Diff
Modified: trunk/LayoutTests/ChangeLog (281430 => 281431)
--- trunk/LayoutTests/ChangeLog 2021-08-23 01:41:34 UTC (rev 281430)
+++ trunk/LayoutTests/ChangeLog 2021-08-23 02:24:23 UTC (rev 281431)
@@ -1,3 +1,21 @@
+2021-08-22 Kate Cheney <katherine_che...@apple.com>
+
+ Report correct blocked URI in CSP violation report
+ https://bugs.webkit.org/show_bug.cgi?id=226316
+ <rdar://problem/78552912>
+
+ Reviewed by Alex Christensen.
+
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ WebKitLegacy and Win have different console logging.
+
2021-08-22 Yusuke Suzuki <ysuz...@apple.com>
[JSC] Remove already-shipped JS feature flags
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (0 => 281431)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-08-23 02:24:23 UTC (rev 281431)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py due to access control checks.
+PASS XMLHttpRequest.send() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html (0 => 281431)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html 2021-08-23 02:24:23 UTC (rev 281431)
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py">
+ <script src=""
+</head>
+<body>
+ <script>
+ window.jsTestIsAsync = true;
+
+ var haveReportedXhrError = false;
+ var haveReportedBlockedURI = false;
+
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ haveReportedBlockedURI = true;
+ if (haveReportedXhrError)
+ finishJSTest();
+ });
+
+ var xhr = new XMLHttpRequest;
+ try {
+ xhr.open("GET", "resources/redir.py?url="" true);
+ } catch(e) {
+ testFailed("XMLHttpRequest.open() should not throw an exception.");
+ }
+
+ xhr._onload_ = function () {
+ testFailed("XMLHttpRequest.send() should fail to follow the disallowed redirect.");
+ finishJSTest();
+ };
+
+ xhr._onerror_ = function () {
+ testPassed("XMLHttpRequest.send() did not follow the disallowed redirect.");
+ haveReportedXhrError = true;
+ if (haveReportedBlockedURI)
+ finishJSTest();
+ };
+
+ xhr.send();
+ </script>
+</script>
+<script src=""
+</body>
+</html>
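Review bot: The comment above the `securitypolicyviolation` listener says the blocked URI should be "the requested origin", but the expected output for this test records a full URL with path and query, so the wording does not match what is being checked. Suggest `// Expect blockedURI to be the originally requested URL, not the redirect target.` The same comment appears in report-blocked-uri-after-multiple-redirects.html. It would also help to say why: the handler reads `e.blockedURI` from page script, so the value must not reveal where a cross-origin redirect led.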
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (0 => 281431)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-08-23 02:24:23 UTC (rev 281431)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py due to access control checks.
+PASS fetch was successfully blocked.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html (0 => 281431)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html 2021-08-23 02:24:23 UTC (rev 281431)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py">
+ <script src=""
+
+</head>
+<body>
+ <script>
+ window.jsTestIsAsync = true;
+
+ var haveReportedFetchError = false;
+ var haveReportedBlockedURI = false;
+
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ haveReportedBlockedURI = true;
+ if (haveReportedFetchError)
+ finishJSTest();
+ });
+
+ var url = ""
+
+async function loadURL() {
+ try {
+ await fetch(url);
+ testFailed("fetch should not have succeeded.");
+ } catch (e) {
+ haveReportedFetchError = true;
+ testPassed("fetch was successfully blocked.");
+ if (haveReportedBlockedURI)
+ finishJSTest();
+ }
+}
+loadURL();
+ </script>
+</script>
+<script src=""
+</body>
+</html>
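Review bot: In `loadURL()`, the branch where `fetch(url)` resolves calls `testFailed("fetch should not have succeeded.")` but never `finishJSTest()`. With `window.jsTestIsAsync = true`, a regression that lets the redirect through would presumably show up as a timeout rather than a recorded failure. The XHR variant of this test calls `finishJSTest()` in its load handler. Add `finishJSTest();` directly after the `testFailed(...)` line in the `try` block.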
Added: trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (0 => 281431)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-08-23 02:24:23 UTC (rev 281431)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
+PASS XMLHttpRequest.send() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Added: trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (0 => 281431)
--- trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-08-23 02:24:23 UTC (rev 281431)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
+PASS fetch was successfully blocked.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Added: trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (0 => 281431)
--- trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-08-23 02:24:23 UTC (rev 281431)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
+PASS XMLHttpRequest.send() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Added: trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (0 => 281431)
--- trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (rev 0)
+++ trunk/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-08-23 02:24:23 UTC (rev 281431)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
+PASS fetch was successfully blocked.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Modified: trunk/Source/WebCore/ChangeLog (281430 => 281431)
--- trunk/Source/WebCore/ChangeLog 2021-08-23 01:41:34 UTC (rev 281430)
+++ trunk/Source/WebCore/ChangeLog 2021-08-23 02:24:23 UTC (rev 281431)
@@ -1,3 +1,27 @@
+2021-08-22 Kate Cheney <katherine_che...@apple.com>
+
+ Report correct blocked URI in CSP violation report
+ https://bugs.webkit.org/show_bug.cgi?id=226316
+ <rdar://problem/78552912>
+
+ Reviewed by Alex Christensen.
+
+ Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html
+ http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html
+
+ Currently for a blocked redirection we report the blocked URI as the
+ target URL. This is not up to spec and we should actually report the
+ requested URL.
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::redirectReceived):
+ (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+ * loader/DocumentThreadableLoader.h:
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowConnectToSource const):
+ (WebCore::ContentSecurityPolicy::reportViolation const):
+ * page/csp/ContentSecurityPolicy.h:
+
2021-08-22 Myles C. Maxfield <mmaxfi...@apple.com>
Tiny cleanups in CSS parsing code
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (281430 => 281431)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2021-08-23 01:41:34 UTC (rev 281430)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2021-08-23 02:24:23 UTC (rev 281431)
@@ -328,7 +328,7 @@
return;
}
- if (!isAllowedByContentSecurityPolicy(request.url(), redirectResponse.isNull() ? ContentSecurityPolicy::RedirectResponseReceived::No : ContentSecurityPolicy::RedirectResponseReceived::Yes)) {
+ if (!isAllowedByContentSecurityPolicy(request.url(), redirectResponse.isNull() ? ContentSecurityPolicy::RedirectResponseReceived::No : ContentSecurityPolicy::RedirectResponseReceived::Yes, redirectResponse.url())) {
reportContentSecurityPolicyError(redirectResponse.url());
clearResource();
return completionHandler(WTFMove(request));
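Review bot: The new third argument `redirectResponse.url()` is the URL of the response that issued this redirect, which for a chain of more than one hop is likely an intermediate URL rather than the one the page originally requested. Because `blockedURI` is delivered to page script through the `securitypolicyviolation` event, reporting an intermediate hop could still expose a URL the page never asked for. If the loader keeps the original request URL, passing that instead would match the ChangeLog's "requested URL" in every case. Otherwise add a comment such as `// preRedirectURL is the previous hop, not necessarily the first requested URL.` The same choice is made in `NetworkLoadChecker::checkRedirection`. The enclosing function starts and ends outside this hunk.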
@@ -675,7 +675,7 @@
didFinishLoading(identifier);
}
-bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url, ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived)
+bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url, ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL)
{
switch (m_options.contentSecurityPolicyEnforcement) {
case ContentSecurityPolicyEnforcement::DoNotEnforce:
@@ -683,7 +683,7 @@
case ContentSecurityPolicyEnforcement::EnforceChildSrcDirective:
return contentSecurityPolicy().allowChildContextFromSource(url, redirectResponseReceived);
case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective:
- return contentSecurityPolicy().allowConnectToSource(url, redirectResponseReceived);
+ return contentSecurityPolicy().allowConnectToSource(url, redirectResponseReceived, preRedirectURL);
case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
return contentSecurityPolicy().allowScriptFromSource(url, redirectResponseReceived);
}
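Review bot: Only the `EnforceConnectSrcDirective` case forwards `preRedirectURL`, while the `EnforceChildSrcDirective` and `EnforceScriptSrcDirective` cases still call `allowChildContextFromSource(url, ...)` and `allowScriptFromSource(url, ...)` with the post-redirect URL alone. Violation reports for those directives will presumably keep naming the redirect target after a blocked redirect. If that is intentionally out of scope, record it in the switch, e.g. `// FIXME: Forward preRedirectURL for child-src and script-src so their reports also use the requested URL.` `NetworkLoadChecker::isAllowedByContentSecurityPolicy` has the same gap for every destination other than `EmptyString`. The function body starts before this hunk.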
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.h (281430 => 281431)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2021-08-23 01:41:34 UTC (rev 281430)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2021-08-23 02:24:23 UTC (rev 281431)
@@ -103,7 +103,7 @@
void loadRequest(ResourceRequest&&, SecurityCheckPolicy);
bool isAllowedRedirect(const URL&);
- bool isAllowedByContentSecurityPolicy(const URL&, ContentSecurityPolicy::RedirectResponseReceived);
+ bool isAllowedByContentSecurityPolicy(const URL&, ContentSecurityPolicy::RedirectResponseReceived, const URL& preRedirectURL = URL());
SecurityOrigin& securityOrigin() const;
const ContentSecurityPolicy& contentSecurityPolicy() const;
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (281430 => 281431)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2021-08-23 01:41:34 UTC (rev 281430)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2021-08-23 02:24:23 UTC (rev 281431)
@@ -600,7 +600,7 @@
return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::mediaSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia);
}
-bool ContentSecurityPolicy::allowConnectToSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowConnectToSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
{
if (LegacySchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol().toStringWithoutCopying()))
return true;
@@ -608,7 +608,7 @@
TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, "Refused to connect to");
- reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
+ reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition, preRedirectURL);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
@@ -659,12 +659,12 @@
return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
}
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state) const
{
- return reportViolation(effectiveViolatedDirective, violatedDirective.text(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state);
+ return reportViolation(effectiveViolatedDirective, violatedDirective.text(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state, preRedirectURL);
}
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL) const
{
logToConsole(consoleMessage, sourceURL, sourcePosition.m_line, sourcePosition.m_column, state);
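Review bot: The two `reportViolation` overloads changed here take `preRedirectURL` at different positions: before `JSC::JSGlobalObject* state` in the `ContentSecurityPolicyDirective` overload and after it in the `ContentSecurityPolicyDirectiveList` overload. Both parameters are defaulted in ContentSecurityPolicy.h, so this inconsistency is easy to trip over when adding call sites. Consider putting `preRedirectURL` last in both, i.e. ending the first signature with `const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL) const`. The call in `allowConnectToSource` would then need an explicit `nullptr` for `state`, and the matching declarations need the same order.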
@@ -699,7 +699,12 @@
}
ASSERT(m_client || is<Document>(m_scriptExecutionContext));
- String blockedURI = deprecatedURLForReporting(blockedURL);
+ String blockedURI;
+ if (preRedirectURL.isNull())
+ blockedURI = deprecatedURLForReporting(blockedURL);
+ else
+ blockedURI = deprecatedURLForReporting(preRedirectURL);
+
// FIXME: Is it policy to not use the status code for HTTPS, or is that a bug?
unsigned short httpStatusCode = m_selfSourceProtocol == "http" ? m_httpStatusCode : 0;
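Review bot: The four-line `if`/`else` that picks `blockedURI` can be a single initialisation, which also restores the variable being assigned exactly once: `String blockedURI = deprecatedURLForReporting(preRedirectURL.isNull() ? blockedURL : preRedirectURL);`. A short comment would explain the choice to the next reader, e.g. `// After a redirect, report the URL that was requested rather than the redirect target.` The surrounding `reportViolation` body starts and ends outside this hunk.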
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (281430 => 281431)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2021-08-23 01:41:34 UTC (rev 281430)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2021-08-23 02:24:23 UTC (rev 281431)
@@ -114,7 +114,7 @@
bool allowChildFrameFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
WEBCORE_EXPORT bool allowChildContextFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
- WEBCORE_EXPORT bool allowConnectToSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ WEBCORE_EXPORT bool allowConnectToSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& requestedURL = URL()) const;
bool allowFormAction(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
bool allowObjectFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
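Review bot: The declaration of `allowConnectToSource` names the new parameter `requestedURL`, while the definition in ContentSecurityPolicy.cpp and every other signature in this change call it `preRedirectURL`. Use one name throughout, e.g. `const URL& preRedirectURL = URL()` here. In NetworkLoadChecker.h the new `const URL&` parameter of `checkRequest` is left unnamed; since an unnamed URL parameter does not say which URL is meant, name it `preRedirectURL` there as well. A one-line comment on the declaration stating that a null URL means "no redirect, report the blocked URL itself" would document the default.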
@@ -210,8 +210,8 @@
void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*) const;
void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList&, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
- void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* = nullptr) const;
- void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*) const;
+ void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr) const;
+ void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL()) const;
void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
// We can never have both a script execution context and a ContentSecurityPolicyClient.
Modified: trunk/Source/WebKit/ChangeLog (281430 => 281431)
--- trunk/Source/WebKit/ChangeLog 2021-08-23 01:41:34 UTC (rev 281430)
+++ trunk/Source/WebKit/ChangeLog 2021-08-23 02:24:23 UTC (rev 281431)
@@ -1,3 +1,22 @@
+2021-08-22 Kate Cheney <katherine_che...@apple.com>
+
+ Report correct blocked URI in CSP violation report
+ https://bugs.webkit.org/show_bug.cgi?id=226316
+ <rdar://problem/78552912>
+
+ Reviewed by Alex Christensen.
+
+ Currently for a blocked redirection we report the blocked URI as the
+ target URL. This is not up to spec and we should actually report the
+ requested URL.
+
+ * NetworkProcess/NetworkLoadChecker.cpp:
+ (WebKit::NetworkLoadChecker::check):
+ (WebKit::NetworkLoadChecker::checkRedirection):
+ (WebKit::NetworkLoadChecker::checkRequest):
+ (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
+ * NetworkProcess/NetworkLoadChecker.h:
+
2021-08-22 Wenson Hsieh <wenson_hs...@apple.com>
[iOS] Fix and reenable several layout tests to account for the changes in rdar://80384564
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp (281430 => 281431)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2021-08-23 01:41:34 UTC (rev 281430)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2021-08-23 02:24:23 UTC (rev 281431)
@@ -92,7 +92,7 @@
m_loadInformation.request = request;
m_firstRequestHeaders = request.httpHeaderFields();
- checkRequest(WTFMove(request), client, WTFMove(handler));
+ checkRequest(WTFMove(request), client, URL(), WTFMove(handler));
}
static inline NetworkLoadChecker::RedirectionRequestOrError redirectionError(const ResourceResponse& redirectResponse, String&& errorMessage)
@@ -142,7 +142,7 @@
m_previousURL = WTFMove(m_url);
m_url = redirectRequest.url();
- checkRequest(WTFMove(redirectRequest), client, [handler = WTFMove(handler), request = WTFMove(request), redirectResponse = WTFMove(redirectResponse)](auto&& result) mutable {
+ checkRequest(WTFMove(redirectRequest), client, redirectResponse.url(), [handler = WTFMove(handler), request = WTFMove(request), redirectResponse](auto&& result) mutable {
WTF::switchOn(result,
[&handler] (ResourceError& error) mutable {
handler(makeUnexpected(WTFMove(error)));
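Review bot: The lambda capture changed from `redirectResponse = WTFMove(redirectResponse)` to a plain `redirectResponse`, which copies the whole `ResourceResponse` on every checked redirect. Presumably the move was dropped because `redirectResponse.url()` is now read in the same argument list and the evaluation order of arguments is unspecified. Taking the URL into a local first, `URL preRedirectURL = redirectResponse.url();`, and passing `preRedirectURL` to `checkRequest` would allow the original move capture to be kept. The lambda body and the enclosing `checkRedirection` continue outside this hunk.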
@@ -207,7 +207,7 @@
return ResourceError { String { }, 0, m_url, WTFMove(message), ResourceError::Type::AccessControl };
}
-void NetworkLoadChecker::checkRequest(ResourceRequest&& request, ContentSecurityPolicyClient* client, ValidationHandler&& handler)
+void NetworkLoadChecker::checkRequest(ResourceRequest&& request, ContentSecurityPolicyClient* client, const URL& preRedirectURL, ValidationHandler&& handler)
{
ResourceRequest originalRequest = request;
@@ -216,7 +216,7 @@
auto type = m_options.mode == FetchOptions::Mode::Navigate ? ContentSecurityPolicy::InsecureRequestType::Navigation : ContentSecurityPolicy::InsecureRequestType::Load;
contentSecurityPolicy->upgradeInsecureRequestIfNeeded(request, type);
}
- if (!this->isAllowedByContentSecurityPolicy(request, client)) {
+ if (!this->isAllowedByContentSecurityPolicy(request, client, preRedirectURL)) {
handler(this->accessControlErrorForValidationHandler("Blocked by Content Security Policy."_s));
return;
}
@@ -253,7 +253,7 @@
this->continueCheckingRequest(WTFMove(currentRequest), WTFMove(handler));
}
-bool NetworkLoadChecker::isAllowedByContentSecurityPolicy(const ResourceRequest& request, WebCore::ContentSecurityPolicyClient* client)
+bool NetworkLoadChecker::isAllowedByContentSecurityPolicy(const ResourceRequest& request, WebCore::ContentSecurityPolicyClient* client, const URL& preRedirectURL)
{
auto* contentSecurityPolicy = this->contentSecurityPolicy();
contentSecurityPolicy->setClient(client);
@@ -275,7 +275,7 @@
// FIXME: Check CSP for non-importScripts() initiated loads.
return true;
case FetchOptions::Destination::EmptyString:
- return contentSecurityPolicy->allowConnectToSource(request.url(), redirectResponseReceived);
+ return contentSecurityPolicy->allowConnectToSource(request.url(), redirectResponseReceived, preRedirectURL);
case FetchOptions::Destination::Audio:
case FetchOptions::Destination::Document:
case FetchOptions::Destination::Embed:
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h (281430 => 281431)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2021-08-23 01:41:34 UTC (rev 281430)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2021-08-23 02:24:23 UTC (rev 281431)
@@ -106,9 +106,9 @@
bool isChecking() const { return !!m_corsPreflightChecker; }
bool isRedirected() const { return m_redirectCount; }
- void checkRequest(WebCore::ResourceRequest&&, WebCore::ContentSecurityPolicyClient*, ValidationHandler&&);
+ void checkRequest(WebCore::ResourceRequest&&, WebCore::ContentSecurityPolicyClient*, const URL&, ValidationHandler&&);
- bool isAllowedByContentSecurityPolicy(const WebCore::ResourceRequest&, WebCore::ContentSecurityPolicyClient*);
+ bool isAllowedByContentSecurityPolicy(const WebCore::ResourceRequest&, WebCore::ContentSecurityPolicyClient*, const URL& preRedirectURL = URL());
void continueCheckingRequest(WebCore::ResourceRequest&&, ValidationHandler&&);
void continueCheckingRequestOrDoSyntheticRedirect(WebCore::ResourceRequest&& originalRequest, WebCore::ResourceRequest&& currentRequest, ValidationHandler&&);