Title: [198951] trunk
Revision: 198951
Author: [email protected]
Date: 2016-04-01 11:40:21 -0700 (Fri, 01 Apr 2016)

Log Message

CSP: child-src violations reported as frame-src violation
https://bugs.webkit.org/show_bug.cgi?id=156092
<rdar://problem/25478509>

Reviewed by Andy Estes.

Source/WebCore:

Tests: http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html
       http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html
       http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src.html

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource): Determine the name of the effective violation
directive from the name of the violated directive. If the name of the violated directive is "frame-src"
then use that name for the name of the effective violated directive. Otherwise, use "child-src" for the
name of the effective violated directive. A byproduct of this decision is that we report child-src as the
effective violated directive when a frame load was blocked by the default-src directive. This seems reasonable
because directive frame-src is deprecated in Content Security Policy Level 2. The child-src directive is
its replacement.

LayoutTests:

* TestExpectations: Mark the newly added tests as PASS so that we run them.
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt: Substitute "child-src" for "frame-src" in the
expected console warning.
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (198950 => 198951)


--- trunk/LayoutTests/ChangeLog	2016-04-01 18:22:22 UTC (rev 198950)
+++ trunk/LayoutTests/ChangeLog	2016-04-01 18:40:21 UTC (rev 198951)
@@ -1,3 +1,22 @@
+2016-04-01  Daniel Bates  <[email protected]>
+
+        CSP: child-src violations reported as frame-src violation
+        https://bugs.webkit.org/show_bug.cgi?id=156092
+        <rdar://problem/25478509>
+
+        Reviewed by Andy Estes.
+
+        * TestExpectations: Mark the newly added tests as PASS so that we run them.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt: Substitute "child-src" for "frame-src" in the
+        expected console warning.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt: Ditto.
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src.html: Added.
+
 2016-04-01  Ada Chan  <[email protected]>
 
         Add a way to reset the eventTrigger in ControlsTest in LayoutTests/media/controls/controls-test-helpers.js

Modified: trunk/LayoutTests/TestExpectations (198950 => 198951)


--- trunk/LayoutTests/TestExpectations	2016-04-01 18:22:22 UTC (rev 198950)
+++ trunk/LayoutTests/TestExpectations	2016-04-01 18:40:21 UTC (rev 198951)
@@ -844,6 +844,9 @@
 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-https.html [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src.html  [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/stylehash-allowed.html [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked.html [ Pass ]
 http/tests/security/contentSecurityPolicy/1.1/stylehash-multiple-policies.html [ Pass ]
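Review bot: The three added entries are named "securityviolationpolicy-block-frame-…" while the neighbouring tests in this same block are "securitypolicyviolation-block-image…", so the new files have the two words transposed relative to the existing convention (and to the SecurityPolicyViolationEvent they exercise). Renaming them to "securitypolicyviolation-block-frame-using-…" would keep the family sorted and greppable together. The frame-src entry also has two spaces before "[ Pass ]" where the other lines have one.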

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt (198950 => 198951)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt	2016-04-01 18:22:22 UTC (rev 198950)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt	2016-04-01 18:40:21 UTC (rev 198951)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
 This tests that an <iframe> load is blocked when using Content Security Policy child-src 'none'. This test PASSED if there is no _javascript_ alert.
 
 

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt (198950 => 198951)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt	2016-04-01 18:22:22 UTC (rev 198950)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt	2016-04-01 18:40:21 UTC (rev 198951)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
 This tests that the Content Security Policy of the page blocks an <iframe> from loading a document of a different origin through a redirect. This test PASSED if there is no _javascript_ alert.
 
 

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt (0 => 198951)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt	2016-04-01 18:40:21 UTC (rev 198951)
@@ -0,0 +1,21 @@
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
+Check that a SecurityPolicyViolationEvent is fired upon blocking an frame by the child-src directive.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Kicking off the tests:
+PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html"
+PASS window.e.referrer is ""
+PASS window.e.blockedURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html"
+PASS window.e.violatedDirective is "child-src 'none'"
+PASS window.e.effectiveDirective is "child-src"
+PASS window.e.originalPolicy is "child-src 'none'"
+PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html"
+PASS window.e.lineNumber is 27
+PASS window.e.columnNumber is 38
+PASS window.e.statusCode is 200
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html (0 => 198951)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html	2016-04-01 18:40:21 UTC (rev 198951)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="child-src 'none'">
+<script src=""
+<script src=""
+<script>
+description("Check that a SecurityPolicyViolationEvent is fired upon blocking an frame by the child-src directive.");
+
+var expectations = {
+    "documentURI": document.location.toString(),
+    "referrer": document.referrer,
+    "blockedURI": "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html",
+    "violatedDirective": "child-src 'none'",
+    "effectiveDirective": "child-src",
+    "originalPolicy": "child-src 'none'",
+    "sourceFile": document.location.toString(),
+    "lineNumber": 27,
+    "columnNumber": 30,
+    "statusCode": document.location.protocol === "http:" ? 200 : 0,
+};
+
+function run()
+{
+    var frame = document.createElement("iframe");
+    frame.src = ""
+    document.body.appendChild(frame);
+}
+</script>
+</head>
+<body>
+<script src=""
+</body>
+</html>
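Review bot: The expectations object sets "columnNumber": 30, but the -expected.txt added for this test in the same commit records "PASS window.e.columnNumber is 38"; the harness that compares them is not visible here, so either the two values should agree or a comment should say why the reported column differs from the one listed. The same 30 versus 38 pair appears in the default-src and frame-src variants. The description string also reads "blocking an frame", which should be "blocking a frame" (it is copied into all three expected results).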

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt (0 => 198951)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt	2016-04-01 18:40:21 UTC (rev 198951)
@@ -0,0 +1,21 @@
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it appears in neither the child-src directive nor the default-src directive of the Content Security Policy.
+Check that a SecurityPolicyViolationEvent is fired upon blocking an frame by the default-src directive.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Kicking off the tests:
+PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html"
+PASS window.e.referrer is ""
+PASS window.e.blockedURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html"
+PASS window.e.violatedDirective is "default-src 'none'"
+PASS window.e.effectiveDirective is "child-src"
+PASS window.e.originalPolicy is "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html"
+PASS window.e.lineNumber is 27
+PASS window.e.columnNumber is 38
+PASS window.e.statusCode is 200
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html (0 => 198951)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html	2016-04-01 18:40:21 UTC (rev 198951)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'">
+<script src=""
+<script src=""
+<script>
+description("Check that a SecurityPolicyViolationEvent is fired upon blocking an frame by the default-src directive.");
+
+var expectations = {
+    "documentURI": document.location.toString(),
+    "referrer": document.referrer,
+    "blockedURI": "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html",
+    "violatedDirective": "default-src 'none'",
+    "effectiveDirective": "child-src",
+    "originalPolicy": "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",
+    "sourceFile": document.location.toString(),
+    "lineNumber": 27,
+    "columnNumber": 30,
+    "statusCode": document.location.protocol === "http:" ? 200 : 0,
+};
+
+function run()
+{
+    var frame = document.createElement("iframe");
+    frame.src = ""
+    document.body.appendChild(frame);
+}
+</script>
+</head>
+<body>
+<script src=""
+</body>
+</html>
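Review bot: The expectation "effectiveDirective": "child-src" is asserted against a policy in the meta tag that contains no child-src directive at all, which will look like a mistake to anyone reading the test without the ChangeLog. A short comment next to that expectation saying the value is intentional (default-src fallback is reported under child-src because frame-src is deprecated in CSP Level 2) would document the decision where it is tested.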

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src-expected.txt (0 => 198951)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src-expected.txt	2016-04-01 18:40:21 UTC (rev 198951)
@@ -0,0 +1,21 @@
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
+Check that a SecurityPolicyViolationEvent is fired upon blocking an frame by the frame-src directive.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+Kicking off the tests:
+PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src.html"
+PASS window.e.referrer is ""
+PASS window.e.blockedURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html"
+PASS window.e.violatedDirective is "frame-src 'none'"
+PASS window.e.effectiveDirective is "frame-src"
+PASS window.e.originalPolicy is "frame-src 'none'"
+PASS window.e.sourceFile is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src.html"
+PASS window.e.lineNumber is 27
+PASS window.e.columnNumber is 38
+PASS window.e.statusCode is 200
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src.html (0 => 198951)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src.html	2016-04-01 18:40:21 UTC (rev 198951)
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
+<script src=""
+<script src=""
+<script>
+description("Check that a SecurityPolicyViolationEvent is fired upon blocking an frame by the frame-src directive.");
+
+var expectations = {
+    "documentURI": document.location.toString(),
+    "referrer": document.referrer,
+    "blockedURI": "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html",
+    "violatedDirective": "frame-src 'none'",
+    "effectiveDirective": "frame-src",
+    "originalPolicy": "frame-src 'none'",
+    "sourceFile": document.location.toString(),
+    "lineNumber": 27,
+    "columnNumber": 30,
+    "statusCode": document.location.protocol === "http:" ? 200 : 0,
+};
+
+function run()
+{
+    var frame = document.createElement("iframe");
+    frame.src = ""
+    document.body.appendChild(frame);
+}
+</script>
+</head>
+<body>
+<script src=""
+</body>
+</html>
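Review bot: The policy in the meta tag here is "frame-src 'none'" alone, and the other two added tests use "child-src 'none'" alone and default-src alone, so no test covers a policy that carries both frame-src and child-src. Since the effective directive is now derived from whichever directive is found to be violated, a fourth test with both directives present (for example frame-src 'none' together with a permissive child-src, and the reverse) would pin down which name ends up in violatedDirective and effectiveDirective.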

Modified: trunk/Source/WebCore/ChangeLog (198950 => 198951)


--- trunk/Source/WebCore/ChangeLog	2016-04-01 18:22:22 UTC (rev 198950)
+++ trunk/Source/WebCore/ChangeLog	2016-04-01 18:40:21 UTC (rev 198951)
@@ -1,3 +1,24 @@
+2016-04-01  Daniel Bates  <[email protected]>
+
+        CSP: child-src violations reported as frame-src violation
+        https://bugs.webkit.org/show_bug.cgi?id=156092
+        <rdar://problem/25478509>
+
+        Reviewed by Andy Estes.
+
+        Tests: http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html
+               http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html
+               http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-frame-src.html
+
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): Determine the name of the effective violation
+        directive from the name of the violated directive. If the name of the violated directive is "frame-src"
+        then use that name for the name of the effective violated directive. Otherwise, use "child-src" for the
+        name of the effective violated directive. A byproduct of this decision is that we report child-src as the
+        effective violated directive when a frame load was blocked by the default-src directive. This seems reasonable
+        because directive frame-src is deprecated in Content Security Policy Level 2. The child-src directive is
+        its replacement.
+
 2016-04-01  Alex Christensen  <[email protected]>
 
         Compile DumpRenderTree with CMake on Mac

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (198950 => 198951)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2016-04-01 18:22:22 UTC (rev 198950)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2016-04-01 18:40:21 UTC (rev 198951)
@@ -405,8 +405,9 @@
     const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url);
     if (!violatedDirective)
         return true;
-    String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::frameSrc, *violatedDirective, url, "Refused to load");
-    reportViolation(ContentSecurityPolicyDirectiveNames::frameSrc, *violatedDirective, url, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber()));
+    const char* effectiveViolatedDirective = violatedDirective->name() == ContentSecurityPolicyDirectiveNames::frameSrc ? ContentSecurityPolicyDirectiveNames::frameSrc : ContentSecurityPolicyDirectiveNames::childSrc;
+    String consoleMessage = consoleMessageForViolation(effectiveViolatedDirective, *violatedDirective, url, "Refused to load");
+    reportViolation(effectiveViolatedDirective, *violatedDirective, url, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber()));
     return violatedDirective->directiveList().isReportOnly();
 }
 
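Review bot: The comparison violatedDirective->name() == ContentSecurityPolicyDirectiveNames::frameSrc in the new ternary is an exact match, and the hunk does not show whether name() returns a canonical lowercase name or the text as written in the policy. CSP directive names are matched case-insensitively, so if name() preserves the author's casing, a policy written as "Frame-Src 'none'" would be reported with child-src as the effective directive; a case-insensitive comparison, or a test with a mixed-case directive, would settle this. Because the constant is assignable to const char*, it is also worth confirming that name() returns a String so this is a string comparison rather than a pointer comparison. Finally, the reason default-src violations fall through to child-src is explained only in the ChangeLog; a one-line comment above the ternary would keep that rationale with the code.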
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
