Diff
Modified: trunk/LayoutTests/ChangeLog (186662 => 186663)
--- trunk/LayoutTests/ChangeLog 2015-07-10 03:45:10 UTC (rev 186662)
+++ trunk/LayoutTests/ChangeLog 2015-07-10 05:10:18 UTC (rev 186663)
@@ -1,3 +1,32 @@
+2015-07-09 Daniel Bates <daba...@apple.com>
+
+ Fetching Content Security Policy report URL should respect same origin policy
+ https://bugs.webkit.org/show_bug.cgi?id=146754
+ <rdar://problem/18860259>
+
+ Reviewed by Brady Eidson.
+
+ Inspired by Blink r149791 (by Mike West <mk...@chromium.org>):
+ <https://src.chromium.org/viewvc/blink?revision=149791&view=revision>
+
+ Added additional tests for private browsing mode.
+
+ * http/tests/cookies/resources/setCookies.cgi:
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html: Added.
+ * http/tests/security/contentSecurityPolicy/resources/save-report.php:
+ * platform/wk2/TestExpectations: Skip private browsing mode tests in WebKit2 until we fix <https://bugs.webkit.org/show_bug.cgi?id=115274>.
+
2015-07-09 Wenson Hsieh <whs...@berkeley.edu>
Rubber banding is broken when using a Mighty Mouse
Modified: trunk/LayoutTests/http/tests/cookies/resources/setCookies.cgi (186662 => 186663)
--- trunk/LayoutTests/http/tests/cookies/resources/setCookies.cgi 2015-07-10 03:45:10 UTC (rev 186662)
+++ trunk/LayoutTests/http/tests/cookies/resources/setCookies.cgi 2015-07-10 05:10:18 UTC (rev 186663)
@@ -2,6 +2,8 @@
use strict;
print "Content-Type: text/plain\n";
+print "Access-Control-Allow-Origin: *\n";
+print "Access-Control-Allow-Headers: SET-COOKIE\n";
print "Cache-Control: no-store\n";
print 'Cache-Control: no-cache="set-cookie"' . "\n";
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-expected.txt 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,8 @@
+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.html
+REQUEST_METHOD: POST
+=== POST DATA =""
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled-expected.txt 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,6 @@
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html
+REQUEST_METHOD: POST
+=== POST DATA =""
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php">
+</head>
+<body>
+<script>
+ if (window.testRunner)
+ testRunner.setPrivateBrowsingEnabled(true);
+
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "http://localhost:8080/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled-expected.txt 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,6 @@
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html
+REQUEST_METHOD: POST
+=== POST DATA =""
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php">
+</head>
+<body>
+<script>
+ // Normal browsing mode
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "http://localhost:8080/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+
+ if (window.testRunner)
+ testRunner.setPrivateBrowsingEnabled(true);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri http://localhost:8080/security/contentSecurityPolicy/resources/save-report.php">
+</head>
+<body>
+<script>
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "http://localhost:8080/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled-expected.txt 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,6 @@
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html
+REQUEST_METHOD: POST
+=== POST DATA =""
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php">
+</head>
+<body>
+<script>
+ // Normal browsing mode
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+
+ if (window.testRunner)
+ testRunner.setPrivateBrowsingEnabled(true);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-expected.txt 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,9 @@
+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_COOKIE: hello=world
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.html
+REQUEST_METHOD: POST
+=== POST DATA =""
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled-expected.txt 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,7 @@
+CSP report received:
+CONTENT_TYPE: application/json
+HTTP_COOKIE: hello=world
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html
+REQUEST_METHOD: POST
+=== POST DATA =""
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html","referrer":"","violated-directive":"img-src 'none'","original-policy":"img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php","blocked-uri":"http://127.0.0.1:8000/security/resources/abe.png"}}
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php">
+</head>
+<body>
+<script>
+ if (window.testRunner)
+ testRunner.setPrivateBrowsingEnabled(true);
+
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html (0 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html 2015-07-10 05:10:18 UTC (rev 186663)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="img-src 'none'; report-uri /security/contentSecurityPolicy/resources/save-report.php">
