Modified: trunk/LayoutTests/ChangeLog (290442 => 290443)
--- trunk/LayoutTests/ChangeLog 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/ChangeLog 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,3 +1,32 @@
+2022-02-24 Kate Cheney <katherine_che...@apple.com>
+
+ Update CSP console logging
+ https://bugs.webkit.org/show_bug.cgi?id=232216
+ <rdar://problem/89322580>
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html:
+ * http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/font-redirect-blocked.html:
+ * http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/image-redirect-blocked.html:
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt:
+ * http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/script-redirect-blocked.html:
+ * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html:
+ * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html:
+ * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html:
+ * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/track-redirect-blocked.html:
+ * http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/video-redirect-blocked.html:
+ * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt:
+
2022-02-24 Alan Bujtas <za...@apple.com>
[LFC][IFC] Non-orthogonal inline block boxes keep their baseline on ideographic lines
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" because it does not appear in the worker-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js because it does not appear in the worker-src directive of the Content Security Policy.
CONSOLE MESSAGE: Blocked by Content Security Policy.
CONSOLE MESSAGE: Cannot load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js due to access control checks.
This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/redirection-response.py?host=localhost:8000&status=302&target=form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/navigation/resources/form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
Tests that blocking form redirect works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the media-src directive of the Content Security Policy.
-ALERT: PASS
+CONSOLE MESSAGE: Refused to load http://localhost:8000/resources/balls-of-the-orient.aif because it does not appear in the media-src directive of the Content Security Policy.
+blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=""
+
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html 2022-02-24 19:31:31 UTC (rev 290443)
@@ -4,8 +4,16 @@
<script src=""
<script src=""
<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.py">
+<script>
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML = `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ testRunner.notifyDone();
+ });
+</script>
</head>
<body>
-<audio src="" _onloadedmetadata_="alertAndDone('FAIL')" _onerror_="alertAndDone('PASS')"></audio>
+<audio
+ src=""
</body>
</html>
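Review bot: The new listener calls `testRunner.notifyDone();` with no `window.testRunner` guard, so the page throws a ReferenceError when opened outside the test harness, and it is also inconsistent with the other files in this commit, which write `window.testRunner.notifyDone();` (font, image, script, stylesheet, svg-font, svg-image, track, video); the uniform form is `if (window.testRunner) testRunner.notifyDone();`. The removed `<audio>` line carried `_onloadedmetadata_="alertAndDone('FAIL')"`, and if the replacement element no longer has a load handler (its attributes are stripped on this page, so I cannot confirm), a regression that wrongly allows the redirected load fires no `securitypolicyviolation` event, `notifyDone` never runs, and the test times out instead of printing FAIL — keeping a load handler that writes `FAIL` and calls `notifyDone` would preserve that signal. The listeners also differ in whether they assign (`innerHTML =`, here and in image/svg-font/svg-image/video) or append (`innerHTML +=`, in font/script/stylesheet/track); the track expected file's `blockedURI` line gains a leading space that looks like pre-existing body whitespace kept by `+=`, so picking one form across the nine tests would make the expectations uniform.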
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,4 +1,8 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the font-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/resources/Ahem.woff because it does not appear in the font-src directive of the Content Security Policy.
Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
.
+
+blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=""
+
+
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html 2022-02-24 19:31:31 UTC (rev 290443)
@@ -7,7 +7,7 @@
<style>
@font-face {
font-family: "Ahem";
- src: url("http://127.0.0.1:8000/resources/redirect.py?code=307&url="" format("woff");
+ src: url("http://127.0.0.1:8000/resources/redirect.py?code=307&url="" format("woff");
}
</style>
</head>
@@ -15,9 +15,11 @@
<p>Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
<p style="font-family: 'Ahem'">.</p> <!-- Intentional period character to force font to load -->
<script>
-// Use a zero timer to wait until the font loaded.
-if (window.testRunner)
- window.setTimeout("window.testRunner.notifyDone();", 0);
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ window.testRunner.notifyDone();
+ });
</script>
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/redirection-response.py?host=localhost:8000&status=302&target=form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/navigation/resources/form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
Tests that blocking form redirect reports the correct blockedURI.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the img-src directive of the Content Security Policy.
-Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
+blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,11 +1,19 @@
<!DOCTYPE html>
<html>
<head>
+<script src=""
<script src=""
<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.py">
</head>
<body>
<p>Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
-<img src="" width="128" height="128">
+<script>
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML = `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ window.testRunner.notifyDone();
+ });
+</script>
+<img src="" width="128" height="128">
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -5,6 +5,6 @@
PASS successfullyParsed is true
TEST COMPLETE
-blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the script-src directive of the Content Security Policy.
-ALERT: PASS
+CONSOLE MESSAGE: Refused to load http://localhost:8000/resources/alert-fail.js because it does not appear in the script-src directive of the Content Security Policy.
+blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=""
+
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html 2022-02-24 19:31:31 UTC (rev 290443)
@@ -4,7 +4,14 @@
<script src=""
<script src=""
<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/redirect.py 'unsafe-inline'">
-<script src="" _onerror_="alertAndDone('PASS')"></script>
+<script src=""
+<script>
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ window.testRunner.notifyDone();
+ });
+</script>
</head>
<body>
</body>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the style-src directive of the Content Security Policy.
-ALERT: PASS
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/blue.css because it does not appear in the style-src directive of the Content Security Policy.
+blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=""
+
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html 2022-02-24 19:31:31 UTC (rev 290443)
@@ -4,6 +4,13 @@
<script src=""
<script src=""
<meta http-equiv="Content-Security-Policy" content="style-src http://127.0.0.1:8000/resources/redirect.py">
-<link rel="stylesheet" href="" _onload_="alertAndDone('FAIL')" _onerror_="alertAndDone('PASS')">
+<script>
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ window.testRunner.notifyDone();
+ });
+</script>
+<link rel="stylesheet" href=""
</head>
</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the font-src directive of the Content Security Policy.
-Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/ABCFont.svg because it does not appear in the font-src directive of the Content Security Policy.
+blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,8 +1,16 @@
<!DOCTYPE html>
<html>
<head>
+<script src=""
<script src=""
<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.py">
+<script>
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML = `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ window.testRunner.notifyDone();
+ });
+</script>
</head>
<body>
<p>Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.</p>
@@ -9,7 +17,7 @@
<svg viewBox="0 0 100 100">
<font-face>
<font-face-src>
- <font-face-uri font-family="ABCFont" xlink:href=""
+ <font-face-uri font-family="ABCFont" xlink:href=""
</font-face-src>
</font-face>
</svg>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the img-src directive of the Content Security Policy.
-Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/red-square.svg because it does not appear in the img-src directive of the Content Security Policy.
+blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=""
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,11 +1,19 @@
<!DOCTYPE html>
<html>
<head>
+<script src=""
<script src=""
<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.py">
</head>
<body>
<p>Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
-<img src="" width="128" height="128">
+<script>
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML = `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ window.testRunner.notifyDone();
+ });
+</script>
+<img src="" width="128" height="128">
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the media-src directive of the Content Security Policy.
-ALERT: PASS
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt because it does not appear in the media-src directive of the Content Security Policy.
+ blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=""
+
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html 2022-02-24 19:31:31 UTC (rev 290443)
@@ -6,8 +6,15 @@
<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.py">
</head>
<body>
+<script>
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ window.testRunner.notifyDone();
+ });
+</script>
<video>
- <track src="" kind="captions" _onload_="alertAndDone('FAIL')" _onerror_="alertAndDone('PASS')">
+<track src="" kind="captions">
</video>
<script>
document.querySelector("track").track.mode = "hidden"; // Load the track
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the media-src directive of the Content Security Policy.
-ALERT: PASS
+CONSOLE MESSAGE: Refused to load http://localhost:8000/resources/test.mp4 because it does not appear in the media-src directive of the Content Security Policy.
+blockedURI = http://127.0.0.1:8000/resources/redirect.py?code=307&url=""
+
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html 2022-02-24 19:31:31 UTC (rev 290443)
@@ -6,6 +6,13 @@
<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.py">
</head>
<body>
-<video src="" _onloadedmetadata_="alertAndDone('FAIL')" _onerror_="alertAndDone('PASS')"></video>
+<script>
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML = `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ window.testRunner.notifyDone();
+ });
+</script>
+<video src=""
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/script-set-value.js because it does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: Blocked by Content Security Policy.
This tests that the Content Security Policy of the parent origin (this page) blocks a Web Worker from importing a script from a different origin, not listed in script-src, through a redirect.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/script-set-value.js because it does not appear in the script-src directive of the Content Security Policy.
CONSOLE MESSAGE: Blocked by Content Security Policy.
This tests a Web Worker with Content Security Policy "script-src 'self'" blocks the import of a script from a different origin through a redirect.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt (290442 => 290443)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,2 +1,2 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.xsl because it does not appear in the script-src directive of the Content Security Policy.
Modified: trunk/Source/WebCore/ChangeLog (290442 => 290443)
--- trunk/Source/WebCore/ChangeLog 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/Source/WebCore/ChangeLog 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,3 +1,20 @@
+2022-02-24 Kate Cheney <katherine_che...@apple.com>
+
+ Update CSP console logging
+ https://bugs.webkit.org/show_bug.cgi?id=232216
+ <rdar://problem/89322580>
+
+ Reviewed by Brent Fulgham.
+
+ * loader/SubresourceLoader.cpp:
+ (WebCore::SubresourceLoader::willSendRequestInternal):
+ (WebCore::SubresourceLoader::originalHeaders const):
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowResourceFromSource const):
+ (WebCore::ContentSecurityPolicy::allowWorkerFromSource const):
+ (WebCore::ContentSecurityPolicy::allowScriptFromSource const):
+ (WebCore::ContentSecurityPolicy::allowStyleFromSource const):
+
2022-02-24 Alan Bujtas <za...@apple.com>
[LFC][IFC] Non-orthogonal inline block boxes keep their baseline on ideographic lines
Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (290442 => 290443)
--- trunk/Source/WebCore/loader/SubresourceLoader.cpp 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp 2022-02-24 19:31:31 UTC (rev 290443)
@@ -277,7 +277,7 @@
m_frame->page()->diagnosticLoggingClient().logDiagnosticMessageWithResult(DiagnosticLoggingKeys::cachedResourceRevalidationKey(), emptyString(), DiagnosticLoggingResultFail, ShouldSample::Yes);
}
- if (!m_documentLoader->cachedResourceLoader().updateRequestAfterRedirection(m_resource->type(), newRequest, options(), redirectResponse.url())) {
+ if (!m_documentLoader->cachedResourceLoader().updateRequestAfterRedirection(m_resource->type(), newRequest, options(), originalRequest().url())) {
SUBRESOURCELOADER_RELEASE_LOG("willSendRequestInternal: resource load canceled because CachedResourceLoader::updateRequestAfterRedirection (really CachedResourceLoader::canRequestAfterRedirection) said no");
cancel();
return completionHandler(WTFMove(newRequest));
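Review bot: The changed call `updateRequestAfterRedirection(m_resource->type(), newRequest, options(), originalRequest().url())` silently changes what the last argument means, from the URL of the response that redirected (the previous hop) to the URL of the very first request, and with more than one redirect those differ; nothing at the call site records the intent. Add a one-line comment such as `// Pass the original request URL (not the previous hop) so CSP reports the URL the page asked for, never a redirect target.` The callee's parameter name is outside this hunk; if it still describes a redirect-response URL it should be renamed to match the new meaning. willSendRequestInternal begins and ends outside this hunk.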
@@ -899,7 +899,7 @@
const HTTPHeaderMap* SubresourceLoader::originalHeaders() const
{
- return (m_resource && m_resource->originalRequest()) ? &m_resource->originalRequest()->httpHeaderFields() : nullptr;
+ return (m_resource && m_resource->originalRequest()) ? &m_resource->originalRequest()->httpHeaderFields() : nullptr;
}
} // namespace WebCore
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (290442 => 290443)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2022-02-24 19:31:31 UTC (rev 290443)
@@ -599,7 +599,7 @@
const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");
+ String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
reportViolation(violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), resourcePredicate, url, redirectResponseReceived == RedirectResponseReceived::Yes);
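Review bot: The changed line `String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");` now logs the post-redirect `url`, while `reportViolation(violatedDirective, blockedURL.string(), ...)` on the next line keeps the pre-redirect `blockedURL`, and nothing in the hunk explains the split, so a future reader will take one of the two for a bug. Add a comment above the lambda such as `// Console output is developer-only, so it may name the final URL; the violation report and event keep the pre-redirect URL so a page cannot learn where a cross-origin redirect went.` — my reading of the CSP reporting rules, to be confirmed against the spec text. The same comment applies to the identical lambdas in the three following hunks (per the ChangeLog, allowWorkerFromSource, allowScriptFromSource and allowStyleFromSource). Since this commit had to make the same one-line edit in four places, the `blockedURL` selection plus the lambda look like a candidate for one shared helper, as a follow-up rather than part of this change. allowResourceFromSource begins before this hunk.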
@@ -614,7 +614,7 @@
const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- auto consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");
+ auto consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
reportViolation(violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
@@ -632,7 +632,7 @@
const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");
+ String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
reportViolation(violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
@@ -654,7 +654,7 @@
const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(violatedDirective, blockedURL, "Refused to load");
+ String consoleMessage = consoleMessageForViolation(violatedDirective, url, "Refused to load");
reportViolation(violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
};
Modified: trunk/Source/WebKit/ChangeLog (290442 => 290443)
--- trunk/Source/WebKit/ChangeLog 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/Source/WebKit/ChangeLog 2022-02-24 19:31:31 UTC (rev 290443)
@@ -1,3 +1,18 @@
+2022-02-24 Kate Cheney <katherine_che...@apple.com>
+
+ Update CSP console logging
+ https://bugs.webkit.org/show_bug.cgi?id=232216
+ <rdar://problem/89322580>
+
+ Reviewed by Brent Fulgham.
+
+ * NetworkProcess/NetworkLoadChecker.cpp:
+ (WebKit::NetworkLoadChecker::check):
+ (WebKit::NetworkLoadChecker::checkRedirection):
+ (WebKit::NetworkLoadChecker::checkRequest):
+ (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
+ * NetworkProcess/NetworkLoadChecker.h:
+
2022-02-24 Devin Rousso <drou...@apple.com>
[MacCatalyst] REGRESSION(r290091): sometimes can crash if `WKWebView` is deallocated before the next visible content rect update
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp (290442 => 290443)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2022-02-24 19:31:31 UTC (rev 290443)
@@ -93,7 +93,7 @@
m_loadInformation.request = request;
m_firstRequestHeaders = request.httpHeaderFields();
- checkRequest(WTFMove(request), client, URL(), WTFMove(handler));
+ checkRequest(WTFMove(request), client, WTFMove(handler));
}
static inline NetworkLoadChecker::RedirectionRequestOrError redirectionError(const ResourceResponse& redirectResponse, String&& errorMessage)
@@ -143,7 +143,7 @@
m_previousURL = WTFMove(m_url);
m_url = redirectRequest.url();
- checkRequest(WTFMove(redirectRequest), client, redirectResponse.url(), [handler = WTFMove(handler), request = WTFMove(request), redirectResponse](auto&& result) mutable {
+ checkRequest(WTFMove(redirectRequest), client, [handler = WTFMove(handler), request = WTFMove(request), redirectResponse](auto&& result) mutable {
WTF::switchOn(result,
[&handler] (ResourceError& error) mutable {
handler(makeUnexpected(WTFMove(error)));
@@ -221,7 +221,7 @@
return ResourceError { String { }, 0, m_url, WTFMove(message), ResourceError::Type::AccessControl };
}
-void NetworkLoadChecker::checkRequest(ResourceRequest&& request, ContentSecurityPolicyClient* client, const URL& preRedirectURL, ValidationHandler&& handler)
+void NetworkLoadChecker::checkRequest(ResourceRequest&& request, ContentSecurityPolicyClient* client, ValidationHandler&& handler)
{
ResourceRequest originalRequest = request;
@@ -230,7 +230,7 @@
auto type = m_options.mode == FetchOptions::Mode::Navigate ? ContentSecurityPolicy::InsecureRequestType::Navigation : ContentSecurityPolicy::InsecureRequestType::Load;
contentSecurityPolicy->upgradeInsecureRequestIfNeeded(request, type);
}
- if (!this->isAllowedByContentSecurityPolicy(request, client, preRedirectURL)) {
+ if (!this->isAllowedByContentSecurityPolicy(request, client)) {
handler(this->accessControlErrorForValidationHandler("Blocked by Content Security Policy."_s));
return;
}
@@ -267,7 +267,7 @@
this->continueCheckingRequest(WTFMove(currentRequest), WTFMove(handler));
}
-bool NetworkLoadChecker::isAllowedByContentSecurityPolicy(const ResourceRequest& request, WebCore::ContentSecurityPolicyClient* client, const URL& preRedirectURL)
+bool NetworkLoadChecker::isAllowedByContentSecurityPolicy(const ResourceRequest& request, WebCore::ContentSecurityPolicyClient* client)
{
auto* contentSecurityPolicy = this->contentSecurityPolicy();
contentSecurityPolicy->setClient(client);
@@ -275,6 +275,7 @@
contentSecurityPolicy->setClient(nullptr);
});
+ auto preRedirectURL = m_networkResourceLoader ? m_networkResourceLoader.get()->originalRequest().url() : URL();
auto redirectResponseReceived = isRedirected() ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
switch (m_options.destination) {
case FetchOptions::Destination::Audioworklet:
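Review bot: The new `preRedirectURL` is derived solely from `m_networkResourceLoader`, so a checker that has no loader gets an empty `URL()` and its violation reports fall back to the current (post-redirect) URL as blocked-uri — the case the removed `redirectResponse.url()` argument in `checkRedirection` used to cover; if such loader-less checkers can see redirected requests this deserves a fallback or at least an assertion, which I cannot confirm from the hunk. The `.get()` after the truthiness test is redundant; `m_networkResourceLoader->originalRequest().url()` reads the same. A short comment on the new line would record the intent, e.g. `// blocked-uri in CSP violation reports is the original (pre-redirect) request URL, not the current redirect hop.` The enclosing `isAllowedByContentSecurityPolicy` starts in the previous hunk and continues past this one.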
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h (290442 => 290443)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2022-02-24 18:29:46 UTC (rev 290442)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2022-02-24 19:31:31 UTC (rev 290443)
@@ -108,9 +108,9 @@
bool isChecking() const { return !!m_corsPreflightChecker; }
bool isRedirected() const { return m_redirectCount; }
- void checkRequest(WebCore::ResourceRequest&&, WebCore::ContentSecurityPolicyClient*, const URL&, ValidationHandler&&);
+ void checkRequest(WebCore::ResourceRequest&&, WebCore::ContentSecurityPolicyClient*, ValidationHandler&&);
- bool isAllowedByContentSecurityPolicy(const WebCore::ResourceRequest&, WebCore::ContentSecurityPolicyClient*, const URL& preRedirectURL = URL());
+ bool isAllowedByContentSecurityPolicy(const WebCore::ResourceRequest&, WebCore::ContentSecurityPolicyClient*);
void continueCheckingRequest(WebCore::ResourceRequest&&, ValidationHandler&&);
void continueCheckingRequestOrDoSyntheticRedirect(WebCore::ResourceRequest&& originalRequest, WebCore::ResourceRequest&& currentRequest, ValidationHandler&&);