Title: [196992] trunk
Revision
196992
Author
[email protected]
Date
2016-02-23 13:32:52 -0800 (Tue, 23 Feb 2016)

Log Message

REGRESSION (r196892): No longer emit error message when CSP form-action directive is used as a source expression
https://bugs.webkit.org/show_bug.cgi?id=154555
<rdar://problem/24776777>

Reviewed by Andy Estes.

Source/WebCore:

Fixes an issue where an error message is not emitted when directive form-action is used as a
source expression. Prior to <http://trac.webkit.org/changeset/196892>, when directive form-action
was used as a source expression a console error message would be emitted with the form:

    The Content Security Policy directive 'script-src' contains 'form-action' as a source expression.
    Did you mean 'script-src ...; form-action...' (note the semicolon)?

* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::isCSPDirectiveName): Return true if the specified directive name is "form-action".

LayoutTests:

Test that we emit a console error message when form-action is used as a source expression.

* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt:
* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Use form-action as a
source expression. Also, use a double quoted (") string literal instead of a single quoted (') string
literal to represent the CSP policy so as to avoid the need to escape embedded single quote characters.
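To make the diagnostic concrete, the following is an added JavaScript example, not WebKit code: a minimal checker that splits a policy into directives, then flags any source expression that is itself a directive name, producing the same console message format quoted above. The directive-name list is an assumption limited to names visible on this page (WebKit's real list is longer), and the optional second parameter exists only to show how dropping a name from that list, as r196892 did for form-action, silently suppresses the warning.

```javascript
// Added example (not WebKit's implementation). Directive names are matched
// ASCII case-insensitively, mirroring equalLettersIgnoringASCIICase.
// ASSUMPTION: partial list, restricted to names that appear on this page.
const CSP_DIRECTIVE_NAMES = new Set([
  'connect-src', 'default-src', 'font-src', 'form-action', 'frame-src',
  'img-src', 'media-src', 'object-src', 'script-src', 'style-src',
]);

function isCSPDirectiveName(name, directiveNames = CSP_DIRECTIVE_NAMES) {
  return directiveNames.has(name.toLowerCase());
}

// Returns the list of "missing semicolon" warnings for a policy string.
// A directive name appearing in another directive's source list almost
// always means the author forgot the ';' separating two directives.
function missingSemicolonWarnings(policy, directiveNames = CSP_DIRECTIVE_NAMES) {
  const warnings = [];
  for (const rawDirective of policy.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty directive, e.g. trailing ';'
    const [name, ...sources] = tokens;
    for (const source of sources) {
      if (isCSPDirectiveName(source, directiveNames)) {
        warnings.push(
          `The Content Security Policy directive '${name}' contains '${source}' ` +
          `as a source expression. Did you mean '${name} ...; ${source}...' ` +
          `(note the semicolon)?`);
      }
    }
  }
  return warnings;
}

// Constructed inputs: the two policies from the layout test, plus a
// correctly delimited policy that must not trigger any warning.
const NO_SEMICOLON_1 = "default-src 'self' script-src example.com";
const NO_SEMICOLON_2 = "script-src 'self' object-src 'self' style-src * form-action 'self'";
const WELL_FORMED = "script-src 'self'; form-action 'self'";

// Reproduces the regression: same policy, directive list missing form-action.
const REGRESSED_NAMES = new Set(
  [...CSP_DIRECTIVE_NAMES].filter((n) => n !== 'form-action'));

function demo() {
  return {
    first: missingSemicolonWarnings(NO_SEMICOLON_1),
    second: missingSemicolonWarnings(NO_SEMICOLON_2),
    wellFormed: missingSemicolonWarnings(WELL_FORMED),
    regressed: missingSemicolonWarnings(NO_SEMICOLON_2, REGRESSED_NAMES),
  };
}

for (const w of demo().second) console.log('CONSOLE MESSAGE: ' + w);
```

Running it prints the three messages the updated expected file lists for the second test policy; with the regressed name set only two are produced, which is exactly the symptom this changeset fixes. The well-formed policy produces no warning, the negative case worth keeping in mind when extending such a check.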

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (196991 => 196992)


--- trunk/LayoutTests/ChangeLog	2016-02-23 21:18:05 UTC (rev 196991)
+++ trunk/LayoutTests/ChangeLog	2016-02-23 21:32:52 UTC (rev 196992)
@@ -1,3 +1,18 @@
+2016-02-23  Daniel Bates  <[email protected]>
+
+        REGRESSION (r196892): No longer emit error message when CSP form-action directive is used as a source _expression_
+        https://bugs.webkit.org/show_bug.cgi?id=154555
+        <rdar://problem/24776777>
+
+        Reviewed by Andy Estes.
+
+        Test that we emit a console error message when form-action is used as a source _expression_.
+
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt:
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Use form-action as a
+        source _expression_. Also, use a double quoted (") string literal instead of a single quoted (') string
+        literal to represent the CSP policy so as to avoid the need to escape embedded single quote characters.
+
 2016-02-22  Dean Jackson  <[email protected]>
 
         Add tests for fast click change in r196679

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt (196991 => 196992)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt	2016-02-23 21:18:05 UTC (rev 196991)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt	2016-02-23 21:32:52 UTC (rev 196992)
@@ -1,6 +1,7 @@
 CONSOLE MESSAGE: The Content Security Policy directive 'default-src' contains 'script-src' as a source _expression_. Did you mean 'default-src ...; script-src...' (note the semicolon)?
 CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'object-src' as a source _expression_. Did you mean 'script-src ...; object-src...' (note the semicolon)?
 CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'style-src' as a source _expression_. Did you mean 'script-src ...; style-src...' (note the semicolon)?
+CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'form-action' as a source _expression_. Did you mean 'script-src ...; form-action...' (note the semicolon)?
 If a web author forgets a semicolon, we should do our best to warn them that the policy they've defined is probably not what they intended.
 
 
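Review bot: the new expected line only covers form-action in the no-semicolon position; the test does not check that a correctly delimited policy such as `script-src 'self'; form-action 'self'` stays silent, so a future change that warns too eagerly would pass this test. Consider adding a negative entry whose expected output has no form-action message, and, since isCSPDirectiveName compares ASCII case-insensitively, a mixed-case token like `Form-Action` to pin that behaviour down.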

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html (196991 => 196992)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html	2016-02-23 21:18:05 UTC (rev 196991)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html	2016-02-23 21:32:52 UTC (rev 196992)
@@ -5,7 +5,7 @@
 <script>
 var tests = [
     ['yes', 'default-src \'self\' script-src example.com', 'resources/script.js'],
-    ['yes', 'script-src \'self\' object-src \'self\' style-src *', 'resources/script.js'],
+    ['yes', "script-src 'self' object-src 'self' style-src * form-action 'self'", 'resources/script.js'],
 ];
 </script>
 </head>
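Review bot: only the second entry was converted to a double-quoted literal while the first still escapes `'self'` with backslashes, so the ChangeLog's stated reason for the quoting change applies to both lines; converting `['yes', 'default-src \'self\' script-src example.com', ...]` as well keeps the file consistent. Appending `form-action 'self'` to the existing policy is fine for the console-message check, but a separate entry with an expected "no" result for a semicolon-delimited policy would make the table exercise the non-warning path too.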

Modified: trunk/Source/WebCore/ChangeLog (196991 => 196992)


--- trunk/Source/WebCore/ChangeLog	2016-02-23 21:18:05 UTC (rev 196991)
+++ trunk/Source/WebCore/ChangeLog	2016-02-23 21:32:52 UTC (rev 196992)
@@ -1,3 +1,21 @@
+2016-02-23  Daniel Bates  <[email protected]>
+
+        REGRESSION (r196892): No longer emit error message when CSP form-action directive is used as a source _expression_
+        https://bugs.webkit.org/show_bug.cgi?id=154555
+        <rdar://problem/24776777>
+
+        Reviewed by Andy Estes.
+
+        Fixes an issue where an error message is not emitted when directive form-action is used as a
+        source _expression_. Prior to <http://trac.webkit.org/changeset/196892>, when directive form-action
+        was used as a source _expression_ a console error message would be emitted with the form:
+
+            The Content Security Policy directive 'script-src' contains 'form-action' as a source _expression_.
+            Did you mean 'script-src ...; form-action...' (note the semicolon)?
+
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::isCSPDirectiveName): Return true if the specified directive name is "form-action".
+
 2016-02-23  Simon Fraser  <[email protected]>
 
         Lay the groundwork for more constness in StyleResolver-related code

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (196991 => 196992)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp	2016-02-23 21:18:05 UTC (rev 196991)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp	2016-02-23 21:32:52 UTC (rev 196992)
@@ -78,6 +78,7 @@
     return equalLettersIgnoringASCIICase(name, connectSrc)
         || equalLettersIgnoringASCIICase(name, defaultSrc)
         || equalLettersIgnoringASCIICase(name, fontSrc)
+        || equalLettersIgnoringASCIICase(name, formAction)
         || equalLettersIgnoringASCIICase(name, frameSrc)
         || equalLettersIgnoringASCIICase(name, imgSrc)
         || equalLettersIgnoringASCIICase(name, mediaSrc)
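Review bot: restoring `formAction` here fixes the symptom, but the regression itself shows the risk of maintaining isCSPDirectiveName as a hand-written chain of comparisons that must be kept in sync with the directive names the parser actually recognises; r196892 evidently dropped one without any compile-time or test signal. Consider deriving this predicate from the same table the directive dispatcher uses, so a newly supported directive cannot be recognised for parsing yet missed by the missing-semicolon diagnostic, and keep the alphabetical ordering (as done with formAction between fontSrc and frameSrc) so omissions are easy to spot in review.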
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes