Changeset 230346 in webkit
- Timestamp: Apr 6, 2018 12:15:34 PM
- Location: trunk
- Files: 3 added, 11 edited
trunk/LayoutTests/ChangeLog
r230345 r230346 1 2018-04-06 Daniel Bates <dabates@apple.com> 2 3 Emit a more informative message when a script is blocked due to "X-Content-Type: nosniff" 4 https://bugs.webkit.org/show_bug.cgi?id=184359 5 6 Reviewed by Per Arne Vollan. 7 8 Adds a test to ensure we block importing scripts into a Web Worker whose HTTP responses 9 include "X-Content-Type: nosniff" and have a non script MIME type. 10 11 Also update existing expected results. 12 13 * http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt: 14 * http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt: 15 * http/tests/security/contentTypeOptions/nosniff-importScript-blocked-expected.txt: Added. 16 * http/tests/security/contentTypeOptions/nosniff-importScript-blocked.html: Added. 17 * http/tests/security/contentTypeOptions/nosniff-script-allowed-expected.txt: 18 * http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt: 19 * http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt: 20 * http/tests/security/contentTypeOptions/resources/nosniff-importScript-blocked.js: Added. 21 (let.mimeType.of.unscriptyMIMETypes.catch): 22 * http/tests/security/contentTypeOptions/resources/script-with-header.pl: 23 * http/tests/security/module-correct-mime-types-expected.txt: 24 1 25 2018-04-06 Daniel Bates <dabates@apple.com> 2 26 -
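Review bot: the line `(let.mimeType.of.unscriptyMIMETypes.catch):` under resources/nosniff-importScript-blocked.js is a prepare-ChangeLog parsing artifact rather than a function name, and it will confuse anyone reading the log later; drop it, or replace it with a one-line description of what the new worker script exercises (importing each non-script MIME type and recording the failure). The rest of the entry reads fine.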
trunk/LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt
r142683 r230346 1 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/json'.2 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'image/png'.3 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/html'.4 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/vbs'.5 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/vbscript'.6 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/x-javascript'.1 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/json'. 2 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'image/png'. 3 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/html'. 4 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/vbs'. 5 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/vbscript'. 6 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/x-javascript'. 7 7 Check that script sent with an invalid 'X-Content-Type-Options: nosniff' header is correctly allowed, even if the MIME type isn't scripty. 8 8 -
trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt
r215753 r230346 1 CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/json' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.1 CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/json as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type. 2 2 Check that script sent with an 'X-Content-Type-Options: nosniff' header is correctly blocked if the MIME type isn't scripty. 3 3 -
trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-allowed-expected.txt
r142683 r230346 1 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.1'.2 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.2'.3 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.3'.4 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/livescript'.5 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/ecmascript'.6 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/javascript'.7 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/x-javascript'.8 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/ecmascript'.9 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript'.10 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/jscript'.1 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.1'. 2 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.2'. 3 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.3'. 4 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/livescript'. 5 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/ecmascript'. 6 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/javascript'. 7 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/x-javascript'. 8 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/ecmascript'. 9 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript'. 10 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/jscript'. 11 11 Check that script sent with an 'X-Content-Type-Options: nosniff' header is correctly allowed if the MIME type is scripty. 12 12 -
trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt
r215753 r230346 1 CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/json' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.2 CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=image/png' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.3 CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.4 CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbs' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.5 CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbscript' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.6 CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xx-javascript' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.1 CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/json as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type. 2 CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=image/png as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type. 
3 CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type. 4 CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbs as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type. 5 CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbscript as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type. 6 CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xx-javascript as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type. 7 7 Check that script sent with an 'X-Content-Type-Options: nosniff' header is correctly blocked if the MIME type isn't scripty. 8 8 -
trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt
r215753 r230346 1 CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.1 CONSOLE MESSAGE: Refused to execute http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl as script because "X-Content-Type: nosniff" was given and its Content-Type is not a script MIME type. 2 2 Check that script sent with an 'X-Content-Type-Options: nosniff' header is correctly blocked if no 'Content-Type' header is present. 3 3 -
trunk/LayoutTests/http/tests/security/contentTypeOptions/resources/script-with-header.pl
r142683 r230346 14 14 } 15 15 print "\n"; 16 print "console.log(\"Executed script with MIME type: '" . $cgi->param('mime') . "'.\");\n"; 17 print "window.scriptsSuccessfullyLoaded++;\n"; 16 print "if (self.console)\n"; 17 print " console.log(\"Executed script with MIME type: '" . $cgi->param('mime') . "'.\");\n"; 18 print "self.scriptsSuccessfullyLoaded++;\n"; -
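Review bot: putting the guard on its own line (`print "if (self.console)\n";` followed by the indented `console.log` line) moves the console.log call from line 1 to line 2 of the generated script, which is the only reason three expectation files in this changeset (invalid-content-type-options-allowed, nosniff-script-allowed, module-correct-mime-types) had to be rebaselined from `line 1:` to `line 2:`. Emitting guard and call on one line (`if (self.console) console.log(...)`) keeps the reported line numbers stable and avoids that churn. The change from `window.scriptsSuccessfullyLoaded` to `self.scriptsSuccessfullyLoaded` is correct now that the same script is imported into a worker, where `window` is not defined.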
trunk/LayoutTests/http/tests/security/module-correct-mime-types-expected.txt
r208788 r230346 1 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/ecmascript'.2 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/javascript'.3 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/x-ecmascript'.4 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'application/x-javascript'.5 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/ecmascript'.6 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript'.7 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.0'.8 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.1'.9 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.2'.10 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.3'.11 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.4'.12 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/javascript1.5'.13 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/jscript'.14 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/livescript'.15 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/x-ecmascript'.16 CONSOLE MESSAGE: line 1: Executed script with MIME type: 'text/x-javascript'.1 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/ecmascript'. 2 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/javascript'. 3 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/x-ecmascript'. 4 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/x-javascript'. 5 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/ecmascript'. 6 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript'. 7 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.0'. 8 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.1'. 
9 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.2'. 10 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.3'. 11 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.4'. 12 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/javascript1.5'. 13 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/jscript'. 14 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/livescript'. 15 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/x-ecmascript'. 16 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/x-javascript'. 17 17 Test module scripts run with correct mime types. 18 18 -
trunk/Source/WebCore/ChangeLog
r230345 r230346 1 2018-04-06 Daniel Bates <dabates@apple.com> 2 3 Emit a more informative message when a script is blocked due to "X-Content-Type: nosniff" 4 https://bugs.webkit.org/show_bug.cgi?id=184359 5 6 Reviewed by Per Arne Vollan. 7 8 Emphasize in the message that the script was blocked from executing. 9 10 Test: http/tests/security/contentTypeOptions/nosniff-importScript-blocked.html 11 12 * dom/LoadableClassicScript.cpp: 13 (WebCore::LoadableClassicScript::notifyFinished): 14 * workers/WorkerScriptLoader.cpp: 15 (WebCore::WorkerScriptLoader::didReceiveResponse): 16 1 17 2018-04-06 Daniel Bates <dabates@apple.com> 2 18 -
trunk/Source/WebCore/dom/LoadableClassicScript.cpp
r227612 r230346 91 91 MessageSource::Security, 92 92 MessageLevel::Error, 93 makeString(" Did not load script at '", m_cachedScript->url().stringCenterEllipsizedToLength(), "' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.")93 makeString("Refused to execute ", m_cachedScript->url().stringCenterEllipsizedToLength(), " as script because \"X-Content-Type: nosniff\" was given and its Content-Type is not a script MIME type.") 94 94 } 95 95 }; -
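Review bot: the new message at line 93 names the header as "X-Content-Type: nosniff", but the header this check is keyed on is X-Content-Type-Options: nosniff, which is what the test descriptions in this same changeset call it ('X-Content-Type-Options: nosniff'). The old text had the same inaccuracy, and since the whole point of the change is a more informative message, this is the moment to fix it: `"... as script because \"X-Content-Type-Options: nosniff\" was given and its Content-Type is not a script MIME type."`, with the expected results updated to match. A developer reading the console is otherwise sent looking for a header that does not exist.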
trunk/Source/WebCore/workers/WorkerScriptLoader.cpp
r226904 r230346 128 128 129 129 if (!isScriptAllowedByNosniff(response)) { 130 String message = makeString("Refused to execute ", response.url().stringCenterEllipsizedToLength(), " as script because \"X-Content-Type: nosniff\" was given and its Content-Type is not a script MIME type."); 131 m_error = ResourceError { errorDomainWebKitInternal, 0, url(), message, ResourceError::Type::General }; 130 132 m_failed = true; 131 133 return;
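Review bot: the literal built at line 130 duplicates, character for character, the one added to LoadableClassicScript.cpp at line 93, and the two will drift the next time either is reworded; consider hoisting the string into one helper next to isScriptAllowedByNosniff() so both load paths report the same text. Separately, the hunk only stores the text in `m_error` at line 131 and then sets `m_failed = true` and returns; nothing visible here logs it, so confirm that the ResourceError's description is what the worker's importScripts() failure surfaces to the console and that nosniff-importScript-blocked-expected.txt (added in this changeset but not shown in this view) captures that exact line.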