Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 10:23:58 UTC (rev 197081)
@@ -1,3 +1,45 @@
+2016-02-21 Daniel Bates <daba...@apple.com>
+
+ CSP: sandbox directive should be ignored when contained in a policy defined via a meta element
+ https://bugs.webkit.org/show_bug.cgi?id=154299
+ <rdar://problem/24680433>
+
+ Reviewed by Brent Fulgham.
+
+ Add test http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html to ensure that we ignore
+ the sandbox directive when delivered via an HTML meta element and log a message to the Web Inspector console.
+
+ Remove tests http/tests/security/contentSecurityPolicy/sandbox-{allow-scripts-subframe, empty, empty-subframe}.html
+ that are no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element and
+ create analogous tests for when the sandbox directive is delivered via an HTTP header.
+
+ * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2-expected.txt: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt.
+ * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html.
+
+ * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html: Removed.
+ This test is no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element.
+ An analogous test for when the directive is delivered via an HTTP header is http/tests/security/contentSecurityPolicy//sandbox-allow-scripts-in-http-header.html.
+
+ * http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php: Added. Derived from test http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html.
+
+ * http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php: Added. Derived from test http/tests/security/contentSecurityPolicy/sandbox-empty.html.
+
+ * http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html: Removed.
+ This test is no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element.
+ The analogous test for when the directive is delivered via an HTTP header is http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php.
+
+ * http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/sandbox-empty.html: Removed.
+ This test is no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element.
+ The analogous test for when the directive is delivered via an HTTP header is http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php.
+
+ * http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html: Added.
+
2016-02-19 Antti Koivisto <an...@apple.com>
ComposedTreeIterator traverses normal children for elements with empty shadow root
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
@@ -1,2 +0,0 @@
-ALERT: PASS
-This test passes if it does alert pass.
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2-expected.txt (from rev 197080, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt) (0 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
@@ -0,0 +1,2 @@
+ALERT: PASS
+This test passes if it does alert pass.
Copied: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php (from rev 197080, releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html) (0 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php 2016-02-25 10:23:58 UTC (rev 197081)
@@ -0,0 +1,16 @@
+<?php
+ header("Content-Security-Policy: sandbox allow-scripts");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+This test passes if it does alert pass.
+<script>
+alert('PASS');
+</script>
+</body>
+</html>
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe-expected.txt (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe-expected.txt 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
@@ -1,2 +0,0 @@
-ALERT: PASS
-This test passes if it does alert pass.
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html 2016-02-25 10:23:58 UTC (rev 197081)
@@ -1,7 +0,0 @@
-<script>
-if (window.testRunner)
- testRunner.dumpAsText();
-</script>
-<meta http-equiv="Content-Security-Policy" content="sandbox allow-scripts">
-This test passes if it does alert pass.
-<iframe src=""
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html 2016-02-25 10:23:58 UTC (rev 197081)
@@ -1,9 +0,0 @@
-<script>
-if (window.testRunner)
- testRunner.dumpAsText();
-</script>
-<meta http-equiv="Content-Security-Policy" content="sandbox allow-scripts">
-This test passes if it does alert pass.
-<script>
-alert('PASS');
-</script>
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
@@ -1,2 +0,0 @@
-CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/contentSecurityPolicy/sandbox-empty.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
-This test passes if it doesn't alert fail.
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-expected.txt (0 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/contentSecurityPolicy/sandbox-empty-in-http-header.php' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x8
+ RenderBlock {HTML} at (0,0) size 800x8
+ RenderBody {BODY} at (8,8) size 784x0
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe-expected.txt (0 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script>alert('FAIL');</script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+layer at (0,0) size 800x600
+ RenderView at (0,0) size 800x600
+layer at (0,0) size 800x124
+ RenderBlock {HTML} at (0,0) size 800x124
+ RenderBody {BODY} at (8,8) size 784x108
+ RenderIFrame {IFRAME} at (0,0) size 104x104 [border: (2px inset #000000)]
+ layer at (0,0) size 100x100
+ RenderView at (0,0) size 100x100
+ layer at (0,0) size 100x100
+ RenderBlock {HTML} at (0,0) size 100x100
+ RenderBody {BODY} at (8,8) size 84x84
+ RenderText {#text} at (0,0) size 0x0
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php (0 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php 2016-02-25 10:23:58 UTC (rev 197081)
@@ -0,0 +1,10 @@
+<?php
+ header("Content-Security-Policy: sandbox");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<!-- This test passes if it doesn't alert FAIL. -->
+<iframe src="" width="100" height="100"></iframe>
+</body>
+</html>
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php (0 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php 2016-02-25 10:23:58 UTC (rev 197081)
@@ -0,0 +1,10 @@
+<?php
+ header("Content-Security-Policy: sandbox");
+?>
+<!DOCTYPE html>
+<html>
+<body>
+<!-- This test passes if it doesn't alert FAIL. -->
+<script>alert('FAIL')</script>
+</body>
+</html>
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
@@ -1,2 +0,0 @@
-CONSOLE MESSAGE: Blocked script execution in 'data:text/html,<script>alert('FAIL');</script>' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
-This test passes if it doesn't alert fail.
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html 2016-02-25 10:23:58 UTC (rev 197081)
@@ -1,7 +0,0 @@
-<script>
-if (window.testRunner)
- testRunner.dumpAsText();
-</script>
-<meta http-equiv="Content-Security-Policy" content="sandbox">
-This test passes if it doesn't alert fail.
-<iframe src=""
Deleted: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty.html (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty.html 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty.html 2016-02-25 10:23:58 UTC (rev 197081)
@@ -1,9 +0,0 @@
-<script>
-if (window.testRunner)
- testRunner.dumpAsText();
-</script>
-<meta http-equiv="Content-Security-Policy" content="sandbox">
-This test passes if it doesn't alert fail.
-<script>
-alert('FAIL');
-</script>
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored-expected.txt (0 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored-expected.txt 2016-02-25 10:23:58 UTC (rev 197081)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: The Content Security Policy directive 'sandbox' is ignored when delivered via an HTML meta element.
+ALERT: PASS executed script.
+This tests that the Content Security Policy sandbox directive is ignored when contained in a policy defined via an HTML meta element.
Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html (0 => 197081)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html 2016-02-25 10:23:58 UTC (rev 197081)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="sandbox">
+</head>
+<body>
+<p>This tests that the Content Security Policy <code>sandbox</code> directive is ignored when contained in a policy defined via an HTML meta element.</p>
+<script>alert("PASS executed script.")</script>
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 10:23:58 UTC (rev 197081)
@@ -1,3 +1,48 @@
+2016-02-21 Daniel Bates <daba...@apple.com>
+
+ CSP: sandbox directive should be ignored when contained in a policy defined via a meta element
+ https://bugs.webkit.org/show_bug.cgi?id=154299
+ <rdar://problem/24680433>
+
+ Reviewed by Brent Fulgham.
+
+ The Content Security Policy sandbox directive should only be honored when enforcing a policy
+ defined via an HTTP header as per section sandbox of the Content Security Policy 2.0 spec.,
+ <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+ Currently we honor the sandbox directive when enforcing a policy defined either via an HTML
+ meta element or an HTTP header. Instead we should only honor this directive when defined
+ via an HTTP header and log a message to the Web Inspector console to explain that the directive
+ was ignored as suggested in <https://www.w3.org/TR/2015/CR-CSP2-20150721/#delivery-html-meta-element>.
+
+ Tests: http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php
+ http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php
+ http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php
+ http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Substitute ContentSecurityPolicy::processHTTPEquiv() for
+ ContentSecurityPolicy::didReceiveHeader() as the latter was made private.
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::copyStateFrom): Updated as needed based on ContentSecurityPolicy::didReceiveHeader() change below.
+ (WebCore::ContentSecurityPolicy::didReceiveHeaders): Ditto.
+ (WebCore::ContentSecurityPolicy::didReceiveHeader): Modified to take argument of type ContentSecurityPolicy::PolicyFrom
+ and pass it through to ContentSecurityPolicyDirectiveList::create().
+ (WebCore::ContentSecurityPolicy::reportInvalidDirectiveInHTTPEquivMeta): Logs a message to the Web Inspector console
+ that the specified directive was ignored because it was delivered via an HTML meta element.
+ * page/csp/ContentSecurityPolicy.h: Made member function ContentSecurityPolicy::didReceiveHeader() private. Defined
+ enum class PolicyFrom to represent the source of the Content Security Policy: HTTP equiv meta element, HTTP header, or
+ inherited from another ContentSecurityPolicy object (this value is only used by ContentSecurityPolicy::copyStateFrom()).
+ (WebCore::ContentSecurityPolicy::processHTTPEquiv): Added; turns around and calls ContentSecurityPolicy::didReceiveHeader().
+ The name of this function better describes its purpose - to handle the processing of a Content Security Policy
+ delivered via <meta http-equiv="Content-Security-Policy" content="...">.
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::ContentSecurityPolicyDirectiveList::create): Modified to take argument of type ContentSecurityPolicy::PolicyFrom
+ as pass it through to ContentSecurityPolicyDirectiveList::parse().
+ (WebCore::ContentSecurityPolicyDirectiveList::parse): Modified to ignore the directive sandbox when the Content Security
+ Policy came from an HTML meta element.
+ * page/csp/ContentSecurityPolicyDirectiveList.h:
+
2016-02-20 Antti Koivisto <an...@apple.com>
Resolve style iteratively
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.cpp (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.cpp 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/dom/Document.cpp 2016-02-25 10:23:58 UTC (rev 197081)
@@ -3271,19 +3271,19 @@
break;
case HTTPHeaderName::ContentSecurityPolicy:
- contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::Enforce);
+ contentSecurityPolicy()->processHTTPEquiv(content, ContentSecurityPolicyHeaderType::Enforce);
break;
case HTTPHeaderName::ContentSecurityPolicyReportOnly:
- contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::Report);
+ contentSecurityPolicy()->processHTTPEquiv(content, ContentSecurityPolicyHeaderType::Report);
break;
case HTTPHeaderName::XWebKitCSP:
- contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::PrefixedEnforce);
+ contentSecurityPolicy()->processHTTPEquiv(content, ContentSecurityPolicyHeaderType::PrefixedEnforce);
break;
case HTTPHeaderName::XWebKitCSPReportOnly:
- contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::PrefixedReport);
+ contentSecurityPolicy()->processHTTPEquiv(content, ContentSecurityPolicyHeaderType::PrefixedReport);
break;
default:
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-25 10:23:58 UTC (rev 197081)
@@ -78,7 +78,7 @@
{
ASSERT(m_policies.isEmpty());
for (auto& policy : other->m_policies)
- didReceiveHeader(policy->header(), policy->headerType());
+ didReceiveHeader(policy->header(), policy->headerType(), ContentSecurityPolicy::PolicyFrom::Inherited);
}
ContentSecurityPolicyResponseHeaders ContentSecurityPolicy::responseHeaders() const
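Review bot: Passing PolicyFrom::Inherited here re-parses each copied policy's raw header() text, and the parse change in ContentSecurityPolicyDirectiveList.cpp (hunk @@ -406) drops `sandbox` only for HTTPEquivMeta, so a policy that originally arrived via a meta element and had its sandbox directive reported as ignored would get that directive added by addDirective() when its state is copied into an inheriting context. Whether the inherited list's sandbox flags are then applied is decided outside these hunks, but the inheriting document would at least hold a directive the source document was told was ignored, which is inconsistent with the behaviour this change introduces. One way to keep the two in step is for ContentSecurityPolicyDirectiveList to remember the PolicyFrom it was parsed with and for this loop to forward it, e.g. `didReceiveHeader(policy->header(), policy->headerType(), policy->policyFrom());`, so that the meta-element restriction survives inheritance. copyStateFrom's signature lies outside the hunk.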
@@ -93,10 +93,10 @@
void ContentSecurityPolicy::didReceiveHeaders(const ContentSecurityPolicyResponseHeaders& headers)
{
for (auto& header : headers.m_headers)
- didReceiveHeader(header.first, header.second);
+ didReceiveHeader(header.first, header.second, ContentSecurityPolicy::PolicyFrom::HTTPHeader);
}
-void ContentSecurityPolicy::didReceiveHeader(const String& header, ContentSecurityPolicyHeaderType type)
+void ContentSecurityPolicy::didReceiveHeader(const String& header, ContentSecurityPolicyHeaderType type, ContentSecurityPolicy::PolicyFrom policyFrom)
{
// RFC2616, section 4.2 specifies that headers appearing multiple times can
// be combined with a comma. Walk the header string, and parse each comma
@@ -110,7 +110,7 @@
// header1,header2 OR header1
// ^ ^
- std::unique_ptr<ContentSecurityPolicyDirectiveList> policy = ContentSecurityPolicyDirectiveList::create(*this, String(begin, position - begin), type);
+ std::unique_ptr<ContentSecurityPolicyDirectiveList> policy = ContentSecurityPolicyDirectiveList::create(*this, String(begin, position - begin), type, policyFrom);
if (!policy->allowEval(0, ContentSecurityPolicy::ReportingStatus::SuppressReport))
m_lastPolicyEvalDisabledErrorMessage = policy->evalDisabledErrorMessage();
@@ -457,6 +457,11 @@
logToConsole("The Content Security Policy directive '" + directiveName + "' is ignored when delivered in a report-only policy.");
}
+void ContentSecurityPolicy::reportInvalidDirectiveInHTTPEquivMeta(const String& directiveName) const
+{
+ logToConsole("The Content Security Policy directive '" + directiveName + "' is ignored when delivered via an HTML meta element.");
+}
+
void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const
{
String message = makeString("The value for Content Security Policy directive '", directiveName, "' contains an invalid character: '", value, "'. Non-whitespace characters outside ASCII 0x21-0x7E must be percent-encoded, as described in RFC 3986, section 2.1: http://tools.ietf.org/html/rfc3986#section-2.1.");
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.h (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-02-25 10:23:58 UTC (rev 197081)
@@ -67,9 +67,14 @@
};
ReflectedXSSDisposition reflectedXSSDisposition() const;
+ enum class PolicyFrom {
+ HTTPEquivMeta,
+ HTTPHeader,
+ Inherited,
+ };
ContentSecurityPolicyResponseHeaders responseHeaders() const;
void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
- void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType);
+ void processHTTPEquiv(const String& content, ContentSecurityPolicyHeaderType type) { didReceiveHeader(content, type, ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta); }
enum class ReportingStatus {
SendReport,
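Review bot: The new PolicyFrom enum is declared without a comment, yet its value changes how a directive list is parsed and, per the ChangeLog, Inherited is meant for copyStateFrom() only; neither fact is visible at the declaration. A short comment above the enum would help the next caller pick the right value, e.g. `// Origin of the policy text. Some directives (currently sandbox) are ignored for HTTPEquivMeta; Inherited is used by copyStateFrom() only.` The inline processHTTPEquiv() is the only public way to parse a meta-delivered policy now that didReceiveHeader() is private, which is also worth a one-line comment on that declaration.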
@@ -123,6 +128,7 @@
void reportInvalidSandboxFlags(const String&) const;
void reportInvalidReflectedXSS(const String&) const;
void reportInvalidDirectiveInReportOnlyMode(const String&) const;
+ void reportInvalidDirectiveInHTTPEquivMeta(const String&) const;
void reportMissingReportURI(const String&) const;
void reportUnsupportedDirective(const String&) const;
void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<String>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
@@ -136,6 +142,8 @@
void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
void applyPolicyToScriptExecutionContext();
+ void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicy::PolicyFrom);
+
ScriptExecutionContext* m_scriptExecutionContext { nullptr };
std::unique_ptr<ContentSecurityPolicySource> m_selfSource;
String m_selfSourceProtocol;
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-25 10:23:58 UTC (rev 197081)
@@ -115,10 +115,10 @@
m_reportOnly = (type == ContentSecurityPolicyHeaderType::Report || type == ContentSecurityPolicyHeaderType::PrefixedReport);
}
-std::unique_ptr<ContentSecurityPolicyDirectiveList> ContentSecurityPolicyDirectiveList::create(ContentSecurityPolicy& policy, const String& header, ContentSecurityPolicyHeaderType type)
+std::unique_ptr<ContentSecurityPolicyDirectiveList> ContentSecurityPolicyDirectiveList::create(ContentSecurityPolicy& policy, const String& header, ContentSecurityPolicyHeaderType type, ContentSecurityPolicy::PolicyFrom from)
{
auto directives = std::make_unique<ContentSecurityPolicyDirectiveList>(policy, type);
- directives->parse(header);
+ directives->parse(header, from);
if (!directives->checkEval(directives->operativeDirective(directives->m_scriptSrc.get()))) {
String message = makeString("Refused to evaluate a string as _javascript_ because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", directives->operativeDirective(directives->m_scriptSrc.get())->text(), "\".\n");
@@ -389,7 +389,7 @@
// policy = directive-list
// directive-list = [ directive *( ";" [ directive ] ) ]
//
-void ContentSecurityPolicyDirectiveList::parse(const String& policy)
+void ContentSecurityPolicyDirectiveList::parse(const String& policy, ContentSecurityPolicy::PolicyFrom policyFrom)
{
m_header = policy;
if (policy.isEmpty())
@@ -406,7 +406,18 @@
String name, value;
if (parseDirective(directiveBegin, position, name, value)) {
ASSERT(!name.isEmpty());
- addDirective(name, value);
+ switch (policyFrom) {
+ case ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta:
+ // FIXME: We also need to ignore directive report-uri (https://bugs.webkit.org/show_bug.cgi?id=154307).
+ if (equalLettersIgnoringASCIICase(name, sandbox)) {
+ m_policy.reportInvalidDirectiveInHTTPEquivMeta(name);
+ break;
+ }
+ FALLTHROUGH;
+ default:
+ addDirective(name, value);
+ break;
+ }
}
ASSERT(position == end || *position == ';');
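Review bot: The new switch ignores `sandbox` for meta-delivered policies without saying why, and the FIXME already notes that report-uri should receive the same treatment, so the rationale and spec pointer from the ChangeLog belong next to the code, e.g. `// Per CSP 2.0, sandbox is only honored when delivered via an HTTP header: https://www.w3.org/TR/2015/CR-CSP2-20150721/#delivery-html-meta-element`. Note also that the switch treats PolicyFrom::Inherited exactly like HTTPHeader, so any source-dependent restriction applies only at the first parse of the header text; if a meta-sourced policy can be re-parsed with Inherited elsewhere, this branch will not see it. The enclosing parse() body starts before and continues past this hunk.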
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (197080 => 197081)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h 2016-02-25 10:04:13 UTC (rev 197080)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h 2016-02-25 10:23:58 UTC (rev 197081)
@@ -41,7 +41,7 @@
WTF_MAKE_FAST_ALLOCATED;
WTF_MAKE_NONCOPYABLE(ContentSecurityPolicyDirectiveList)
public:
- static std::unique_ptr<ContentSecurityPolicyDirectiveList> create(ContentSecurityPolicy&, const String&, ContentSecurityPolicyHeaderType);
+ static std::unique_ptr<ContentSecurityPolicyDirectiveList> create(ContentSecurityPolicy&, const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicy::PolicyFrom);
ContentSecurityPolicyDirectiveList(ContentSecurityPolicy&, ContentSecurityPolicyHeaderType);
const String& header() const { return m_header; }
@@ -72,7 +72,7 @@
const Vector<String>& reportURIs() const { return m_reportURIs; }
private:
- void parse(const String&);
+ void parse(const String&, ContentSecurityPolicy::PolicyFrom);
bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
void parseReportURI(const String& name, const String& value);