Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(2)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: Source/core/dom/Document.cpp

Issue 1318153009: CSP: Loosen restrictions on inline style and event attributes. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Created 5 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js ('k') | Source/core/dom/Element.cpp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org) 2 * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
3 * (C) 1999 Antti Koivisto (koivisto@kde.org) 3 * (C) 1999 Antti Koivisto (koivisto@kde.org)
4 * (C) 2001 Dirk Mueller (mueller@kde.org) 4 * (C) 2001 Dirk Mueller (mueller@kde.org)
5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org) 5 * (C) 2006 Alexey Proskuryakov (ap@webkit.org)
6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All r ights reserved. 6 * Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2011, 2012 Apple Inc. All r ights reserved.
7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/) 7 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.t orchmobile.com/)
8 * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved. 8 * Copyright (C) 2008, 2009, 2011, 2012 Google Inc. All rights reserved.
9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies) 9 * Copyright (C) 2010 Nokia Corporation and/or its subsidiary(-ies)
10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved. 10 * Copyright (C) Research In Motion Limited 2010-2011. All rights reserved.
(...skipping 4756 matching lines...) Expand 10 before | Expand all | Expand 10 after
4767 // Per CSP2, plugin-types for plugin documents in nested browsing 4767 // Per CSP2, plugin-types for plugin documents in nested browsing
4768 // contexts gets inherited from the parent. 4768 // contexts gets inherited from the parent.
4769 contentSecurityPolicy()->copyPluginTypesFrom(parentCSP); 4769 contentSecurityPolicy()->copyPluginTypesFrom(parentCSP);
4770 } 4770 }
4771 } 4771 }
4772 contentSecurityPolicy()->bindToExecutionContext(this); 4772 contentSecurityPolicy()->bindToExecutionContext(this);
4773 } 4773 }
4774 4774
4775 bool Document::allowInlineEventHandlers(Node* node, EventListener* listener, con st String& contextURL, const WTF::OrdinalNumber& contextLine) 4775 bool Document::allowInlineEventHandlers(Node* node, EventListener* listener, con st String& contextURL, const WTF::OrdinalNumber& contextLine)
4776 { 4776 {
4777 if (!contentSecurityPolicy()->allowInlineEventHandlers(contextURL, contextLi ne)) 4777 if (!ContentSecurityPolicy::shouldBypassMainWorld(this) && !contentSecurityP olicy()->allowInlineEventHandlers(contextURL, contextLine))
4778 return false; 4778 return false;
4779 4779
4780 // HTML says that inline script needs browsing context to create its executi on environment. 4780 // HTML says that inline script needs browsing context to create its executi on environment.
4781 // http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.ht ml#event-handler-attributes 4781 // http://www.whatwg.org/specs/web-apps/current-work/multipage/webappapis.ht ml#event-handler-attributes
4782 // Also, if the listening node came from other document, which happens on co ntext-less event dispatching, 4782 // Also, if the listening node came from other document, which happens on co ntext-less event dispatching,
4783 // we also need to ask the owner document of the node. 4783 // we also need to ask the owner document of the node.
4784 LocalFrame* frame = executingFrame(); 4784 LocalFrame* frame = executingFrame();
4785 if (!frame) 4785 if (!frame)
4786 return false; 4786 return false;
4787 if (!frame->script().canExecuteScripts(NotAboutToExecuteScript)) 4787 if (!frame->script().canExecuteScripts(NotAboutToExecuteScript))
(...skipping 933 matching lines...) Expand 10 before | Expand all | Expand 10 after
5721 #ifndef NDEBUG 5721 #ifndef NDEBUG
5722 using namespace blink; 5722 using namespace blink;
5723 void showLiveDocumentInstances() 5723 void showLiveDocumentInstances()
5724 { 5724 {
5725 Document::WeakDocumentSet& set = Document::liveDocumentSet(); 5725 Document::WeakDocumentSet& set = Document::liveDocumentSet();
5726 fprintf(stderr, "There are %u documents currently alive:\n", set.size()); 5726 fprintf(stderr, "There are %u documents currently alive:\n", set.size());
5727 for (Document* document : set) 5727 for (Document* document : set)
5728 fprintf(stderr, "- Document %p URL: %s\n", document, document->url().str ing().utf8().data()); 5728 fprintf(stderr, "- Document %p URL: %s\n", document, document->url().str ing().utf8().data());
5729 } 5729 }
5730 #endif 5730 #endif
OLDNEW
« no previous file with comments | « LayoutTests/http/tests/security/isolatedWorld/resources/bypass-main-world-csp-for-inline-style.js ('k') | Source/core/dom/Element.cpp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698