: http/tests/security/contentSecurityPolicy/object-src-none.html
+
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::begin):
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::requestPlugin):
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowObjectFromSource):
+        (WebCore::ContentSecurityPolicy::addDirective):
+        * page/ContentSecurityPolicy.h:
+
 2011-04-06  Beth Dakin  <bdakin@apple.com>
 
         Reviewed by Dan Bernstein.

third_party/WebKit/Source/WebCore/loader/DocumentWriter.cpp

@@ -121,6 +121,8 @@ void DocumentWriter::begin(const KURL& url, bool dispatch, SecurityOrigin* origi
     if (document->isPluginDocument() && m_frame->loader()->isSandboxed(SandboxPlugins))
         document = SinkDocument::create(m_frame, url);
 
+    // FIXME: Do we need to consult the content security policy here about blocked plug-ins?
+
     bool resetScripting = !(m_frame->loader()->stateMachine()->isDisplayingInitialEmptyDocument() && m_frame->document()->securityOrigin()->isSecureTransitionTo(url));
     m_frame->loader()->clear(resetScripting, resetScripting);
     clear();

third_party/WebKit/Source/WebCore/loader/SubframeLoader.cpp

@@ -33,6 +33,7 @@
 #include "config.h"
 #include "SubframeLoader.h"
 
+#include "ContentSecurityPolicy.h"
 #include "Frame.h"
 #include "FrameLoaderClient.h"
 #include "HTMLAppletElement.h"
@@ -109,8 +110,12 @@ bool SubframeLoader::requestPlugin(HTMLPlugInImageElement* ownerElement, const K
         || (!settings->isJavaEnabled() && MIMETypeRegistry::isJavaAppletMIMEType(mimeType)))
         return false;
 
-    if (m_frame->document() && m_frame->document()->securityOrigin()->isSandboxed(SandboxPlugins))
+    if (m_frame->document()) {
+        if (m_frame->document()->securityOrigin()->isSandboxed(SandboxPlugins))
             return false;
+        if (!m_frame->document()->contentSecurityPolicy()->allowObjectFromSource(url))
+            return false;
+    }
 
     ASSERT(ownerElement->hasTagName(objectTag) || ownerElement->hasTagName(embedTag));
     return loadPlugin(ownerElement, url, mimeType, paramNames, paramValues, useFallback);

third_party/WebKit/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -440,6 +440,11 @@ bool ContentSecurityPolicy::allowScriptFromSource(const KURL& url) const
     return !m_scriptSrc || m_scriptSrc->allows(url);
 }
 
+bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url) const
+{
+    return !m_objectSrc || m_objectSrc->allows(url);
+}
+
 // policy            = directive-list
 // directive-list    = [ directive *( ";" [ directive ] ) ]
 //
@@ -514,11 +519,14 @@ bool ContentSecurityPolicy::parseDirective(const UChar* begin, const UChar* end,
 void ContentSecurityPolicy::addDirective(const String& name, const String& value)
 {
     DEFINE_STATIC_LOCAL(String, scriptSrc, ("script-src"));
+    DEFINE_STATIC_LOCAL(String, objectSrc, ("object-src"));
 
     ASSERT(!name.isEmpty());
 
     if (!m_scriptSrc && equalIgnoringCase(name, scriptSrc))
         m_scriptSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
+    else if (!m_objectSrc && equalIgnoringCase(name, objectSrc))
+        m_objectSrc = adoptPtr(new CSPDirective(value, m_origin.get()));
 }
 
 }

third_party/WebKit/Source/WebCore/page/ContentSecurityPolicy.h

@@ -48,6 +48,7 @@ public:
     bool allowJavaScriptURLs() const;
     bool allowInlineEventHandlers() const;
     bool allowScriptFromSource(const KURL&) const;
+    bool allowObjectFromSource(const KURL&) const;
 
 private:
     explicit ContentSecurityPolicy(SecurityOrigin*);
@@ -59,6 +60,7 @@ private:
     bool m_havePolicy;
     RefPtr<SecurityOrigin> m_origin;
     OwnPtr<CSPDirective> m_scriptSrc;
+    OwnPtr<CSPDirective> m_objectSrc;
 };
 
 }