+</head>
+<body>
+<script>
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", "/cookies/resources/setCookies.cgi", false);
+ xhr.setRequestHeader("SET-COOKIE", "hello=world;path=/");
+ xhr.send(null);
+</script>
+
+<!-- This image will generate a CSP violation report. -->
+<img src=""
+
+<script src=""
+</body>
+</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php (186662 => 186663)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php 2015-07-10 03:45:10 UTC (rev 186662)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/save-report.php 2015-07-10 05:10:18 UTC (rev 186663)
@@ -11,11 +11,15 @@
$httpHeaders = $_SERVER;
ksort($httpHeaders, SORT_STRING);
foreach ($httpHeaders as $name => $value) {
- if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD") {
+ if ($name === "CONTENT_TYPE" || $name === "HTTP_REFERER" || $name === "REQUEST_METHOD" || $name === "HTTP_COOKIE") {
$value = undoMagicQuotes($value);
fwrite($reportFile, "$name: $value\n");
}
}
+
+foreach ($_COOKIE as $name => $value)
+ setcookie($name, "deleted", time() - 60, "/");
+
fwrite($reportFile, "=== POST DATA =""
fwrite($reportFile, file_get_contents("php://input"));
fclose($reportFile);
Modified: trunk/LayoutTests/platform/wk2/TestExpectations (186662 => 186663)
--- trunk/LayoutTests/platform/wk2/TestExpectations 2015-07-10 03:45:10 UTC (rev 186662)
+++ trunk/LayoutTests/platform/wk2/TestExpectations 2015-07-10 05:10:18 UTC (rev 186663)
@@ -689,6 +689,14 @@
# WebKit2 should always have IndexedDB enabled
storage/indexeddb/properties-disabled-at-runtime.html [ Skip ]
+# WebKitTestRunner testRunner.setPrivateBrowsingEnabled doesn't work with NetworkProcess.
+# We explicitly Skip the following tests instead of marking them as Failure because some of these tests will naturally pass
+# as a consequence of testRunner.setPrivateBrowsingEnabled() effectively being a no-op as of the time of writing (07/08/2015).
+webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html [ Skip ]
+webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html [ Skip ]
+webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html [ Skip ]
+webkit.org/b/115274 http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html [ Skip ]
+
### END OF (4) Features that are not supported in WebKit2 and likely never will be
########################################
Modified: trunk/Source/WebCore/ChangeLog (186662 => 186663)
--- trunk/Source/WebCore/ChangeLog 2015-07-10 03:45:10 UTC (rev 186662)
+++ trunk/Source/WebCore/ChangeLog 2015-07-10 05:10:18 UTC (rev 186663)
@@ -1,3 +1,28 @@
+2015-07-09 Daniel Bates <daba...@apple.com>
+
+ Fetching Content Security Policy report URL should respect same origin policy
+ https://bugs.webkit.org/show_bug.cgi?id=146754
+ <rdar://problem/18860259>
+
+ Reviewed by Brady Eidson.
+
+ Inspired by Blink r149791 (by Mike West <mk...@chromium.org>):
+ <https://src.chromium.org/viewvc/blink?revision=149791&view=revision>
+
+ As per <http://www.w3.org/TR/2015/CR-CSP2-20150219/#send-violation-reports>, fetching the
+ Content Security Policy report URL should include cookies if and only if the origin of
+ the protected resource is equal to the origin of the report URL.
+
+ Tests: http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-enabled.html
+ http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies-when-private-browsing-toggled.html
+ http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html
+ http/tests/security/contentSecurityPolicy/report-same-origin-no-cookies-when-private-browsing-toggled.html
+ http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies-when-private-browsing-enabled.html
+ http/tests/security/contentSecurityPolicy/report-same-origin-with-cookies.html
+
+ * loader/PingLoader.cpp:
+ (WebCore::PingLoader::sendViolationReport):
+
2015-07-09 Timothy Horton <timothy_hor...@apple.com>
Use CoreAnimation fences instead of synchronous IPC to synchronize resize
Modified: trunk/Source/WebCore/loader/PingLoader.cpp (186662 => 186663)
--- trunk/Source/WebCore/loader/PingLoader.cpp 2015-07-10 03:45:10 UTC (rev 186662)
+++ trunk/Source/WebCore/loader/PingLoader.cpp 2015-07-10 05:10:18 UTC (rev 186663)
@@ -101,6 +101,7 @@
request.setHTTPMethod("POST");
request.setHTTPContentType("application/json");
request.setHTTPBody(report);
+ request.setAllowCookies(frame.document()->securityOrigin()->isSameSchemeHostPort(SecurityOrigin::create(reportURL).ptr()));
frame.loader().addExtraFieldsToSubresourceRequest(request);
String referrer = SecurityPolicy::generateReferrerHeader(frame.document()->referrerPolicy(), reportURL, frame.loader().outgoingReferrer());