Changeset 207249 in webkit

Timestamp:

Oct 12, 2016 4:01:40 PM (8 years ago)

Author:

matthew_hanson@apple.com

Message:

Merge r203611. rdar://problem/28476958

Location:

branches/safari-602.2.14.0-branch

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement-expected.txt (added)
• LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html (added)
• LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement-expected.txt (added)
• LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement-expected.txt (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement-expected.txt (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-expected.txt (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type-expected.txt (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-expected.txt (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type-expected.txt (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html (added)
• LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/HTMLPlugInImageElement.cpp (modified) (2 diffs)
• Source/WebCore/html/HTMLPlugInImageElement.h (modified) (1 diff)
• Source/WebCore/loader/SubframeLoader.cpp (modified) (4 diffs)
• Source/WebCore/loader/SubframeLoader.h (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicy.cpp (modified) (2 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicy.h (modified) (1 diff)

branches/safari-602.2.14.0-branch/LayoutTests/ChangeLog

@@ +1 @@
+2016-10-11  Matthew Hanson  <matthew_hanson@apple.com>
+
+        Merge r203611. rdar://problem/28476958
+
+    2016-07-22  Daniel Bates  <dabates@apple.com>
+
+            CSP: object-src and plugin-types directives are not respected for plugin replacements
+            https://bugs.webkit.org/show_bug.cgi?id=159761
+            <rdar://problem/27365724>
+
+            Reviewed by Brent Fulgham.
+
+            Add layout tests to ensure that we apply the CSP object-src and plugin-types directives to content
+            that loads with either the QuickTime plugin replacement or YouTube plugin replacement.
+
+            * security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement-expected.txt: Added.
+            * security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html: Added.
+            * security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement-expected.txt: Added.
+            * security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html: Added.
+            * security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement-expected.txt: Added.
+            * security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html: Added.
+            * security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement-expected.txt: Added.
+            * security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html: Added.
+            * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-expected.txt: Added.
+            * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type-expected.txt: Added.
+            * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html: Added.
+            * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html: Added.
+            * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-expected.txt: Added.
+            * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type-expected.txt: Added.
+            * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html: Added.
+            * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html: Added.
+
 2016-10-11  Matthew Hanson  <matthew_hanson@apple.com>
 

branches/safari-602.2.14.0-branch/Source/WebCore/ChangeLog

@@ +1 @@
+2016-10-11  Matthew Hanson  <matthew_hanson@apple.com>
+
+        Merge r203611. rdar://problem/28476958
+
+    2016-07-22  Daniel Bates  <dabates@apple.com>
+
+            CSP: object-src and plugin-types directives are not respected for plugin replacements
+            https://bugs.webkit.org/show_bug.cgi?id=159761
+            <rdar://problem/27365724>
+
+            Reviewed by Brent Fulgham.
+
+            Apply the Content Security Policy (CSP) object-src and plugin-types directives to content that will
+            load with a plugin replacement.
+
+            Tests: security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html
+                   security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html
+                   security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html
+                   security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html
+                   security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html
+                   security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html
+                   security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html
+                   security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html
+
+            * html/HTMLPlugInImageElement.cpp:
+            (WebCore::HTMLPlugInImageElement::allowedToLoadPluginContent): Added.
+            (WebCore::HTMLPlugInImageElement::requestObject): Only request loading plugin content if we
+            are allowed to load such content.
+            * html/HTMLPlugInImageElement.h:
+            * loader/SubframeLoader.cpp:
+            (WebCore::SubframeLoader::pluginIsLoadable): Removed code to check CSP as we will check CSP
+            earlier in HTMLPlugInImageElement::requestObject().
+            (WebCore::SubframeLoader::requestPlugin): Ditto.
+            (WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Deleted; moved implementation
+            to HTMLPlugInImageElement::allowedToLoadPluginContent().
+            (WebCore::SubframeLoader::requestObject): Deleted.
+            * loader/SubframeLoader.h:
+            * page/csp/ContentSecurityPolicy.cpp:
+            (WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Changed signature from a non-const
+            function to a const function since these functions do not modify |this|.
+            * page/csp/ContentSecurityPolicy.h:
+
 2016-10-11  Matthew Hanson  <matthew_hanson@apple.com>
 

branches/safari-602.2.14.0-branch/Source/WebCore/html/HTMLPlugInImageElement.cpp

@@ -24 +24 @@
 #include "Chrome.h"
 #include "ChromeClient.h"
+#include "ContentSecurityPolicy.h"
 #include "Event.h"
 #include "EventHandler.h"
@@ -771 +772 @@
 }
 
