Diff
Modified: trunk/LayoutTests/ChangeLog (126784 => 126785)
--- trunk/LayoutTests/ChangeLog 2012-08-27 19:16:22 UTC (rev 126784)
+++ trunk/LayoutTests/ChangeLog 2012-08-27 20:08:39 UTC (rev 126785)
@@ -1,3 +1,28 @@
+2012-08-27 Mike West <[email protected]>
+
+ 'self' in a CSP directive should match blob: and filesystem: URLs.
+ https://bugs.webkit.org/show_bug.cgi?id=94918
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/blob-urls-match-self.html: Added.
+ * http/tests/security/contentSecurityPolicy/filesystem-urls-match-self-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html: Added.
+ Test the new functionality.
+ * http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:
+ (test):
+ Adding support for data: URLs.
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-08.html: Added.
+ Adding data: URL tests to ensure that grabbing the inner URL of the
+ URL to test doesn't inadvertently regress that behavior.
+ * platform/efl/Skipped:
+ * platform/mac/Skipped:
+ * platform/qt/Skipped:
+ * platform/win/Skipped:
+ Skipping filessytem test on ports where it's not enabled.
+
2012-08-27 Simon Fraser <[email protected]>
Fix some more sticky ref tests; avoid wrapping at the 800px
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt (0 => 126785)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt 2012-08-27 20:08:39 UTC (rev 126785)
@@ -0,0 +1,2 @@
+ALERT: PASS (1/1)!
+blob: URLs are same-origin with the page in which they were created, and should therefore match the 'self' source in CSP directives.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html (0 => 126785)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html 2012-08-27 20:08:39 UTC (rev 126785)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'self'">
+ </head>
+ <body>
+ <p>
+ blob: URLs are same-origin with the page in which they were created,
+ and should therefore match the 'self' source in CSP directives.
+ </p>
+
+ <script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+ function pass() {
+ alert("PASS (1/1)!");
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+
+ var b = new Blob(['pass();'], { type: 'application/_javascript_' });
+
+ var script = document.createElement('script');
+ script.src = ""
+ document.body.appendChild(script);
+ </script>
+ </body>
+</html>
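Review bot: The test has no failure path: if the policy refuses the injected script, `pass()` never runs and the test can only end by hitting the harness timeout after `testRunner.waitUntilDone()`. Assuming a refused load fires the element's error event, setting `script.onerror = function() { alert("FAIL"); if (window.testRunner) testRunner.notifyDone(); };` before `appendChild` would turn a regression into an immediate, readable failure. As rendered on this page the assignment reads `script.src = ""` and `b` is never used, so the blob URL expression appears to have been lost in rendering. It is worth confirming against the committed file that the script source really is a blob: URL. filesystem-urls-match-self.html has the same missing failure path.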
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self-expected.txt (0 => 126785)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self-expected.txt 2012-08-27 20:08:39 UTC (rev 126785)
@@ -0,0 +1,2 @@
+ALERT: PASS (1/1)!
+filesystem: URLs are same-origin with the page in which they were created, and should therefore match the 'self' source in CSP directives.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html (0 => 126785)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html 2012-08-27 20:08:39 UTC (rev 126785)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'self'">
+ </head>
+ <body>
+ <p>
+ filesystem: URLs are same-origin with the page in which they were
+ created, and should therefore match the 'self' source in CSP
+ directives.
+ </p>
+
+ <script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+ function pass() {
+ alert("PASS (1/1)!");
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+
+ window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
+ fs.root.getFile('pass.js', {create: true}, function(fileEntry) {
+ fileEntry.createWriter(function(fileWriter) {
+ fileWriter._onwriteend_ = function(e) {
+ var script = document.createElement('script');
+ script.src =""
+ document.body.appendChild(script);
+ };
+
+ // Create a new Blob and write it to pass.js.
+ var b = new Blob(['pass();'], {type: 'application/_javascript_'});
+ fileWriter.write(b);
+ });
+ });
+ });
+ </script>
+ </body>
+</html>
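Review bot: None of the three FileSystem calls passes an error callback, so a failure in `webkitRequestFileSystem`, `getFile` or `createWriter` leaves the test waiting for the harness timeout instead of reporting what went wrong. Each call accepts an optional error callback as its last argument; a shared `function fail(e) { alert("FAIL: " + e.code); if (window.testRunner) testRunner.notifyDone(); }` passed to all three would make failures diagnosable. The writer's `onerror` handler is also left unset, so a failed write of pass.js is silent as well.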
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js (126784 => 126785)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js 2012-08-27 19:16:22 UTC (rev 126784)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js 2012-08-27 20:08:39 UTC (rev 126785)
@@ -14,7 +14,9 @@
iframe.src = "" + "resources/echo-script-src.pl?" +
"should_run=" + escape(current[0]) +
"&csp=" + escape(current[1]) +
- "&q=" + baseURL + escape(current[2]);
+ "&q=" + (current[2].match(/^data:/) ?
+ escape(current[2]) :
+ baseURL + escape(current[2]));
if (current[3])
iframe.src += "&nonce=" + escape(current[3]);
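Review bot: `escape()` leaves `+` unencoded, so a base64 data: URL containing `+` would reach the echo script with that character read as a space once the query string is decoded (assuming the Perl side uses standard form decoding, which is not visible here). The payload added in source-list-parsing-08.html happens to contain no `+`, but a later data: test may; `encodeURIComponent(current[2])` in the data: branch avoids the problem. The scheme check `/^data:/` is also case-sensitive, whereas `/^data:/i` would match how URL schemes are compared. The enclosing `test()` function starts and ends outside this hunk.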
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt (0 => 126785)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08-expected.txt 2012-08-27 20:08:39 UTC (rev 126785)
@@ -0,0 +1,22 @@
+CONSOLE MESSAGE: Refused to load the script 'data:application/_javascript_;base64,dmFyIHJlc3VsdCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdyZXN1bHQnKTtyZXN1bHQuZmlyc3RDaGlsZC5ub2RlVmFsdWUgPSByZXN1bHQuYXR0cmlidXRlcy5nZXROYW1lZEl0ZW0oJ3RleHQnKS52YWx1ZTs=' because it violates the following Content Security Policy directive: "script-src 'self'".
+
+CONSOLE MESSAGE: Refused to load the script 'data:application/_javascript_;base64,dmFyIHJlc3VsdCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdyZXN1bHQnKTtyZXN1bHQuZmlyc3RDaGlsZC5ub2RlVmFsdWUgPSByZXN1bHQuYXR0cmlidXRlcy5nZXROYW1lZEl0ZW0oJ3RleHQnKS52YWx1ZTs=' because it violates the following Content Security Policy directive: "script-src https://127.0.0.1:8000".
+
+Test proper handling of data: URLs.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+PASS
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08.html (0 => 126785)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-08.html 2012-08-27 20:08:39 UTC (rev 126785)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=''></script>
+<script>
+var dataURL = "data:application/_javascript_;base64," +
+ btoa("var result = document.getElementById('result');" +
+ "result.firstChild.nodeValue = result.attributes.getNamedItem('text').value;");
+var tests = [
+ ['yes', 'script-src data:', dataURL],
+ ['no', 'script-src \'self\'', dataURL],
+ ['no', 'script-src https://127.0.0.1:8000', dataURL],
+];
+</script>
+</head>
+<body _onload_="test()">
+ <p>
+ Test proper handling of data: URLs.
+ </p>
Modified: trunk/LayoutTests/platform/efl/Skipped (126784 => 126785)
--- trunk/LayoutTests/platform/efl/Skipped 2012-08-27 19:16:22 UTC (rev 126784)
+++ trunk/LayoutTests/platform/efl/Skipped 2012-08-27 20:08:39 UTC (rev 126785)
@@ -1062,6 +1062,7 @@
# Requires ENABLE(FILE_SYSTEM)
fast/forms/file/input-file-entries.html
+http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
# Transparent image being produced
fast/frames/transparent-scrollbar.html
Modified: trunk/LayoutTests/platform/mac/Skipped (126784 => 126785)
--- trunk/LayoutTests/platform/mac/Skipped 2012-08-27 19:16:22 UTC (rev 126784)
+++ trunk/LayoutTests/platform/mac/Skipped 2012-08-27 20:08:39 UTC (rev 126785)
@@ -339,6 +339,7 @@
fast/filesystem
http/tests/filesystem
http/tests/inspector/filesystem
+http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
http/tests/security/filesystem-iframe-from-remote.html
http/tests/security/mixedContent/filesystem-url-in-iframe.html
http/tests/websocket/tests/hybi/send-file-blob.html
Modified: trunk/LayoutTests/platform/qt/Skipped (126784 => 126785)
--- trunk/LayoutTests/platform/qt/Skipped 2012-08-27 19:16:22 UTC (rev 126784)
+++ trunk/LayoutTests/platform/qt/Skipped 2012-08-27 20:08:39 UTC (rev 126785)
@@ -118,6 +118,7 @@
fast/forms/file/input-file-entries.html
http/tests/filesystem
http/tests/inspector/filesystem
+http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
http/tests/security/filesystem-iframe-from-remote.html
http/tests/security/mixedContent/filesystem-url-in-iframe.html
http/tests/websocket/tests/hybi/send-file-blob.html
Modified: trunk/LayoutTests/platform/win/Skipped (126784 => 126785)
--- trunk/LayoutTests/platform/win/Skipped 2012-08-27 19:16:22 UTC (rev 126784)
+++ trunk/LayoutTests/platform/win/Skipped 2012-08-27 20:08:39 UTC (rev 126785)
@@ -1300,6 +1300,7 @@
fast/filesystem
http/tests/filesystem
http/tests/inspector/filesystem
+http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
http/tests/security/filesystem-iframe-from-remote.html
http/tests/websocket/tests/hybi/send-file-blob.html
http/tests/websocket/tests/hybi/send-file-blob-fail.html
Modified: trunk/Source/WebCore/ChangeLog (126784 => 126785)
--- trunk/Source/WebCore/ChangeLog 2012-08-27 19:16:22 UTC (rev 126784)
+++ trunk/Source/WebCore/ChangeLog 2012-08-27 20:08:39 UTC (rev 126785)
@@ -1,3 +1,36 @@
+2012-08-27 Mike West <[email protected]>
+
+ 'self' in a CSP directive should match blob: and filesystem: URLs.
+ https://bugs.webkit.org/show_bug.cgi?id=94918
+
+ Reviewed by Adam Barth.
+
+ 'blob:' and 'filesystem:' URLs are same-origin with the page on which
+ they were created. Currently, we're using the wrong URL for comparison
+ when matching against CSP directive source lists. This patch adjusts the
+ matching logic to compare against the blob's inner URL, rather than
+ directly against the blob itself.
+
+ Tests: http/tests/security/contentSecurityPolicy/blob-urls-match-self.html
+ http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
+ http/tests/security/contentSecurityPolicy/source-list-parsing-08.html
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::CSPSourceList::matches):
+ If we should use the inner URL of a given resource, extract it into
+ a local variable, and pass that into CSPSource for comparison.
+ * page/SecurityOrigin.cpp:
+ (WebCore::SecurityOrigin::shouldUseInnerURL):
+ (WebCore::SecurityOrigin::extractInnerURL):
+ Move shouldUseInnerURL and extractInnerURL to SecurityOrigin's
+ public signature.
+ (WebCore::shouldTreatAsUniqueOrigin):
+ (WebCore::SecurityOrigin::create):
+ (WebCore::SecurityOrigin::isSecure):
+ shouldUseInnerURL and extractInnerURL are now static methods of
+ SecurityOrigin: updating calls to mathc.
+ * page/SecurityOrigin.h:
+
2012-08-27 Kevin Funk <[email protected]>
Fix compilation when both OS(WINCE) and PLATFORM(QT) are true
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (126784 => 126785)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-08-27 19:16:22 UTC (rev 126784)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-08-27 20:08:39 UTC (rev 126785)
@@ -244,8 +244,10 @@
if (m_allowStar)
return true;
+ KURL effectiveURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
+
for (size_t i = 0; i < m_list.size(); ++i) {
- if (m_list[i].matches(url))
+ if (m_list[i].matches(effectiveURL))
return true;
}
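Review bot: `effectiveURL` is handed to the source matchers without checking that inner-URL extraction produced a valid URL; the same expression in SecurityOrigin.cpp carries `FIXME: Check whether innerURL is valid`, and this call site inherits the gap. For a policy decision it is safer to fail closed, e.g. `if (!effectiveURL.isValid()) return false;` right after the assignment, unless CSPSource::matches is already known to reject empty or invalid URLs (not visible here). A comment would also help, such as `// blob: and filesystem: URLs are matched by their inner URL, so any source expression that matches the creating origin (not only 'self') also allows them.`, because the change widens what existing policies permit. The body of CSPSourceList::matches starts and ends outside the hunk.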
Modified: trunk/Source/WebCore/page/SecurityOrigin.cpp (126784 => 126785)
--- trunk/Source/WebCore/page/SecurityOrigin.cpp 2012-08-27 19:16:22 UTC (rev 126784)
+++ trunk/Source/WebCore/page/SecurityOrigin.cpp 2012-08-27 20:08:39 UTC (rev 126785)
@@ -53,18 +53,7 @@
return url.protocolIsInHTTPFamily() || url.protocolIs("ftp");
}
-// Some URL schemes use nested URLs for their security context. For example,
-// filesystem URLs look like the following:
-//
-// filesystem:http://example.com/temporary/path/to/file.png
-//
-// We're supposed to use "http://example.com" as the origin.
-//
-// Generally, we add URL schemes to this list when WebKit support them. For
-// example, we don't include the "jar" scheme, even though Firefox understands
-// that jar uses an inner URL for it's security origin.
-//
-static bool shouldUseInnerURL(const KURL& url)
+bool SecurityOrigin::shouldUseInnerURL(const KURL& url)
{
#if ENABLE(BLOB)
if (url.protocolIs("blob"))
@@ -81,7 +70,7 @@
// In general, extracting the inner URL varies by scheme. It just so happens
// that all the URL schemes we currently support that use inner URLs for their
// security origin can be parsed using this algorithm.
-static KURL extractInnerURL(const KURL& url)
+KURL SecurityOrigin::extractInnerURL(const KURL& url)
{
if (url.innerURL())
return *url.innerURL();
@@ -105,7 +94,7 @@
return true;
// FIXME: Do we need to unwrap the URL further?
- KURL innerURL = shouldUseInnerURL(url) ? extractInnerURL(url) : url;
+ KURL innerURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
// FIXME: Check whether innerURL is valid.
Modified: trunk/Source/WebCore/page/SecurityOrigin.h (126784 => 126785)
--- trunk/Source/WebCore/page/SecurityOrigin.h 2012-08-27 19:16:22 UTC (rev 126784)
+++ trunk/Source/WebCore/page/SecurityOrigin.h 2012-08-27 20:08:39 UTC (rev 126785)
@@ -52,6 +52,19 @@
static PassRefPtr<SecurityOrigin> createFromString(const String&);
static PassRefPtr<SecurityOrigin> create(const String& protocol, const String& host, int port);
+ // Some URL schemes use nested URLs for their security context. For example,
+ // filesystem URLs look like the following:
+ //
+ // filesystem:http://example.com/temporary/path/to/file.png
+ //
+ // We're supposed to use "http://example.com" as the origin.
+ //
+ // Generally, we add URL schemes to this list when WebKit support them. For
+ // example, we don't include the "jar" scheme, even though Firefox
+ // understands that "jar" uses an inner URL for it's security origin.
+ static bool shouldUseInnerURL(const KURL&);
+ static KURL extractInnerURL(const KURL&);
+
// Create a deep copy of this SecurityOrigin. This method is useful
// when marshalling a SecurityOrigin to another thread.
PassRefPtr<SecurityOrigin> isolatedCopy() const;
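Review bot: The moved comment explains when an inner URL is used but says nothing about `extractInnerURL`, which this change makes callable from anywhere in WebCore. A short contract would help, for example `// Only meaningful when shouldUseInnerURL(url) is true; the result is not validated, so callers must check isValid() before relying on it.` The second half of that comment is inferred from the `FIXME: Check whether innerURL is valid` at the SecurityOrigin.cpp call site. While the comment is being moved, `WebKit support them` and `it's security origin` could be corrected to `supports` and `its`.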