Changeset 203611 in webkit


Timestamp:
Jul 22, 2016 1:33:11 PM (8 years ago)
Author:
dbates@webkit.org
Message:

CSP: object-src and plugin-types directives are not respected for plugin replacements
https://bugs.webkit.org/show_bug.cgi?id=159761
<rdar://problem/27365724>

Reviewed by Brent Fulgham.

Source/WebCore:

Apply the Content Security Policy (CSP) object-src and plugin-types directives to content that will
load with a plugin replacement.

Tests: security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html
       security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html
       security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html

  • html/HTMLPlugInImageElement.cpp:
    (WebCore::HTMLPlugInImageElement::allowedToLoadPluginContent): Added.
    (WebCore::HTMLPlugInImageElement::requestObject): Only request loading plugin content if we
    are allowed to load such content.
  • html/HTMLPlugInImageElement.h:
  • loader/SubframeLoader.cpp:
    (WebCore::SubframeLoader::pluginIsLoadable): Removed code to check CSP as we will check CSP
    earlier in HTMLPlugInImageElement::requestObject().
    (WebCore::SubframeLoader::requestPlugin): Ditto.
    (WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Deleted; moved implementation
    to HTMLPlugInImageElement::allowedToLoadPluginContent().
    (WebCore::SubframeLoader::requestObject): Deleted.
  • loader/SubframeLoader.h:
  • page/csp/ContentSecurityPolicy.cpp:
    (WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Changed signature from a non-const
    function to a const function since these functions do not modify |this|.
  • page/csp/ContentSecurityPolicy.h:

LayoutTests:

Add layout tests to ensure that we apply the CSP object-src and plugin-types directives to content
that loads with either the QuickTime plugin replacement or YouTube plugin replacement.

  • security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement-expected.txt: Added.
  • security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html: Added.
  • security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement-expected.txt: Added.
  • security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html: Added.
  • security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement-expected.txt: Added.
  • security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html: Added.
  • security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement-expected.txt: Added.
  • security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html: Added.
  • security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-expected.txt: Added.
  • security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type-expected.txt: Added.
  • security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html: Added.
  • security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html: Added.
  • security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-expected.txt: Added.
  • security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type-expected.txt: Added.
  • security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html: Added.
  • security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html: Added.
Location:
trunk
Files:
16 added
8 edited

  • trunk/LayoutTests/ChangeLog

    r203610 r203611  
     12016-07-22  Daniel Bates  <dabates@apple.com>
     2
     3        CSP: object-src and plugin-types directives are not respected for plugin replacements
     4        https://bugs.webkit.org/show_bug.cgi?id=159761
     5        <rdar://problem/27365724>
     6
     7        Reviewed by Brent Fulgham.
     8
     9        Add layout tests to ensure that we apply the CSP object-src and plugin-types directives to content
     10        that loads with either the QuickTime plugin replacement or YouTube plugin replacement.
     11
     12        * security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement-expected.txt: Added.
     13        * security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html: Added.
     14        * security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement-expected.txt: Added.
     15        * security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html: Added.
     16        * security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement-expected.txt: Added.
     17        * security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html: Added.
     18        * security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement-expected.txt: Added.
     19        * security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html: Added.
     20        * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-expected.txt: Added.
     21        * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type-expected.txt: Added.
     22        * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html: Added.
     23        * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html: Added.
     24        * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-expected.txt: Added.
     25        * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type-expected.txt: Added.
     26        * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html: Added.
     27        * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html: Added.
     28
    1292016-07-22  Chris Dumez  <cdumez@apple.com>
    230
  • trunk/Source/WebCore/ChangeLog

    r203610 r203611  
     12016-07-22  Daniel Bates  <dabates@apple.com>
     2
     3        CSP: object-src and plugin-types directives are not respected for plugin replacements
     4        https://bugs.webkit.org/show_bug.cgi?id=159761
     5        <rdar://problem/27365724>
     6
     7        Reviewed by Brent Fulgham.
     8
     9        Apply the Content Security Policy (CSP) object-src and plugin-types directives to content that will
     10        load with a plugin replacement.
     11
     12        Tests: security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html
     13               security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html
     14               security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html
     15               security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html
     16               security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html
     17               security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html
     18               security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html
     19               security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html
     20
     21        * html/HTMLPlugInImageElement.cpp:
     22        (WebCore::HTMLPlugInImageElement::allowedToLoadPluginContent): Added.
     23        (WebCore::HTMLPlugInImageElement::requestObject): Only request loading plugin content if we
     24        are allowed to load such content.
     25        * html/HTMLPlugInImageElement.h:
     26        * loader/SubframeLoader.cpp:
     27        (WebCore::SubframeLoader::pluginIsLoadable): Removed code to check CSP as we will check CSP
     28        earlier in HTMLPlugInImageElement::requestObject().
     29        (WebCore::SubframeLoader::requestPlugin): Ditto.
     30        (WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Deleted; moved implementation
     31        to HTMLPlugInImageElement::allowedToLoadPluginContent().
     32        (WebCore::SubframeLoader::requestObject): Deleted.
     33        * loader/SubframeLoader.h:
     34        * page/csp/ContentSecurityPolicy.cpp:
     35        (WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Changed signature from a non-const
     36        function to a const function since these functions do not modify |this|.
     37        * page/csp/ContentSecurityPolicy.h:
     38
    1392016-07-22  Chris Dumez  <cdumez@apple.com>
    240
  • trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp

    r202105 r203611  
    2424#include "Chrome.h"
    2525#include "ChromeClient.h"
     26#include "ContentSecurityPolicy.h"
    2627#include "Event.h"
    2728#include "EventHandler.h"
     
    771772}
    772773
     774bool HTMLPlugInImageElement::allowedToLoadPluginContent(const String& url, const String& mimeType) const
     775{
     776    URL completedURL;
     777    if (!url.isEmpty())
     778        completedURL = document().completeURL(url);
     779
     780    ASSERT(document().contentSecurityPolicy());
     781    const ContentSecurityPolicy& contentSecurityPolicy = *document().contentSecurityPolicy();
     782
     783    contentSecurityPolicy.upgradeInsecureRequestIfNeeded(completedURL, ContentSecurityPolicy::InsecureRequestType::Load);
     784
     785    String declaredMimeType = document().isPluginDocument() && document().ownerElement() ?
     786        document().ownerElement()->attributeWithoutSynchronization(HTMLNames::typeAttr) : attributeWithoutSynchronization(HTMLNames::typeAttr);
     787    bool isInUserAgentShadowTree = this->isInUserAgentShadowTree();
     788    return contentSecurityPolicy.allowObjectFromSource(completedURL, isInUserAgentShadowTree) && contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, completedURL, isInUserAgentShadowTree);
     789}
     790
    773791bool HTMLPlugInImageElement::requestObject(const String& url, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues)
    774792{
     793    if (url.isEmpty() && mimeType.isEmpty())
     794        return false;
     795
     796    if (!allowedToLoadPluginContent(url, mimeType)) {
     797        renderEmbeddedObject()->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
     798        return false;
     799    }
     800
    775801    if (HTMLPlugInElement::requestObject(url, mimeType, paramNames, paramValues))
    776802        return true;
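Review bot: the new early return at line 793 (`if (url.isEmpty() && mimeType.isEmpty()) return false;`) is a behaviour change that the ChangeLog entry for requestObject does not mention; either document why an element with neither a URL nor a type should now short-circuit before HTMLPlugInElement::requestObject is consulted, or drop it if it exists only to keep allowedToLoadPluginContent from seeing an empty URL. Separately, line 797 dereferences `renderEmbeddedObject()` without a null check; the deleted SubframeLoader code had the same pattern, so if a renderer is guaranteed at this point an ASSERT would make that precondition explicit.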
  • trunk/Source/WebCore/html/HTMLPlugInImageElement.h

    r200041 r203611  
    112112    bool isRestartedPlugin() const final { return m_isRestartedPlugin; }
    113113
     114    bool allowedToLoadPluginContent(const String& url, const String& mimeType) const;
     115
    114116    void finishParsingChildren() final;
    115117    void didAddUserAgentShadowRoot(ShadowRoot*) final;
  • trunk/Source/WebCore/loader/SubframeLoader.cpp

    r203324 r203611  
    109109}
    110110
    111 bool SubframeLoader::isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType) const
    112 {
    113     if (!document())
    114         return true;
    115 
    116     ASSERT(document()->contentSecurityPolicy());
    117     const ContentSecurityPolicy& contentSecurityPolicy = *document()->contentSecurityPolicy();
    118 
    119     String declaredMimeType = document()->isPluginDocument() && document()->ownerElement() ?
    120         document()->ownerElement()->attributeWithoutSynchronization(HTMLNames::typeAttr) : pluginElement.attributeWithoutSynchronization(HTMLNames::typeAttr);
    121     bool isInUserAgentShadowTree = pluginElement.isInUserAgentShadowTree();
    122     return contentSecurityPolicy.allowObjectFromSource(url, isInUserAgentShadowTree) && contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, url, isInUserAgentShadowTree);
    123 }
    124 
    125 bool SubframeLoader::pluginIsLoadable(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType)
     111bool SubframeLoader::pluginIsLoadable(const URL& url, const String& mimeType)
    126112{
    127113    if (MIMETypeRegistry::isJavaAppletMIMEType(mimeType)) {
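Review bot: the deleted `isPluginContentAllowedByContentSecurityPolicy` failed open (`return true;` at line 114) when `document()` was null, whereas its replacement in HTMLPlugInImageElement::allowedToLoadPluginContent asserts that a ContentSecurityPolicy exists and otherwise dereferences it; that is a stricter and safer contract, but it deserves a sentence in the ChangeLog since the fail-open branch disappears silently. Dropping the `HTMLPlugInImageElement&` parameter from pluginIsLoadable also makes the function callable without an element, so any future caller that reaches it without going through HTMLPlugInImageElement::requestObject will get no CSP check at all.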
     
    141127        }
    142128
    143         if (!isPluginContentAllowedByContentSecurityPolicy(pluginElement, url, mimeType)) {
    144             RenderEmbeddedObject* renderer = pluginElement.renderEmbeddedObject();
    145             renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
    146             return false;
    147         }
    148 
    149129        if (!m_frame.loader().mixedContentChecker().canRunInsecureContent(document()->securityOrigin(), url))
    150130            return false;
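Review bot: with the CSP block removed here, the only enforcement left in this region is the mixed-content check at line 129, and correctness now depends on HTMLPlugInImageElement::requestObject having already run allowedToLoadPluginContent; please confirm that every path into pluginIsLoadable and requestPlugin goes through that element-level check, because the previous placement inside the loader protected all callers regardless of entry point. A short comment at this spot stating that CSP is enforced by the caller would help the next reader.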
     
    162142        return false;
    163143
    164     if (!pluginIsLoadable(ownerElement, url, mimeType))
     144    if (!pluginIsLoadable(url, mimeType))
    165145        return false;
    166146
     
    241221        logPluginRequest(document()->page(), mimeType, completedURL, success);
    242222        return success;
    243     }
    244 
    245     if (!isPluginContentAllowedByContentSecurityPolicy(ownerElement, completedURL, mimeType)) {
    246         RenderEmbeddedObject* renderer = ownerElement.renderEmbeddedObject();
    247         renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
    248         return false;
    249223    }
    250224
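Review bot: removing this block leaves SubframeLoader::requestObject with no CSP check of its own; the old placement (after the branch that returns `success` at line 222) is consistent with the bug being fixed, so moving the check earlier is the right shape, but the precondition that `completedURL` has already been vetted by allowedToLoadPluginContent is now invisible at this point. Consider an ASSERT or comment naming that precondition, and note that the URL checked by CSP (completed in allowedToLoadPluginContent) and the `completedURL` loaded here are computed in two places, so if the completion logic ever diverges the check and the load would see different URLs.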
  • trunk/Source/WebCore/loader/SubframeLoader.h

    r200799 r203611  
    7878    bool loadPlugin(HTMLPlugInImageElement&, const URL&, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues, bool useFallback);
    7979
    80     bool isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement&, const URL&, const String& mimeType) const;
    81 
    8280    bool shouldUsePlugin(const URL&, const String& mimeType, bool hasFallback, bool& useFallback);
    83     bool pluginIsLoadable(HTMLPlugInImageElement&, const URL&, const String& mimeType);
     81    bool pluginIsLoadable(const URL&, const String& mimeType);
    8482
    8583    Document* document() const;
  • trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

    r203434 r203611  
    830830}
    831831
    832 void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(ResourceRequest& request, InsecureRequestType requestType)
     832void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(ResourceRequest& request, InsecureRequestType requestType) const
    833833{
    834834    URL url = request.url();
     
    837837}
    838838
    839 void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(URL& url, InsecureRequestType requestType)
     839void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(URL& url, InsecureRequestType requestType) const
    840840{
    841841    if (!url.protocolIs("http") && !url.protocolIs("ws"))
  • trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h

    r203434 r203611  
    156156    bool upgradeInsecureRequests() const { return m_upgradeInsecureRequests; }
    157157    enum class InsecureRequestType { Load, FormSubmission, Navigation };
    158     void upgradeInsecureRequestIfNeeded(ResourceRequest&, InsecureRequestType);
    159     void upgradeInsecureRequestIfNeeded(URL&, InsecureRequestType);
     158    void upgradeInsecureRequestIfNeeded(ResourceRequest&, InsecureRequestType) const;
     159    void upgradeInsecureRequestIfNeeded(URL&, InsecureRequestType) const;
    160160
    161161    HashSet<RefPtr<SecurityOrigin>>&& takeNavigationRequestsToUpgrade();