Modified: trunk/LayoutTests/ChangeLog (197006 => 197007)
--- trunk/LayoutTests/ChangeLog 2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/ChangeLog 2016-02-24 00:53:29 UTC (rev 197007)
@@ -1,3 +1,37 @@
+2016-02-23 Daniel Bates <[email protected]>
+
+ CSP: Enable base-uri directive by default
+ https://bugs.webkit.org/show_bug.cgi?id=154521
+ <rdar://problem/24762032>
+
+ Reviewed by Brent Fulgham.
+
+ Copy test http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html to
+ http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html,
+ making some minor stylistic changes, and update TestExpectations to skip it because it depends
+ on the firing of event SecurityPolicyViolationEvent, which is disabled as of the time of writing.
+ We will enable the firing of this event in <https://bugs.webkit.org/show_bug.cgi?id=154522>.
+ Repurpose test name base-uri-deny.html to test that the base-uri directive prevents the use of
+ document base URL without depending on the firing of event SecurityPolicyViolationEvent.
+
+ Additionally, add test http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html
+ to ensure that we do not fall back to enforcing the default-src directive in absence of
+ a base-uri directive as per section base-uri of the Content Security Policy 2.0 spec.,
+ <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+ * TestExpectations:
+ * http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt:
+ * http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html: Repurpose test.
+ * http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html.
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt: Update expected result based on change to test (below).
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Modified to test that we emit
+ a console warning when base-uri is used as a source _expression_.
+
2016-02-22 Ryosuke Niwa <[email protected]>
Calling importNode on shadow root causes a crash
Modified: trunk/LayoutTests/TestExpectations (197006 => 197007)
--- trunk/LayoutTests/TestExpectations 2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/TestExpectations 2016-02-24 00:53:29 UTC (rev 197007)
@@ -810,6 +810,9 @@
http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html [ Pass ]
http/tests/security/contentSecurityPolicy/1.1/form-action-src-_javascript_-blocked.html [ Pass ]
http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/base-uri-allow.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html [ Pass ]
http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php [ Pass ]
webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
@@ -836,6 +839,7 @@
webkit.org/b/153161 http/tests/security/contentSecurityPolicy/register-bypassing-scheme-partial.html [ Failure ]
webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ]
webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]
+webkit.org/b/154522 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html
http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
# These state object tests purposefully stress a resource limit, and take multiple seconds to run.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt (0 => 197007)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt 2016-02-24 00:53:29 UTC (rev 197007)
@@ -0,0 +1,2 @@
+ALERT: This is a safe script.
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html (0 => 197007)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html 2016-02-24 00:53:29 UTC (rev 197007)
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'">
+<base href=""
+<script src=""
+</head>
+</html>
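Review bot: The intent of this test cannot be checked from the markup alone, because the `<base href>` and `<script src>` values on the two lines above `</head>` are not visible in this rendering and the only observable signals are which `safe-script.js` copy ends up loading and the absence of a console message in the expected output. Since the diff adds two copies with the same relative name (`resources/safe-script.js` alerting "This is a safe script." and `resources/base-href/resources/safe-script.js` alerting "CSP violation"), a one-line HTML comment above the `<base>` stating which copy the script is expected to resolve to once the base is honoured, and that a "Refused to set the document's base URI" console line would mean default-src was wrongly used as a fallback, would let a reader verify the expectation without opening the expected file. Something like `<!-- No base-uri directive: default-src 'none' must not act as a fallback, so the <base> below must take effect and no base-uri violation may be logged. -->`.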
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt (197006 => 197007)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt 2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt 2016-02-24 00:53:29 UTC (rev 197007)
@@ -1,21 +1,4 @@
-CONSOLE MESSAGE: Refused to set the document's base URI to 'http://example.com/' because it violates the following Content Security Policy directive: "base-uri 'self'".
+CONSOLE MESSAGE: Refused to set the document's base URI to 'http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/resources/base-href/' because it violates the following Content Security Policy directive: "base-uri 'none'".
-Check that base URIs cannot be set if they violate the page's policy.
+ALERT: This is a safe script.
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-Kicking off the tests:
-PASS document.baseURI is document.location.href
-PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/base-uri-deny.html"
-PASS window.e.referrer is ""
-PASS window.e.blockedURI is "http://example.com"
-PASS window.e.violatedDirective is "base-uri 'self'"
-PASS window.e.effectiveDirective is "base-uri"
-PASS window.e.originalPolicy is "base-uri 'self'"
-PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/base-uri-deny.html"
-PASS window.e.lineNumber is 24
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html (197006 => 197007)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html 2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html 2016-02-24 00:53:29 UTC (rev 197007)
@@ -1,33 +1,12 @@
<!DOCTYPE html>
<html>
<head>
- <meta http-equiv="Content-Security-Policy" content="base-uri 'self'">
- <script src=""
- <script src=""
- <script>
- description('Check that base URIs cannot be set if they violate the page\'s policy.');
-
- var expectations = {
- 'documentURI': document.location.toString(),
- 'referrer': document.referrer,
- 'blockedURI': 'http://example.com',
- 'violatedDirective': 'base-uri \'self\'',
- 'effectiveDirective': 'base-uri',
- 'originalPolicy': 'base-uri \'self\'',
- 'sourceFile': document.location.toString(),
- 'lineNumber': 24
- };
-
- function run() {
- var base = document.createElement('base');
- base.href = '';
- document.head.appendChild(base);
-
- shouldBe('document.baseURI', 'document.location.href');
- }
- </script>
- <script src=""
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="base-uri 'none'">
+<base href=""
+<script src=""
</head>
-<body>
-</body>
</html>
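Review bot: The repurposed test no longer asserts `document.baseURI` against `document.location.href`, which the removed version did via `shouldBe('document.baseURI', 'document.location.href')`; it now relies only on the console message and on which `safe-script.js` copy loads. Because the policy is just `base-uri 'none'` an inline script is still permitted, so a direct check can be added before `</head>`: `<script>alert(document.baseURI === document.location.href ? "PASS: base URI unchanged" : "FAIL: base URI is " + document.baseURI);</script>`, with the extra ALERT line added to base-uri-deny-expected.txt. That also catches a regression where the refusal is logged but the base is nevertheless applied.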
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js (0 => 197007)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js 2016-02-24 00:53:29 UTC (rev 197007)
@@ -0,0 +1 @@
+alert("CSP violation");
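Review bot: The file name says "safe-script.js" while its body alerts "CSP violation", which is confusing until one notices it is a same-named shadow of `resources/safe-script.js` that can only be reached when a `<base href>` pointing into `resources/base-href/` has taken effect. A leading comment would make that explicit: `// Same relative name as ../../safe-script.js; only reachable once a <base href="resources/base-href/"> has been applied, so loading this file means base-uri was not enforced.`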
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js (0 => 197007)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js 2016-02-24 00:53:29 UTC (rev 197007)
@@ -0,0 +1 @@
+alert("This is a safe script.");
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt (from rev 197006, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt) (0 => 197007)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt 2016-02-24 00:53:29 UTC (rev 197007)
@@ -0,0 +1,21 @@
+CONSOLE MESSAGE: Refused to set the document's base URI to 'http://example.com/' because it violates the following Content Security Policy directive: "base-uri 'self'".
+
+Check that base URIs cannot be set if they violate the page's policy.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Kicking off the tests:
+PASS document.baseURI is document.location.href
+PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/base-uri-deny.html"
+PASS window.e.referrer is ""
+PASS window.e.blockedURI is "http://example.com"
+PASS window.e.violatedDirective is "base-uri 'self'"
+PASS window.e.effectiveDirective is "base-uri"
+PASS window.e.originalPolicy is "base-uri 'self'"
+PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/base-uri-deny.html"
+PASS window.e.lineNumber is 24
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
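Review bot: The `documentURI` and `sourceFile` expectations still name `base-uri-deny.html`, but this file belongs to the copied test `securitypolicyviolation-base-uri-deny.html`, and that test computes both values from `document.location.toString()`, so at run time they will end in `securitypolicyviolation-base-uri-deny.html`. The mismatch is masked only because the test is skipped in TestExpectations; once it is enabled under webkit.org/b/154522 those two lines will fail. Change them to `PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html"` and `PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html"`.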
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html (0 => 197007)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html 2016-02-24 00:53:29 UTC (rev 197007)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="base-uri 'self'">
+<script src=""
+<script src=""
+<script>
+ description("Check that base URIs cannot be set if they violate the page's policy.");
+
+ var expectations = {
+ 'documentURI': document.location.toString(),
+ 'referrer': document.referrer,
+ 'blockedURI': 'http://example.com',
+ 'violatedDirective': "base-uri 'self'",
+ 'effectiveDirective': 'base-uri',
+ 'originalPolicy': "base-uri 'self'",
+ 'sourceFile': document.location.toString(),
+ 'lineNumber': 24
+ };
+
+ function run() {
+ var base = document.createElement('base');
+ base.href = '';
+ document.head.appendChild(base);
+
+ shouldBe('document.baseURI', 'document.location.href');
+ }
+</script>
+<script src=""
+</head>
+<body>
+</body>
+</html>
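Review bot: The expectations object pins `'lineNumber': 24`, which is the line of `document.head.appendChild(base)`, but nothing in the file says so, and any edit above that line (the stylistic changes this copy already made, for instance) would break the expectation silently for as long as the test stays skipped. A comment beside it, `// Line of document.head.appendChild(base) below; keep in sync when editing this file.`, would make the coupling visible. Where `window.e` is populated and what invokes `run()` is not visible here because the `<script src>` values are stripped in this rendering, so that is presumably done by the included helper scripts.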
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt (197006 => 197007)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt 2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt 2016-02-24 00:53:29 UTC (rev 197007)
@@ -2,6 +2,7 @@
CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'object-src' as a source _expression_. Did you mean 'script-src ...; object-src...' (note the semicolon)?
CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'style-src' as a source _expression_. Did you mean 'script-src ...; style-src...' (note the semicolon)?
CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'form-action' as a source _expression_. Did you mean 'script-src ...; form-action...' (note the semicolon)?
+CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'base-uri' as a source _expression_. Did you mean 'script-src ...; base-uri...' (note the semicolon)?
If a web author forgets a semicolon, we should do our best to warn them that the policy they've defined is probably not what they intended.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html (197006 => 197007)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html 2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html 2016-02-24 00:53:29 UTC (rev 197007)
@@ -5,7 +5,7 @@
<script>
var tests = [
['yes', 'default-src \'self\' script-src example.com', 'resources/script.js'],
- ['yes', "script-src 'self' object-src 'self' style-src * form-action 'self'", 'resources/script.js'],
+ ['yes', "script-src 'self' object-src 'self' style-src * form-action 'self' base-uri 'self'", 'resources/script.js'],
];
</script>
</head>
Modified: trunk/Source/WebCore/ChangeLog (197006 => 197007)
--- trunk/Source/WebCore/ChangeLog 2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/Source/WebCore/ChangeLog 2016-02-24 00:53:29 UTC (rev 197007)
@@ -1,3 +1,21 @@
+2016-02-23 Daniel Bates <[email protected]>
+
+ CSP: Enable base-uri directive by default
+ https://bugs.webkit.org/show_bug.cgi?id=154521
+ <rdar://problem/24762032>
+
+ Reviewed by Brent Fulgham.
+
+ Tests: http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html
+ http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html
+
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::isExperimentalDirectiveName): Move base-uri from the directives considered
+ experimental to...
+ (WebCore::isCSPDirectiveName): ...the list of standard directives.
+ (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Move logic to parse the base-uri
+ directive outside the ENABLE(CSP_NEXT) macro guarded section/experimental feature runtime flag.
+
2016-02-23 Gavin Barraclough <[email protected]>
Add a mechanism to automatically ramp up timer alignment.
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (197006 => 197007)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-24 00:53:29 UTC (rev 197007)
@@ -59,9 +59,7 @@
static inline bool isExperimentalDirectiveName(const String& name)
{
- return equalLettersIgnoringASCIICase(name, baseURI)
- || equalLettersIgnoringASCIICase(name, pluginTypes)
- || equalLettersIgnoringASCIICase(name, reflectedXSS);
+ return equalLettersIgnoringASCIICase(name, pluginTypes) || equalLettersIgnoringASCIICase(name, reflectedXSS);
}
#else
@@ -75,7 +73,8 @@
bool isCSPDirectiveName(const String& name)
{
- return equalLettersIgnoringASCIICase(name, connectSrc)
+ return equalLettersIgnoringASCIICase(name, baseURI)
+ || equalLettersIgnoringASCIICase(name, connectSrc)
|| equalLettersIgnoringASCIICase(name, defaultSrc)
|| equalLettersIgnoringASCIICase(name, fontSrc)
|| equalLettersIgnoringASCIICase(name, formAction)
@@ -601,15 +600,15 @@
setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_childSrc);
else if (equalLettersIgnoringASCIICase(name, formAction))
setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_formAction);
+ else if (equalLettersIgnoringASCIICase(name, baseURI))
+ setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_baseURI);
else if (equalLettersIgnoringASCIICase(name, sandbox))
applySandboxPolicy(name, value);
else if (equalLettersIgnoringASCIICase(name, reportURI))
parseReportURI(name, value);
#if ENABLE(CSP_NEXT)
else if (m_policy.experimentalFeaturesEnabled()) {
- if (equalLettersIgnoringASCIICase(name, baseURI))
- setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_baseURI);
- else if (equalLettersIgnoringASCIICase(name, pluginTypes))
+ if (equalLettersIgnoringASCIICase(name, pluginTypes))
setCSPDirective<ContentSecurityPolicyMediaListDirective>(name, value, m_pluginTypes);
else if (equalLettersIgnoringASCIICase(name, reflectedXSS))
parseReflectedXSS(name, value);
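Review bot: This hunk only moves the parsing of `base-uri` out of the `experimentalFeaturesEnabled()` branch; nothing in the diff touches the enforcement side, so it is worth confirming that the code which consults `m_baseURI` when a `<base>` element is processed is not itself gated on the experimental flag, otherwise the directive would parse by default but only be enforced with the flag on. The new tests being marked `[ Pass ]` suggests enforcement is already unconditional, but the diff cannot show that. As a point of style, the new branch is placed between `form-action` and `sandbox` while `isCSPDirectiveName` now lists `base-uri` first; keeping the two enumerations in the same order makes it easier to spot a name added to one but not the other. `addDirective` begins and ends outside this hunk.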