Changeset 230346 in webkit

Timestamp:

Apr 6, 2018 12:15:34 PM (6 years ago)

Author:

dbates@webkit.org

Message:

Emit a more informative message when a script is blocked due to "X-Content-Type: nosniff"
​https://bugs.webkit.org/show_bug.cgi?id=184359

Reviewed by Per Arne Vollan.

Source/WebCore:

Emphasize in the message that the script was blocked from executing.

Test: http/tests/security/contentTypeOptions/nosniff-importScript-blocked.html

• dom/LoadableClassicScript.cpp:

(WebCore::LoadableClassicScript::notifyFinished):

• workers/WorkerScriptLoader.cpp:

(WebCore::WorkerScriptLoader::didReceiveResponse):

LayoutTests:

Adds a test to ensure we block importing scripts into a Web Worker whose HTTP responses
include "X-Content-Type: nosniff" and have a non script MIME type.

Also update existing expected results.

• http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt:
• http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt:
• http/tests/security/contentTypeOptions/nosniff-importScript-blocked-expected.txt: Added.
• http/tests/security/contentTypeOptions/nosniff-importScript-blocked.html: Added.
• http/tests/security/contentTypeOptions/nosniff-script-allowed-expected.txt:
• http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt:
• http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt:
• http/tests/security/contentTypeOptions/resources/nosniff-importScript-blocked.js: Added.

(let.mimeType.of.unscriptyMIMETypes.catch):

• http/tests/security/contentTypeOptions/resources/script-with-header.pl:
• http/tests/security/module-correct-mime-types-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-importScript-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-importScript-blocked.html (added)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-allowed-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentTypeOptions/resources/nosniff-importScript-blocked.js (added)
• LayoutTests/http/tests/security/contentTypeOptions/resources/script-with-header.pl (modified) (1 diff)
• LayoutTests/http/tests/security/module-correct-mime-types-expected.txt (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/LoadableClassicScript.cpp (modified) (1 diff)
• Source/WebCore/workers/WorkerScriptLoader.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-04-06  Daniel Bates  <dabates@apple.com>
+
+        Emit a more informative message when a script is blocked due to "X-Content-Type: nosniff"
+        https://bugs.webkit.org/show_bug.cgi?id=184359
+
+        Reviewed by Per Arne Vollan.
+
+        Adds a test to ensure we block importing scripts into a Web Worker whose HTTP responses
+        include "X-Content-Type: nosniff" and have a non script MIME type.
+
+        Also update existing expected results.
+
+        * http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt:
+        * http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt:
+        * http/tests/security/contentTypeOptions/nosniff-importScript-blocked-expected.txt: Added.
+        * http/tests/security/contentTypeOptions/nosniff-importScript-blocked.html: Added.
+        * http/tests/security/contentTypeOptions/nosniff-script-allowed-expected.txt:
+        * http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt:
+        * http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt:
+        * http/tests/security/contentTypeOptions/resources/nosniff-importScript-blocked.js: Added.
+        (let.mimeType.of.unscriptyMIMETypes.catch):
+        * http/tests/security/contentTypeOptions/resources/script-with-header.pl:
+        * http/tests/security/module-correct-mime-types-expected.txt:
+
 2018-04-06  Daniel Bates  <dabates@apple.com>
 

trunk/LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/json'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'image/png'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/html'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/vbs'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/vbscript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/x-javascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/json'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'image/png'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/html'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/vbs'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/vbscript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/x-javascript'.
 Check that script sent with an invalid 'X-Content-Type-Options: nosniff' header is correctly allowed, even if the MIME type isn't scripty.
 

trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/json' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
+CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/json as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.
 Check that script sent with an 'X-Content-Type-Options: nosniff' header is correctly blocked if the MIME type isn't scripty.
 

trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-allowed-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.1'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.2'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.3'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/livescript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/ecmascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/javascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/x-javascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/ecmascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/jscript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.1'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.2'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.3'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/livescript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/ecmascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/javascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/x-javascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/ecmascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/jscript'.
 Check that script sent with an 'X-Content-Type-Options: nosniff' header is correctly allowed if the MIME type is scripty.
 

trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/json' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
-CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=image/png' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
-CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
-CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbs' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
-CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbscript' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
-CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xx-javascript' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
+CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/json as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.
+CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=image/png as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.
+CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.
+CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbs as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.
+CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbscript as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.
+CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xx-javascript as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.
 Check that script sent with an 'X-Content-Type-Options: nosniff' header is correctly blocked if the MIME type isn't scripty.
 

trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
+CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type.
 Check that script sent with an 'X-Content-Type-Options: nosniff' header is correctly blocked if no 'Content-Type' header is present.
 

trunk/LayoutTests/http/tests/security/contentTypeOptions/resources/script-with-header.pl

@@ -14 +14 @@
 }
 print "\n";
-print "console.log(\"Executed script with MIME type: '" .  $cgi->param('mime') . "'.\");\n";
-print "window.scriptsSuccessfullyLoaded++;\n";
+print "if (self.console)\n";
+print "    console.log(\"Executed script with MIME type: '" .  $cgi->param('mime') . "'.\");\n";
+print "self.scriptsSuccessfullyLoaded++;\n";

trunk/LayoutTests/http/tests/security/module-correct-mime-types-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/ecmascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/javascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/x-ecmascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/x-javascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/ecmascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.0'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.1'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.2'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.3'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.4'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.5'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/jscript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/livescript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/x-ecmascript'.
-CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/x-javascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/ecmascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/javascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/x-ecmascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/x-javascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/ecmascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.0'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.1'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.2'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.3'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.4'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.5'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/jscript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/livescript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/x-ecmascript'.
+CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/x-javascript'.
 Test module scripts run with correct mime types.
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-04-06  Daniel Bates  <dabates@apple.com>
+
+        Emit a more informative message when a script is blocked due to "X-Content-Type: nosniff"
+        https://bugs.webkit.org/show_bug.cgi?id=184359
+
+        Reviewed by Per Arne Vollan.
+
+        Emphasize in the message that the script was blocked from executing.
+
+        Test: http/tests/security/contentTypeOptions/nosniff-importScript-blocked.html
+
+        * dom/LoadableClassicScript.cpp:
+        (WebCore::LoadableClassicScript::notifyFinished):
+        * workers/WorkerScriptLoader.cpp:
+        (WebCore::WorkerScriptLoader::didReceiveResponse):
+
 2018-04-06  Daniel Bates  <dabates@apple.com>
 

trunk/Source/WebCore/dom/LoadableClassicScript.cpp

@@ -91 +91 @@
                 MessageSource::Security,
                 MessageLevel::Error,
-                makeString("Did not load script at '", m_cachedScript->url().stringCenterEllipsizedToLength(), "' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.")
+                makeString("Refused to execute ", m_cachedScript->url().stringCenterEllipsizedToLength(), " as script because \"X-Content-Type: nosniff\" was given and its Content-Type is not a script MIME type.")
             }
         };

trunk/Source/WebCore/workers/WorkerScriptLoader.cpp

@@ -128 +128 @@
 
     if (!isScriptAllowedByNosniff(response)) {
+        String message = makeString("Refused to execute ", response.url().stringCenterEllipsizedToLength(), " as script because \"X-Content-Type: nosniff\" was given and its Content-Type is not a script MIME type.");
+        m_error = ResourceError { errorDomainWebKitInternal, 0, url(), message, ResourceError::Type::General };
         m_failed = true;
         return;