From fca5c35b393293a50cd5ee247aa2f6649fb2c177 Mon Sep 17 00:00:00 2001 From: Andrzej Surdej Date: Thu, 7 Feb 2013 12:46:51 +0100 Subject: [PATCH] Prepare wrt to handle csp policy rules. [Issue#] LINUXWRT-131 [Problem] Pass csp policy and combining rules to webkit [Cause] N/A [Solution] Prepared mock file to pretend webkit API and use it. [Verification] To verify build repo and install and run csp_ok.wgt placed in misc test widget. Check if any log regarding policy appears and if policy is the same as in config.xml Change-Id: I34ed708f2c476ae1f33e8d4cda574ba9682e080b --- CMakeLists.txt | 6 +++- src/api_new/runnable_widget_object.cpp | 60 ++++++++++++++++++++++++++++++-- src/api_new/webkit_csp_support_mock.h | 63 ++++++++++++++++++++++++++++++++++ src/domain/widget_model.cpp | 2 ++ src/domain/widget_model.h | 7 ++++ 5 files changed, 135 insertions(+), 3 deletions(-) create mode 100644 src/api_new/webkit_csp_support_mock.h diff --git a/CMakeLists.txt b/CMakeLists.txt index 80d7176..effa699 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -42,7 +42,11 @@ ENDIF(NOT CMAKE_BUILD_TYPE) OPTION(DPL_LOG "DPL logs status" ON) OPTION(WITH_TESTS "Build tests" OFF) - +#enable csp policy support +OPTION(CSP_SUPPORT "Support for csp policy" ON) +IF(CSP_SUPPORT) + ADD_DEFINITIONS("-DCSP_ENABLED") +ENDIF(CSP_SUPPORT) # logs can be only enabled in debug mode IF(CMAKE_BUILD_TYPE MATCHES "Profiling" AND DPL_LOG) MESSAGE(STATUS "Logging disabled for DPL") diff --git a/src/api_new/runnable_widget_object.cpp b/src/api_new/runnable_widget_object.cpp index 44c23fe..7aa0414 100644 --- a/src/api_new/runnable_widget_object.cpp +++ b/src/api_new/runnable_widget_object.cpp @@ -35,6 +35,8 @@ #include #include "ewk_context_manager.h" +#include "webkit_csp_support_mock.h" + namespace { //Anonymous const std::string ACCESS_DENIED = _("IDS_BR_POP_ACCESS_DENIED"); const std::string ALREADY_RUNNING = _("IDS_BR_POP_ALREADY_RUNNING"); @@ -117,8 +119,8 @@ bool RunnableWidgetObject::PrepareView(const std::string &startUrl, m_ewkContextManager = EwkContextManager::create(appId, ewkContext, m_view); } else { - if (ewkContext && - ewkContext != m_ewkContextManager->getEwkContext()) + if (ewkContext && + ewkContext != m_ewkContextManager->getEwkContext()) { m_ewkContextManager = EwkContextManager::create(appId, ewkContext, m_view); @@ -129,6 +131,60 @@ bool RunnableWidgetObject::PrepareView(const std::string &startUrl, return false; } +#ifdef CSP_ENABLED + LogInfo("Setting CSP default policy"); + // setting CSP policy rules + WKStringRef defaultPolicy = WKStringCreateWithUTF8CString("default-src ‘self’;"); + CSP_Rules rule; // = new CSP_Rules; + rule.default_src = OVERWRITE; + rule.other_src = OVERWRITE; + rule.sandbox = OVERWRITE; + //trusted apps allow unsafe directives + rule.allow_unsafe = true; + + if (0 != apply_csp(ewkContext, defaultPolicy, &rule, NULL)) + LogWarning("Failed to apply default csp policy"); + + DPL::OptionalString policy = m_widgetModel->CspPolicy.Get(); + + if (!