Diff
Modified: trunk/LayoutTests/ChangeLog (197117 => 197118)
--- trunk/LayoutTests/ChangeLog 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/ChangeLog 2016-02-25 16:21:40 UTC (rev 197118)
@@ -1,3 +1,37 @@
+2016-02-25 Daniel Bates <daba...@apple.com>
+
+ CSP: Make SecurityPolicyViolationEvent more closely conform to CSP spec and enable it by default
+ https://bugs.webkit.org/show_bug.cgi?id=154522
+ <rdar://problem/24762078>
+
+ Reviewed by Brent Fulgham.
+
+ Add new test http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https.html
+ to ensure that SecurityPolicyViolationEvent.statusCode is 0 when dispatched for a violation on an HTTPS-served
+ document per section Reporting of the Content Security Policy 2.0 spec, <https://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+ Update existing test results and mark more tests as PASS in file LayoutTests/TestExpectations.
+
+ * TestExpectations: Mark tests http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation*.html as PASS
+ so that we run them.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-basics-expected.txt: Update expected result to
+ reflect failing sub-test. We do not support the experimental _javascript_ event listener onsecuritypolicyviolation when
+ building with ENABLE(CSP_NEXT) disabled.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt: Update line and column numbers.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html: Update line and column numbers.
+ * js/dom/global-constructors-attributes-expected.txt: Update expected results now that we expose SecurityPolicyViolationEvent.
+ * platform/efl/js/dom/global-constructors-attributes-expected.txt: Ditto.
+ * platform/mac-mavericks/js/dom/global-constructors-attributes-expected.txt: Ditto.
+ * platform/mac-yosemite/js/dom/global-constructors-attributes-expected.txt: Ditto.
+ * platform/mac/js/dom/global-constructors-attributes-expected.txt: Ditto.
+
2016-02-25 Eric Carlson <eric.carl...@apple.com>
[MediaStream] MediaDeviceInfo deviceId and groupId must be unique to the page's origin
Modified: trunk/LayoutTests/TestExpectations (197117 => 197118)
--- trunk/LayoutTests/TestExpectations 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/TestExpectations 2016-02-25 16:21:40 UTC (rev 197118)
@@ -814,6 +814,12 @@
http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html [ Pass ]
http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html [ Pass ]
http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-basics.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html [ Pass ]
webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-basics-expected.txt (197117 => 197118)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-basics-expected.txt 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-basics-expected.txt 2016-02-25 16:21:40 UTC (rev 197118)
@@ -3,7 +3,7 @@
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-PASS typeof document.onsecuritypolicyviolation is "object"
+FAIL typeof document.onsecuritypolicyviolation should be object. Was undefined.
PASS typeof SecurityPolicyViolationEvent is "function"
PASS typeof window.e is "object"
PASS window.e.documentURI is "documentURIValue"
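Review bot: the `+FAIL typeof document.onsecuritypolicyviolation should be object. Was undefined.` line records a known failure as the expected result of this test. The ChangeLog explains that the onsecuritypolicyviolation handler attribute only exists when building with ENABLE(CSP_NEXT), but a reader of this baseline gets no pointer to that; either guard that sub-test on the feature so the baseline stays all-PASS, or attach a tracking bug to the `[ Pass ]` entry in TestExpectations the way the `webkit.org/b/154203` lines in that file do, so the FAIL is not mistaken for a regression later.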
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt (197117 => 197118)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt 2016-02-25 16:21:40 UTC (rev 197118)
@@ -13,8 +13,8 @@
PASS window.e.effectiveDirective is "img-src"
PASS window.e.originalPolicy is "img-src 'none'"
PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html"
-PASS window.e.lineNumber is 23
-PASS window.e.columnNumber is 21
+PASS window.e.lineNumber is 25
+PASS window.e.columnNumber is 16
PASS window.e.statusCode is 200
PASS successfullyParsed is true
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt (197117 => 197118)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt 2016-02-25 16:21:40 UTC (rev 197118)
@@ -14,7 +14,7 @@
PASS window.e.originalPolicy is "img-src 'none'"
PASS window.e.sourceFile is "http://localhost:8000"
PASS window.e.lineNumber is 3
-PASS window.e.columnNumber is 7
+PASS window.e.columnNumber is 2
PASS window.e.statusCode is 200
PASS successfullyParsed is true
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html (197117 => 197118)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html 2016-02-25 16:21:40 UTC (rev 197118)
@@ -16,7 +16,7 @@
'originalPolicy': 'img-src \'none\'',
'sourceFile': 'http://localhost:8000',
'lineNumber': 3,
- 'columnNumber': 7,
+ 'columnNumber': 2,
'statusCode': 200,
};
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html (197117 => 197118)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html 2016-02-25 16:21:40 UTC (rev 197118)
@@ -15,8 +15,8 @@
'effectiveDirective': 'img-src',
'originalPolicy': 'img-src \'none\'',
'sourceFile': document.location.toString(),
- 'lineNumber': 23,
- 'columnNumber': 21,
+ 'lineNumber': 25,
+ 'columnNumber': 16,
'statusCode': 200,
};
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt (197117 => 197118)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt 2016-02-25 16:21:40 UTC (rev 197118)
@@ -13,8 +13,8 @@
PASS window.e.effectiveDirective is "img-src"
PASS window.e.originalPolicy is "img-src 'none'"
PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
-PASS window.e.lineNumber is 23
-PASS window.e.columnNumber is 21
+PASS window.e.lineNumber is 25
+PASS window.e.columnNumber is 16
PASS window.e.statusCode is 200
PASS successfullyParsed is true
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt (197117 => 197118)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt 2016-02-25 16:21:40 UTC (rev 197118)
@@ -14,7 +14,7 @@
PASS window.e.originalPolicy is "img-src 'none'"
PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js"
PASS window.e.lineNumber is 3
-PASS window.e.columnNumber is 7
+PASS window.e.columnNumber is 2
PASS window.e.statusCode is 200
PASS successfullyParsed is true
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html (197117 => 197118)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html 2016-02-25 16:21:40 UTC (rev 197118)
@@ -16,7 +16,7 @@
'originalPolicy': 'img-src \'none\'',
'sourceFile': 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js',
'lineNumber': 3,
- 'columnNumber': 7,
+ 'columnNumber': 2,
'statusCode': 200,
};
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https-expected.txt (from rev 197114, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt) (0 => 197118)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https-expected.txt 2016-02-25 16:21:40 UTC (rev 197118)
@@ -0,0 +1,27 @@
+CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Kicking off the tests:
+PASS window.e.documentURI is "https://127.0.0.1:8443/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
+PASS window.e.referrer is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https.html"
+FAIL window.e.blockedURI should be http://127.0.0.1:8000/security/resources/abe.png. Was http://127.0.0.1:8000.
+PASS window.e.violatedDirective is "img-src 'none'"
+PASS window.e.effectiveDirective is "img-src"
+PASS window.e.originalPolicy is "img-src 'none'"
+PASS window.e.sourceFile is "https://127.0.0.1:8443/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
+PASS window.e.lineNumber is 25
+PASS window.e.columnNumber is 16
+PASS window.e.statusCode is 0
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
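Review bot: the `+FAIL window.e.blockedURI should be http://127.0.0.1:8000/security/resources/abe.png. Was http://127.0.0.1:8000.` line bakes a failing sub-test into a brand-new baseline. The framed document is served from https://127.0.0.1:8443 while the image is fetched from http://127.0.0.1:8000, so the two are cross-origin, and the CSP 2.0 reporting rules the ChangeLog cites require a cross-origin blocked URI to be stripped to its origin; the value the engine produced is therefore the conformant one and the expectation in the framed test is what is wrong. Make the expected blockedURI depend on document.location.protocol in securitypolicyviolation-block-image.html, as this patch already does for statusCode, so the baseline is all PASS and the test actually asserts the stripping behaviour.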
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https.html (0 => 197118)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https.html 2016-02-25 16:21:40 UTC (rev 197118)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<iframe src=""
+</body>
+</html>
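Review bot: the `+<iframe src=""` line is missing its closing `>` and `</iframe>` as rendered here, and its src value shows as empty; the expected output for this test shows the frame loading securitypolicyviolation-block-image.html from https://127.0.0.1:8443, so confirm the committed file carries that URL and a well-formed element. Also, this document calls testRunner.waitUntilDone() but nothing in it calls testRunner.notifyDone(); if the framed test is relied on to do that, a one-line comment saying so would make the harness dependency explicit for the next person who copies this file.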
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html (197117 => 197118)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html 2016-02-25 16:21:40 UTC (rev 197118)
@@ -15,14 +15,14 @@
'effectiveDirective': 'img-src',
'originalPolicy': 'img-src \'none\'',
'sourceFile': document.location.toString(),
- 'lineNumber': 23,
- 'columnNumber': 21,
- 'statusCode': 200,
+ 'lineNumber': 25,
+ 'columnNumber': 16,
+ 'statusCode': document.location.protocol === 'http:' ? 200 : 0,
};
function run() {
var img = document.createElement('img');
- img.src = '';
+ img.src = '';
document.body.appendChild(img);
}
</script>
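Review bot: the `+ 'statusCode': document.location.protocol === 'http:' ? 200 : 0,` line encodes the CSP 2.0 rule that status-code is the HTTP response status only when the protected resource was obtained over HTTP and 0 otherwise, but nothing in the file says so; a short comment naming that rule would stop a future reader from "fixing" the 0 for the HTTPS run. Separately, the `- img.src = '';` / `+ img.src = '';` pair is identical as rendered on this page, so whatever URL change was made there cannot be checked from this view.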
Modified: trunk/LayoutTests/js/dom/global-constructors-attributes-expected.txt (197117 => 197118)
--- trunk/LayoutTests/js/dom/global-constructors-attributes-expected.txt 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/js/dom/global-constructors-attributes-expected.txt 2016-02-25 16:21:40 UTC (rev 197118)
@@ -1718,6 +1718,11 @@
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').hasOwnProperty('set') is false
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').enumerable is false
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').configurable is true
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').value is SecurityPolicyViolationEvent
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').hasOwnProperty('get') is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').hasOwnProperty('set') is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').enumerable is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').configurable is true
PASS Object.getOwnPropertyDescriptor(global, 'Selection').value is Selection
PASS Object.getOwnPropertyDescriptor(global, 'Selection').hasOwnProperty('get') is false
PASS Object.getOwnPropertyDescriptor(global, 'Selection').hasOwnProperty('set') is false
Modified: trunk/LayoutTests/platform/efl/js/dom/global-constructors-attributes-expected.txt (197117 => 197118)
--- trunk/LayoutTests/platform/efl/js/dom/global-constructors-attributes-expected.txt 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/platform/efl/js/dom/global-constructors-attributes-expected.txt 2016-02-25 16:21:40 UTC (rev 197118)
@@ -1788,6 +1788,11 @@
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').hasOwnProperty('set') is false
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').enumerable is false
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').configurable is true
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').value is SecurityPolicyViolationEvent
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').hasOwnProperty('get') is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').hasOwnProperty('set') is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').enumerable is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').configurable is true
PASS Object.getOwnPropertyDescriptor(global, 'Selection').value is Selection
PASS Object.getOwnPropertyDescriptor(global, 'Selection').hasOwnProperty('get') is false
PASS Object.getOwnPropertyDescriptor(global, 'Selection').hasOwnProperty('set') is false
Modified: trunk/LayoutTests/platform/mac/js/dom/global-constructors-attributes-expected.txt (197117 => 197118)
--- trunk/LayoutTests/platform/mac/js/dom/global-constructors-attributes-expected.txt 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/platform/mac/js/dom/global-constructors-attributes-expected.txt 2016-02-25 16:21:40 UTC (rev 197118)
@@ -1923,6 +1923,11 @@
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').hasOwnProperty('set') is false
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').enumerable is false
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').configurable is true
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').value is SecurityPolicyViolationEvent
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').hasOwnProperty('get') is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').hasOwnProperty('set') is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').enumerable is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').configurable is true
PASS Object.getOwnPropertyDescriptor(global, 'Selection').value is Selection
PASS Object.getOwnPropertyDescriptor(global, 'Selection').hasOwnProperty('get') is false
PASS Object.getOwnPropertyDescriptor(global, 'Selection').hasOwnProperty('set') is false
Modified: trunk/LayoutTests/platform/mac-mavericks/js/dom/global-constructors-attributes-expected.txt (197117 => 197118)
--- trunk/LayoutTests/platform/mac-mavericks/js/dom/global-constructors-attributes-expected.txt 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/platform/mac-mavericks/js/dom/global-constructors-attributes-expected.txt 2016-02-25 16:21:40 UTC (rev 197118)
@@ -1798,6 +1798,11 @@
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').hasOwnProperty('set') is false
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').enumerable is false
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').configurable is true
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').value is SecurityPolicyViolationEvent
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').hasOwnProperty('get') is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').hasOwnProperty('set') is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').enumerable is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').configurable is true
PASS Object.getOwnPropertyDescriptor(global, 'Selection').value is Selection
PASS Object.getOwnPropertyDescriptor(global, 'Selection').hasOwnProperty('get') is false
PASS Object.getOwnPropertyDescriptor(global, 'Selection').hasOwnProperty('set') is false
Modified: trunk/LayoutTests/platform/mac-yosemite/js/dom/global-constructors-attributes-expected.txt (197117 => 197118)
--- trunk/LayoutTests/platform/mac-yosemite/js/dom/global-constructors-attributes-expected.txt 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/LayoutTests/platform/mac-yosemite/js/dom/global-constructors-attributes-expected.txt 2016-02-25 16:21:40 UTC (rev 197118)
@@ -1923,6 +1923,11 @@
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').hasOwnProperty('set') is false
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').enumerable is false
PASS Object.getOwnPropertyDescriptor(global, 'ScriptProcessorNode').configurable is true
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').value is SecurityPolicyViolationEvent
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').hasOwnProperty('get') is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').hasOwnProperty('set') is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').enumerable is false
+PASS Object.getOwnPropertyDescriptor(global, 'SecurityPolicyViolationEvent').configurable is true
PASS Object.getOwnPropertyDescriptor(global, 'Selection').value is Selection
PASS Object.getOwnPropertyDescriptor(global, 'Selection').hasOwnProperty('get') is false
PASS Object.getOwnPropertyDescriptor(global, 'Selection').hasOwnProperty('set') is false
Modified: trunk/Source/WebCore/ChangeLog (197117 => 197118)
--- trunk/Source/WebCore/ChangeLog 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/Source/WebCore/ChangeLog 2016-02-25 16:21:40 UTC (rev 197118)
@@ -1,3 +1,29 @@
+2016-02-25 Daniel Bates <daba...@apple.com>
+
+ CSP: Make SecurityPolicyViolationEvent more closely conform to CSP spec and enable it by default
+ https://bugs.webkit.org/show_bug.cgi?id=154522
+ <rdar://problem/24762078>
+
+ Reviewed by Brent Fulgham.
+
+ Include attributes statusCode and columnNumber in a dispatched SecurityPolicyViolationEvent and
+ as part of the SecurityPolicyViolationEventInit dictionary as per section Violation DOM Events
+ of the Content Security Policy Level 3 spec., <https://w3c.github.io/webappsec-csp/> (24 February 2016).
+ Additionally, enable dispatching of this event when a Content Security Policy violation occurs regardless
+ of whether ENABLE(CSP_NEXT) is enabled.
+
+ Test: http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https.html
+
+ * WebCore.xcodeproj/project.pbxproj: Add files JSSecurityPolicyViolationEvent.{cpp, h}.
+ * dom/EventNames.in: Enable support for SecurityPolicyViolationEvent unconditionally.
+ * dom/SecurityPolicyViolationEvent.h: Remove ENABLE(CSP_NEXT)-guard so that we compile this
+ code unconditionally. Modified SecurityPolicyViolationEventInit and SecurityPolicyViolationEvent
+ to support attributes statusCode and columnNumebr.
+ * dom/SecurityPolicyViolationEvent.idl: Add attributes statusCode and columnNumber.
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::reportViolation): Modified to both dispatch a SecurityPolicyViolationEvent
+ and send a violation report (if applicable).
+
2016-02-25 Eric Carlson <eric.carl...@apple.com>
[MediaStream] MediaDeviceInfo deviceId and groupId must be unique to the page's origin
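Review bot: typo in the `* dom/SecurityPolicyViolationEvent.h:` entry: `columnNumebr` should read `columnNumber`; and `spec.,` in the first paragraph should be `spec,`.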
Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (197117 => 197118)
--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2016-02-25 16:21:40 UTC (rev 197118)
@@ -6255,6 +6255,8 @@
CECADFCD1537791D00E37068 /* TextInsertionBaseCommand.cpp in Sources */ = {isa = PBXBuildFile; fileRef = CECADFCB1537791D00E37068 /* TextInsertionBaseCommand.cpp */; };
CECADFCE1537791D00E37068 /* TextInsertionBaseCommand.h in Headers */ = {isa = PBXBuildFile; fileRef = CECADFCC1537791D00E37068 /* TextInsertionBaseCommand.h */; };
CECCFC3B141973D5002A0AC1 /* DecodeEscapeSequences.h in Headers */ = {isa = PBXBuildFile; fileRef = CECCFC3A141973D5002A0AC1 /* DecodeEscapeSequences.h */; };
+ CED06AD01C77754800FDFAF1 /* JSSecurityPolicyViolationEvent.cpp in Sources */ = {isa = PBXBuildFile; fileRef = CED06ACE1C77754800FDFAF1 /* JSSecurityPolicyViolationEvent.cpp */; };
+ CED06AD11C77754800FDFAF1 /* JSSecurityPolicyViolationEvent.h in Headers */ = {isa = PBXBuildFile; fileRef = CED06ACF1C77754800FDFAF1 /* JSSecurityPolicyViolationEvent.h */; };
CEDA12D7152CA1CB00D9E08D /* AlternativeTextClient.h in Headers */ = {isa = PBXBuildFile; fileRef = CEDA12D6152CA1CB00D9E08D /* AlternativeTextClient.h */; settings = {ATTRIBUTES = (Private, ); }; };
CEE27ACB1BBB53A20072400A /* pthreadSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = CEE27ACA1BBB53A20072400A /* pthreadSPI.h */; settings = {ATTRIBUTES = (Private, ); }; };
CEEFCD7919DB31F7003876D7 /* MediaResourceLoader.cpp in Sources */ = {isa = PBXBuildFile; fileRef = CEEFCD7719DB31F7003876D7 /* MediaResourceLoader.cpp */; };
@@ -14278,6 +14280,8 @@
CECADFCB1537791D00E37068 /* TextInsertionBaseCommand.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TextInsertionBaseCommand.cpp; sourceTree = "<group>"; };
CECADFCC1537791D00E37068 /* TextInsertionBaseCommand.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TextInsertionBaseCommand.h; sourceTree = "<group>"; };
CECCFC3A141973D5002A0AC1 /* DecodeEscapeSequences.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DecodeEscapeSequences.h; sourceTree = "<group>"; };
+ CED06ACE1C77754800FDFAF1 /* JSSecurityPolicyViolationEvent.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSSecurityPolicyViolationEvent.cpp; sourceTree = "<group>"; };
+ CED06ACF1C77754800FDFAF1 /* JSSecurityPolicyViolationEvent.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSSecurityPolicyViolationEvent.h; sourceTree = "<group>"; };
CEDA12D6152CA1CB00D9E08D /* AlternativeTextClient.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AlternativeTextClient.h; sourceTree = "<group>"; };
CEE27ACA1BBB53A20072400A /* pthreadSPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = pthreadSPI.h; sourceTree = "<group>"; };
CEEC6034187DD962003E43BB /* TextTrackRepresentationIOS.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TextTrackRepresentationIOS.h; sourceTree = "<group>"; };
@@ -20986,6 +20990,8 @@
E1284BAF10449FFA00EAEB52 /* JSPageTransitionEvent.h */,
5189F01B10B37BD900F3C739 /* JSPopStateEvent.cpp */,
5189F01C10B37BD900F3C739 /* JSPopStateEvent.h */,
+ CED06ACE1C77754800FDFAF1 /* JSSecurityPolicyViolationEvent.cpp */,
+ CED06ACF1C77754800FDFAF1 /* JSSecurityPolicyViolationEvent.h */,
933A14B60B7D1D5200A53FFD /* JSTextEvent.cpp */,
933A14B70B7D1D5200A53FFD /* JSTextEvent.h */,
0FDA7C10188322EB00C954B5 /* JSTouch.cpp */,
@@ -26817,6 +26823,7 @@
FDA15ECE12B03F61003A583A /* JSScriptProcessorNode.h in Headers */,
9FA37EFB1172FDA600C4CD55 /* JSScriptProfile.h in Headers */,
9FA37EFD1172FDA600C4CD55 /* JSScriptProfileNode.h in Headers */,
+ CED06AD11C77754800FDFAF1 /* JSSecurityPolicyViolationEvent.h in Headers */,
9BDA64D81B975CF2009C4387 /* JSShadowRoot.h in Headers */,
CD9DE17B17AAC75B00EA386D /* JSSourceBuffer.h in Headers */,
CD9DE17D17AAC75B00EA386D /* JSSourceBufferList.h in Headers */,
@@ -30572,6 +30579,7 @@
FDA15ECD12B03F61003A583A /* JSScriptProcessorNode.cpp in Sources */,
9FA37EFA1172FDA600C4CD55 /* JSScriptProfile.cpp in Sources */,
9FA37EFC1172FDA600C4CD55 /* JSScriptProfileNode.cpp in Sources */,
+ CED06AD01C77754800FDFAF1 /* JSSecurityPolicyViolationEvent.cpp in Sources */,
9BDA64D71B975CE5009C4387 /* JSShadowRoot.cpp in Sources */,
CD9DE17A17AAC75B00EA386D /* JSSourceBuffer.cpp in Sources */,
CD9DE17C17AAC75B00EA386D /* JSSourceBufferList.cpp in Sources */,
Modified: trunk/Source/WebCore/dom/EventNames.in (197117 => 197118)
--- trunk/Source/WebCore/dom/EventNames.in 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/Source/WebCore/dom/EventNames.in 2016-02-25 16:21:40 UTC (rev 197118)
@@ -57,7 +57,7 @@
TrackEvent conditional=VIDEO_TRACK
AutocompleteErrorEvent conditional=REQUEST_AUTOCOMPLETE
CSSFontFaceLoadEvent conditional=FONT_LOAD_EVENTS
-SecurityPolicyViolationEvent conditional=CSP_NEXT
+SecurityPolicyViolationEvent
UIRequestEvent conditional=INDIE_UI
GestureEvent conditional=IOS_GESTURE_EVENTS|MAC_GESTURE_EVENTS
WebKitPlaybackTargetAvailabilityEvent conditional=WIRELESS_PLAYBACK_TARGET
Modified: trunk/Source/WebCore/dom/SecurityPolicyViolationEvent.h (197117 => 197118)
--- trunk/Source/WebCore/dom/SecurityPolicyViolationEvent.h 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/Source/WebCore/dom/SecurityPolicyViolationEvent.h 2016-02-25 16:21:40 UTC (rev 197118)
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2013 Google Inc. All rights reserved.
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -25,8 +26,6 @@
#ifndef SecurityPolicyViolationEvent_h
#define SecurityPolicyViolationEvent_h
-#if ENABLE(CSP_NEXT)
-
#include "Event.h"
namespace WebCore {
@@ -39,14 +38,16 @@
String effectiveDirective;
String originalPolicy;
String sourceFile;
+ unsigned short statusCode { 0 };
int lineNumber { 0 };
+ int columnNumber { 0 };
};
class SecurityPolicyViolationEvent final : public Event {
public:
- static Ref<SecurityPolicyViolationEvent> create(const AtomicString& type, bool canBubble, bool cancelable, const String& documentURI, const String& referrer, const String& blockedURI, const String& violatedDirective, const String& effectiveDirective, const String& originalPolicy, const String& sourceFile, int lineNumber)
+ static Ref<SecurityPolicyViolationEvent> create(const AtomicString& type, bool canBubble, bool cancelable, const String& documentURI, const String& referrer, const String& blockedURI, const String& violatedDirective, const String& effectiveDirective, const String& originalPolicy, const String& sourceFile, unsigned short statusCode, int lineNumber, int columnNumber)
{
- return adoptRef(*new SecurityPolicyViolationEvent(type, canBubble, cancelable, documentURI, referrer, blockedURI, violatedDirective, effectiveDirective, originalPolicy, sourceFile, lineNumber));
+ return adoptRef(*new SecurityPolicyViolationEvent(type, canBubble, cancelable, documentURI, referrer, blockedURI, violatedDirective, effectiveDirective, originalPolicy, sourceFile, statusCode, lineNumber, columnNumber));
}
static Ref<SecurityPolicyViolationEvent> createForBindings()
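Review bot: the new create() signature takes thirteen positional parameters, seven of them `const String&` in a row, so a caller that swaps two of the strings (say violatedDirective and effectiveDirective) compiles silently and only shows up as a wrong field in the dispatched event. Since this header already has a constructor that takes a SecurityPolicyViolationEventInit, consider having ContentSecurityPolicy::reportViolation fill in that struct by field name and pass it, instead of adding two more positional arguments.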
@@ -66,7 +67,9 @@
const String& effectiveDirective() const { return m_effectiveDirective; }
const String& originalPolicy() const { return m_originalPolicy; }
const String& sourceFile() const { return m_sourceFile; }
+ unsigned short statusCode() const { return m_statusCode; }
int lineNumber() const { return m_lineNumber; }
+ int columnNumber() const { return m_columnNumber; }
virtual EventInterface eventInterface() const { return SecurityPolicyViolationEventInterfaceType; }
@@ -75,7 +78,7 @@
{
}
- SecurityPolicyViolationEvent(const AtomicString& type, bool canBubble, bool cancelable, const String& documentURI, const String& referrer, const String& blockedURI, const String& violatedDirective, const String& effectiveDirective, const String& originalPolicy, const String& sourceFile, int lineNumber)
+ SecurityPolicyViolationEvent(const AtomicString& type, bool canBubble, bool cancelable, const String& documentURI, const String& referrer, const String& blockedURI, const String& violatedDirective, const String& effectiveDirective, const String& originalPolicy, const String& sourceFile, unsigned short statusCode, int lineNumber, int columnNumber)
: Event(type, canBubble, cancelable)
, m_documentURI(documentURI)
, m_referrer(referrer)
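Review bot: the constructor now takes 13 positional parameters, and `statusCode`, `lineNumber` and `columnNumber` are three adjacent integral arguments that the compiler cannot tell apart at the call site in ContentSecurityPolicy.cpp, so a transposition there compiles silently. The initializer-struct constructor in the following hunk already carries every field; consider having the non-bindings path build a SecurityPolicyViolationEventInit and call that constructor instead, which also turns any future attribute addition into a single-site change.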
@@ -84,7 +87,9 @@
, m_effectiveDirective(effectiveDirective)
, m_originalPolicy(originalPolicy)
, m_sourceFile(sourceFile)
+ , m_statusCode(statusCode)
, m_lineNumber(lineNumber)
+ , m_columnNumber(columnNumber)
{
}
@@ -97,7 +102,9 @@
, m_effectiveDirective(initializer.effectiveDirective)
, m_originalPolicy(initializer.originalPolicy)
, m_sourceFile(initializer.sourceFile)
+ , m_statusCode(initializer.statusCode)
, m_lineNumber(initializer.lineNumber)
+ , m_columnNumber(initializer.columnNumber)
{
}
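Review bot: `initializer.statusCode` and `initializer.columnNumber` are read from the SecurityPolicyViolationEventInit struct, which is not part of this diff; confirm that the struct gained both members and that they default to 0, otherwise an event constructed from JavaScript with a partial init dictionary copies an indeterminate value into `m_statusCode` and `m_columnNumber`.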
@@ -108,11 +115,11 @@
String m_effectiveDirective;
String m_originalPolicy;
String m_sourceFile;
+ unsigned short m_statusCode;
int m_lineNumber;
+ int m_columnNumber;
};
} // namespace WebCore
-#endif // ENABLE(CSP_NEXT)
-
#endif // SecurityPolicyViolationEvent_h
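Review bot: `unsigned short m_statusCode;` and `int m_columnNumber;` are declared without default member initializers, and the default constructor behind createForBindings() is not in this diff, so an event created through that path exposes indeterminate values for statusCode and columnNumber until the init dictionary is applied; suggest `unsigned short m_statusCode { 0 };` and `int m_columnNumber { 0 };` (the pre-existing `int m_lineNumber;` has the same issue). Removing `#endif // ENABLE(CSP_NEXT)` here is consistent with dropping `Conditional=CSP_NEXT` from the IDL, but the matching `#if ENABLE(CSP_NEXT)` at the top of this header is outside the shown hunk; confirm it was removed as well so the header still balances.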
Modified: trunk/Source/WebCore/dom/SecurityPolicyViolationEvent.idl (197117 => 197118)
--- trunk/Source/WebCore/dom/SecurityPolicyViolationEvent.idl 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/Source/WebCore/dom/SecurityPolicyViolationEvent.idl 2016-02-25 16:21:40 UTC (rev 197118)
@@ -1,5 +1,6 @@
/*
* Copyright (C) 2013 Google Inc. All rights reserved.
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -23,7 +24,6 @@
*/
[
- Conditional=CSP_NEXT,
ConstructorTemplate=Event,
] interface SecurityPolicyViolationEvent : Event {
[InitializedByEventConstructor] readonly attribute DOMString documentURI;
@@ -33,5 +33,7 @@
[InitializedByEventConstructor] readonly attribute DOMString effectiveDirective;
[InitializedByEventConstructor] readonly attribute DOMString originalPolicy;
[InitializedByEventConstructor] readonly attribute DOMString sourceFile;
- [InitializedByEventConstructor] readonly attribute long lineNumber;
+ [InitializedByEventConstructor] readonly attribute unsigned short statusCode;
+ [InitializedByEventConstructor] readonly attribute long lineNumber;
+ [InitializedByEventConstructor] readonly attribute long columnNumber;
};
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (197117 => 197118)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-25 16:21:07 UTC (rev 197117)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-25 16:21:40 UTC (rev 197118)
@@ -342,29 +342,31 @@
if (!frame)
return;
-#if ENABLE(CSP_NEXT)
- if (experimentalFeaturesEnabled()) {
- // FIXME: This code means that we're gathering information like line numbers twice. Once we can bring this out from behind the flag, we should reuse the data gathered here when generating the JSON report below.
- String documentURI = document.url().string();
- String referrer = document.referrer();
- String blockedURI = stripURLForUseInReport(document, blockedURL);
- String violatedDirective = directiveText;
- String originalPolicy = header;
- String sourceFile = String();
- int lineNumber = 0;
-
- Ref<ScriptCallStack> stack = createScriptCallStack(JSMainThreadExecState::currentState(), 2);
- const ScriptCallFrame* callFrame = stack->firstNonNativeCallFrame();
- if (callFrame && callFrame->lineNumber()) {
- URL source = URL(URL(), callFrame->sourceURL());
- sourceFile = stripURLForUseInReport(document, source);
- lineNumber = callFrame->lineNumber();
- }
+ String documentURI = document.url().strippedForUseAsReferrer();
+ String referrer = document.referrer();
+ String blockedURI = stripURLForUseInReport(document, blockedURL);
+ String violatedDirective = directiveText;
+ String originalPolicy = header;
+ ASSERT(document.loader());
+ unsigned short statusCode = document.url().protocolIs("http") && document.loader() ? document.loader()->response().httpStatusCode() : 0;
- document.enqueueDocumentEvent(SecurityPolicyViolationEvent::create(eventNames().securitypolicyviolationEvent, false, false, documentURI, referrer, blockedURI, violatedDirective, effectiveDirective, originalPolicy, sourceFile, lineNumber));
+ String sourceFile;
+ int lineNumber = 0;
+ int columnNumber = 0;
+ RefPtr<ScriptCallStack> stack = createScriptCallStack(JSMainThreadExecState::currentState(), 2);
+ const ScriptCallFrame* callFrame = stack->firstNonNativeCallFrame();
+ if (callFrame && callFrame->lineNumber()) {
+ sourceFile = stripURLForUseInReport(document, URL(URL(), callFrame->sourceURL()));
+ lineNumber = callFrame->lineNumber();
+ columnNumber = callFrame->columnNumber();
}
-#endif
+ // 1. Dispatch violation event.
+ bool canBubble = false;
+ bool cancelable = false;
+ document.enqueueDocumentEvent(SecurityPolicyViolationEvent::create(eventNames().securitypolicyviolationEvent, canBubble, cancelable, documentURI, referrer, blockedURI, violatedDirective, effectiveDirective, originalPolicy, sourceFile, statusCode, lineNumber, columnNumber));
+
+ // 2. Send violation report (if applicable).
if (reportURIs.isEmpty())
return;
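Review bot: `stack` at `RefPtr<ScriptCallStack> stack = createScriptCallStack(JSMainThreadExecState::currentState(), 2);` is dereferenced unconditionally on the next line, so the `Ref<ScriptCallStack>` type that the removed block used was the better choice; keep `Ref` so the non-null invariant is stated rather than assumed. `ASSERT(document.loader());` immediately followed by the `document.loader() ?` null check in the `statusCode` expression is carried over from the report code but reads as contradictory: either the loader can be null here and the assert is wrong, or it cannot and the ternary is dead. Switching `documentURI` to `document.url().strippedForUseAsReferrer()` is a welcome change, since the event now exposes the same credential- and fragment-stripped URL as the JSON report instead of the raw document URL.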
@@ -379,30 +381,23 @@
// harmless information.
RefPtr<InspectorObject> cspReport = InspectorObject::create();
- cspReport->setString(ASCIILiteral("document-uri"), document.url().strippedForUseAsReferrer());
- cspReport->setString(ASCIILiteral("referrer"), document.referrer());
+ cspReport->setString(ASCIILiteral("document-uri"), documentURI);
+ cspReport->setString(ASCIILiteral("referrer"), referrer);
cspReport->setString(ASCIILiteral("violated-directive"), directiveText);
cspReport->setString(ASCIILiteral("effective-directive"), effectiveDirective);
- cspReport->setString(ASCIILiteral("original-policy"), header);
- cspReport->setString(ASCIILiteral("blocked-uri"), stripURLForUseInReport(document, blockedURL));
-
- ASSERT(document.loader());
- cspReport->setInteger(ASCIILiteral("status-code"), document.url().protocolIs("http") && document.loader() ? document.loader()->response().httpStatusCode() : 0);
-
- RefPtr<ScriptCallStack> stack = createScriptCallStack(JSMainThreadExecState::currentState(), 2);
- const ScriptCallFrame* callFrame = stack->firstNonNativeCallFrame();
- if (callFrame && callFrame->lineNumber()) {
- URL source = URL(URL(), callFrame->sourceURL());
- cspReport->setString(ASCIILiteral("source-file"), stripURLForUseInReport(document, source));
- cspReport->setInteger(ASCIILiteral("line-number"), callFrame->lineNumber());
- cspReport->setInteger(ASCIILiteral("column-number"), callFrame->columnNumber());
+ cspReport->setString(ASCIILiteral("original-policy"), originalPolicy);
+ cspReport->setString(ASCIILiteral("blocked-uri"), blockedURI);
+ cspReport->setInteger(ASCIILiteral("status-code"), statusCode);
+ if (!sourceFile.isNull()) {
+ cspReport->setString(ASCIILiteral("source-file"), sourceFile);
+ cspReport->setInteger(ASCIILiteral("line-number"), lineNumber);
+ cspReport->setInteger(ASCIILiteral("column-number"), columnNumber);
}
RefPtr<InspectorObject> reportObject = InspectorObject::create();
reportObject->setObject(ASCIILiteral("csp-report"), cspReport.release());
RefPtr<FormData> report = FormData::create(reportObject->toJSONString().utf8());
-
for (const auto& url : reportURIs)
PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef(), ViolationReportType::ContentSecurityPolicy);
}
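Review bot: the `source-file`/`line-number`/`column-number` block is now gated on `if (!sourceFile.isNull())` rather than on the `callFrame && callFrame->lineNumber()` condition that populated those locals in the hunk above. If `stripURLForUseInReport()` (not shown in this diff) can return a null String for a frame that does have a source URL, the JSON report silently drops line-number and column-number while the event dispatched earlier still carries them, so the two outputs diverge; gate this block on a boolean captured from the call-frame check, or confirm that stripURLForUseInReport never returns a null String for a frame with a non-zero lineNumber.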