+bool HTMLPlugInImageElement::allowedToLoadPluginContent(const String& url, const String& mimeType) const
+{
+    URL completedURL;
+    if (!url.isEmpty())
+        completedURL = document().completeURL(url);
+
+    ASSERT(document().contentSecurityPolicy());
+    const ContentSecurityPolicy& contentSecurityPolicy = *document().contentSecurityPolicy();
+
+    contentSecurityPolicy.upgradeInsecureRequestIfNeeded(completedURL, ContentSecurityPolicy::InsecureRequestType::Load);
+
+    String declaredMimeType = document().isPluginDocument() && document().ownerElement() ?
+        document().ownerElement()->attributeWithoutSynchronization(HTMLNames::typeAttr) : attributeWithoutSynchronization(HTMLNames::typeAttr);
+    bool isInUserAgentShadowTree = this->isInUserAgentShadowTree();
+    return contentSecurityPolicy.allowObjectFromSource(completedURL, isInUserAgentShadowTree) && contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, completedURL, isInUserAgentShadowTree);
+}
+
 bool HTMLPlugInImageElement::requestObject(const String& url, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues)
 {
+    if (url.isEmpty() && mimeType.isEmpty())
+        return false;
+
+    if (!allowedToLoadPluginContent(url, mimeType)) {
+        renderEmbeddedObject()->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
+        return false;
+    }
+
     if (HTMLPlugInElement::requestObject(url, mimeType, paramNames, paramValues))
         return true;

branches/safari-602.2.14.0-branch/Source/WebCore/html/HTMLPlugInImageElement.h

@@ -112 +112 @@
     bool isRestartedPlugin() const final { return m_isRestartedPlugin; }
 
+    bool allowedToLoadPluginContent(const String& url, const String& mimeType) const;
+
     void finishParsingChildren() final;
     void didAddUserAgentShadowRoot(ShadowRoot*) final;

branches/safari-602.2.14.0-branch/Source/WebCore/loader/SubframeLoader.cpp

@@ -109 +109 @@
 }
 
-bool SubframeLoader::isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType) const
-{
-    if (!document())
-        return true;
-
-    ASSERT(document()->contentSecurityPolicy());
-    const ContentSecurityPolicy& contentSecurityPolicy = *document()->contentSecurityPolicy();
-
-    String declaredMimeType = document()->isPluginDocument() && document()->ownerElement() ?
-        document()->ownerElement()->attributeWithoutSynchronization(HTMLNames::typeAttr) : pluginElement.attributeWithoutSynchronization(HTMLNames::typeAttr);
-    bool isInUserAgentShadowTree = pluginElement.isInUserAgentShadowTree();
-    return contentSecurityPolicy.allowObjectFromSource(url, isInUserAgentShadowTree) && contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, url, isInUserAgentShadowTree);
-}
-
-bool SubframeLoader::pluginIsLoadable(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType)
+bool SubframeLoader::pluginIsLoadable(const URL& url, const String& mimeType)
 {
     if (MIMETypeRegistry::isJavaAppletMIMEType(mimeType)) {
@@ -141 +127 @@
         }
 
-        if (!isPluginContentAllowedByContentSecurityPolicy(pluginElement, url, mimeType)) {
-            RenderEmbeddedObject* renderer = pluginElement.renderEmbeddedObject();
-            renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
-            return false;
-        }
-
         if (!m_frame.loader().mixedContentChecker().canRunInsecureContent(document()->securityOrigin(), url))
             return false;
@@ -162 +142 @@
         return false;
 
-    if (!pluginIsLoadable(ownerElement, url, mimeType))
+    if (!pluginIsLoadable(url, mimeType))
         return false;
 
@@ -241 +221 @@
         logPluginRequest(document()->page(), mimeType, completedURL, success);
         return success;
-    }
-
-    if (!isPluginContentAllowedByContentSecurityPolicy(ownerElement, completedURL, mimeType)) {
-        RenderEmbeddedObject* renderer = ownerElement.renderEmbeddedObject();
-        renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
-        return false;
     }
 

branches/safari-602.2.14.0-branch/Source/WebCore/loader/SubframeLoader.h

@@ -78 +78 @@
     bool loadPlugin(HTMLPlugInImageElement&, const URL&, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues, bool useFallback);
 
-    bool isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement&, const URL&, const String& mimeType) const;
-
     bool shouldUsePlugin(const URL&, const String& mimeType, bool hasFallback, bool& useFallback);
-    bool pluginIsLoadable(HTMLPlugInImageElement&, const URL&, const String& mimeType);
+    bool pluginIsLoadable(const URL&, const String& mimeType);
 
     Document* document() const;

branches/safari-602.2.14.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

@@ -766 +766 @@
 }
 
-void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(ResourceRequest& request, InsecureRequestType requestType)
+void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(ResourceRequest& request, InsecureRequestType requestType) const
 {
     URL url = request.url();
@@ -773 +773 @@
 }
 
-void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(URL& url, InsecureRequestType requestType)
+void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(URL& url, InsecureRequestType requestType) const
 {
     if (!url.protocolIs("http") && !url.protocolIs("ws"))

branches/safari-602.2.14.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.h

@@ -157 +157 @@
     bool upgradeInsecureRequests() const { return m_upgradeInsecureRequests; }
     enum class InsecureRequestType { Load, FormSubmission, Navigation };
-    void upgradeInsecureRequestIfNeeded(ResourceRequest&, InsecureRequestType);
-    void upgradeInsecureRequestIfNeeded(URL&, InsecureRequestType);
+    void upgradeInsecureRequestIfNeeded(ResourceRequest&, InsecureRequestType) const;
+    void upgradeInsecureRequestIfNeeded(URL&, InsecureRequestType) const;
 
     HashSet<RefPtr<SecurityOrigin>>&& takeNavigationRequestsToUpgrade();