(policy.IsNull())) + { + WrtDB::WidgetDAOReadOnly dao(m_widgetModel->TizenId); + bool trusted = dao.isTrusted(); + + LogDebug("CSP policy present in manifest: " << *policy); + LogDebug("Widget trusted: " << trusted); + + //config file policy + CSP_Rules manifest_rule; + manifest_rule.default_src = trusted ? OVERWRITE : IGNORE; + manifest_rule.other_src = SUM; + manifest_rule.sandbox = SUM; + //trusted apps allow unsafe directives + manifest_rule.allow_unsafe = trusted; + + //merging algorithm for http/meta policy + CSP_Rules http_rule; + http_rule.default_src = INTERSECTION; + http_rule.other_src = INTERSECTION; + http_rule.sandbox = INTERSECTION; + //trusted apps allow unsafe directives + http_rule.allow_unsafe = trusted; + + LogDebug("Setting manifest and http/meta policy"); + if (0 != apply_csp( + ewkContext, + WKStringCreateWithUTF8CString(DPL::ToUTF8String(*policy).c_str()), + &manifest_rule, + &http_rule)) + { + LogWarning("Failed to set manifest csp policy"); + } + } else { + LogDebug("Config CSP policy is not present"); + } + LogInfo("CSP set."); +#endif ADD_PROFILING_POINT("view_logic_init", "start"); Ewk_Context* context = m_ewkContextManager->getEwkContext(); diff --git a/src/api_new/webkit_csp_support_mock.h b/src/api_new/webkit_csp_support_mock.h new file mode 100644 index 0000000..cdd4d9b --- /dev/null +++ b/src/api_new/webkit_csp_support_mock.h @@ -0,0 +1,63 @@ +/* + * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file webkit_csp_support_mock.h + * @author Andrzej Surdej (a.surdej@samsung.com) + * @brief Mock file for webkit csp api. File will be removed. + */ + +#ifndef WRT_SRC_API_NEW_WEBKIT_CSP_SUPPORT_H +#define WRT_SRC_API_NEW_WEBKIT_CSP_SUPPORT_H + +#include +#include +#include + +enum Algorithm { + INTERSECTION = 0, // only entries existing in both directives are used + SUM, // a sum of both directives is used + OVERWRITE, // applied directive overwrites existing one + IGNORE // ignore provided policy +}; + +typedef struct _CSP_Rules{ + Algorithm default_src; //algorithm used to combine default-src + Algorithm other_src; //algorithm used to merge rest of policy + Algorithm sandbox; //algorithm used to merge sandbox policy + bool allow_unsafe; //are unsafe directives alloved +}CSP_Rules; + +/* + * The function is used to parse and merge given policy with existing one. The lifetime * of such policy is equal to the lifetime of the context. For report-uri the latest + * existing directive is used. It also used to set http/meta csp combining algorithm. + * @param context – the context for which the policy is applied + * @param policy – applied policy in form of a string + * @param CSP_Rules *local – defines CSP apply rules to combine default or manifest + * defined policy + * @param CSP_Rules *http_meta– defines CSP apply rules to combine http header csp + * poicy. If NULL provided use default algorithm - INTERSECTION. + * @return – error code returned if policy is malformed or some other argument is + * invalid + * + */ +int apply_csp(Ewk_Context* context, WKStringRef policy, CSP_Rules *local, CSP_Rules *http_meta) +{ + LogDebug("Setting csp policy"); + return 0; +} + +#endif /* WRT_SRC_API_NEW_WEBKIT_CSP_SUPPORT_H */ + diff --git a/src/domain/widget_model.cpp b/src/domain/widget_model.cpp index 2cadbce..ba92b4c 100644 --- a/src/domain/widget_model.cpp +++ b/src/domain/widget_model.cpp @@ -55,6 +55,8 @@ WidgetModel::WidgetModel(const std::string &tizenId) : &WidgetDAOReadOnly::getTizenPkgId>::Get), Type(this, &BindToWidgetDAO::Get), + CspPolicy(this, &BindToWidgetDAO::Get), ActualSize(this), PreferredSize(this, &BindToWidgetDAO Icon; /** + * @brief Config file based csp policy + */ + DPL::Event::Property CspPolicy; + + /** * @brief Widget splash image src */ DPL::Event::Property