Title: [273820] trunk
Revision
273820
Author
katherine_che...@apple.com
Date
2021-03-03 09:51:55 -0800 (Wed, 03 Mar 2021)

Log Message

Report the correct document uri in the case of a ContentSecurityPolicyClient
https://bugs.webkit.org/show_bug.cgi?id=222489
<rdar://problem/73774118>

Reviewed by Brent Fulgham.

Source/WebCore:

Tests: http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html
       http/tests/security/contentSecurityPolicy/report-document-uri-blob.html

Previously we were setting the document URI to be the blocked URI in
the case where we were using a ContentSecurityPolicyClient and didn't
have access to the document URL. This patch passes the document URL
to the network process when loading a resource so we can properly set
the document URI in this case.

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::shouldReportProtocolOnly):
(WebCore::ContentSecurityPolicy::deprecatedURLForReporting const):
(WebCore::ContentSecurityPolicy::reportViolation const):
Follow spec guidelines https://www.w3.org/TR/CSP2/#violation-reports
and set the document URI to be the URI's scheme if it is a globally
unique identifier.

In the case where we are using a client and don't have the document
URL, we should at least strip the blocked URL before reporting to align
with the spec.

* page/csp/ContentSecurityPolicy.h:
(WebCore::ContentSecurityPolicy::setDocumentURL):

Source/WebKit:

Pass the document URL from the Network Process when we schedule a load
in case we need to report a CSP violation in NetworkLoadChecker.

* NetworkProcess/NetworkLoadChecker.cpp:
(WebKit::NetworkLoadChecker::NetworkLoadChecker):
(WebKit::NetworkLoadChecker::contentSecurityPolicy):
The regular toString() method sets file:// URLs to null. We should use
toRawString() so we can report the scheme if the source origin is a
local file, as per the W3C spec.

* NetworkProcess/NetworkLoadChecker.h:
* NetworkProcess/NetworkResourceLoadParameters.cpp:
(WebKit::NetworkResourceLoadParameters::encode const):
(WebKit::NetworkResourceLoadParameters::decode):
* NetworkProcess/NetworkResourceLoadParameters.h:
* NetworkProcess/NetworkResourceLoader.cpp:
* NetworkProcess/PingLoad.cpp:
(WebKit::PingLoad::PingLoad):
* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):

Tools:

Rename OverrideContentSecurityPolicy.mm to ContentSecurityPolicy.mm
so we can use it for more general purpose CSP testing.

Add a test for document-uri reporting for file:, data: and about: protocols.

* TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* TestWebKitAPI/Tests/WebKitCocoa/ContentSecurityPolicy.mm: Renamed from Tools/TestWebKitAPI/Tests/WebKitCocoa/OverrideContentSecurityPolicy.mm.
(TEST):
* TestWebKitAPI/Tests/WebKitCocoa/csp-document-uri-report.html: Added.

LayoutTests:

Layout test coverage for redirects using a ContentSecurityPolicyClient
and blob files.

* http/tests/security/contentSecurityPolicy/report-document-uri-blob-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-document-uri-blob.html: Added.
* http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html: Added.
* platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
* platform/win/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
* platform/win/TestExpectations:
Blob URLs time out on win.
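The reporting rule the log message refers to (CSP2 "strip URI for reporting": a globally unique origin such as blob:, data: or a local file: document is reported as its bare scheme, anything else with credentials and fragment removed, and a cross-origin blocked URL reduced to its origin) is shown below as an added JavaScript example. It is not part of this commit or of WebKit; it sits on the WHATWG URL API and stands in for WebKit's URL::isHierarchical() with an opaque-path test and for SecurityOrigin::canRequest() with a same-origin comparison, both of which are assumptions. The sample URLs are constructed to mirror the two layout tests above.

```javascript
// Added example, not WebKit code: the CSP "strip URL for reporting" rule as the
// commit describes it, built on the WHATWG URL API (Node.js or a browser).

// Origins that are globally unique identifiers are reported as the bare scheme
// (CSP2 §4.4); WebKit treats file: the same way, and so does this example.
const PROTOCOL_ONLY_SCHEMES = new Set(['blob:', 'data:', 'filesystem:', 'file:']);

// Approximation (assumption) of WebKit's URL::isHierarchical(): a URL with an
// opaque path, such as about:blank, data:... or blob:http://..., has no
// authority and a path that does not start with "/".
function isHierarchical(url) {
  return url.host !== '' || url.pathname.startsWith('/');
}

function shouldReportProtocolOnly(url) {
  return !isHierarchical(url) || PROTOCOL_ONLY_SCHEMES.has(url.protocol);
}

// "blob:" -> "blob", which is what the blob layout test expects to see.
function schemeOf(url) {
  return url.protocol.slice(0, -1);
}

// Counterpart of URL::strippedForUseAsReferrer(): drop credentials and the
// fragment, keep the query.
function strippedForReporting(url) {
  const copy = new URL(url.href);
  copy.username = '';
  copy.password = '';
  copy.hash = '';
  return copy.href;
}

function parseOrNull(s) {
  try { return new URL(s); } catch { return null; }
}

// document-uri: the protected document's URL, reduced to its scheme for a
// globally unique origin, otherwise stripped. This is the rule the patch
// applies to document.url() in the in-process reporting path.
function documentURIForReport(documentURL) {
  const url = parseOrNull(documentURL);
  if (url === null) return '';
  return shouldReportProtocolOnly(url) ? schemeOf(url) : strippedForReporting(url);
}

// blocked-uri, as deprecatedURLForReporting() does it: a same-origin URL is
// stripped, a cross-origin one is reduced to its origin so a blocked redirect
// does not leak the target's path into the report. The same-origin comparison
// stands in for SecurityOrigin::canRequest() (assumption).
function blockedURIForReport(blockedURL, protectedOrigin) {
  const url = parseOrNull(blockedURL);
  if (url === null) return '';
  if (shouldReportProtocolOnly(url)) return schemeOf(url);
  return url.origin === protectedOrigin ? strippedForReporting(url) : url.origin;
}

// The two report fields. documentURL is null when the policy object does not
// know the document (the ContentSecurityPolicyClient case); the patch then
// falls back to the stripped blocked URL, which this mirrors.
function violationReportFields({ documentURL, blockedURL, protectedOrigin }) {
  const blocked = blockedURIForReport(blockedURL, protectedOrigin);
  return {
    'document-uri': documentURL === null ? blocked : documentURIForReport(documentURL),
    'blocked-uri': blocked,
  };
}

// Constructed sample inputs mirroring the two layout tests in this commit.
console.log(documentURIForReport('blob:http://127.0.0.1:8000/0c7b1e2a-5f1d-4c2e-9a3b-1d2e3f4a5b6c'));
console.log(violationReportFields({
  documentURL: 'http://127.0.0.1:8000/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html#x',
  blockedURL: 'http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl',
  protectedOrigin: 'http://127.0.0.1:8000',
}));
```

Run it with `node` to see `blob` for the blob document and the full, fragment-free document URL for the http: page, with the cross-origin redirect target collapsed to `http://localhost:8000` in blocked-uri. Report collectors should expect these bare-scheme values and not treat them as malformed URLs.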

Diff

Modified: trunk/LayoutTests/ChangeLog (273819 => 273820)


--- trunk/LayoutTests/ChangeLog	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/LayoutTests/ChangeLog	2021-03-03 17:51:55 UTC (rev 273820)
@@ -1,3 +1,23 @@
+2021-03-03  Kate Cheney  <katherine_che...@apple.com>
+
+        Report the correct document uri in the case of a ContentSecurityPolicyClient
+        https://bugs.webkit.org/show_bug.cgi?id=222489
+        <rdar://problem/73774118>
+
+        Reviewed by Brent Fulgham.
+
+        Layout test coverage for redirects using a ContentSecurityPolicyClient
+        and blob files.
+
+        * http/tests/security/contentSecurityPolicy/report-document-uri-blob-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/report-document-uri-blob.html: Added.
+        * http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html: Added.
+        * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
+        * platform/win/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt: Added.
+        * platform/win/TestExpectations:
+        Blob URLs timeout on win.
+
 2021-03-03  Chris Gambrell  <cgambr...@apple.com>
 
         [LayoutTests] Convert http/tests/misc convert PHP to Python

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt (0 => 273820)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt	2021-03-03 17:51:55 UTC (rev 273820)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl due to access control checks.
+PASS XMLHttpRequest.send() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+documentURI = http://127.0.0.1:8000/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html
+
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html (0 => 273820)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html	2021-03-03 17:51:55 UTC (rev 273820)
@@ -0,0 +1,43 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php">
+    <script src=""
+</head>
+<body>
+    <script>
+        window.jsTestIsAsync = true;
+        function log(msg) {
+            document.getElementById("console").appendChild(document.createTextNode(msg + "\n"));
+        }
+
+        // Expect the document URI to be the document URL stripped for reporting.
+        document.addEventListener('securitypolicyviolation', e => {
+            document.body.innerHTML += `documentURI = <b>${e.documentURI}</b><br/><br/>`;
+            finishJSTest();
+        });
+
+        var xhr = new XMLHttpRequest;
+        try {
+            // Redirect to a different host, because as of CSP2 paths
+            // are ignored when matching after a redirect.
+            xhr.open("GET", "resources/redir.php?url="" true);
+        } catch(e) {
+            testFailed("XMLHttpRequest.open() should not throw an exception.");
+        }
+
+        xhr._onload_ = function () {
+            testFailed("XMLHttpRequest.send() should fail to follow the disallowed redirect.");
+            finishJSTest();
+        };
+
+        xhr._onerror_ = function () {
+            testPassed("XMLHttpRequest.send() did not follow the disallowed redirect.");
+        };
+
+        xhr.send();
+    </script>
+</script>
+<script src=""
+</body>
+</html>
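Review bot: the test body closes its inline script twice; the second `</script>` after the script block is a stray tag, and `log()` looks up an element with `id="console"` that the page never defines, so it would throw if it were ever called (it is unused). More importantly, only the onload handler and the securitypolicyviolation listener call finishJSTest(); if the request is blocked but the violation event does not fire, the test hangs until the harness timeout instead of failing. Suggest dropping the stray tag and the unused `log()`, and making the failure path explicit (for example a timer that calls testFailed() and finishJSTest()) so a missing violation event fails fast.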

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-blob-expected.txt (0 => 273820)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-blob-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-blob-expected.txt	2021-03-03 17:51:55 UTC (rev 273820)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+documentURI = blob
+
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-blob.html (0 => 273820)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-blob.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-document-uri-blob.html	2021-03-03 17:51:55 UTC (rev 273820)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-test'">
+<script nonce="test">
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+// Include a script not included in the script-src to cause a violation.
+// Include another script to report the document URI of this report, expecting
+// it to be stripped to only consist of the URL protocol.
+var violatingScript = "<script>\n\<" + "/script>"
+var reportingScript = "<script nonce=\"test\"> testRunner.waitUntilDone(); document.addEventListener('securitypolicyviolation', e => { document.body.innerHTML += `documentURI = <b>${e.documentURI}</b><br/><br/>`; testRunner.notifyDone(); });<" + "/script>";
+    
+let blob = new Blob([violatingScript + reportingScript], {type : "text/html"});
+if (window.testRunner)
+    testRunner.queueLoad(URL.createObjectURL(blob));
+</script>
+<body>
+<p>Initial page</p>
+</body>
+</head>
+</html>
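Review bot: the markup is malformed: `</head>` appears after `</body>`, so the `<body>` element is opened inside `<head>`; move `</head>` above `<body>`. The `reportingScript` string calls testRunner.waitUntilDone() and testRunner.notifyDone() without the `if (window.testRunner)` guard the outer script uses, so the blob page throws when opened outside the test runner. Also `var violatingScript = "<script>\n\<" + "/script>"` lacks its semicolon and the `\<` escape is unnecessary.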

Added: trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt (0 => 273820)


--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt	2021-03-03 17:51:55 UTC (rev 273820)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" due to access control checks.
+PASS XMLHttpRequest.send() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+documentURI = http://127.0.0.1:8000/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html
+
+
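Review bot: this file and the platform/win copy added in the same patch are byte-identical, and both differ from the generic expectation only in the third console line, where the WebKit1-based ports report the original request URL (`.../resources/redir.php?url=...`) in the "cannot load ... due to access control checks" message and the generic (WebKit2) expectation reports the redirect target (`.../xhr-redirect-not-allowed.pl`). The `documentURI` line, which is what the test is about, is the same in all three. The ChangeLog explains only the Windows Skip; a sentence on why the WK1 ports need their own expectations would save the next reader a diff.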

Modified: trunk/LayoutTests/platform/win/TestExpectations (273819 => 273820)


--- trunk/LayoutTests/platform/win/TestExpectations	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/LayoutTests/platform/win/TestExpectations	2021-03-03 17:51:55 UTC (rev 273820)
@@ -2327,6 +2327,7 @@
 fast/frames/restoring-page-cache-should-not-run-scripts.html [ Skip ]
 http/tests/security/mixedContent/blob-url-in-iframe.html [ Skip ]
 http/tests/security/contentSecurityPolicy/navigate-self-to-blob.html [ Skip ]
+http/tests/security/contentSecurityPolicy/report-document-uri-blob.html [ Skip ]
 fast/frames/restoring-page-cache-should-not-run-scripts-via-style-update.html [ Skip ]
 
 # Clear Key not implemented
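Review bot: the new Skip line carries no tracking bug and sits in a block that has no comment, so the reason (blob URLs time out on the Windows port) lives only in the ChangeLog. Add a comment line above the block, as the `# Clear Key not implemented` block below does, or prefix the entry with a bug reference so the skip can be revisited when the underlying blob problem is fixed.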

Added: trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt (0 => 273820)


--- trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect-expected.txt	2021-03-03 17:51:55 UTC (rev 273820)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" due to access control checks.
+PASS XMLHttpRequest.send() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+documentURI = http://127.0.0.1:8000/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html
+
+

Modified: trunk/Source/WebCore/ChangeLog (273819 => 273820)


--- trunk/Source/WebCore/ChangeLog	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Source/WebCore/ChangeLog	2021-03-03 17:51:55 UTC (rev 273820)
@@ -1,3 +1,35 @@
+2021-03-03  Kate Cheney  <katherine_che...@apple.com>
+
+        Report the correct document uri in the case of a ContentSecurityPolicyClient
+        https://bugs.webkit.org/show_bug.cgi?id=222489
+        <rdar://problem/73774118>
+
+        Reviewed by Brent Fulgham.
+
+        Tests: http/tests/security/contentSecurityPolicy/report-document-uri-after-blocked-redirect.html
+               http/tests/security/contentSecurityPolicy/report-document-uri-blob.html
+
+        Previously we were setting the document URI to be the blocked URI in
+        the case where we were using a ContentSecurityPolicyClient and didn't
+        have access to the document URL. This patch passes the document URL
+        to the network process when loading a resource so we can properly set
+        the document URI in this case.
+
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::shouldReportProtocolOnly):
+        (WebCore::ContentSecurityPolicy::deprecatedURLForReporting const):
+        (WebCore::ContentSecurityPolicy::reportViolation const):
+        Follow spec guidelines https://www.w3.org/TR/CSP2/#violation-reports
+        and set the document URI to be the URI's scheme if it is a globally
+        unique identifier.
+
+        In the case where we are using a client and don't have the document
+        URL, we should at least strip the blocked URL before reporting to align
+        with the spec.
+
+        * page/csp/ContentSecurityPolicy.h:
+        (WebCore::ContentSecurityPolicy::setDocumentURL):
+
 2021-03-03  Youenn Fablet  <you...@apple.com>
 
         WebKitLegacy needs to keep JSDOMWindow even though it is used while its origin is not set

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (273819 => 273820)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2021-03-03 17:51:55 UTC (rev 273820)
@@ -651,11 +651,16 @@
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForBaseURI, url);
 }
 
+static bool shouldReportProtocolOnly(const URL& url)
+{
+    return !url.isHierarchical() || url.protocolIs("file");
+}
+
 String ContentSecurityPolicy::deprecatedURLForReporting(const URL& url) const
 {
     if (!url.isValid())
         return { };
-    if (!url.isHierarchical() || url.protocolIs("file"))
+    if (shouldReportProtocolOnly(url))
         return url.protocol().toString();
     return static_cast<SecurityOriginData>(*m_selfSource).securityOrigin()->canRequest(url) ? url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString();
 }
@@ -686,7 +691,9 @@
 
     // FIXME: Support sending reports from worker.
     CSPInfo info;
-    info.documentURI = blockedURL.string();
+
+    info.documentURI = m_documentURL ? m_documentURL.value().strippedForUseAsReferrer() : deprecatedURLForReporting(blockedURL);
+
     if (m_client)
         m_client->willSendCSPViolationReport(info);
     else {
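Review bot: the `m_documentURL` branch calls strippedForUseAsReferrer() directly and skips the shouldReportProtocolOnly() check that the in-process path applies to document.url() in the next hunk, so a client-path report for a file:, data: or blob: document is not reduced to its scheme as the ChangeLog says it should be; apply the same check here. The fallback `deprecatedURLForReporting(blockedURL)` still puts the blocked URL into document-uri, which is a misleading value for anyone consuming reports; the policy already holds `m_protectedURL` (the constructor argument), which would be a more honest fallback than the blocked resource. Minor: the blank lines around the assignment are unusual for this file.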
@@ -698,7 +705,7 @@
         if (!frame)
             return;
 
-        info.documentURI = document.url().strippedForUseAsReferrer();
+        info.documentURI = shouldReportProtocolOnly(document.url()) ? document.url().protocol().toString() : document.url().strippedForUseAsReferrer();
 
         auto stack = createScriptCallStack(JSExecState::currentState(), 2);
         auto* callFrame = stack->firstNonNativeCallFrame();
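Review bot: this ternary repeats deprecatedURLForReporting() minus the canRequest() branch, and the `m_documentURL` assignment in the previous hunk is a third variant of the same rule. A small helper such as `documentURIForReporting(const URL&)` that returns `url.protocol().toString()` when shouldReportProtocolOnly() holds and `url.strippedForUseAsReferrer()` otherwise, used by both call sites, would keep the client and in-process reporting paths from drifting apart.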

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (273819 => 273820)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h	2021-03-03 17:51:55 UTC (rev 273820)
@@ -175,6 +175,8 @@
     void setClient(ContentSecurityPolicyClient* client) { m_client = client; }
     void updateSourceSelf(const SecurityOrigin&);
 
+    void setDocumentURL(URL& documentURL) { m_documentURL = documentURL; }
+
 private:
     void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), const WTF::OrdinalNumber& contextColumn = WTF::OrdinalNumber::beforeFirst(), JSC::JSGlobalObject* = nullptr) const;
     void applyPolicyToScriptExecutionContext();
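Review bot: `setDocumentURL(URL& documentURL)` takes a non-const lvalue reference although it only copies into `m_documentURL`; it should take `const URL&` (or `URL&&` with WTFMove at the call site). NetworkLoadChecker happens to pass a non-const member so this compiles, but the signature rejects a temporary or a const URL for no reason.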
@@ -216,6 +218,7 @@
     ScriptExecutionContext* m_scriptExecutionContext { nullptr };
     ContentSecurityPolicyClient* m_client { nullptr };
     URL m_protectedURL;
+    Optional<URL> m_documentURL;
     std::unique_ptr<ContentSecurityPolicySource> m_selfSource;
     String m_selfSourceProtocol;
     CSPDirectiveListVector m_policies;

Modified: trunk/Source/WebKit/ChangeLog (273819 => 273820)


--- trunk/Source/WebKit/ChangeLog	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Source/WebKit/ChangeLog	2021-03-03 17:51:55 UTC (rev 273820)
@@ -1,3 +1,32 @@
+2021-03-03  Kate Cheney  <katherine_che...@apple.com>
+
+        Report the correct document uri in the case of a ContentSecurityPolicyClient
+        https://bugs.webkit.org/show_bug.cgi?id=222489
+        <rdar://problem/73774118>
+
+        Reviewed by Brent Fulgham.
+
+        Pass the document URL from the Network Process when we schedule a load
+        in case we need to report a CSP violation in NetworkLoadChecker.
+
+        * NetworkProcess/NetworkLoadChecker.cpp:
+        (WebKit::NetworkLoadChecker::NetworkLoadChecker):
+        (WebKit::NetworkLoadChecker::contentSecurityPolicy):
+        The regular toString() method sets file:// URLs to null. We should use
+        toRawString() so we can report the scheme if the source origin is a
+        local file, as per the W3C spec.
+
+        * NetworkProcess/NetworkLoadChecker.h:
+        * NetworkProcess/NetworkResourceLoadParameters.cpp:
+        (WebKit::NetworkResourceLoadParameters::encode const):
+        (WebKit::NetworkResourceLoadParameters::decode):
+        * NetworkProcess/NetworkResourceLoadParameters.h:
+        * NetworkProcess/NetworkResourceLoader.cpp:
+        * NetworkProcess/PingLoad.cpp:
+        (WebKit::PingLoad::PingLoad):
+        * WebProcess/Network/WebLoaderStrategy.cpp:
+        (WebKit::WebLoaderStrategy::scheduleLoadFromNetworkProcess):
+
 2021-03-03  Don Olmstead  <don.olmst...@sony.com>
 
         [CMake] _javascript_Core GLib headers should be copies

Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp (273819 => 273820)


--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp	2021-03-03 17:51:55 UTC (rev 273820)
@@ -50,7 +50,7 @@
     return url.protocolIsData() || url.protocolIsBlob() || !origin || origin->canRequest(url);
 }
 
-NetworkLoadChecker::NetworkLoadChecker(NetworkProcess& networkProcess, NetworkResourceLoader* networkResourceLoader, NetworkSchemeRegistry* schemeRegistry, FetchOptions&& options, PAL::SessionID sessionID, WebPageProxyIdentifier webPageProxyID, HTTPHeaderMap&& originalRequestHeaders, URL&& url, RefPtr<SecurityOrigin>&& sourceOrigin, RefPtr<SecurityOrigin>&& topOrigin, PreflightPolicy preflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled, bool shouldCaptureExtraNetworkLoadMetrics, LoadType requestLoadType)
+NetworkLoadChecker::NetworkLoadChecker(NetworkProcess& networkProcess, NetworkResourceLoader* networkResourceLoader, NetworkSchemeRegistry* schemeRegistry, FetchOptions&& options, PAL::SessionID sessionID, WebPageProxyIdentifier webPageProxyID, HTTPHeaderMap&& originalRequestHeaders, URL&& url, DocumentURL&& documentURL, RefPtr<SecurityOrigin>&& sourceOrigin, RefPtr<SecurityOrigin>&& topOrigin, PreflightPolicy preflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled, bool shouldCaptureExtraNetworkLoadMetrics, LoadType requestLoadType)
     : m_options(WTFMove(options))
     , m_sessionID(sessionID)
     , m_networkProcess(networkProcess)
@@ -57,6 +57,7 @@
     , m_webPageProxyID(webPageProxyID)
     , m_originalRequestHeaders(WTFMove(originalRequestHeaders))
     , m_url(WTFMove(url))
+    , m_documentURL(WTFMove(documentURL))
     , m_origin(WTFMove(sourceOrigin))
     , m_topOrigin(WTFMove(topOrigin))
     , m_preflightPolicy(preflightPolicy)
@@ -474,8 +475,10 @@
 {
     if (!m_contentSecurityPolicy && m_cspResponseHeaders) {
         // FIXME: Pass the URL of the protected resource instead of its origin.
-        m_contentSecurityPolicy = makeUnique<ContentSecurityPolicy>(URL { URL { }, m_origin->toString() });
+        m_contentSecurityPolicy = makeUnique<ContentSecurityPolicy>(URL { URL { }, m_origin->toRawString() });
         m_contentSecurityPolicy->didReceiveHeaders(*m_cspResponseHeaders, String { m_referrer }, ContentSecurityPolicy::ReportParsingErrors::No);
+        if (!m_documentURL.isEmpty())
+            m_contentSecurityPolicy->setDocumentURL(m_documentURL);
     }
     return m_contentSecurityPolicy.get();
 }
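Review bot: with `m_documentURL` now available, the FIXME directly above ("Pass the URL of the protected resource instead of its origin") could be addressed in this hunk by constructing the ContentSecurityPolicy from `m_documentURL` when it is non-empty and falling back to the origin string otherwise, instead of adding a second channel for the same information through setDocumentURL(). The switch to `toRawString()` is explained only in the ChangeLog; a one-line comment here (toString() returns null for file: origins, the raw string keeps the scheme) would stop someone from "fixing" it back.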

Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h (273819 => 273820)


--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h	2021-03-03 17:51:55 UTC (rev 273820)
@@ -53,12 +53,14 @@
 class NetworkResourceLoader;
 class NetworkSchemeRegistry;
 
+using DocumentURL = URL;
+
 class NetworkLoadChecker : public CanMakeWeakPtr<NetworkLoadChecker> {
     WTF_MAKE_FAST_ALLOCATED;
 public:
     enum class LoadType : bool { MainFrame, Other };
 
-    NetworkLoadChecker(NetworkProcess&, NetworkResourceLoader*, NetworkSchemeRegistry*, WebCore::FetchOptions&&, PAL::SessionID, WebPageProxyIdentifier, WebCore::HTTPHeaderMap&&, URL&&, RefPtr<WebCore::SecurityOrigin>&&, RefPtr<WebCore::SecurityOrigin>&& topOrigin, WebCore::PreflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled = false, bool shouldCaptureExtraNetworkLoadMetrics = false, LoadType requestLoadType = LoadType::Other);
+    NetworkLoadChecker(NetworkProcess&, NetworkResourceLoader*, NetworkSchemeRegistry*, WebCore::FetchOptions&&, PAL::SessionID, WebPageProxyIdentifier, WebCore::HTTPHeaderMap&&, URL&&, DocumentURL&&,  RefPtr<WebCore::SecurityOrigin>&&, RefPtr<WebCore::SecurityOrigin>&& topOrigin, WebCore::PreflightPolicy, String&& referrer, bool isHTTPSUpgradeEnabled = false, bool shouldCaptureExtraNetworkLoadMetrics = false, LoadType requestLoadType = LoadType::Other);
     ~NetworkLoadChecker();
 
     struct RedirectionTriplet {
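Review bot: `using DocumentURL = URL;` documents intent but gives no type safety: every caller now passes two adjacent `URL { ... }` arguments (request URL, then document URL) and swapping them compiles silently. If the alias is meant to guard against that, make it a distinct wrapper type; otherwise a named parameter in the declaration does the same job with less suggestion of a real type. Style: double space after `DocumentURL&&,` in the constructor declaration.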
@@ -135,6 +137,7 @@
     WebCore::HTTPHeaderMap m_originalRequestHeaders; // Needed for CORS checks.
     WebCore::HTTPHeaderMap m_firstRequestHeaders; // Needed for CORS checks.
     URL m_url;
+    DocumentURL m_documentURL;
     RefPtr<WebCore::SecurityOrigin> m_origin;
     RefPtr<WebCore::SecurityOrigin> m_topOrigin;
     Optional<WebCore::ContentSecurityPolicyResponseHeaders> m_cspResponseHeaders;

Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp (273819 => 273820)


--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.cpp	2021-03-03 17:51:55 UTC (rev 273820)
@@ -110,6 +110,8 @@
     encoder << parentFrameID;
     encoder << crossOriginAccessControlCheckEnabled;
 
+    encoder << documentURL;
+    
 #if ENABLE(SERVICE_WORKER)
     encoder << serviceWorkersMode;
     encoder << serviceWorkerRegistrationIdentifier;
@@ -275,6 +277,12 @@
         return WTF::nullopt;
     result.crossOriginAccessControlCheckEnabled = *crossOriginAccessControlCheckEnabled;
     
+    Optional<URL> documentURL;
+    decoder >> documentURL;
+    if (!documentURL)
+        return WTF::nullopt;
+    result.documentURL = *documentURL;
+
 #if ENABLE(SERVICE_WORKER)
     Optional<ServiceWorkersMode> serviceWorkersMode;
     decoder >> serviceWorkersMode;
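Review bot: `documentURL` arrives from the web process and is untrusted in the network process; in this patch it is consumed only for the document-uri field of CSP violation reports (setDocumentURL() then reportViolation()), never for a policy decision, so a compromised web process can at most mislabel its own reports. That property is worth a comment at the field so nobody later uses it for a check. Encode and decode order match (both after `crossOriginAccessControlCheckEnabled`, outside the SERVICE_WORKER block). Minor: the blank line after `encoder << documentURL;` carries trailing whitespace.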

Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h (273819 => 273820)


--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoadParameters.h	2021-03-03 17:51:55 UTC (rev 273820)
@@ -64,7 +64,8 @@
     bool pageHasResourceLoadClient { false };
     Optional<WebCore::FrameIdentifier> parentFrameID;
     bool crossOriginAccessControlCheckEnabled { true };
-
+    URL documentURL;
+    
 #if ENABLE(SERVICE_WORKER)
     WebCore::ServiceWorkersMode serviceWorkersMode { WebCore::ServiceWorkersMode::None };
     Optional<WebCore::ServiceWorkerRegistrationIdentifier> serviceWorkerRegistrationIdentifier;
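Review bot: the new `URL documentURL;` member has no comment; the NetworkLoadChecker members nearby carry "// Needed for CORS checks." and this one should say what it is for, e.g. "// Only used for the document-uri field of CSP violation reports." The blank line it replaces also comes back as a line of trailing whitespace.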

Modified: trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp (273819 => 273820)


--- trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp	2021-03-03 17:51:55 UTC (rev 273820)
@@ -118,7 +118,7 @@
 
     if (synchronousReply || parameters.shouldRestrictHTTPResponseAccess || parameters.options.keepAlive) {
         NetworkLoadChecker::LoadType requestLoadType = isMainFrameLoad() ? NetworkLoadChecker::LoadType::MainFrame : NetworkLoadChecker::LoadType::Other;
-        m_networkLoadChecker = makeUnique<NetworkLoadChecker>(connection.networkProcess(), this,  &connection.schemeRegistry(), FetchOptions { m_parameters.options }, sessionID(), m_parameters.webPageProxyID, HTTPHeaderMap { m_parameters.originalRequestHeaders }, URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, originalRequest().httpReferrer(), m_parameters.isHTTPSUpgradeEnabled, shouldCaptureExtraNetworkLoadMetrics(), requestLoadType);
+        m_networkLoadChecker = makeUnique<NetworkLoadChecker>(connection.networkProcess(), this,  &connection.schemeRegistry(), FetchOptions { m_parameters.options }, sessionID(), m_parameters.webPageProxyID, HTTPHeaderMap { m_parameters.originalRequestHeaders }, URL { m_parameters.request.url() }, URL { m_parameters.documentURL }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, originalRequest().httpReferrer(), m_parameters.isHTTPSUpgradeEnabled, shouldCaptureExtraNetworkLoadMetrics(), requestLoadType);
         if (m_parameters.cspResponseHeaders)
             m_networkLoadChecker->setCSPResponseHeaders(ContentSecurityPolicyResponseHeaders { m_parameters.cspResponseHeaders.value() });
 #if ENABLE(CONTENT_EXTENSIONS)

Modified: trunk/Source/WebKit/NetworkProcess/PingLoad.cpp (273819 => 273820)


--- trunk/Source/WebKit/NetworkProcess/PingLoad.cpp	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Source/WebKit/NetworkProcess/PingLoad.cpp	2021-03-03 17:51:55 UTC (rev 273820)
@@ -45,7 +45,7 @@
     , m_parameters(WTFMove(parameters))
     , m_completionHandler(WTFMove(completionHandler))
     , m_timeoutTimer(*this, &PingLoad::timeoutTimerFired)
-    , m_networkLoadChecker(makeUniqueRef<NetworkLoadChecker>(networkProcess, nullptr, nullptr, FetchOptions { m_parameters.options}, m_sessionID, m_parameters.webPageProxyID, WTFMove(m_parameters.originalRequestHeaders), URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, m_parameters.request.httpReferrer()))
+    , m_networkLoadChecker(makeUniqueRef<NetworkLoadChecker>(networkProcess, nullptr, nullptr, FetchOptions { m_parameters.options}, m_sessionID, m_parameters.webPageProxyID, WTFMove(m_parameters.originalRequestHeaders), URL { m_parameters.request.url() }, URL { m_parameters.documentURL }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, m_parameters.request.httpReferrer()))
 {
     initialize(networkProcess);
 }
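Review bot: the only place in this patch that populates `loadParameters.documentURL` is WebLoaderStrategy::scheduleLoadFromNetworkProcess. If ping loads (sendBeacon, `<a ping>`) are built on a different path in the web process, `m_parameters.documentURL` is always empty here, the `!isEmpty()` guard skips setDocumentURL(), and reports for blocked pings keep the old blocked-URL document-uri. Please confirm that path sets the field too, or add a test that covers a blocked ping.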
@@ -55,7 +55,7 @@
     , m_parameters(WTFMove(parameters))
     , m_completionHandler(WTFMove(completionHandler))
     , m_timeoutTimer(*this, &PingLoad::timeoutTimerFired)
-    , m_networkLoadChecker(makeUniqueRef<NetworkLoadChecker>(connection.networkProcess(), nullptr,  &connection.schemeRegistry(), FetchOptions { m_parameters.options}, m_sessionID, m_parameters.webPageProxyID, WTFMove(m_parameters.originalRequestHeaders), URL { m_parameters.request.url() }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, m_parameters.request.httpReferrer()))
+    , m_networkLoadChecker(makeUniqueRef<NetworkLoadChecker>(connection.networkProcess(), nullptr,  &connection.schemeRegistry(), FetchOptions { m_parameters.options}, m_sessionID, m_parameters.webPageProxyID, WTFMove(m_parameters.originalRequestHeaders), URL { m_parameters.request.url() }, URL { m_parameters.documentURL }, m_parameters.sourceOrigin.copyRef(), m_parameters.topOrigin.copyRef(), m_parameters.preflightPolicy, m_parameters.request.httpReferrer()))
     , m_blobFiles(connection.resolveBlobReferences(m_parameters))
 {
     for (auto& file : m_blobFiles) {

Modified: trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp (273819 => 273820)


--- trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Source/WebKit/WebProcess/Network/WebLoaderStrategy.cpp	2021-03-03 17:51:55 UTC (rev 273820)
@@ -378,8 +378,10 @@
         if (!origin.isNull())
             loadParameters.sourceOrigin = SecurityOrigin::createFromString(origin);
     }
-    if (document)
+    if (document) {
         loadParameters.topOrigin = &document->topOrigin();
+        loadParameters.documentURL = document->url();
+    }
 
     if (loadParameters.options.mode != FetchOptions::Mode::Navigate) {
         ASSERT(loadParameters.sourceOrigin);
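Review bot: `document->url()` is sent to the network process unstripped: any userinfo, query and fragment cross the IPC boundary and are only removed later by strippedForUseAsReferrer() at report time. Since the network process needs only the reporting form, consider stripping (at least the credentials) here before sending. Loads without a Document (workers) still send an empty URL and take the blocked-URL fallback; the "FIXME: Support sending reports from worker" in ContentSecurityPolicy.cpp covers that, but a cross-reference here would help.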

Modified: trunk/Tools/ChangeLog (273819 => 273820)


--- trunk/Tools/ChangeLog	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Tools/ChangeLog	2021-03-03 17:51:55 UTC (rev 273820)
@@ -1,3 +1,21 @@
+2021-03-03  Kate Cheney  <katherine_che...@apple.com>
+
+        Report the correct document uri in the case of a ContentSecurityPolicyClient
+        https://bugs.webkit.org/show_bug.cgi?id=222489
+        <rdar://problem/73774118>
+
+        Reviewed by Brent Fulgham.
+
+        Rename OverrideContentSecurityPolicy.mm to ContentSecurityPolicy.mm
+        so we can use it for more general purpose CSP testing.
+
+        Add a test for document-uri reporting for file:, data: and about: protocols.
+
+        * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
+        * TestWebKitAPI/Tests/WebKitCocoa/ContentSecurityPolicy.mm: Renamed from Tools/TestWebKitAPI/Tests/WebKitCocoa/OverrideContentSecurityPolicy.mm.
+        (TEST):
+        * TestWebKitAPI/Tests/WebKitCocoa/csp-document-uri-report.html: Added.
+
 2021-03-03  Youenn Fablet  <you...@apple.com>
 
         WebKitLegacy needs to keep JSDOMWindow even though it is used while its origin is not set

Modified: trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj (273819 => 273820)


--- trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj	2021-03-03 17:51:55 UTC (rev 273820)
@@ -289,6 +289,7 @@
 		4971B13024623A3C0096994D /* basicITPDatabase.db-wal in Resources */ = {isa = PBXBuildFile; fileRef = 4971B12E24623A3B0096994D /* basicITPDatabase.db-wal */; };
 		4971B13124623A4F0096994D /* basicITPDatabase.db in Copy Resources */ = {isa = PBXBuildFile; fileRef = 4971B12C246239D30096994D /* basicITPDatabase.db */; };
 		49897D6C241FE9E400ECF153 /* in-app-browser-privacy-local-file.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 49D7FBA7241FDDDA00AB67FA /* in-app-browser-privacy-local-file.html */; };
+		4995A6F025E8772000E5F0A9 /* csp-document-uri-report.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = 4995A6EF25E876A300E5F0A9 /* csp-document-uri-report.html */; };
 		49AEEF6D2407359D00C87E4C /* InAppBrowserPrivacy.mm in Sources */ = {isa = PBXBuildFile; fileRef = 49AEEF6B2407358600C87E4C /* InAppBrowserPrivacy.mm */; };
 		4BFDFFA71314776C0061F24B /* HitTestResultNodeHandle_Bundle.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4BFDFFA61314776C0061F24B /* HitTestResultNodeHandle_Bundle.cpp */; };
 		510477721D298DDD009747EB /* IDBDeleteRecovery.sqlite3 in Copy Resources */ = {isa = PBXBuildFile; fileRef = 5104776F1D298D85009747EB /* IDBDeleteRecovery.sqlite3 */; };
@@ -1083,7 +1084,7 @@
 		CEA6CF2819CCF69D0064F5A7 /* open-and-close-window.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEA6CF2719CCF69D0064F5A7 /* open-and-close-window.html */; };
 		CEA7F57D2089624B0078EF6E /* DidResignInputElementStrongPasswordAppearance.mm in Sources */ = {isa = PBXBuildFile; fileRef = CEA7F57B20895F5B0078EF6E /* DidResignInputElementStrongPasswordAppearance.mm */; };
 		CEBABD491B71687C0051210A /* should-open-external-schemes.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBABD481B71687C0051210A /* should-open-external-schemes.html */; };
-		CEBCA12F1E3A660100C73293 /* OverrideContentSecurityPolicy.mm in Sources */ = {isa = PBXBuildFile; fileRef = CEBCA12E1E3A660100C73293 /* OverrideContentSecurityPolicy.mm */; };
+		CEBCA12F1E3A660100C73293 /* ContentSecurityPolicy.mm in Sources */ = {isa = PBXBuildFile; fileRef = CEBCA12E1E3A660100C73293 /* ContentSecurityPolicy.mm */; };
 		CEBCA1381E3A807A00C73293 /* page-with-csp.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBCA1351E3A803400C73293 /* page-with-csp.html */; };
 		CEBCA1391E3A807A00C73293 /* page-with-csp-iframe.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBCA1341E3A803400C73293 /* page-with-csp-iframe.html */; };
 		CEBCA13A1E3A807A00C73293 /* page-without-csp.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBCA1371E3A803400C73293 /* page-without-csp.html */; };
@@ -1390,6 +1391,7 @@
 				9B1F6F791F90559E00B55744 /* copy-html.html in Copy Resources */,
 				9B62630C1F8C25C8007EE29B /* copy-url.html in Copy Resources */,
 				7AEAD4811E20122700416EFE /* CrossPartitionFileSchemeAccess.html in Copy Resources */,
+				4995A6F025E8772000E5F0A9 /* csp-document-uri-report.html in Copy Resources */,
 				F4AB578A1F65165400DB0DA1 /* custom-draggable-div.html in Copy Resources */,
 				290F4275172A221C00939FF0 /* custom-protocol-sync-xhr.html in Copy Resources */,
 				1CF59AE521E6977D006E37EC /* dark-mode.html in Copy Resources */,
@@ -2049,6 +2051,7 @@
 		4971B12C246239D30096994D /* basicITPDatabase.db */ = {isa = PBXFileReference; lastKnownFileType = file; path = basicITPDatabase.db; sourceTree = SOURCE_ROOT; };
 		4971B12D24623A3B0096994D /* basicITPDatabase.db-shm */ = {isa = PBXFileReference; lastKnownFileType = file; path = "basicITPDatabase.db-shm"; sourceTree = SOURCE_ROOT; };
 		4971B12E24623A3B0096994D /* basicITPDatabase.db-wal */ = {isa = PBXFileReference; lastKnownFileType = text; path = "basicITPDatabase.db-wal"; sourceTree = SOURCE_ROOT; };
+		4995A6EF25E876A300E5F0A9 /* csp-document-uri-report.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "csp-document-uri-report.html"; sourceTree = "<group>"; };
 		49AEEF682407276F00C87E4C /* Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		49AEEF6B2407358600C87E4C /* InAppBrowserPrivacy.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = InAppBrowserPrivacy.mm; sourceTree = "<group>"; };
 		49D7FBA7241FDDDA00AB67FA /* in-app-browser-privacy-local-file.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "in-app-browser-privacy-local-file.html"; sourceTree = "<group>"; };
@@ -2842,7 +2845,7 @@
 		CEA6CF2719CCF69D0064F5A7 /* open-and-close-window.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "open-and-close-window.html"; sourceTree = "<group>"; };
 		CEA7F57B20895F5B0078EF6E /* DidResignInputElementStrongPasswordAppearance.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = DidResignInputElementStrongPasswordAppearance.mm; sourceTree = "<group>"; };
 		CEBABD481B71687C0051210A /* should-open-external-schemes.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "should-open-external-schemes.html"; sourceTree = "<group>"; };
-		CEBCA12E1E3A660100C73293 /* OverrideContentSecurityPolicy.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = OverrideContentSecurityPolicy.mm; sourceTree = "<group>"; };
+		CEBCA12E1E3A660100C73293 /* ContentSecurityPolicy.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = ContentSecurityPolicy.mm; sourceTree = "<group>"; };
 		CEBCA1341E3A803400C73293 /* page-with-csp-iframe.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "page-with-csp-iframe.html"; sourceTree = "<group>"; };
 		CEBCA1351E3A803400C73293 /* page-with-csp.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "page-with-csp.html"; sourceTree = "<group>"; };
 		CEBCA1361E3A803400C73293 /* page-without-csp-iframe.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "page-without-csp-iframe.html"; sourceTree = "<group>"; };
@@ -3303,6 +3306,7 @@
 				A14FC5861B8991B600D107EB /* ContentFiltering.mm */,
 				A14FC5891B89927100D107EB /* ContentFilteringPlugIn.mm */,
 				5CA1DED81F74A87100E71BD3 /* ContentRuleListNotification.mm */,
+				CEBCA12E1E3A660100C73293 /* ContentSecurityPolicy.mm */,
 				5C121E8C2410703200486F9B /* ContentWorldPlugIn.mm */,
 				5C3B1D2522A74EA400BCF4D0 /* ContextMenus.mm */,
 				5C2936911D5BF63E00DEAB1E /* CookieAcceptPolicy.mm */,
@@ -3403,7 +3407,6 @@
 				F4EB4E902328AC3000574DAB /* NSItemProviderAdditions.mm */,
 				37A22AA51DCAA27200AFBFC4 /* ObservedRenderingProgressEventsAfterCrash.mm */,
 				CEA6CF2219CCF5BD0064F5A7 /* OpenAndCloseWindow.mm */,
-				CEBCA12E1E3A660100C73293 /* OverrideContentSecurityPolicy.mm */,
 				2DA2586E225C67DC00B45C1C /* OverrideViewportArguments.mm */,
 				953ABB3425C0D681004C8B73 /* PageExtendedBackgroundColor.mm */,
 				2D3CA3A4221DF2390088E803 /* PageOverlayPlugin.mm */,
@@ -3837,6 +3840,7 @@
 				5C2936941D5BFD1900DEAB1E /* CookieMessage.html */,
 				9B1056421F9047CC00D5583F /* copy-html.html */,
 				9B62630B1F8C2510007EE29B /* copy-url.html */,
+				4995A6EF25E876A300E5F0A9 /* csp-document-uri-report.html */,
 				F4AB57891F65164B00DB0DA1 /* custom-draggable-div.html */,
 				F47DFB2421A8704A00021FB6 /* data-detectors.html */,
 				F486B1CF1F6794FF00F34BDD /* DataTransfer-setDragImage.html */,
@@ -5206,6 +5210,7 @@
 				A1146A8D1D2D7115000FE710 /* ContentFiltering.mm in Sources */,
 				A14FC5881B8991BF00D107EB /* ContentFiltering.mm in Sources */,
 				5CA1DED91F74A91A00E71BD3 /* ContentRuleListNotification.mm in Sources */,
+				CEBCA12F1E3A660100C73293 /* ContentSecurityPolicy.mm in Sources */,
 				44CF31FD249941E8009CB6CB /* ContextMenuAction.cpp in Sources */,
 				7CCE7EB81A411A7E00447C4C /* ContextMenuCanCopyURL.mm in Sources */,
 				37FB72971DB2E82F00E41BE4 /* ContextMenuDefaultItemsHaveTags.mm in Sources */,
@@ -5459,7 +5464,6 @@
 				1CB2F27C24F88379000A5BC1 /* OrthogonalFlowAvailableSize.mm in Sources */,
 				0F34077623037FDC0060A1A0 /* OverflowScrollViewTests.mm in Sources */,
 				C104BC1F2547237100C078C9 /* OverrideAppleLanguagesPreference.mm in Sources */,
-				CEBCA12F1E3A660100C73293 /* OverrideContentSecurityPolicy.mm in Sources */,
 				2DA2586F225C67DC00B45C1C /* OverrideViewportArguments.mm in Sources */,
 				953ABB3525C0D682004C8B73 /* PageExtendedBackgroundColor.mm in Sources */,
 				7CCB4DA91C83AE7300CC6918 /* PageGroup.cpp in Sources */,

Copied: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ContentSecurityPolicy.mm (from rev 273819, trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/OverrideContentSecurityPolicy.mm) (0 => 273820)


--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ContentSecurityPolicy.mm	                        (rev 0)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/ContentSecurityPolicy.mm	2021-03-03 17:51:55 UTC (rev 273820)
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2017-2021 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#import "config.h"
+
+#import "TestWKWebView.h"
+#import <WebKit/WKWebViewConfigurationPrivate.h>
+#import <WebKit/WKWebViewPrivate.h>
+#import <wtf/RetainPtr.h>
+
+TEST(WKWebView, DISABLED_SetOverrideContentSecurityPolicyWithEmptyStringForPageWithCSP)
+{
+    @autoreleasepool {
+        RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+        [configuration _setOverrideContentSecurityPolicy:@""];
+
+        RetainPtr<TestWKWebView> webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
+        NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"page-with-csp" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
+        [webView loadRequest:request];
+
+        [webView waitForMessage:@"MainFrame: A"];
+        [webView waitForMessage:@"MainFrame: B"];
+        [webView waitForMessage:@"Subframe: A"];
+        [webView waitForMessage:@"Subframe: B"];
+    }
+}
+
+TEST(WKWebView, SetOverrideContentSecurityPolicyForPageWithCSP)
+{
+    @autoreleasepool {
+        RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+        [configuration _setOverrideContentSecurityPolicy:@"script-src 'nonce-b'"];
+
+        RetainPtr<TestWKWebView> webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
+        NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"page-with-csp" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
+        [webView loadRequest:request];
+
+        [webView waitForMessage:@"MainFrame: B"];
+        [webView waitForMessage:@"Subframe: B"];
+    }
+}
+
+TEST(WKWebView, SetOverrideContentSecurityPolicyForPageWithoutCSP)
+{
+    @autoreleasepool {
+        RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+        [configuration _setOverrideContentSecurityPolicy:@"script-src 'nonce-b'"];
+
+        RetainPtr<TestWKWebView> webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
+        NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"page-without-csp" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
+        [webView loadRequest:request];
+
+        [webView waitForMessage:@"MainFrame: B"];
+        [webView waitForMessage:@"Subframe: B"];
+    }
+}
+
+TEST(WKWebView, CheckViolationReportDocumentURIForFileProtocol)
+{
+    @autoreleasepool {
+        auto configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+        auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
+        NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"csp-document-uri-report" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
+        [webView loadRequest:request];
+
+        [webView waitForMessage:@"document-uri: file"];
+    }
+}
+
+TEST(WKWebView, CheckViolationReportDocumentURIForDataProtocol)
+{
+    @autoreleasepool {
+        auto configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+        auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
+        NSString *path = [NSBundle.mainBundle pathForResource:@"csp-document-uri-report" ofType:@"html" inDirectory:@"TestWebKitAPI.resources"];
+        NSString* content = [NSString stringWithContentsOfFile:path encoding:NSUTF8StringEncoding error:NULL];
+
+        NSURLRequest *loadRequest = [NSURLRequest requestWithURL:[NSURL URLWithString:@"data:text/html"]];
+        NSData *data = "" dataUsingEncoding:NSUTF8StringEncoding];
+        auto response = adoptNS([[NSURLResponse alloc] initWithURL:[NSURL URLWithString:@"data:text/html"] MIMEType:@"text/HTML" expectedContentLength:[data length] textEncodingName:@"UTF-8"]);
+
+        [webView loadSimulatedRequest:loadRequest withResponse:response.get() responseData:data];
+        [webView waitForMessage:@"document-uri: data"];
+    }
+}
+
+TEST(WKWebView, CheckViolationReportDocumentURIForAboutProtocol)
+{
+    @autoreleasepool {
+        auto configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
+        auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
+        NSString *path = [NSBundle.mainBundle pathForResource:@"csp-document-uri-report" ofType:@"html" inDirectory:@"TestWebKitAPI.resources"];
+        NSString* content = [NSString stringWithContentsOfFile:path encoding:NSUTF8StringEncoding error:NULL];
+
+        [webView loadHTMLString:content baseURL:nil];
+        [webView waitForMessage:@"document-uri: about"];
+    }
+}
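Review bot: in `CheckViolationReportDocumentURIForDataProtocol` the line `NSData *data = "" dataUsingEncoding:NSUTF8StringEncoding];` does not parse as written; `content` is read on the preceding line and is otherwise unused, so the receiver of `dataUsingEncoding:` appears to have been lost and the statement should read as a message send on `content`. In the same test `MIMEType:@"text/HTML"` uses an unusual case for the type (`@"text/html"` matches the request URL on the line above), and `NSString* content` departs from the `NSString *path` pointer style used elsewhere in the file. The three new `CheckViolationReportDocumentURI...` tests only assert on the bare scheme (`file`, `data`, `about`); a comment explaining that this is the CSP2 rule for globally unique origins, which keeps local file paths and full `data:` payloads out of violation reports, would document why the expected values are not full URLs.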

Deleted: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/OverrideContentSecurityPolicy.mm (273819 => 273820)


--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/OverrideContentSecurityPolicy.mm	2021-03-03 17:14:52 UTC (rev 273819)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/OverrideContentSecurityPolicy.mm	2021-03-03 17:51:55 UTC (rev 273820)
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#import "config.h"
-
-#import "TestWKWebView.h"
-#import <WebKit/WKWebViewConfigurationPrivate.h>
-#import <wtf/RetainPtr.h>
-
-TEST(WKWebView, DISABLED_SetOverrideContentSecurityPolicyWithEmptyStringForPageWithCSP)
-{
-    @autoreleasepool {
-        RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
-        [configuration _setOverrideContentSecurityPolicy:@""];
-
-        RetainPtr<TestWKWebView> webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
-        NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"page-with-csp" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
-        [webView loadRequest:request];
-
-        [webView waitForMessage:@"MainFrame: A"];
-        [webView waitForMessage:@"MainFrame: B"];
-        [webView waitForMessage:@"Subframe: A"];
-        [webView waitForMessage:@"Subframe: B"];
-    }
-}
-
-TEST(WKWebView, SetOverrideContentSecurityPolicyForPageWithCSP)
-{
-    @autoreleasepool {
-        RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
-        [configuration _setOverrideContentSecurityPolicy:@"script-src 'nonce-b'"];
-
-        RetainPtr<TestWKWebView> webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
-        NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"page-with-csp" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
-        [webView loadRequest:request];
-
-        [webView waitForMessage:@"MainFrame: B"];
-        [webView waitForMessage:@"Subframe: B"];
-    }
-}
-
-TEST(WKWebView, SetOverrideContentSecurityPolicyForPageWithoutCSP)
-{
-    @autoreleasepool {
-        RetainPtr<WKWebViewConfiguration> configuration = adoptNS([[WKWebViewConfiguration alloc] init]);
-        [configuration _setOverrideContentSecurityPolicy:@"script-src 'nonce-b'"];
-
-        RetainPtr<TestWKWebView> webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSMakeRect(0, 0, 800, 600) configuration:configuration.get()]);
-        NSURLRequest *request = [NSURLRequest requestWithURL:[[NSBundle mainBundle] URLForResource:@"page-without-csp" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"]];
-        [webView loadRequest:request];
-
-        [webView waitForMessage:@"MainFrame: B"];
-        [webView waitForMessage:@"Subframe: B"];
-    }
-}

Added: trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/csp-document-uri-report.html (0 => 273820)


--- trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/csp-document-uri-report.html	                        (rev 0)
+++ trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/csp-document-uri-report.html	2021-03-03 17:51:55 UTC (rev 273820)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-b'">
+</head>
+<body>
+<script>
+</script>
+<script nonce="b">
+    document.addEventListener('securitypolicyviolation', e => {
+        window.webkit.messageHandlers.testHandler.postMessage("document-uri: " + e.documentURI);
+    });
+</script>
+</body>
+</html>
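Review bot: the `securitypolicyviolation` listener is registered by the nonce-`b` script that comes after the empty inline `<script>` it is meant to observe, so the test relies on the violation event being queued as a task rather than dispatched synchronously while the first script is blocked. Moving the listener script above the empty script removes that ordering dependency, and a one-line HTML comment noting that the empty un-nonced `<script>` is the intended violation trigger would make the fixture self-explanatory.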