Summary: | Add support for the CSP connect-src directive
---|---
Product: | WebKit
Component: | New Bugs
Status: | RESOLVED FIXED
Severity: | Normal
Priority: | P2
Version: | 528+ (Nightly build)
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Sam Weinig <sam>
Assignee: | Sam Weinig <sam>
CC: | abarth, webkit.review.bot
Description
Sam Weinig
2011-10-04 11:00:56 PDT
Created attachment 109653
Patch
Comment on attachment 109653 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=109653&action=review This is a good first iteration, but it would be good to do a followup that handles redirects as well. > Source/WebCore/page/ContentSecurityPolicy.h:66 > + bool allowConnectFromSource(const KURL&) const; I would have called this "allowConnectToSource" > Source/WebCore/page/EventSource.cpp:95 > + if (!context->contentSecurityPolicy()->allowConnectFromSource(fullURL)) { > + // FIXME: Should this be throwing an exception? > + ec = SECURITY_ERR; > + return 0; > + } What about redirects? > Source/WebCore/xml/XMLHttpRequest.cpp:434 > + if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) { > + // FIXME: Should this be throwing an exception? > + ec = SECURITY_ERR; > + return; > + } Same question about redirects. Committed r96621: <http://trac.webkit.org/changeset/96621> |
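Review bot: The declaration `bool allowConnectFromSource(const KURL&) const;` in ContentSecurityPolicy.h carries no comment saying which directive it enforces or which direction the check runs. connect-src governs the URLs a page may connect to, so a one-line comment naming the directive and stating that the argument is the connection target would make the call sites unambiguous.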
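Review bot: In the EventSource.cpp hunk, `// FIXME: Should this be throwing an exception?` sits directly above `ec = SECURITY_ERR;` and `return 0;`, so the failure behavior for a blocked URL lands undecided. Settle the question before commit, or replace the FIXME with a reference to a tracking bug, and make sure a test pins the behavior chosen when the policy rejects `fullURL`.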
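Review bot: In the XMLHttpRequest.cpp hunk, `scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)` dereferences two returned pointers with no null check in the visible lines. Confirm both are guaranteed non-null at this point, or guard the chain. The block is also identical to the one in EventSource.cpp, FIXME included, so a shared helper would keep the two call sites consistent.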