[webkit-reviews] review granted: [Bug 69353] Add support for the CSP connect-src directive : [Attachment 109653] Patch
bugzilla-daemon at webkit.org
Tue Oct 4 11:16:22 PDT 2011
Adam Barth <abarth at webkit.org> has granted Sam Weinig <sam at webkit.org>'s
request for review:
Bug 69353: Add support for the CSP connect-src directive
https://bugs.webkit.org/show_bug.cgi?id=69353
Attachment 109653: Patch
https://bugs.webkit.org/attachment.cgi?id=109653&action=review
------- Additional Comments from Adam Barth <abarth at webkit.org>
View in context: https://bugs.webkit.org/attachment.cgi?id=109653&action=review
This is a good first iteration, but it would be good to do a followup that
handles redirects as well.
> Source/WebCore/page/ContentSecurityPolicy.h:66
> + bool allowConnectFromSource(const KURL&) const;
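Review bot: The new declaration allowConnectFromSource(const KURL&) at ContentSecurityPolicy.h:66 has an unnamed parameter and no comment, so the header does not say which URL is being checked. Judging by the two call sites, which pass fullURL and url, the argument is the URL the page wants to connect to; a one-line comment saying that it is matched against the connect-src source list would make the contract clear to future callers.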
I would have called this "allowConnectToSource"
> Source/WebCore/page/EventSource.cpp:95
> + if (!context->contentSecurityPolicy()->allowConnectFromSource(fullURL))
{
> + // FIXME: Should this be throwing an exception?
> + ec = SECURITY_ERR;
> + return 0;
> + }
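Review bot: The FIXME in the blocked branch at EventSource.cpp:95 leaves the failure mode undecided: the code sets ec = SECURITY_ERR and returns 0 while the comment asks whether an exception is the right outcome at all. Settle that before landing, or point the comment at a tracking bug, and if the patch does not already carry one, add a test for a blocked EventSource URL so that any later change in behaviour is deliberate.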
What about redirects?
> Source/WebCore/xml/XMLHttpRequest.cpp:434
> + if
(!scriptExecutionContext()->contentSecurityPolicy()->allowConnectFromSource(url
)) {
> + // FIXME: Should this be throwing an exception?
> + ec = SECURITY_ERR;
> + return;
> + }
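Review bot: The block at XMLHttpRequest.cpp:434 repeats the EventSource.cpp check, including the same FIXME, so the decision on how a connect-src violation is reported now lives in two call sites. Whatever answer the FIXME gets should be applied to both together; a small shared helper that performs the allowConnectFromSource check and sets ec would keep XMLHttpRequest and EventSource from drifting apart.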
Same question about redirects.