Changeset 230602 in webkit
- Timestamp:
- Apr 12, 2018 3:32:40 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 8 added
- 23 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r230595 r230602 1 2018-04-12 Daniel Bates <dabates@apple.com> 2 3 Content-Type not enforced for <script> allows for XSS 4 https://bugs.webkit.org/show_bug.cgi?id=184386 5 <rdar://problem/39112268> 6 7 Reviewed by Brady Eidson. 8 9 Add tests to ensure that we block JavaScript scripts with a banned MIME type and update expected results. 10 11 Update tests http/tests/security/{cross-origin-cached-scripts, cross-origin-cached-scripts-parallel}.html 12 to load JavaScript scripts with MIME type text/javascript. These tests load JavaScript scripts indirectly 13 via the helper script LayoutTests/http/tests/security/resources/allow-if-origin.php. The script 14 allow-if-origin.php returns a response with MIME type image/png in absence of query string argument 15 contentType. We need to update these tests to pass contentType=text/javascript to allow-if-origin.php. 16 17 * TestExpectations: Mark test web-platform-tests/fetch/api/basic/block-mime-as-script.html DumpJSConsoleLogInStdErr 18 to ignore console message output when comparing the actual and expected result because the order the 19 sub tests are run is non-deterministic and the blocked MIME error message is specific to the blocked 20 response. 21 * http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt: 22 * http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html: 23 * http/tests/security/contentTypeOptions/resources/script-with-header.pl: Modified to only 24 set the HTTP header X-Content-Type-Options if the query argument no-content-type-options it 25 not present or evaluates to false in a boolean context. This lets us make use of this script 26 to test banned JavaScript MIME types. 27 * http/tests/security/cross-origin-cached-scripts-expected.txt: 28 * http/tests/security/cross-origin-cached-scripts-parallel-expected.txt: 29 * http/tests/security/cross-origin-cached-scripts-parallel.html: 30 * http/tests/security/cross-origin-cached-scripts.html: 31 * http/tests/security/resources/abe-that-increments-scriptsSuccessfullyLoaded.jpg: Added. 32 This file is both a valid JPEG image and a valid JavaScript script. When interpreted as a JavaScript 33 script it will increment the global variable self.scriptsSuccessfullyLoaded (defining it if 34 not already defined). 35 * http/tests/security/script-with-banned-mimetype-expected.txt: Added. 36 * http/tests/security/script-with-banned-mimetype.html: Added. 37 * http/tests/workers/resources/worker-importScripts-banned-mimetype.php: Added. 38 * http/tests/workers/worker-importScripts-banned-mimetype-expected.txt: Added. 39 * http/tests/workers/worker-importScripts-banned-mimetype.html: Added. 40 1 41 2018-04-12 Antoine Quint <graouts@apple.com> 2 42 -
trunk/LayoutTests/TestExpectations
r230590 r230602 609 609 imported/w3c/web-platform-tests/XMLHttpRequest/responsexml-document-properties.htm [ Failure ] 610 610 611 imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script.html [ DumpJSConsoleLogInStdErr ] 611 612 imported/w3c/web-platform-tests/fetch/api/cors/cors-origin.any.html [ DumpJSConsoleLogInStdErr ] 612 613 imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-status.any.html [ DumpJSConsoleLogInStdErr ] -
trunk/LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt
r230346 r230602 1 1 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'application/json'. 2 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'image/png'.3 2 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/html'. 4 3 CONSOLE MESSAGE: line 2: Executed script with MIME type: 'text/vbs'. -
trunk/LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed.html
r142683 r230602 11 11 var unscriptyMimeTypes = [ 12 12 'application/json', 13 'image/png',14 13 'text/html', 15 14 'text/vbs', -
trunk/LayoutTests/http/tests/security/contentTypeOptions/resources/script-with-header.pl
r230346 r230602 8 8 print "Content-Type: " . $cgi->param('mime') . "\n"; 9 9 } 10 if ($cgi->param('options')) { 11 print "X-Content-Type-Options: " . $cgi->param('options') . "\n"; 12 } else { 13 print "X-Content-Type-Options: nosniff\n"; 10 if (!$cgi->param('no-content-type-options')) { 11 if ($cgi->param('options')) { 12 print "X-Content-Type-Options: " . $cgi->param('options') . "\n"; 13 } else { 14 print "X-Content-Type-Options: nosniff\n"; 15 } 14 16 } 15 17 print "\n"; -
trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-expected.txt
