- Revision: 121936
- Author: commit-qu...@webkit.org
- Date: 2012-07-05 19:50:57 -0700 (Thu, 05 Jul 2012)

Log Message
Multiple Content Security Policy headers are correctly processed as separate headers.
https://bugs.webkit.org/show_bug.cgi?id=90629

Source/WebCore:

Headers of the same name are normalized into a single, comma-separated
string as per RFC2616, section 4.2. We didn't correctly account for this
in ContentSecurityPolicy::didReceiveHeader. Now we do by walking through
the header string, looking for commas and processing each block in turn.

This oversight bit Firefox as well, and was patched in February:
https://bugzilla.mozilla.org/show_bug.cgi?id=717511

Patch by Mike West <mk...@chromium.org> on 2012-07-05
Reviewed by Adam Barth.

Test: http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers.html

* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::didReceiveHeader):

LayoutTests:

Patch by Mike West <mk...@chromium.org> on 2012-07-05
Reviewed by Adam Barth.

* http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers.html: Added.
* http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl: Added.
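
The effect described in the log message, as an added example that is not WebKit's code: a simplified policy model showing that parsing the comma-joined value as one policy lets tokens from the second header widen a directive from the first, while splitting on commas and enforcing every policy keeps the stricter one in force. The grammar is reduced to ';'-separated directives with whitespace-separated sources, and `parsePolicy`, `parseHeader` and `allowsScript` are hypothetical names.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Simplified policy model (assumption): directive name -> source tokens.
using Policy = std::map<std::string, std::set<std::string>>;

// Directives are separated by ';', tokens within a directive by whitespace.
Policy parsePolicy(const std::string& text) {
    Policy policy;
    std::stringstream directives(text);
    std::string directive;
    while (std::getline(directives, directive, ';')) {
        std::istringstream tokens(directive);
        std::string name, source;
        if (!(tokens >> name))
            continue; // empty directive
        std::set<std::string>& sources = policy[name];
        while (tokens >> source)
            sources.insert(source);
    }
    return policy;
}

// splitOnComma=false models the old behaviour: the combined value is one policy.
std::vector<Policy> parseHeader(const std::string& header, bool splitOnComma) {
    std::vector<Policy> policies;
    std::stringstream chunks(header);
    std::string chunk;
    while (std::getline(chunks, chunk, splitOnComma ? ',' : '\0'))
        policies.push_back(parsePolicy(chunk));
    return policies;
}

// A script loads only if every policy allows it (script-src, else default-src).
bool allowsScript(const std::vector<Policy>& policies, const std::string& origin, const std::string& self) {
    for (const Policy& policy : policies) {
        auto it = policy.find("script-src");
        if (it == policy.end())
            it = policy.find("default-src");
        if (it == policy.end())
            continue; // this policy places no restriction on scripts
        const std::set<std::string>& sources = it->second;
        bool selfOk = origin == self && sources.count("'self'") > 0;
        if (!sources.count("*") && !sources.count(origin) && !selfOk)
            return false;
    }
    return true;
}
```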
Diff
Modified: trunk/LayoutTests/ChangeLog (121935 => 121936)
--- trunk/LayoutTests/ChangeLog 2012-07-06 01:55:14 UTC (rev 121935)
+++ trunk/LayoutTests/ChangeLog 2012-07-06 02:50:57 UTC (rev 121936)
@@ -1,3 +1,14 @@
+2012-07-05 Mike West <mk...@chromium.org>
+
+ Multiple Content Security Policy headers are correctly processed as separate headers.
+ https://bugs.webkit.org/show_bug.cgi?id=90629
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers.html: Added.
+ * http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl: Added.
+
2012-07-05 Filip Pizlo <fpi...@apple.com>
Unreviewed, skipping failing tests.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt (0 => 121936)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt 2012-07-06 02:50:57 UTC (rev 121936)
@@ -0,0 +1,12 @@
+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
+
+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "default-src 'self'".
+
+This script should not execute even through the second CSP header would allow it.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
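Review bot: The first expected line, "Unrecognized Content-Security-Policy directive 'allow'", shows that one of the two headers in this test carries a directive the parser rejects, so the only restriction actually enforced is "default-src 'self'". That confirms the combined value is split, but it does not show two valid policies being enforced together. Consider adding a second case in which both headers use recognized directives and the script is refused by the stricter of the two.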
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers.html (0 => 121936)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers.html 2012-07-06 02:50:57 UTC (rev 121936)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+ <p>
+ This script should not execute even through the second CSP header would allow it.
+ </p>
+ <iframe src=""
+</body>
+</html>
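Review bot: Typo in the paragraph text: "even through the second CSP header would allow it" should read "even though". The same sentence is dumped into directive-parsing-multiple-headers-expected.txt, so the two files need to change together.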
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl (0 => 121936)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl 2012-07-06 02:50:57 UTC (rev 121936)
@@ -0,0 +1,22 @@
+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+
+my $cgi = new CGI;
+
+print "Content-Type: text/html; charset=UTF-8\n";
+print "X-WebKit-CSP: ".$cgi->param('csp1')."\n";
+print "X-WebKit-CSP: ".$cgi->param('csp2')."\n\n";
+
+my ($text, $replacement) = ("FAIL", "PASS");
+($text, $replacement) = ($replacement, $text) if $cgi->param('should_run') eq 'no';
+
+print "<!DOCTYPE html>\n";
+print "<html>\n";
+print "<body>\n";
+print "<div id=\"result\" text=\"$replacement\">\n";
+print "$text\n";
+print "</div>\n";
+print "<script src=""
+print "</body>\n";
+print "</html>\n";
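Review bot: The csp1 and csp2 parameters are concatenated into the X-WebKit-CSP lines unmodified, so a value containing CR or LF ends the header block early and the remainder is emitted as body. This is a test-only resource, but removing \r and \n from both values before printing keeps the response well-formed whatever the test URL passes. Separately, $cgi->param('should_run') eq 'no' raises an uninitialized-value warning under -w when the parameter is omitted; defaulting it to an empty string first avoids that.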
Property changes on: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl
___________________________________________________________________
Added: svn:executable
Modified: trunk/Source/WebCore/ChangeLog (121935 => 121936)
--- trunk/Source/WebCore/ChangeLog 2012-07-06 01:55:14 UTC (rev 121935)
+++ trunk/Source/WebCore/ChangeLog 2012-07-06 02:50:57 UTC (rev 121936)
@@ -1,3 +1,23 @@
+2012-07-05 Mike West <mk...@chromium.org>
+
+ Multiple Content Security Policy headers are correctly processed as separate headers.
+ https://bugs.webkit.org/show_bug.cgi?id=90629
+
+ Headers of the same name are normalized into a single, comma-separated
+ string as per RFC2616, section 4.2. We didn't correctly account for this
+ in ContentSecurityPolicy::didReceiveHeader. Now we do by walking through
+ the header string, looking for commas and processing each block in turn.
+
+ This oversight bit Firefox as well, and was patched in February:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=717511
+
+ Reviewed by Adam Barth.
+
+ Test: http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers.html
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::didReceiveHeader):
+
2012-07-05 Sheriff Bot <webkit.review....@gmail.com>
Unreviewed, rolling out r121921.
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (121935 => 121936)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-07-06 01:55:14 UTC (rev 121935)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-07-06 02:50:57 UTC (rev 121936)
@@ -1045,7 +1045,24 @@
void ContentSecurityPolicy::didReceiveHeader(const String& header, HeaderType type)
{
- m_policies.append(CSPDirectiveList::create(m_scriptExecutionContext, header, type));
+ // RFC2616, section 4.2 specifies that headers appearing multiple times can
+ // be combined with a comma. Walk the header string, and parse each comma
+ // separated chunk as a separate header.
+ const UChar* begin = header.characters();
+ const UChar* position = begin;
+ const UChar* end = begin + header.length();
+ while (position < end) {
+ skipUntil(position, end, ',');
+
+ // header1,header2 OR header1
+ // ^ ^
+ m_policies.append(CSPDirectiveList::create(m_scriptExecutionContext, String(begin, position - begin), type));
+
+ // Skip the comma, and begin the next header from the current position.
+ ASSERT(position == end || *position == ',');
+ skipExactly(position, end, ',');
+ begin = position;
+ }
}
void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value)
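Review bot: Empty chunks are not handled explicitly in the while loop. For a value such as "a,,b" the second iteration starts with position already on a comma, so String(begin, position - begin) is empty and an empty CSPDirectiveList is appended to m_policies; conversely, a completely empty header now appends nothing, whereas the removed line always appended one list. Suggest skipping the append when position == begin, or stating in the comment that both cases are intended. Each chunk after the first also keeps whatever whitespace follows the comma, so it is worth confirming that CSPDirectiveList::create tolerates leading whitespace, and noting in the comment that a comma can never be part of a policy value, since every comma is treated as a header boundary here.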