OPTION(DPL_LOG "DPL logs status" ON)
OPTION(WITH_TESTS "Build tests" OFF)
-
+#enable csp policy support
+OPTION(CSP_SUPPORT "Support for csp policy" ON)
+IF(CSP_SUPPORT)
+ ADD_DEFINITIONS("-DCSP_ENABLED")
+ENDIF(CSP_SUPPORT)
# logs can be only enabled in debug mode
IF(CMAKE_BUILD_TYPE MATCHES "Profiling" AND DPL_LOG)
MESSAGE(STATUS "Logging disabled for DPL")
#include <popup-runner/PopupInvoker.h>
#include "ewk_context_manager.h"
+#include "webkit_csp_support_mock.h"
+
namespace { //Anonymous
const std::string ACCESS_DENIED = _("IDS_BR_POP_ACCESS_DENIED");
const std::string ALREADY_RUNNING = _("IDS_BR_POP_ALREADY_RUNNING");
m_ewkContextManager =
EwkContextManager::create(appId, ewkContext, m_view);
} else {
- if (ewkContext &&
- ewkContext != m_ewkContextManager->getEwkContext())
+ if (ewkContext &&
+ ewkContext != m_ewkContextManager->getEwkContext())
{
m_ewkContextManager =
EwkContextManager::create(appId, ewkContext, m_view);
return false;
}
+#ifdef CSP_ENABLED
+ LogInfo("Setting CSP default policy");
+ // setting CSP policy rules
+ WKStringRef defaultPolicy = WKStringCreateWithUTF8CString("default-src ‘self’;");
+ CSP_Rules rule; // = new CSP_Rules;
+ rule.default_src = OVERWRITE;
+ rule.other_src = OVERWRITE;
+ rule.sandbox = OVERWRITE;
+ //trusted apps allow unsafe directives
+ rule.allow_unsafe = true;
+
+ if (0 != apply_csp(ewkContext, defaultPolicy, &rule, NULL))
+ LogWarning("Failed to apply default csp policy");
+
+ DPL::OptionalString policy = m_widgetModel->CspPolicy.Get();
+
+ if (!(policy.IsNull()))
+ {
+ WrtDB::WidgetDAOReadOnly dao(m_widgetModel->TizenId);
+ bool trusted = dao.isTrusted();
+
+ LogDebug("CSP policy present in manifest: " << *policy);
+ LogDebug("Widget trusted: " << trusted);
+
+ //config file policy
+ CSP_Rules manifest_rule;
+ manifest_rule.default_src = trusted ? OVERWRITE : IGNORE;
+ manifest_rule.other_src = SUM;
+ manifest_rule.sandbox = SUM;
+ //trusted apps allow unsafe directives
+ manifest_rule.allow_unsafe = trusted;
+
+ //merging algorithm for http/meta policy
+ CSP_Rules http_rule;
+ http_rule.default_src = INTERSECTION;
+ http_rule.other_src = INTERSECTION;
+ http_rule.sandbox = INTERSECTION;
+ //trusted apps allow unsafe directives
+ http_rule.allow_unsafe = trusted;
+
+ LogDebug("Setting manifest and http/meta policy");
+ if (0 != apply_csp(
+ ewkContext,
+ WKStringCreateWithUTF8CString(DPL::ToUTF8String(*policy).c_str()),
+ &manifest_rule,
+ &http_rule))
+ {
+ LogWarning("Failed to set manifest csp policy");
+ }
+ } else {
+ LogDebug("Config CSP policy is not present");
+ }
+ LogInfo("CSP set.");
+#endif
ADD_PROFILING_POINT("view_logic_init", "start");
Ewk_Context* context = m_ewkContextManager->getEwkContext();
--- /dev/null
+/*
+ * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * @file webkit_csp_support_mock.h
+ * @author Andrzej Surdej (a.surdej@samsung.com)
+ * @brief Mock file for webkit csp api. File will be removed.
+ */
+
+#ifndef WRT_SRC_API_NEW_WEBKIT_CSP_SUPPORT_H
+#define WRT_SRC_API_NEW_WEBKIT_CSP_SUPPORT_H
+
+#include <EWebKit2.h>
+#include <dpl/log/log.h>
+#include <WebKit2/WKString.h>
+
+enum Algorithm {
+ INTERSECTION = 0, // only entries existing in both directives are used
+ SUM, // a sum of both directives is used
+ OVERWRITE, // applied directive overwrites existing one
+ IGNORE // ignore provided policy
+};
+
+typedef struct _CSP_Rules{
+ Algorithm default_src; //algorithm used to combine default-src
+ Algorithm other_src; //algorithm used to merge rest of policy
+ Algorithm sandbox; //algorithm used to merge sandbox policy
+ bool allow_unsafe; //are unsafe directives alloved
+}CSP_Rules;
+
+/*
+ * The function is used to parse and merge given policy with existing one. The lifetime * of such policy is equal to the lifetime of the context. For report-uri the latest
+ * existing directive is used. It also used to set http/meta csp combining algorithm.
+ * @param context – the context for which the policy is applied
+ * @param policy – applied policy in form of a string
+ * @param CSP_Rules *local – defines CSP apply rules to combine default or manifest
+ * defined policy
+ * @param CSP_Rules *http_meta– defines CSP apply rules to combine http header csp
+ * poicy. If NULL provided use default algorithm - INTERSECTION.
+ * @return – error code returned if policy is malformed or some other argument is
+ * invalid
+ *
+ */
+int apply_csp(Ewk_Context* context, WKStringRef policy, CSP_Rules *local, CSP_Rules *http_meta)
+{
+ LogDebug("Setting csp policy");
+ return 0;
+}
+
+#endif /* WRT_SRC_API_NEW_WEBKIT_CSP_SUPPORT_H */
+
&WidgetDAOReadOnly::getTizenPkgId>::Get),
Type(this, &BindToWidgetDAO<WidgetType,
&WidgetDAOReadOnly::getWidgetType>::Get),
+ CspPolicy(this, &BindToWidgetDAO<DPL::OptionalString,
+ &WidgetDAOReadOnly::getCspPolicy>::Get),
ActualSize(this),
PreferredSize(this,
&BindToWidgetDAO<WidgetSize,
DPL::Event::Property<OptionalWidgetIcon> Icon;
/**
+ * @brief Config file based csp policy
+ */
+ DPL::Event::Property<DPL::OptionalString,
+ DPL::Event::PropertyReadOnly,
+ DPL::Event::PropertyStorageDynamicCached> CspPolicy;
+
+ /**
* @brief Widget splash image src
*/
DPL::Event::Property<DPL::OptionalString,