Title: [196655] trunk
Revision: 196655
Author: [email protected]
Date: 2016-02-16 13:18:19 -0800 (Tue, 16 Feb 2016)

Log Message

CSP: Fix parsing of 'host/path' source expressions
https://bugs.webkit.org/show_bug.cgi?id=153170
<rdar://problem/24383407>

Reviewed by Brent Fulgham.

Source/WebCore:

Merged from Blink (patch by Mike West):
<https://src.chromium.org/viewvc/blink?revision=154875&view=revision>

Fixes an issue where a source of the form example.com/A/ was incorrectly considered
invalid and hence such a requested resource would be blocked. A source of this form
is valid by the definition of host-source in section Source List Syntax of the Content
Security Policy 2.0 spec., <http://www.w3.org/TR/2015/CR-CSP2-20150721/>.

* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::parseSource):

LayoutTests:

Remove entry for test http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html
as it now passes.

* TestExpectations:

Diff

Modified: trunk/LayoutTests/ChangeLog (196654 => 196655)


--- trunk/LayoutTests/ChangeLog	2016-02-16 21:17:31 UTC (rev 196654)
+++ trunk/LayoutTests/ChangeLog	2016-02-16 21:18:19 UTC (rev 196655)
@@ -1,3 +1,16 @@
+2016-02-16  Daniel Bates  <[email protected]>
+
+        CSP: Fix parsing of 'host/path' source expressions
+        https://bugs.webkit.org/show_bug.cgi?id=153170
+        <rdar://problem/24383407>
+
+        Reviewed by Brent Fulgham.
+
+        Remove entry for test http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html
+        as it now passes.
+
+        * TestExpectations:
+
 2016-02-16  Joseph Pecoraro  <[email protected]>
 
         JSContext Inspector: Support for inline source maps

Modified: trunk/LayoutTests/TestExpectations (196654 => 196655)


--- trunk/LayoutTests/TestExpectations	2016-02-16 21:17:31 UTC (rev 196654)
+++ trunk/LayoutTests/TestExpectations	2016-02-16 21:18:19 UTC (rev 196655)
@@ -833,7 +833,6 @@
 webkit.org/b/153166 http/tests/security/contentSecurityPolicy/report-uri.html [ Failure ]
 webkit.org/b/153166 webkit.org/b/153242 http/tests/security/contentSecurityPolicy/report-and-enforce.html [ Failure ]
 webkit.org/b/153166 webkit.org/b/153242 http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html [ Failure ]
-webkit.org/b/153170 http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html [ Failure ]
 http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
 
 # These state object tests purposefully stress a resource limit, and take multiple seconds to run.

Modified: trunk/Source/WebCore/ChangeLog (196654 => 196655)


--- trunk/Source/WebCore/ChangeLog	2016-02-16 21:17:31 UTC (rev 196654)
+++ trunk/Source/WebCore/ChangeLog	2016-02-16 21:18:19 UTC (rev 196655)
@@ -1,5 +1,24 @@
 2016-02-16  Daniel Bates  <[email protected]>
 
+        CSP: Fix parsing of 'host/path' source expressions
+        https://bugs.webkit.org/show_bug.cgi?id=153170
+        <rdar://problem/24383407>
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Mike West):
+        <https://src.chromium.org/viewvc/blink?revision=154875&view=revision>
+
+        Fixes an issue where a source of the form example.com/A/ was incorrectly considered
+        invalid and hence such a requested resource would be blocked. A source of this form
+        is valid by the definition of host-source in section Source List Syntax of the Content
+        Security Policy 2.0 spec., <http://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::parseSource):
+
+2016-02-16  Daniel Bates  <[email protected]>
+
         CSP: Disallow an empty host in a host-source source _expression_
         https://bugs.webkit.org/show_bug.cgi?id=153168
         <rdar://problem/24383366>
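Review bot: The entry `(WebCore::ContentSecurityPolicySourceList::parseSource):` carries no per-function description, and the paragraph above it states the symptom (example.com/A/ treated as invalid) but not the cause. Suggest a short note after the colon naming the condition that was removed from the host/path branch and why it rejected valid sources, so the ChangeLog can be read without opening the diff.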

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (196654 => 196655)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp	2016-02-16 21:17:31 UTC (rev 196654)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp	2016-02-16 21:18:19 UTC (rev 196655)
@@ -198,11 +198,7 @@
     if (position < end && *position == '/') {
         // host/path || host/ || /
         //     ^            ^    ^
-        if (!parseHost(beginHost, position, host, hostHasWildcard)
-            || !parsePath(position, end, path)
-            || position != end)
-            return false;
-        return true;
+        return parseHost(beginHost, position, host, hostHasWildcard) && parsePath(position, end, path);
     }
 
     if (position < end && *position == ':') {
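Review bot: The removed `|| position != end` test in the host/path branch leaves parsePath as the only guarantee that the whole expression is valid, and nothing in the hunk says so. This branch is entered only when `position < end`, so unless parsePath advances `position` (its signature is not visible here), the old condition was true for every input that reached it and the branch always returned false, which matches the reported rejection of example.com/A/. Please confirm that parsePath validates everything from the '/' through `end` and rejects characters it does not accept, and consider a layout test with a malformed path next to source-list-parsing-paths-03.html so the rejecting side of the behaviour is pinned as well as the accepting side.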
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes