Diff
Modified: branches/safari-611.4.2.0-branch/LayoutTests/ChangeLog (283413 => 283414)
--- branches/safari-611.4.2.0-branch/LayoutTests/ChangeLog 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/LayoutTests/ChangeLog 2021-10-01 23:13:26 UTC (rev 283414)
@@ -1,76 +1,3 @@
-2021-10-01 Russell Epstein <repst...@apple.com>
-
- Cherry-pick r281431. rdar://problem/81175635
-
- Report correct blocked URI in CSP violation report
- https://bugs.webkit.org/show_bug.cgi?id=226316
- <rdar://problem/78552912>
-
- Reviewed by Alex Christensen.
-
- Source/WebCore:
-
- Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html
- http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html
-
- Currently for a blocked redirection we report the blocked URI as the
- target URL. This is not up to spec and we should actually report the
- requested URL.
-
- * loader/DocumentThreadableLoader.cpp:
- (WebCore::DocumentThreadableLoader::redirectReceived):
- (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
- * loader/DocumentThreadableLoader.h:
- * page/csp/ContentSecurityPolicy.cpp:
- (WebCore::ContentSecurityPolicy::allowConnectToSource const):
- (WebCore::ContentSecurityPolicy::reportViolation const):
- * page/csp/ContentSecurityPolicy.h:
-
- Source/WebKit:
-
- Currently for a blocked redirection we report the blocked URI as the
- target URL. This is not up to spec and we should actually report the
- requested URL.
-
- * NetworkProcess/NetworkLoadChecker.cpp:
- (WebKit::NetworkLoadChecker::check):
- (WebKit::NetworkLoadChecker::checkRedirection):
- (WebKit::NetworkLoadChecker::checkRequest):
- (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
- * NetworkProcess/NetworkLoadChecker.h:
-
- LayoutTests:
-
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html: Added.
- * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- WebKitLegacy and Win have different console logging.
-
- git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281431 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 2021-08-22 Kate Cheney <katherine_che...@apple.com>
-
- Report correct blocked URI in CSP violation report
- https://bugs.webkit.org/show_bug.cgi?id=226316
- <rdar://problem/78552912>
-
- Reviewed by Alex Christensen.
-
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html: Added.
- * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- WebKitLegacy and Win have different console logging.
-
2021-09-30 Russell Epstein <repst...@apple.com>
Cherry-pick r281613. rdar://problem/83369963
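Review bot: the hunk deletes the whole cherry-pick entry (ChangeLog lines 1-76) and adds nothing in its place, so the branch history will not say why r281431 is being backed out; a short `Revert r281431` entry carrying the radar that tracks the revert would keep the reason discoverable next to the entry it undoes. Dropping the entry also removes the only record that this same revision deletes the two tests and their mac-wk1/win expectation files.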
Deleted: branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (283413 => 283414)
--- branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-10-01 23:13:26 UTC (rev 283414)
@@ -1,10 +0,0 @@
-CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Blocked by Content Security Policy.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py due to access control checks.
-PASS XMLHttpRequest.send() did not follow the disallowed redirect.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
-
-
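Review bot: the expectation being deleted documents a distinction worth keeping in mind when reviewing the revert: the console line `CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py` already names the redirect target, while `blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""` shows the pre-redirect URL. The console message is visible only in the inspector; `blockedURI` is what page script receives, so the two are not equivalent from a disclosure standpoint.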
Deleted: branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html (283413 => 283414)
--- branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html 2021-10-01 23:13:26 UTC (rev 283414)
@@ -1,46 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py">
- <script src=""
-</head>
-<body>
- <script>
- window.jsTestIsAsync = true;
-
- var haveReportedXhrError = false;
- var haveReportedBlockedURI = false;
-
- // Expect the blocked URI to be the requested origin, not the redirect target.
- document.addEventListener('securitypolicyviolation', e => {
- document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
- haveReportedBlockedURI = true;
- if (haveReportedXhrError)
- finishJSTest();
- });
-
- var xhr = new XMLHttpRequest;
- try {
- xhr.open("GET", "resources/redir.py?url="" true);
- } catch(e) {
- testFailed("XMLHttpRequest.open() should not throw an exception.");
- }
-
- xhr._onload_ = function () {
- testFailed("XMLHttpRequest.send() should fail to follow the disallowed redirect.");
- finishJSTest();
- };
-
- xhr._onerror_ = function () {
- testPassed("XMLHttpRequest.send() did not follow the disallowed redirect.");
- haveReportedXhrError = true;
- if (haveReportedBlockedURI)
- finishJSTest();
- };
-
- xhr.send();
- </script>
-</script>
-<script src=""
-</body>
-</html>
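Review bot: deleting report-blocked-uri-after-blocked-redirect.html leaves the branch with no test that pins what `e.blockedURI` contains after a blocked redirect, so neither the reverted behaviour nor a later re-land of r281431 is covered; the listener `document.addEventListener('securitypolicyviolation', e => {` together with the expected file was the only assertion of that value. If the branch is meant to keep reporting the redirect target, consider keeping the test with its expectation updated rather than removing it, so any further change in the reported URI is caught.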
Deleted: branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (283413 => 283414)
--- branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-10-01 23:13:26 UTC (rev 283414)
@@ -1,10 +0,0 @@
-CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Blocked by Content Security Policy.
-CONSOLE MESSAGE: Fetch API cannot load http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py due to access control checks.
-PASS fetch was successfully blocked.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
-
-
Deleted: branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html (283413 => 283414)
--- branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html 2021-10-01 23:13:26 UTC (rev 283414)
@@ -1,41 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py">
- <script src=""
-
-</head>
-<body>
- <script>
- window.jsTestIsAsync = true;
-
- var haveReportedFetchError = false;
- var haveReportedBlockedURI = false;
-
- // Expect the blocked URI to be the requested origin, not the redirect target.
- document.addEventListener('securitypolicyviolation', e => {
- document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
- haveReportedBlockedURI = true;
- if (haveReportedFetchError)
- finishJSTest();
- });
-
- var url = ""
-
-async function loadURL() {
- try {
- await fetch(url);
- testFailed("fetch should not have succeeded.");
- } catch (e) {
- haveReportedFetchError = true;
- testPassed("fetch was successfully blocked.");
- if (haveReportedBlockedURI)
- finishJSTest();
- }
-}
-loadURL();
- </script>
-</script>
-<script src=""
-</body>
-</html>
Deleted: branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (283413 => 283414)
--- branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-10-01 23:13:26 UTC (rev 283414)
@@ -1,10 +0,0 @@
-CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Blocked by Content Security Policy.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
-PASS XMLHttpRequest.send() did not follow the disallowed redirect.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
-
-
Deleted: branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (283413 => 283414)
--- branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-10-01 23:13:26 UTC (rev 283414)
@@ -1,10 +0,0 @@
-CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Blocked by Content Security Policy.
-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
-PASS fetch was successfully blocked.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
-
-
Deleted: branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (283413 => 283414)
--- branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-10-01 23:13:26 UTC (rev 283414)
@@ -1,10 +0,0 @@
-CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Blocked by Content Security Policy.
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
-PASS XMLHttpRequest.send() did not follow the disallowed redirect.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
-
-
Deleted: branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (283413 => 283414)
--- branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-10-01 23:13:26 UTC (rev 283414)
@@ -1,10 +0,0 @@
-CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Blocked by Content Security Policy.
-CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
-PASS fetch was successfully blocked.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
-
-
Modified: branches/safari-611.4.2.0-branch/Source/WebCore/ChangeLog (283413 => 283414)
--- branches/safari-611.4.2.0-branch/Source/WebCore/ChangeLog 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/Source/WebCore/ChangeLog 2021-10-01 23:13:26 UTC (rev 283414)
@@ -1,82 +1,3 @@
-2021-10-01 Russell Epstein <repst...@apple.com>
-
- Cherry-pick r281431. rdar://problem/81175635
-
- Report correct blocked URI in CSP violation report
- https://bugs.webkit.org/show_bug.cgi?id=226316
- <rdar://problem/78552912>
-
- Reviewed by Alex Christensen.
-
- Source/WebCore:
-
- Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html
- http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html
-
- Currently for a blocked redirection we report the blocked URI as the
- target URL. This is not up to spec and we should actually report the
- requested URL.
-
- * loader/DocumentThreadableLoader.cpp:
- (WebCore::DocumentThreadableLoader::redirectReceived):
- (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
- * loader/DocumentThreadableLoader.h:
- * page/csp/ContentSecurityPolicy.cpp:
- (WebCore::ContentSecurityPolicy::allowConnectToSource const):
- (WebCore::ContentSecurityPolicy::reportViolation const):
- * page/csp/ContentSecurityPolicy.h:
-
- Source/WebKit:
-
- Currently for a blocked redirection we report the blocked URI as the
- target URL. This is not up to spec and we should actually report the
- requested URL.
-
- * NetworkProcess/NetworkLoadChecker.cpp:
- (WebKit::NetworkLoadChecker::check):
- (WebKit::NetworkLoadChecker::checkRedirection):
- (WebKit::NetworkLoadChecker::checkRequest):
- (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
- * NetworkProcess/NetworkLoadChecker.h:
-
- LayoutTests:
-
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html: Added.
- * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- WebKitLegacy and Win have different console logging.
-
- git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281431 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 2021-08-22 Kate Cheney <katherine_che...@apple.com>
-
- Report correct blocked URI in CSP violation report
- https://bugs.webkit.org/show_bug.cgi?id=226316
- <rdar://problem/78552912>
-
- Reviewed by Alex Christensen.
-
- Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html
- http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html
-
- Currently for a blocked redirection we report the blocked URI as the
- target URL. This is not up to spec and we should actually report the
- requested URL.
-
- * loader/DocumentThreadableLoader.cpp:
- (WebCore::DocumentThreadableLoader::redirectReceived):
- (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
- * loader/DocumentThreadableLoader.h:
- * page/csp/ContentSecurityPolicy.cpp:
- (WebCore::ContentSecurityPolicy::allowConnectToSource const):
- (WebCore::ContentSecurityPolicy::reportViolation const):
- * page/csp/ContentSecurityPolicy.h:
-
2021-09-30 Russell Epstein <repst...@apple.com>
Cherry-pick r281613. rdar://problem/83369963
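Review bot: the entry being removed states why the original change landed, `Currently for a blocked redirection we report the blocked URI as the target URL. This is not up to spec`, and this revert restores exactly that behaviour: after a blocked redirect the document gets the post-redirect URL in the violation report and in SecurityPolicyViolationEvent.blockedURI (the value the deleted test printed), which is a redirect destination the page could not otherwise observe. The revision should say whether that disclosure is accepted on this branch or is temporary pending a different fix, since nothing on this page records the reason.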
Modified: branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp (283413 => 283414)
--- branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp 2021-10-01 23:13:26 UTC (rev 283414)
@@ -325,7 +325,7 @@
return;
}
- if (!isAllowedByContentSecurityPolicy(request.url(), redirectResponse.isNull() ? ContentSecurityPolicy::RedirectResponseReceived::No : ContentSecurityPolicy::RedirectResponseReceived::Yes, redirectResponse.url())) {
+ if (!isAllowedByContentSecurityPolicy(request.url(), redirectResponse.isNull() ? ContentSecurityPolicy::RedirectResponseReceived::No : ContentSecurityPolicy::RedirectResponseReceived::Yes)) {
reportContentSecurityPolicyError(redirectResponse.url());
clearResource();
return completionHandler(WTFMove(request));
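Review bot: after this change the two reporting paths in redirectReceived() disagree on the URL. The CSP check at `if (!isAllowedByContentSecurityPolicy(request.url(), ...` now reports `request.url()`, the redirect target, in the violation report, while the line directly below, `reportContentSecurityPolicyError(redirectResponse.url());`, still hands the pre-redirect URL to the loader client. If returning to target-URL reporting is deliberate for the branch, that asymmetry should be called out in the ChangeLog; otherwise the dropped third argument is the single line that reintroduces the disclosure.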
@@ -668,7 +668,7 @@
didFinishLoading(identifier);
}
-bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url, ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL)
+bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url, ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived)
{
switch (m_options.contentSecurityPolicyEnforcement) {
case ContentSecurityPolicyEnforcement::DoNotEnforce:
@@ -676,7 +676,7 @@
case ContentSecurityPolicyEnforcement::EnforceChildSrcDirective:
return contentSecurityPolicy().allowChildContextFromSource(url, redirectResponseReceived);
case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective:
- return contentSecurityPolicy().allowConnectToSource(url, redirectResponseReceived, preRedirectURL);
+ return contentSecurityPolicy().allowConnectToSource(url, redirectResponseReceived);
case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
return contentSecurityPolicy().allowScriptFromSource(url, redirectResponseReceived);
}
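Review bot: only the EnforceConnectSrcDirective arm ever carried the pre-redirect URL; `allowChildContextFromSource(url, redirectResponseReceived)` and `allowScriptFromSource(url, redirectResponseReceived)` in the same switch receive `url`, which at the redirect call site is `request.url()`, both before and after this revert. If r281431 is re-landed on the branch, threading the original request URL through all three arms (and the ContentSecurityPolicy overloads behind them) would avoid fixing connect-src alone.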
Modified: branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.h (283413 => 283414)
--- branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.h 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.h 2021-10-01 23:13:26 UTC (rev 283414)
@@ -103,7 +103,7 @@
void loadRequest(ResourceRequest&&, SecurityCheckPolicy);
bool isAllowedRedirect(const URL&);
- bool isAllowedByContentSecurityPolicy(const URL&, ContentSecurityPolicy::RedirectResponseReceived, const URL& preRedirectURL = URL());
+ bool isAllowedByContentSecurityPolicy(const URL&, ContentSecurityPolicy::RedirectResponseReceived);
SecurityOrigin& securityOrigin() const;
const ContentSecurityPolicy& contentSecurityPolicy() const;
Modified: branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (283413 => 283414)
--- branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2021-10-01 23:13:26 UTC (rev 283414)
@@ -618,7 +618,7 @@
return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::mediaSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia);
}
-bool ContentSecurityPolicy::allowConnectToSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
+bool ContentSecurityPolicy::allowConnectToSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
{
if (LegacySchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol().toStringWithoutCopying()))
return true;
@@ -626,7 +626,7 @@
TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, "Refused to connect to");
- reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition, preRedirectURL);
+ reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
@@ -677,12 +677,12 @@
return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
}
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state) const
{
- return reportViolation(effectiveViolatedDirective, violatedDirective.text(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state, preRedirectURL);
+ return reportViolation(effectiveViolatedDirective, violatedDirective.text(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state);
}
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state) const
{
logToConsole(consoleMessage, sourceURL, sourcePosition.m_line, sourcePosition.m_column, state);
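Review bot: the two removed definitions placed the same parameter in different positions, `const URL& preRedirectURL, JSC::JSGlobalObject* state` in the first overload and `JSC::JSGlobalObject* state, const URL& preRedirectURL` in the second, which with defaulted arguments invites a call that silently binds the wrong value. The revert makes the overload set consistent again; if the change comes back, give both overloads the same parameter order, or carry the pre-redirect URL in a small struct rather than a trailing defaulted argument.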
@@ -717,12 +717,7 @@
}
ASSERT(m_client || is<Document>(m_scriptExecutionContext));
- String blockedURI;
- if (preRedirectURL.isNull())
- blockedURI = deprecatedURLForReporting(blockedURL);
- else
- blockedURI = deprecatedURLForReporting(preRedirectURL);
-
+ String blockedURI = deprecatedURLForReporting(blockedURL);
// FIXME: Is it policy to not use the status code for HTTPS, or is that a bug?
unsigned short httpStatusCode = m_selfSourceProtocol == "http" ? m_httpStatusCode : 0;
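Review bot: this hunk is where the report content actually changes: `String blockedURI = deprecatedURLForReporting(blockedURL);` now always uses `blockedURL`, and at the redirect call site in DocumentThreadableLoader that is the redirect target. The removed `if (preRedirectURL.isNull())` branch was the only place the original request URL was substituted, so every report produced here after a blocked redirect will again carry the destination URL; a one-line comment at this point (or in the commit) noting that this is intended for the branch would stop the next reader from treating it as an oversight.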
Modified: branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.h (283413 => 283414)
--- branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.h 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.h 2021-10-01 23:13:26 UTC (rev 283414)
@@ -114,7 +114,7 @@
bool allowChildFrameFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
WEBCORE_EXPORT bool allowChildContextFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
- WEBCORE_EXPORT bool allowConnectToSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& requestedURL = URL()) const;
+ WEBCORE_EXPORT bool allowConnectToSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
bool allowFormAction(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
bool allowObjectFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
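Review bot: the removed declaration named the parameter `requestedURL` (`const URL& requestedURL = URL()`) while the definition in ContentSecurityPolicy.cpp called it `preRedirectURL`. The revert removes the mismatch, but if the change is re-landed the declaration and definition should agree on one name so that the meaning (the URL before any redirect) is obvious at call sites.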
@@ -210,8 +210,8 @@
void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*) const;
void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList&, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
- void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr) const;
- void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL()) const;
+ void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* = nullptr) const;
+ void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*) const;
void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
// We can never have both a script execution context and a ContentSecurityPolicyClient.
Modified: branches/safari-611.4.2.0-branch/Source/WebKit/ChangeLog (283413 => 283414)
--- branches/safari-611.4.2.0-branch/Source/WebKit/ChangeLog 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/Source/WebKit/ChangeLog 2021-10-01 23:13:26 UTC (rev 283414)
@@ -1,77 +1,3 @@
-2021-10-01 Russell Epstein <repst...@apple.com>
-
- Cherry-pick r281431. rdar://problem/81175635
-
- Report correct blocked URI in CSP violation report
- https://bugs.webkit.org/show_bug.cgi?id=226316
- <rdar://problem/78552912>
-
- Reviewed by Alex Christensen.
-
- Source/WebCore:
-
- Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html
- http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html
-
- Currently for a blocked redirection we report the blocked URI as the
- target URL. This is not up to spec and we should actually report the
- requested URL.
-
- * loader/DocumentThreadableLoader.cpp:
- (WebCore::DocumentThreadableLoader::redirectReceived):
- (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
- * loader/DocumentThreadableLoader.h:
- * page/csp/ContentSecurityPolicy.cpp:
- (WebCore::ContentSecurityPolicy::allowConnectToSource const):
- (WebCore::ContentSecurityPolicy::reportViolation const):
- * page/csp/ContentSecurityPolicy.h:
-
- Source/WebKit:
-
- Currently for a blocked redirection we report the blocked URI as the
- target URL. This is not up to spec and we should actually report the
- requested URL.
-
- * NetworkProcess/NetworkLoadChecker.cpp:
- (WebKit::NetworkLoadChecker::check):
- (WebKit::NetworkLoadChecker::checkRedirection):
- (WebKit::NetworkLoadChecker::checkRequest):
- (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
- * NetworkProcess/NetworkLoadChecker.h:
-
- LayoutTests:
-
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html: Added.
- * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
- * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
- WebKitLegacy and Win have different console logging.
-
- git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281431 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 2021-08-22 Kate Cheney <katherine_che...@apple.com>
-
- Report correct blocked URI in CSP violation report
- https://bugs.webkit.org/show_bug.cgi?id=226316
- <rdar://problem/78552912>
-
- Reviewed by Alex Christensen.
-
- Currently for a blocked redirection we report the blocked URI as the
- target URL. This is not up to spec and we should actually report the
- requested URL.
-
- * NetworkProcess/NetworkLoadChecker.cpp:
- (WebKit::NetworkLoadChecker::check):
- (WebKit::NetworkLoadChecker::checkRedirection):
- (WebKit::NetworkLoadChecker::checkRequest):
- (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
- * NetworkProcess/NetworkLoadChecker.h:
-
2021-08-10 Russell Epstein <repst...@apple.com>
Apply patch. rdar://problem/79924198
Modified: branches/safari-611.4.2.0-branch/Source/WebKit/NetworkProcess/NetworkLoadChecker.h (283413 => 283414)
--- branches/safari-611.4.2.0-branch/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2021-10-01 23:13:20 UTC (rev 283413)
+++ branches/safari-611.4.2.0-branch/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2021-10-01 23:13:26 UTC (rev 283414)
@@ -103,9 +103,9 @@
bool isChecking() const { return !!m_corsPreflightChecker; }
bool isRedirected() const { return m_redirectCount; }
- void checkRequest(WebCore::ResourceRequest&&, WebCore::ContentSecurityPolicyClient*, const URL&, ValidationHandler&&);
+ void checkRequest(WebCore::ResourceRequest&&, WebCore::ContentSecurityPolicyClient*, ValidationHandler&&);
- bool isAllowedByContentSecurityPolicy(const WebCore::ResourceRequest&, WebCore::ContentSecurityPolicyClient*, const URL& preRedirectURL = URL());
+ bool isAllowedByContentSecurityPolicy(const WebCore::ResourceRequest&, WebCore::ContentSecurityPolicyClient*);
void continueCheckingRequest(WebCore::ResourceRequest&&, ValidationHandler&&);
void continueCheckingRequestOrDoSyntheticRedirect(WebCore::ResourceRequest&& originalRequest, WebCore::ResourceRequest&& currentRequest, ValidationHandler&&);
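Review bot: the header drops a parameter from both `checkRequest(...)` and `isAllowedByContentSecurityPolicy(...)`, but the NetworkLoadChecker.cpp side that the removed ChangeLog entry lists (check, checkRedirection, checkRequest, isAllowedByContentSecurityPolicy) is not part of what is shown here. Confirm it is reverted in the same revision: any call site still passing the URL argument will fail to compile against these declarations, and the network-process path is the one that handles redirects for WebKit2 loads, so it must be reverted in step with the WebCore change above.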