Diff
Modified: trunk/Source/WebCore/ChangeLog (211655 => 211656)
--- trunk/Source/WebCore/ChangeLog 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebCore/ChangeLog 2017-02-03 23:14:53 UTC (rev 211656)
@@ -1,3 +1,28 @@
+2017-02-03 Daniel Bates <daba...@apple.com>
+
+ [Mac][WK2] Add SPI to override the Content Security Policy of a page
+ https://bugs.webkit.org/show_bug.cgi?id=167810
+ <rdar://problem/30102568>
+
+ Reviewed by Anders Carlsson.
+
+ * dom/Document.cpp:
+ (WebCore::Document::initSecurityContext): Apply the embedding client's override Content Security
+ Policy to the document if one exists.
+ * loader/FrameLoaderClient.h: Add function overrideContentSecurityPolicy() that a FrameLoaderClient
+ can override to provide a custom Content Security Policy for a document (defaults: null string - no policy).
+ As its name implies, the policy returned by overrideContentSecurityPolicy() will define the Content
+ Security Policy for the document, overriding any subsequently received Content Security Policy for
+ the document.
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::copyStateFrom): Only copy policies from the specified ContentSecurityPolicy
+ object if our policy was not specified by the embedding client.
+ (WebCore::ContentSecurityPolicy::didReceiveHeader): Set ContentSecurityPolicy::m_hasAPIPolicy to true
+ when we receive an API policy from the embedding client (ContentSecurityPolicy::PolicyFrom::API). An
+ API policy must be defined before a policy received from a document. Do not process a received header
+ if we already have an API policy as the API policy overrides all other policies.
+ * page/csp/ContentSecurityPolicy.h:
+
2017-02-03 Chris Dumez <cdu...@apple.com>
Drop Mac App Store workaround for window.getComputedStyle()
Modified: trunk/Source/WebCore/dom/Document.cpp (211655 => 211656)
--- trunk/Source/WebCore/dom/Document.cpp 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebCore/dom/Document.cpp 2017-02-03 23:14:53 UTC (rev 211656)
@@ -5156,6 +5156,10 @@
setSecurityOriginPolicy(SecurityOriginPolicy::create(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique() : SecurityOrigin::create(m_url)));
setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(*this));
+ String overrideContentSecurityPolicy = m_frame->loader().client().overrideContentSecurityPolicy();
+ if (!overrideContentSecurityPolicy.isNull())
+ contentSecurityPolicy()->didReceiveHeader(overrideContentSecurityPolicy, ContentSecurityPolicyHeaderType::Enforce, ContentSecurityPolicy::PolicyFrom::API);
+
#if USE(QUICK_LOOK)
if (shouldEnforceQuickLookSandbox())
applyQuickLookSandbox();
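Review bot: The `isNull()` test on the added lines makes an empty but non-null override behave very differently from "no override". `didReceiveHeader` is still called with `PolicyFrom::API`, which per the ContentSecurityPolicy.cpp hunk latches `m_hasAPIPolicy` and drops every later header, meta and inherited policy, so the document ends up with no CSP at all. The new test SetOverrideContentSecurityPolicyWithEmptyStringForPageWithCSP suggests this is intended, but it is a policy-weakening path and deserves a comment at the call site, e.g. `// A non-null override, even an empty one, replaces every policy the page delivers; only a null String means "no override".` The same contract should be stated on the `overrideContentSecurityPolicy()` declaration in FrameLoaderClient.h. initSecurityContext starts and ends outside this hunk, so whether `m_frame` is known to be non-null here cannot be confirmed from the visible lines.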
Modified: trunk/Source/WebCore/loader/FrameLoaderClient.h (211655 => 211656)
--- trunk/Source/WebCore/loader/FrameLoaderClient.h 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebCore/loader/FrameLoaderClient.h 2017-02-03 23:14:53 UTC (rev 211656)
@@ -256,6 +256,8 @@
virtual void setTitle(const StringWithDirection&, const URL&) = 0;
virtual String userAgent(const URL&) = 0;
+
+ virtual String overrideContentSecurityPolicy() const { return String(); }
virtual void savePlatformDataToCachedFrame(CachedFrame*) = 0;
virtual void transitionToCommittedFromCachedFrame(CachedFrame*) = 0;
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (211655 => 211656)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2017-02-03 23:14:53 UTC (rev 211656)
@@ -110,6 +110,8 @@
void ContentSecurityPolicy::copyStateFrom(const ContentSecurityPolicy* other)
{
+ if (m_hasAPIPolicy)
+ return;
ASSERT(m_policies.isEmpty());
for (auto& policy : other->m_policies)
didReceiveHeader(policy->header(), policy->headerType(), ContentSecurityPolicy::PolicyFrom::Inherited);
@@ -177,6 +179,14 @@
void ContentSecurityPolicy::didReceiveHeader(const String& header, ContentSecurityPolicyHeaderType type, ContentSecurityPolicy::PolicyFrom policyFrom)
{
+ if (m_hasAPIPolicy)
+ return;
+
+ if (policyFrom == PolicyFrom::API) {
+ ASSERT(m_policies.isEmpty());
+ m_hasAPIPolicy = true;
+ }
+
// RFC2616, section 4.2 specifies that headers appearing multiple times can
// be combined with a comma. Walk the header string, and parse each comma
// separated chunk as a separate header.
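Review bot: The rule that an API policy must arrive before any other policy is enforced only by `ASSERT(m_policies.isEmpty())`, which is normally compiled out of release builds. If an API policy were ever delivered after a page or inherited policy, the earlier entries would presumably stay in `m_policies` and the override would be added alongside them rather than replacing them, contrary to what the ChangeLog describes. Consider `RELEASE_ASSERT(m_policies.isEmpty());`, or handle the case explicitly in that branch. Separately, `m_hasAPIPolicy` is latched before the header is parsed, so an override that yields no valid directives still suppresses the page's own policies; a comment such as `// Latched before parsing: an API policy replaces the page's policies even if it contains no valid directives.` would make that explicit. The function body continues beyond this hunk.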
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (211655 => 211656)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2017-02-03 23:14:53 UTC (rev 211656)
@@ -74,6 +74,7 @@
void didCreateWindowShell(JSDOMWindowShell&) const;
enum class PolicyFrom {
+ API,
HTTPEquivMeta,
HTTPHeader,
Inherited,
@@ -210,6 +211,7 @@
bool m_overrideInlineStyleAllowed { false };
bool m_isReportingEnabled { true };
bool m_upgradeInsecureRequests { false };
+ bool m_hasAPIPolicy { false };
OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineScripts;
OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineStylesheets;
HashSet<RefPtr<SecurityOrigin>> m_insecureNavigationRequestsToUpgrade;
Modified: trunk/Source/WebKit2/ChangeLog (211655 => 211656)
--- trunk/Source/WebKit2/ChangeLog 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/ChangeLog 2017-02-03 23:14:53 UTC (rev 211656)
@@ -1,3 +1,46 @@
+2017-02-03 Daniel Bates <daba...@apple.com>
+
+ [Mac][WK2] Add SPI to override the Content Security Policy of a page
+ https://bugs.webkit.org/show_bug.cgi?id=167810
+ <rdar://problem/30102568>
+
+ Reviewed by Anders Carlsson.
+
+ Add SPI to WKWebViewConfiguration so that an embedding client can define a custom Content Security
+ Policy that overrides the Content Security Policy of any page loaded in the web view.
+
+ * Shared/WebPageCreationParameters.cpp:
+ (WebKit::WebPageCreationParameters::encode): Encode instance variable overrideContentSecurityPolicy.
+ (WebKit::WebPageCreationParameters::decode): Decode instance variable overrideContentSecurityPolicy.
+ * Shared/WebPageCreationParameters.h:
+ * UIProcess/API/APIPageConfiguration.cpp:
+ (API::PageConfiguration::copy): Copy instance variable overrideContentSecurityPolicy.
+ * UIProcess/API/APIPageConfiguration.h:
+ (API::PageConfiguration::overrideContentSecurityPolicy): Added.
+ (API::PageConfiguration::setOverrideContentSecurityPolicy): Added.
+ * UIProcess/API/Cocoa/WKWebView.mm:
+ (-[WKWebView _initializeWithConfiguration:]): Copy overrideContentSecurityPolicy set on the WKWebViewConfiguration
+ object to the API::PageConfiguration object if non-nil.
+ * UIProcess/API/Cocoa/WKWebViewConfiguration.mm:
+ (-[WKWebViewConfiguration copyWithZone:]): Copy the instance variable overrideContentSecurityPolicy.
+ (-[WKWebViewConfiguration _overrideContentSecurityPolicy]): Added.
+ (-[WKWebViewConfiguration _setOverrideContentSecurityPolicy:]): Added.
+ * UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h: Define SPI property _overrideContentSecurityPolicy.
+ * UIProcess/WebPageProxy.cpp:
+ (WebKit::WebPageProxy::WebPageProxy): Initialize m_overrideContentSecurityPolicy from the passed
+ page configuration.
+ (WebKit::WebPageProxy::creationParameters): Set WebPageCreationParameters::overrideContentSecurityPolicy
+ so that the WebPage object (in the WebProcess) will know the overridden Content Security Policy
+ to apply to the document.
+ * UIProcess/WebPageProxy.h:
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+ (WebKit::WebFrameLoaderClient::overrideContentSecurityPolicy): Added. Returns the custom Content
+ Security Policy to apply to a new document.
+ * WebProcess/WebCoreSupport/WebFrameLoaderClient.h:
+ * WebProcess/WebPage/WebPage.cpp:
+ * WebProcess/WebPage/WebPage.h:
+ (WebKit::WebPage::overrideContentSecurityPolicy): Added.
+
2017-02-03 Anders Carlsson <ander...@apple.com>
Revert toString behavior to what we had in the last version we shipped
Modified: trunk/Source/WebKit2/Shared/WebPageCreationParameters.cpp (211655 => 211656)
--- trunk/Source/WebKit2/Shared/WebPageCreationParameters.cpp 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/Shared/WebPageCreationParameters.cpp 2017-02-03 23:14:53 UTC (rev 211656)
@@ -89,6 +89,7 @@
encoder << shouldScaleViewToFitDocument;
encoder.encodeEnum(userInterfaceLayoutDirection);
encoder.encodeEnum(observedLayoutMilestones);
+ encoder << overrideContentSecurityPolicy;
}
bool WebPageCreationParameters::decode(IPC::Decoder& decoder, WebPageCreationParameters& parameters)
@@ -204,6 +205,9 @@
if (!decoder.decodeEnum(parameters.observedLayoutMilestones))
return false;
+ if (!decoder.decode(parameters.overrideContentSecurityPolicy))
+ return false;
+
return true;
}
Modified: trunk/Source/WebKit2/Shared/WebPageCreationParameters.h (211655 => 211656)
--- trunk/Source/WebKit2/Shared/WebPageCreationParameters.h 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/Shared/WebPageCreationParameters.h 2017-02-03 23:14:53 UTC (rev 211656)
@@ -143,6 +143,8 @@
WebCore::UserInterfaceLayoutDirection userInterfaceLayoutDirection;
WebCore::LayoutMilestones observedLayoutMilestones;
+
+ String overrideContentSecurityPolicy;
};
} // namespace WebKit
Modified: trunk/Source/WebKit2/UIProcess/API/APIPageConfiguration.cpp (211655 => 211656)
--- trunk/Source/WebKit2/UIProcess/API/APIPageConfiguration.cpp 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/UIProcess/API/APIPageConfiguration.cpp 2017-02-03 23:14:53 UTC (rev 211656)
@@ -69,6 +69,7 @@
#endif
copy->m_initialCapitalizationEnabled = this->m_initialCapitalizationEnabled;
copy->m_controlledByAutomation = this->m_controlledByAutomation;
+ copy->m_overrideContentSecurityPolicy = this->m_overrideContentSecurityPolicy;
return copy;
}
Modified: trunk/Source/WebKit2/UIProcess/API/APIPageConfiguration.h (211655 => 211656)
--- trunk/Source/WebKit2/UIProcess/API/APIPageConfiguration.h 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/UIProcess/API/APIPageConfiguration.h 2017-02-03 23:14:53 UTC (rev 211656)
@@ -29,6 +29,7 @@
#include "APIObject.h"
#include "WebPreferencesStore.h"
#include <WebCore/SessionID.h>
+#include <wtf/Forward.h>
#include <wtf/GetPtr.h>
namespace WebKit {
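Review bot: The added `#include <wtf/Forward.h>` only forward-declares `WTF::String`, but the later hunks in this header add a by-value member `WTF::String m_overrideContentSecurityPolicy;` and an inline setter that assigns it, both of which need the complete type. This presumably compiles only because another included header pulls in the definition transitively. Including the defining header directly, `#include <wtf/text/WTFString.h>`, would keep the header self-contained.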
@@ -98,6 +99,9 @@
bool isControlledByAutomation() const { return m_controlledByAutomation; }
void setControlledByAutomation(bool controlledByAutomation) { m_controlledByAutomation = controlledByAutomation; }
+ const WTF::String& overrideContentSecurityPolicy() const { return m_overrideContentSecurityPolicy; }
+ void setOverrideContentSecurityPolicy(const WTF::String& overrideContentSecurityPolicy) { m_overrideContentSecurityPolicy = overrideContentSecurityPolicy; }
+
private:
RefPtr<WebKit::WebProcessPool> m_processPool;
@@ -120,6 +124,8 @@
bool m_initialCapitalizationEnabled = true;
bool m_waitsForPaintAfterViewDidMoveToWindow = true;
bool m_controlledByAutomation = false;
+
+ WTF::String m_overrideContentSecurityPolicy;
};
} // namespace API
Modified: trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm (211655 => 211656)
--- trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm 2017-02-03 23:14:53 UTC (rev 211656)
@@ -414,6 +414,9 @@
pageConfiguration->setWebsiteDataStore([_configuration websiteDataStore]->_websiteDataStore.get());
pageConfiguration->setTreatsSHA1SignedCertificatesAsInsecure([_configuration _treatsSHA1SignedCertificatesAsInsecure]);
+ if (NSString *overrideContentSecurityPolicy = configuration._overrideContentSecurityPolicy)
+ pageConfiguration->setOverrideContentSecurityPolicy(overrideContentSecurityPolicy);
+
RefPtr<WebKit::WebPageGroup> pageGroup;
NSString *groupIdentifier = configuration._groupIdentifier;
if (groupIdentifier.length) {
Modified: trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm (211655 => 211656)
--- trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm 2017-02-03 23:14:53 UTC (rev 211656)
@@ -130,6 +130,8 @@
BOOL _applePayEnabled;
#endif
BOOL _needsStorageAccessFromFileURLsQuirk;
+
+ NSString *_overrideContentSecurityPolicy;
}
- (instancetype)init
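Review bot: The new ivar `NSString *_overrideContentSecurityPolicy;` is a plain pointer, and both the setter hunk (`_overrideContentSecurityPolicy = overrideContentSecurityPolicy;`) and the copyWithZone: hunk assign to it without retaining or copying. If this file is built without ARC, which the hunks do not show, the configuration can be left holding a dangling pointer once the caller releases its string, and that pointer is later read in `-[WKWebView _initializeWithConfiguration:]`. A mutable string passed by the client could also change after it is set. Declaring the ivar as `RetainPtr<NSString> _overrideContentSecurityPolicy;`, storing `adoptNS([overrideContentSecurityPolicy copy])` in the setter, and adding `copy` to the property attributes in WKWebViewConfigurationPrivate.h would give this security-relevant setting a well-defined lifetime. The `@implementation` starts and ends outside these hunks.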
@@ -318,6 +320,7 @@
configuration->_applePayEnabled = self->_applePayEnabled;
#endif
configuration->_needsStorageAccessFromFileURLsQuirk = self->_needsStorageAccessFromFileURLsQuirk;
+ configuration->_overrideContentSecurityPolicy = self->_overrideContentSecurityPolicy;
return configuration;
}
@@ -752,6 +755,16 @@
_needsStorageAccessFromFileURLsQuirk = needsLocalStorageQuirk;
}
+- (NSString *)_overrideContentSecurityPolicy
+{
+ return _overrideContentSecurityPolicy;
+}
+
+- (void)_setOverrideContentSecurityPolicy:(NSString *)overrideContentSecurityPolicy
+{
+ _overrideContentSecurityPolicy = overrideContentSecurityPolicy;
+}
+
@end
@implementation WKWebViewConfiguration (WKDeprecated)
Modified: trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h (211655 => 211656)
--- trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h 2017-02-03 23:14:53 UTC (rev 211656)
@@ -74,6 +74,8 @@
@property (nonatomic, setter=_setRequiresUserActionForAudioPlayback:) BOOL _requiresUserActionForAudioPlayback WK_API_DEPRECATED_WITH_REPLACEMENT("mediaTypesRequiringUserActionForPlayback", macosx(10.12, 10.12), ios(10.0, 10.0));
@property (nonatomic, setter=_setRequiresUserActionForVideoPlayback:) BOOL _requiresUserActionForVideoPlayback WK_API_DEPRECATED_WITH_REPLACEMENT("mediaTypesRequiringUserActionForPlayback", macosx(10.12, 10.12), ios(10.0, 10.0));
+@property (nonatomic, setter=_setOverrideContentSecurityPolicy:) NSString *_overrideContentSecurityPolicy WK_API_AVAILABLE(macosx(WK_MAC_TBA), ios(WK_IOS_TBA));
+
@end
#endif
Modified: trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp (211655 => 211656)
--- trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp 2017-02-03 23:14:53 UTC (rev 211656)
@@ -343,6 +343,7 @@
, m_websiteDataStore(m_configuration->websiteDataStore()->websiteDataStore())
, m_mainFrame(nullptr)
, m_userAgent(standardUserAgent())
+ , m_overrideContentSecurityPolicy { m_configuration->overrideContentSecurityPolicy() }
, m_treatsSHA1CertificatesAsInsecure(m_configuration->treatsSHA1SignedCertificatesAsInsecure())
#if ENABLE(FULLSCREEN_API)
, m_fullscreenClient(std::make_unique<API::FullscreenClient>())
@@ -5571,6 +5572,7 @@
parameters.shouldScaleViewToFitDocument = m_shouldScaleViewToFitDocument;
parameters.userInterfaceLayoutDirection = m_pageClient.userInterfaceLayoutDirection();
parameters.observedLayoutMilestones = m_observedLayoutMilestones;
+ parameters.overrideContentSecurityPolicy = m_overrideContentSecurityPolicy;
return parameters;
}
Modified: trunk/Source/WebKit2/UIProcess/WebPageProxy.h (211655 => 211656)
--- trunk/Source/WebKit2/UIProcess/WebPageProxy.h 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/UIProcess/WebPageProxy.h 2017-02-03 23:14:53 UTC (rev 211656)
@@ -1663,6 +1663,7 @@
String m_applicationNameForUserAgent;
String m_customUserAgent;
String m_customTextEncodingName;
+ String m_overrideContentSecurityPolicy;
bool m_treatsSHA1CertificatesAsInsecure;
Modified: trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp (211655 => 211656)
--- trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp 2017-02-03 23:14:53 UTC (rev 211656)
@@ -1297,6 +1297,15 @@
return webPage->userAgent(m_frame, url);
}
+String WebFrameLoaderClient::overrideContentSecurityPolicy() const
+{
+ WebPage* webPage = m_frame->page();
+ if (!webPage)
+ return String();
+
+ return webPage->overrideContentSecurityPolicy();
+}
+
void WebFrameLoaderClient::savePlatformDataToCachedFrame(CachedFrame* cachedFrame)
{
WebPage* webPage = m_frame->page();
Modified: trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.h (211655 => 211656)
--- trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.h 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.h 2017-02-03 23:14:53 UTC (rev 211656)
@@ -179,7 +179,9 @@
void setTitle(const WebCore::StringWithDirection&, const WebCore::URL&) final;
String userAgent(const WebCore::URL&) final;
-
+
+ String overrideContentSecurityPolicy() const final;
+
void savePlatformDataToCachedFrame(WebCore::CachedFrame*) final;
void transitionToCommittedFromCachedFrame(WebCore::CachedFrame*) final;
#if PLATFORM(IOS)
Modified: trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp (211655 => 211656)
--- trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp 2017-02-03 23:14:53 UTC (rev 211656)
@@ -362,6 +362,7 @@
, m_userActivity("Process suppression disabled for page.")
, m_userActivityHysteresis([this](HysteresisState) { updateUserActivity(); })
, m_userInterfaceLayoutDirection(parameters.userInterfaceLayoutDirection)
+ , m_overrideContentSecurityPolicy { parameters.overrideContentSecurityPolicy }
{
ASSERT(m_pageID);
Modified: trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h (211655 => 211656)
--- trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h 2017-02-03 23:14:53 UTC (rev 211656)
@@ -293,6 +293,8 @@
String platformUserAgent(const WebCore::URL&) const;
WebCore::KeyboardUIMode keyboardUIMode();
+ const String& overrideContentSecurityPolicy() const { return m_overrideContentSecurityPolicy; }
+
WebUndoStep* webUndoStep(uint64_t);
void addWebUndoStep(uint64_t, WebUndoStep*);
void removeWebEditCommand(uint64_t);
@@ -1542,6 +1544,8 @@
#endif
WebCore::UserInterfaceLayoutDirection m_userInterfaceLayoutDirection { WebCore::UserInterfaceLayoutDirection::LTR };
+
+ const String m_overrideContentSecurityPolicy;
};
} // namespace WebKit
Modified: trunk/Tools/ChangeLog (211655 => 211656)
--- trunk/Tools/ChangeLog 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Tools/ChangeLog 2017-02-03 23:14:53 UTC (rev 211656)
@@ -1,3 +1,21 @@
+2017-02-03 Daniel Bates <daba...@apple.com>
+
+ [Mac][WK2] Add SPI to override the Content Security Policy of a page
+ https://bugs.webkit.org/show_bug.cgi?id=167810
+ <rdar://problem/30102568>
+
+ Reviewed by Anders Carlsson.
+
+ Add tests to ensure that we do not regress -[WKWebView _setOverrideContentSecurityPolicy:].
+
+ * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+ * TestWebKitAPI/Tests/WebKit2Cocoa/OverrideContentSecurityPolicy.mm: Added.
+ (TEST):
+ * TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp-iframe.html: Added.
+ * TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp.html: Added.
+ * TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp-iframe.html: Added.
+ * TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp.html: Added.
+
2017-02-02 Alex Christensen <achristen...@webkit.org>
URLParser: Fix parsing invalid IPv4 addresses with non-ASCII characters
Modified: trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (211655 => 211656)
--- trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj 2017-02-03 23:08:17 UTC (rev 211655)
+++ trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj 2017-02-03 23:14:53 UTC (rev 211656)
@@ -539,6 +539,11 @@
CE3524FA1B1443890028A7C5 /* input-focus-blur.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CE3524F51B142BBB0028A7C5 /* input-focus-blur.html */; };
CEA6CF2819CCF69D0064F5A7 /* open-and-close-window.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEA6CF2719CCF69D0064F5A7 /* open-and-close-window.html */; };
CEBABD491B71687C0051210A /* should-open-external-schemes.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBABD481B71687C0051210A /* should-open-external-schemes.html */; };
+ CEBCA12F1E3A660100C73293 /* OverrideContentSecurityPolicy.mm in Sources */ = {isa = PBXBuildFile; fileRef = CEBCA12E1E3A660100C73293 /* OverrideContentSecurityPolicy.mm */; };
+ CEBCA1381E3A807A00C73293 /* page-with-csp.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBCA1351E3A803400C73293 /* page-with-csp.html */; };
+ CEBCA1391E3A807A00C73293 /* page-with-csp-iframe.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBCA1341E3A803400C73293 /* page-with-csp-iframe.html */; };
+ CEBCA13A1E3A807A00C73293 /* page-without-csp.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBCA1371E3A803400C73293 /* page-without-csp.html */; };
+ CEBCA13B1E3A807A00C73293 /* page-without-csp-iframe.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBCA1361E3A803400C73293 /* page-without-csp-iframe.html */; };
E1220DCA155B28AA0013E2FC /* MemoryCacheDisableWithinResourceLoadDelegate.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = E1220DC9155B287D0013E2FC /* MemoryCacheDisableWithinResourceLoadDelegate.html */; };
E194E1BD177E53C7009C4D4E /* StopLoadingFromDidReceiveResponse.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = E194E1BC177E534A009C4D4E /* StopLoadingFromDidReceiveResponse.html */; };
F415086D1DA040C50044BE9B /* play-audio-on-click.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = F415086C1DA040C10044BE9B /* play-audio-on-click.html */; };
@@ -746,6 +751,10 @@
290A9BB91735F63800D71BBC /* OpenNewWindow.html in Copy Resources */,
A1C4FB731BACD1CA003742D0 /* pages.pages in Copy Resources */,
A57A34F216AF6B2B00C2501F /* PageVisibilityStateWithWindowChanges.html in Copy Resources */,
+ CEBCA1381E3A807A00C73293 /* page-with-csp.html in Copy Resources */,
+ CEBCA1391E3A807A00C73293 /* page-with-csp-iframe.html in Copy Resources */,
+ CEBCA13A1E3A807A00C73293 /* page-without-csp.html in Copy Resources */,
+ CEBCA13B1E3A807A00C73293 /* page-without-csp-iframe.html in Copy Resources */,
F6FDDDD614241C6F004F1729 /* push-state.html in Copy Resources */,
52B8CF9815868D9100281053 /* SetDocumentURI.html in Copy Resources */,
CEBABD491B71687C0051210A /* should-open-external-schemes.html in Copy Resources */,
@@ -1331,6 +1340,11 @@
CEA6CF2219CCF5BD0064F5A7 /* OpenAndCloseWindow.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = OpenAndCloseWindow.mm; sourceTree = "<group>"; };
CEA6CF2719CCF69D0064F5A7 /* open-and-close-window.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "open-and-close-window.html"; sourceTree = "<group>"; };
CEBABD481B71687C0051210A /* should-open-external-schemes.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "should-open-external-schemes.html"; sourceTree = "<group>"; };
+ CEBCA12E1E3A660100C73293 /* OverrideContentSecurityPolicy.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = OverrideContentSecurityPolicy.mm; sourceTree = "<group>"; };
+ CEBCA1341E3A803400C73293 /* page-with-csp-iframe.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "page-with-csp-iframe.html"; sourceTree = "<group>"; };
+ CEBCA1351E3A803400C73293 /* page-with-csp.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "page-with-csp.html"; sourceTree = "<group>"; };
+ CEBCA1361E3A803400C73293 /* page-without-csp-iframe.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "page-without-csp-iframe.html"; sourceTree = "<group>"; };
+ CEBCA1371E3A803400C73293 /* page-without-csp.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "page-without-csp.html"; sourceTree = "<group>"; };
DC69AA621CF77C6500C6272F /* ScopedLambda.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ScopedLambda.cpp; sourceTree = "<group>"; };
E1220D9F155B25480013E2FC /* MemoryCacheDisableWithinResourceLoadDelegate.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = MemoryCacheDisableWithinResourceLoadDelegate.mm; sourceTree = "<group>"; };
E1220DC9155B287D0013E2FC /* MemoryCacheDisableWithinResourceLoadDelegate.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = MemoryCacheDisableWithinResourceLoadDelegate.html; sourceTree = "<group>"; };
@@ -1545,6 +1559,7 @@
A10F047C1E3AD29C00C95E19 /* NSFileManagerExtras.mm */,
37A22AA51DCAA27200AFBFC4 /* ObservedRenderingProgressEventsAfterCrash.mm */,
CEA6CF2219CCF5BD0064F5A7 /* OpenAndCloseWindow.mm */,
+ CEBCA12E1E3A660100C73293 /* OverrideContentSecurityPolicy.mm */,
C95501BE19AD2FAF0049BE3E /* Preferences.mm */,
5798E2AF1CAF5C2800C5CBA0 /* ProvisionalURLNotChange.mm */,
A1C4FB6C1BACCE50003742D0 /* QuickLook.mm */,
@@ -1728,6 +1743,10 @@
46C519E31D35629600DAA51A /* LocalStorageNullEntries.localstorage */,
46C519E41D35629600DAA51A /* LocalStorageNullEntries.localstorage-shm */,
7CCB99221D3B44E7003922F6 /* open-multiple-external-url.html */,
+ CEBCA1351E3A803400C73293 /* page-with-csp.html */,
+ CEBCA1341E3A803400C73293 /* page-with-csp-iframe.html */,
+ CEBCA1371E3A803400C73293 /* page-without-csp.html */,
+ CEBCA1361E3A803400C73293 /* page-without-csp-iframe.html */,
F4F405BB1D4C0CF8007A9707 /* skinny-autoplaying-video-with-audio.html */,
515BE16E1D4288FF00DD7C68 /* StoreBlobToBeDeleted.html */,
51714EB21CF8C761004723C4 /* WebProcessKillIDBCleanup-1.html */,
@@ -2648,6 +2667,7 @@
376C8C061D6E197C007D2BB9 /* FrameHandle.cpp in Sources */,
7CCE7F051A411AE600447C4C /* NewFirstVisuallyNonEmptyLayoutFrames.cpp in Sources */,
7CCE7F251A411AF600447C4C /* OpenAndCloseWindow.mm in Sources */,
+ CEBCA12F1E3A660100C73293 /* OverrideContentSecurityPolicy.mm in Sources */,
7CCB4DA91C83AE7300CC6918 /* PageGroup.cpp in Sources */,
5769C50B1D9B0002000847FB /* SerializedCryptoKeyWrap.mm in Sources */,
7CCE7F071A411AE600447C4C /* PageLoadBasic.cpp in Sources */,
Added: trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/OverrideContentSecurityPolicy.mm (0 => 211656)
--- trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/OverrideContentSecurityPolicy.mm (rev 0)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/OverrideContentSecurityPolicy.mm 2017-02-03 23:14:53 UTC (rev 211656)
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#import "config.h"
+
+#import "TestWKWebView.h"
+#import <WebKit/WKWebViewConfigurationPrivate.h>
+#import <wtf/RetainPtr.h>
+
+#if WK_API_ENABLED
+
+TEST(WKWebView, SetOverrideContentSecurityPolicyWithEmptyStringForPageWithCSP)
+{
+ @autoreleasepool {
+ RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+ [configuration _setOverrideContentSecurityPolicy:@""];
+
+ RetainPtr<TestWKWebView> webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
+ NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"page-with-csp" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
+ [webView loadRequest:request];
+
+ [webView waitForMessage:@"MainFrame: A"];
+ [webView waitForMessage:@"MainFrame: B"];
+ [webView waitForMessage:@"Subframe: A"];
+ [webView waitForMessage:@"Subframe: B"];
+ }
+}
+
+TEST(WKWebView, SetOverrideContentSecurityPolicyForPageWithCSP)
+{
+ @autoreleasepool {
+ RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+ [configuration _setOverrideContentSecurityPolicy:@"script-src 'nonce-b'"];
+
+ RetainPtr<TestWKWebView> webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
+ NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"page-with-csp" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
+ [webView loadRequest:request];
+
+ [webView waitForMessage:@"MainFrame: B"];
+ [webView waitForMessage:@"Subframe: B"];
+ }
+}
+
+TEST(WKWebView, SetOverrideContentSecurityPolicyForPageWithoutCSP)
+{
+ @autoreleasepool {
+ RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+ [configuration _setOverrideContentSecurityPolicy:@"script-src 'nonce-b'"];
+
+ RetainPtr<TestWKWebView> webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
+ NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"page-without-csp" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
+ [webView loadRequest:request];
+
+ [webView waitForMessage:@"MainFrame: B"];
+ [webView waitForMessage:@"Subframe: B"];
+ }
+}
+
+#endif
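Review bot: The two tests that set `script-src 'nonce-b'` only wait for the messages that should arrive ("MainFrame: B", "Subframe: B") and never check that the nonce-a scripts were blocked. If `waitForMessage:` simply waits until the named message is seen, which is not visible here, the tests would still pass when "MainFrame: A" or "Subframe: A" is also posted, so they would not catch an override that is applied in addition to a permissive state rather than enforced. Each test should record every message received and assert that no "A" message was delivered by the time the "B" messages have arrived. It would also help to cover a policy delivered by HTTP header and a nil override, since only the `<meta>` and non-nil paths are exercised.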
Added: trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp-iframe.html (0 => 211656)
--- trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp-iframe.html (rev 0)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp-iframe.html 2017-02-03 23:14:53 UTC (rev 211656)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'none'">
+</head>
+<body>
+<script nonce="a">
+window.webkit.messageHandlers.testHandler.postMessage("Subframe: A");
+</script>
+<script nonce="b">
+window.webkit.messageHandlers.testHandler.postMessage("Subframe: B");
+</script>
+</body>
+</html>
Added: trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp.html (0 => 211656)
--- trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp.html (rev 0)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp.html 2017-02-03 23:14:53 UTC (rev 211656)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'none'">
+</head>
+<body>
+<script nonce="a">
+window.webkit.messageHandlers.testHandler.postMessage("MainFrame: A");
+</script>
+<script nonce="b">
+window.webkit.messageHandlers.testHandler.postMessage("MainFrame: B");
+</script>
+<iframe id="iframe" src=""
+</body>
+</html>
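Review bot: As shown, the `<iframe id="iframe" src=""` line has an empty `src` and is never closed with `>` or `</iframe>`, and page-without-csp.html has the same line. With that markup the companion files page-with-csp-iframe.html and page-without-csp-iframe.html would not be loaded, so the "Subframe: A"/"Subframe: B" messages the tests wait for could never be posted. This may be an artifact of how the diff was rendered, so please confirm the committed files name the iframe documents and close the tag, e.g. `<iframe id="iframe" src="page-with-csp-iframe.html"></iframe>`.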
Added: trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp-iframe.html (0 => 211656)
--- trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp-iframe.html (rev 0)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp-iframe.html 2017-02-03 23:14:53 UTC (rev 211656)
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script nonce="a">
+window.webkit.messageHandlers.testHandler.postMessage("Subframe: A");
+</script>
+<script nonce="b">
+window.webkit.messageHandlers.testHandler.postMessage("Subframe: B");
+</script>
+</body>
+</html>
Added: trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp.html (0 => 211656)
--- trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp.html (rev 0)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp.html 2017-02-03 23:14:53 UTC (rev 211656)
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script nonce="a">
+window.webkit.messageHandlers.testHandler.postMessage("MainFrame: A");
+</script>
+<script nonce="b">
+window.webkit.messageHandlers.testHandler.postMessage("MainFrame: B");
+</script>
+<iframe id="iframe" src=""
+</body>
+</html>