Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (197085 => 197086)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 10:26:42 UTC (rev 197085)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-02-25 10:26:56 UTC (rev 197086)
@@ -1,5 +1,17 @@
2016-02-21 Daniel Bates <daba...@apple.com>
+ CSP: Enable form-action directive by default
+ https://bugs.webkit.org/show_bug.cgi?id=154520
+ <rdar://problem/24762029>
+
+ Reviewed by Sam Weinig.
+
+ Mark form-action tests as Pass so that we run them.
+
+ * TestExpectations:
+
+2016-02-21 Daniel Bates <daba...@apple.com>
+
Another attempt to fix the Content Extension test failures following <https://trac.webkit.org/changeset/196875>
(https://bugs.webkit.org/show_bug.cgi?id=154307)
Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations (197085 => 197086)
--- releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations 2016-02-25 10:26:42 UTC (rev 197085)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations 2016-02-25 10:26:56 UTC (rev 197086)
@@ -803,6 +803,13 @@
# Content Security Policy failures
webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1
http/tests/security/contentSecurityPolicy/1.1/child-src [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/form-action-src-allowed.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/form-action-src-blocked.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/form-action-src-default-ignored.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-allowed.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/form-action-src-_javascript_-blocked.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html [ Pass ]
http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php [ Pass ]
webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
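Review bot: The added expectation for the javascript case reads `form-action-src-_javascript_-blocked.html`, and the underscores around `javascript` look like a rewrite introduced by the mail archive rather than part of a real test file name. If the committed line does carry them, the entry would match no test, and that case would presumably stay under the directory-level `webkit.org/b/85558` entry instead of being run. The other six added paths follow the same naming pattern without underscores, so this one is worth confirming against the repository copy.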
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (197085 => 197086)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 10:26:42 UTC (rev 197085)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-02-25 10:26:56 UTC (rev 197086)
@@ -1,5 +1,19 @@
2016-02-21 Daniel Bates <daba...@apple.com>
+ CSP: Enable form-action directive by default
+ https://bugs.webkit.org/show_bug.cgi?id=154520
+ <rdar://problem/24762029>
+
+ Reviewed by Sam Weinig.
+
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Move logic to parse the form-action
+ directive outside the ENABLE(CSP_NEXT) macro guarded section/experimental feature runtime flag.
+ (WebCore::isExperimentalDirectiveName): Remove form-action from the directives considered
+ experimental.
+
+2016-02-21 Daniel Bates <daba...@apple.com>
+
CSP: Violation report should include column number
https://bugs.webkit.org/show_bug.cgi?id=154418
<rdar://problem/24729525>
Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (197085 => 197086)
--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-25 10:26:42 UTC (rev 197085)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-25 10:26:56 UTC (rev 197086)
@@ -60,7 +60,6 @@
static inline bool isExperimentalDirectiveName(const String& name)
{
return equalLettersIgnoringASCIICase(name, baseURI)
- || equalLettersIgnoringASCIICase(name, formAction)
|| equalLettersIgnoringASCIICase(name, pluginTypes)
|| equalLettersIgnoringASCIICase(name, reflectedXSS);
}
@@ -599,6 +598,8 @@
setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_connectSrc);
else if (equalLettersIgnoringASCIICase(name, childSrc))
setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_childSrc);
+ else if (equalLettersIgnoringASCIICase(name, formAction))
+ setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_formAction);
else if (equalLettersIgnoringASCIICase(name, sandbox))
applySandboxPolicy(name, value);
else if (equalLettersIgnoringASCIICase(name, reportURI))
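Review bot: The new `formAction` branch should carry a comment stating that form-action has no default-src fallback, since policy authors are likely to get this wrong once the directive is enforced by default: `// form-action does not fall back to default-src; without it, form submission targets are unrestricted.` The test name `form-action-src-default-ignored.html` in this commit points the same way, but the code that consults `m_formAction` is not in this diff, so confirm the wording against it. Separately, the directive is listed by hand both here and in `isExperimentalDirectiveName` (hunk at -60,7), and the two must move together as they do in this commit. A one-line cross-reference at each site would keep a later promotion of `baseURI` or `pluginTypes` from updating only one of them. The body of addDirective starts and ends outside this hunk.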
@@ -607,8 +608,6 @@
else if (m_policy.experimentalFeaturesEnabled()) {
if (equalLettersIgnoringASCIICase(name, baseURI))
setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_baseURI);
- else if (equalLettersIgnoringASCIICase(name, formAction))
- setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_formAction);
else if (equalLettersIgnoringASCIICase(name, pluginTypes))
setCSPDirective<ContentSecurityPolicyMediaListDirective>(name, value, m_pluginTypes);
else if (equalLettersIgnoringASCIICase(name, reflectedXSS))