Bug 69353 - Add support for the CSP connect-src directive
Summary: Add support for the CSP connect-src directive
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Sam Weinig
URL:
Keywords:
: 63636 (view as bug list)
Depends on:
Blocks:
 
Reported: 2011-10-04 11:00 PDT by Sam Weinig
Modified: 2011-10-04 17:48 PDT (History)
2 users (show)

See Also:

Attachments
Patch (17.75 KB, patch)
2011-10-04 11:09 PDT, Sam Weinig 		abarth: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam Weinig 2011-10-04 11:00:56 PDT 
Add support for the CSP connect-src directive
Comment 1 Sam Weinig 2011-10-04 11:09:46 PDT 
Created attachment 109653 [details]
Patch
Comment 2 Adam Barth 2011-10-04 11:16:22 PDT 
Comment on attachment 109653 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=109653&action=review

This is a good first iteration, but it would be good to do a followup that handles redirects as well.

> Source/WebCore/page/ContentSecurityPolicy.h:66
> +    bool allowConnectFromSource(const KURL&) const;

I would have called this "allowConnectToSource"

> Source/WebCore/page/EventSource.cpp:95
> +    if (!context->contentSecurityPolicy()->allowConnectFromSource(fullURL)) {
> +        // FIXME: Should this be throwing an exception?
> +        ec = SECURITY_ERR;
> +        return 0;
> +    }

What about redirects?

> Source/WebCore/xml/XMLHttpRequest.cpp:434
> +    if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url)) {
> +        // FIXME: Should this be throwing an exception?
> +        ec = SECURITY_ERR;
> +        return;
> +    }

Same question about redirects.
Comment 3 Sam Weinig 2011-10-04 11:29:29 PDT 
Committed r96621: <http://trac.webkit.org/changeset/96621>
Comment 4 Sam Weinig 2011-10-04 17:48:19 PDT 
*** Bug 63636 has been marked as a duplicate of this bug. ***