Title: [197087] releases/WebKitGTK/webkit-2.12
Revision: 197087
Author: carlo...@webkit.org
Date: 2016-02-25 02:27:14 -0800 (Thu, 25 Feb 2016)

Log Message

Merge r196992 - REGRESSION (r196892): No longer emit error message when CSP form-action directive is used as a source expression
https://bugs.webkit.org/show_bug.cgi?id=154555
<rdar://problem/24776777>

Reviewed by Andy Estes.

Source/WebCore:

Fixes an issue where an error message is not emitted when directive form-action is used as a
source expression. Prior to <http://trac.webkit.org/changeset/196892>, when directive form-action
was used as a source expression a console error message would be emitted with the form:

    The Content Security Policy directive 'script-src' contains 'form-action' as a source expression.
    Did you mean 'script-src ...; form-action...' (note the semicolon)?

* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::isCSPDirectiveName): Return true if the specified directive name is "form-action".

LayoutTests:

Test that we emit a console error message when form-action is used as a source expression.

* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt:
* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Use form-action as a
source expression. Also, use a double quoted (") string literal instead of a single quoted (') string
literal to represent the CSP policy so as to avoid the need to escape embedded single quote characters.

Diff

Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (197086 => 197087)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog	2016-02-25 10:26:56 UTC (rev 197086)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog	2016-02-25 10:27:14 UTC (rev 197087)
@@ -1,3 +1,18 @@
+2016-02-23  Daniel Bates  <daba...@apple.com>
+
+        REGRESSION (r196892): No longer emit error message when CSP form-action directive is used as a source _expression_
+        https://bugs.webkit.org/show_bug.cgi?id=154555
+        <rdar://problem/24776777>
+
+        Reviewed by Andy Estes.
+
+        Test that we emit a console error message when form-action is used as a source _expression_.
+
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt:
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Use form-action as a
+        source _expression_. Also, use a double quoted (") string literal instead of a single quoted (') string
+        literal to represent the CSP policy so as to avoid the need to escape embedded single quote characters.
+
 2016-02-21  Daniel Bates  <daba...@apple.com>
 
         CSP: Enable form-action directive by default

Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt (197086 => 197087)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt	2016-02-25 10:26:56 UTC (rev 197086)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt	2016-02-25 10:27:14 UTC (rev 197087)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: The Content Security Policy directive 'default-src' contains 'script-src' as a source _expression_. Did you mean 'default-src ...; script-src...' (note the semicolon)?
 CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'object-src' as a source _expression_. Did you mean 'script-src ...; object-src...' (note the semicolon)?
 CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'style-src' as a source _expression_. Did you mean 'script-src ...; style-src...' (note the semicolon)?
+CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'form-action' as a source _expression_. Did you mean 'script-src ...; form-action...' (note the semicolon)?
 If a web author forgets a semicolon, we should do our best to warn them that the policy they've defined is probably not what they intended.
 
 

Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html (197086 => 197087)


--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html	2016-02-25 10:26:56 UTC (rev 197086)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html	2016-02-25 10:27:14 UTC (rev 197087)
@@ -5,7 +5,7 @@
 <script>
 var tests = [
     ['yes', 'default-src \'self\' script-src example.com', 'resources/script.js'],
-    ['yes', 'script-src \'self\' object-src \'self\' style-src *', 'resources/script.js'],
+    ['yes', "script-src 'self' object-src 'self' style-src * form-action 'self'", 'resources/script.js'],
 ];
 </script>
 </head>
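
Review bot: The quoting in the tests array is now mixed: the changed entry uses a double-quoted policy string, while the unchanged entry above it (the 'default-src \'self\' script-src example.com' row) still uses escaped single quotes. Convert that row to a double-quoted string as well so both entries read the same way. Consider also giving form-action its own row: appended to a policy that already triggers two other warnings, a failure in the expected output is harder to attribute to a single directive name.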

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (197086 => 197087)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-02-25 10:26:56 UTC (rev 197086)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog	2016-02-25 10:27:14 UTC (rev 197087)
@@ -1,3 +1,21 @@
+2016-02-23  Daniel Bates  <daba...@apple.com>
+
+        REGRESSION (r196892): No longer emit error message when CSP form-action directive is used as a source _expression_
+        https://bugs.webkit.org/show_bug.cgi?id=154555
+        <rdar://problem/24776777>
+
+        Reviewed by Andy Estes.
+
+        Fixes an issue where an error message is not emitted when directive form-action is used as a
+        source _expression_. Prior to <http://trac.webkit.org/changeset/196892>, when directive form-action
+        was used as a source _expression_ a console error message would be emitted with the form:
+
+            The Content Security Policy directive 'script-src' contains 'form-action' as a source _expression_.
+            Did you mean 'script-src ...; form-action...' (note the semicolon)?
+
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::isCSPDirectiveName): Return true if the specified directive name is "form-action".
+
 2016-02-21  Daniel Bates  <daba...@apple.com>
 
         CSP: Enable form-action directive by default
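
Review bot: The sentence beginning "Prior to <http://trac.webkit.org/changeset/196892>" records what used to happen but not why that changeset stopped it, so a reader has to open r196892 to learn the cause. Suggest one more sentence in this entry stating what in r196892 caused the message to be dropped, since the isCSPDirectiveName line alone describes only the fix.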

Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (197086 => 197087)


--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp	2016-02-25 10:26:56 UTC (rev 197086)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp	2016-02-25 10:27:14 UTC (rev 197087)
@@ -78,6 +78,7 @@
     return equalLettersIgnoringASCIICase(name, connectSrc)
         || equalLettersIgnoringASCIICase(name, defaultSrc)
         || equalLettersIgnoringASCIICase(name, fontSrc)
+        || equalLettersIgnoringASCIICase(name, formAction)
         || equalLettersIgnoringASCIICase(name, frameSrc)
         || equalLettersIgnoringASCIICase(name, imgSrc)
         || equalLettersIgnoringASCIICase(name, mediaSrc)
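
Review bot: The added formAction comparison extends a hand-maintained || chain in isCSPDirectiveName, and nothing in this hunk ties the chain to the place where directive names are defined, so the next directive added can be missed here in the same way. Suggest a comment next to the directive name constants pointing at isCSPDirectiveName, or building this check from a single list of names. The layout test in this change only catches names that someone remembers to add to its policy string.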