Bug 69353 - Add support for the CSP connect-src directive
Summary: Add support for the CSP connect-src directive
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Sam Weinig
URL:
Keywords:
Duplicates: 63636
Depends on:
Blocks:
 
Reported: 2011-10-04 11:00 PDT by Sam Weinig
Modified: 2011-10-04 17:48 PDT

See Also:


Attachments
Patch (17.75 KB, patch)
2011-10-04 11:09 PDT, Sam Weinig
abarth: review+

Description Sam Weinig 2011-10-04 11:00:56 PDT
Add support for the CSP connect-src directive
Comment 1 Sam Weinig 2011-10-04 11:09:46 PDT
Created attachment 109653 [details]
Patch
Comment 2 Adam Barth 2011-10-04 11:16:22 PDT
Comment on attachment 109653 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=109653&action=review

This is a good first iteration, but it would be good to do a followup that handles redirects as well.

> Source/WebCore/page/ContentSecurityPolicy.h:66
> +    bool allowConnectFromSource(const KURL&) const;

I would have called this "allowConnectToSource"

> Source/WebCore/page/EventSource.cpp:95
> +    if (!context->contentSecurityPolicy()->allowConnectFromSource(fullURL)) {
> +        // FIXME: Should this be throwing an exception?
> +        ec = SECURITY_ERR;
> +        return 0;
> +    }
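Review bot: the connect-src check runs once against fullURL before the connection is opened, so a server that redirects the event stream to a host not listed in connect-src is never re-checked; the follow-up should call allowConnectFromSource again on each redirect target, and the FIXME about whether to throw should be settled rather than landed as an open question.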

What about redirects?

> Source/WebCore/xml/XMLHttpRequest.cpp:434
> +    if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) {
> +        // FIXME: Should this be throwing an exception?
> +        ec = SECURITY_ERR;
> +        return;
> +    }
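Review bot: setting ec = SECURITY_ERR makes a connect-src block observable to page script as a synchronous exception, whereas a request that fails at the network layer surfaces asynchronously through the error path; the FIXME on the preceding line should be resolved so both XMLHttpRequest and EventSource report a blocked connection the same way, and as with EventSource the url checked here is only the initial one, so redirects need the same check.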

Same question about redirects.
Comment 3 Sam Weinig 2011-10-04 11:29:29 PDT
Committed r96621: <http://trac.webkit.org/changeset/96621>
Comment 4 Sam Weinig 2011-10-04 17:48:19 PDT
*** Bug 63636 has been marked as a duplicate of this bug. ***