Bug 69353

Summary: Add support for the CSP connect-src directive
Product: WebKit Reporter: Sam Weinig <sam>
Component: New BugsAssignee: Sam Weinig <sam>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch abarth: review+

Description Sam Weinig 2011-10-04 11:00:56 PDT 
Add support for the CSP connect-src directive
Comment 1 Sam Weinig 2011-10-04 11:09:46 PDT 
Created attachment 109653 [details]
Patch
Comment 2 Adam Barth 2011-10-04 11:16:22 PDT 
Comment on attachment 109653 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=109653&action=review

This is a good first iteration, but it would be good to do a followup that handles redirects as well.

> Source/WebCore/page/ContentSecurityPolicy.h:66
> +    bool allowConnectFromSource(const KURL&) const;

I would have called this "allowConnectToSource"

> Source/WebCore/page/EventSource.cpp:95
> +    if (!context->contentSecurityPolicy()->allowConnectFromSource(fullURL)) {
> +        // FIXME: Should this be throwing an exception?
> +        ec = SECURITY_ERR;
> +        return 0;
> +    }

What about redirects?

> Source/WebCore/xml/XMLHttpRequest.cpp:434
> +    if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) {
> +        // FIXME: Should this be throwing an exception?
> +        ec = SECURITY_ERR;
> +        return;
> +    }

Same question about redirects.
Comment 3 Sam Weinig 2011-10-04 11:29:29 PDT 
Committed r96621: <http://trac.webkit.org/changeset/96621>
Comment 4 Sam Weinig 2011-10-04 17:48:19 PDT 
*** Bug 63636 has been marked as a duplicate of this bug. ***