Title: [197087] releases/WebKitGTK/webkit-2.12
- Revision: 197087
- Author: carlo...@webkit.org
- Date: 2016-02-25 02:27:14 -0800 (Thu, 25 Feb 2016)
Log Message
Merge r196992 - REGRESSION (r196892): No longer emit error message when CSP form-action directive is used as a source expression
https://bugs.webkit.org/show_bug.cgi?id=154555
<rdar://problem/24776777>
Reviewed by Andy Estes.
Source/WebCore:
Fixes an issue where an error message is not emitted when directive form-action is used as a
source expression. Prior to <http://trac.webkit.org/changeset/196892>, when directive form-action
was used as a source expression a console error message would be emitted with the form:
    The Content Security Policy directive 'script-src' contains 'form-action' as a source expression.
    Did you mean 'script-src ...; form-action...' (note the semicolon)?
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::isCSPDirectiveName): Return true if the specified directive name is "form-action".
LayoutTests:
Test that we emit a console error message when form-action is used as a source expression.
* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt:
* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Use form-action as a
source expression. Also, use a double quoted (") string literal instead of a single quoted (') string
literal to represent the CSP policy so as to avoid the need to escape embedded single quote characters.
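The check this log message describes can also be run as a policy lint before deployment. The following is an added example, not WebKit's code: the function names are hypothetical and `DIRECTIVE_NAMES` is an assumed list limited to the directive names visible on this page.

```javascript
// Added example: a policy lint for the missing-semicolon mistake.
// DIRECTIVE_NAMES holds only the names visible on this page; it is an
// assumption for the sketch, not WebKit's full table.
const DIRECTIVE_NAMES = new Set([
  "connect-src", "default-src", "font-src", "form-action", "frame-src",
  "img-src", "media-src", "object-src", "script-src", "style-src",
]);

// Split a policy the way a CSP parser does: directives are separated by ';',
// the first token is the directive name, the rest are source expressions.
function parsePolicy(policy) {
  return policy.split(";")
    .map((part) => part.trim().split(/\s+/).filter(Boolean))
    .filter((tokens) => tokens.length > 0)
    .map(([name, ...sources]) => ({ name: name.toLowerCase(), sources }));
}

// Report every directive name found in source-expression position.
function findSwallowedDirectives(policy) {
  const findings = [];
  for (const { name, sources } of parsePolicy(policy)) {
    for (const source of sources) {
      const candidate = source.toLowerCase(); // names compare ASCII case-insensitively
      if (!DIRECTIVE_NAMES.has(candidate)) continue;
      findings.push({
        directive: name,
        swallowed: candidate,
        message: `The Content Security Policy directive '${name}' contains ` +
          `'${candidate}' as a source expression. Did you mean ` +
          `'${name} ...; ${candidate}...' (note the semicolon)?`,
      });
    }
  }
  return findings;
}

// Constructed sample: the policy string from the updated layout test.
const sample = "script-src 'self' object-src 'self' style-src * form-action 'self'";
for (const finding of findSwallowedDirectives(sample)) console.log(finding.message);
// Only script-src is in effect; form-action was never defined as a directive.
console.log(parsePolicy(sample).map((d) => d.name));
```

A policy that produces any finding here enforces fewer directives than its author wrote, so the lint result is worth treating as a deployment blocker rather than a cosmetic warning.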
Diff
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (197086 => 197087)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 10:26:56 UTC (rev 197086)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 10:27:14 UTC (rev 197087)
@@ -1,3 +1,18 @@
+2016-02-23 Daniel Bates <daba...@apple.com>
+
+ REGRESSION (r196892): No longer emit error message when CSP form-action directive is used as a source _expression_
+ https://bugs.webkit.org/show_bug.cgi?id=154555
+ <rdar://problem/24776777>
+
+ Reviewed by Andy Estes.
+
+ Test that we emit a console error message when form-action is used as a source _expression_.
+
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt:
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Use form-action as a
+ source _expression_. Also, use a double quoted (") string literal instead of a single quoted (') string
+ literal to represent the CSP policy so as to avoid the need to escape embedded single quote characters.
+
2016-02-21 Daniel Bates <daba...@apple.com>
CSP: Enable form-action directive by default
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt (197086 => 197087)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt 2016-02-25 10:26:56 UTC (rev 197086)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt 2016-02-25 10:27:14 UTC (rev 197087)
@@ -1,6 +1,7 @@
CONSOLE MESSAGE: The Content Security Policy directive 'default-src' contains 'script-src' as a source _expression_. Did you mean 'default-src ...; script-src...' (note the semicolon)?
CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'object-src' as a source _expression_. Did you mean 'script-src ...; object-src...' (note the semicolon)?
CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'style-src' as a source _expression_. Did you mean 'script-src ...; style-src...' (note the semicolon)?
+CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'form-action' as a source _expression_. Did you mean 'script-src ...; form-action...' (note the semicolon)?
If a web author forgets a semicolon, we should do our best to warn them that the policy they've defined is probably not what they intended.
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html (197086 => 197087)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html 2016-02-25 10:26:56 UTC (rev 197086)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html 2016-02-25 10:27:14 UTC (rev 197087)
@@ -5,7 +5,7 @@
<script>
var tests = [
['yes', 'default-src \'self\' script-src example.com', 'resources/script.js'],
- ['yes', 'script-src \'self\' object-src \'self\' style-src *', 'resources/script.js'],
+ ['yes', "script-src 'self' object-src 'self' style-src * form-action 'self'", 'resources/script.js'],
];
</script>
</head>
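Review bot: the `tests` array now mixes two quoting styles, since the unchanged `default-src` entry still uses escaped `\'self\'` while the new `+` line uses a double-quoted literal; converting the first entry too would keep the array consistent. Appending `form-action 'self'` to the existing `script-src` vector also means the form-action warning is only checked alongside the object-src and style-src ones, so a separate vector such as `script-src 'self' form-action 'self'` would make a failure of that one name easier to attribute.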
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (197086 => 197087)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 10:26:56 UTC (rev 197086)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 10:27:14 UTC (rev 197087)
@@ -1,3 +1,21 @@
+2016-02-23 Daniel Bates <daba...@apple.com>
+
+ REGRESSION (r196892): No longer emit error message when CSP form-action directive is used as a source _expression_
+ https://bugs.webkit.org/show_bug.cgi?id=154555
+ <rdar://problem/24776777>
+
+ Reviewed by Andy Estes.
+
+ Fixes an issue where an error message is not emitted when directive form-action is used as a
+ source _expression_. Prior to <http://trac.webkit.org/changeset/196892>, when directive form-action
+ was used as a source _expression_ a console error message would be emitted with the form:
+
+ The Content Security Policy directive 'script-src' contains 'form-action' as a source _expression_.
+ Did you mean 'script-src ...; form-action...' (note the semicolon)?
+
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::isCSPDirectiveName): Return true if the specified directive name is "form-action".
+
2016-02-21 Daniel Bates <daba...@apple.com>
CSP: Enable form-action directive by default
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (197086 => 197087)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-25 10:26:56 UTC (rev 197086)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-25 10:27:14 UTC (rev 197087)
@@ -78,6 +78,7 @@
return equalLettersIgnoringASCIICase(name, connectSrc)
|| equalLettersIgnoringASCIICase(name, defaultSrc)
|| equalLettersIgnoringASCIICase(name, fontSrc)
+ || equalLettersIgnoringASCIICase(name, formAction)
|| equalLettersIgnoringASCIICase(name, frameSrc)
|| equalLettersIgnoringASCIICase(name, imgSrc)
|| equalLettersIgnoringASCIICase(name, mediaSrc)
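Review bot: the added `formAction` comparison leaves `isCSPDirectiveName` as a hand-maintained chain of `equalLettersIgnoringASCIICase` calls, so a directive name missing from the chain produces no build or runtime signal, only the absent console warning that the log attributes to r196892. A comment above the `return` stating that every directive name the parser recognises must be listed here would help, as would deriving the check from the same table the parser uses so the two cannot drift apart.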