r210546 r230602 6 6 7 7 Trying to load sequentially the same script from different origins. 8 Test 1 PASS: Loaded script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:8000 (crossOrigin=anonymous)9 Test 2 PASS: Did not load script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:8080 (crossOrigin=anonymous)10 Test 3 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:808011 Test 4 PASS: Did not load script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js from localhost:8080 (crossOrigin=anonymous)12 Test 5 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js from localhost:8000 (crossOrigin=anonymous)13 Test 6 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js from localhost:8080 (crossOrigin=anonymous)8 Test 1 PASS: Loaded script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript from localhost:8000 (crossOrigin=anonymous) 9 Test 2 PASS: Did not load script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript from localhost:8080 (crossOrigin=anonymous) 10 Test 3 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript from localhost:8080 11 Test 4 PASS: Did not load script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript from localhost:8080 (crossOrigin=anonymous) 12 Test 5 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js&contentType=text/javascript from localhost:8000 (crossOrigin=anonymous) 13 Test 6 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js&contentType=text/javascript from localhost:8080 (crossOrigin=anonymous) 14 14 15 15 -
trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel-expected.txt
r205908 r230602 6 6 7 7 Trying to load sequentially the same script from various origins. 8 Test 1 PASS: Loaded script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000 from localhost:8000 (crossOrigin=anonymous)9 Test 2 PASS: Did not load script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000 from localhost:8080 (crossOrigin=anonymous)10 Test 3 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000 from localhost:808011 Test 4 PASS: Did not load script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000 from localhost:8080 (crossOrigin=anonymous)8 Test 1 PASS: Loaded script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript from localhost:8000 (crossOrigin=anonymous) 9 Test 2 PASS: Did not load script http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript from localhost:8080 (crossOrigin=anonymous) 10 Test 3 PASS: Loaded script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript from localhost:8080 11 Test 4 PASS: Did not load script http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript from localhost:8080 (crossOrigin=anonymous) 12 12 13 13 -
trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts-parallel.html
r205908 r230602 37 37 var iframeURL8080 = "http://localhost:8080/security/resources/cross-origin-cached-resource-iframe.html"; 38 38 39 var allow8000Script1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000 ";40 var allow8000Script2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000 ";39 var allow8000Script1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript"; 40 var allow8000Script2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&delay=1000&contentType=text/javascript"; 41 41 42 42 function firstTest() -
trunk/LayoutTests/http/tests/security/cross-origin-cached-scripts.html
r210546 r230602 30 30 var iframeURL8080 = "http://localhost:8080/security/resources/cross-origin-cached-resource-iframe.html"; 31 31 32 var allow8000Script1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js ";33 var allow8000Script2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js ";34 var allow8000Script3 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js ";32 var allow8000Script1 = "http://127.0.0.1:8000/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript"; 33 var allow8000Script2 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=http%3A%2F%2Flocalhost%3A8000&name=notify-loaded.js&contentType=text/javascript"; 34 var allow8000Script3 = "http://127.0.0.1:8080/security/resources/allow-if-origin.php?allowCache&origin=*&name=notify-loaded.js&contentType=text/javascript"; 35 35 36 36 var counter = 0; -
trunk/LayoutTests/imported/w3c/ChangeLog
r230594 r230602 1 2018-04-12 Daniel Bates <dabates@apple.com> 2 3 Content-Type not enforced for <script> allows for XSS 4 https://bugs.webkit.org/show_bug.cgi?id=184386 5 <rdar://problem/39112268> 6 7 Reviewed by Brady Eidson. 8 9 Update expected result now that we pass all sub tests. 10 11 * web-platform-tests/fetch/api/basic/block-mime-as-script-expected.txt: 12 1 13 2018-04-12 Antoine Quint <graouts@apple.com> 2 14 -
trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/basic/block-mime-as-script-expected.txt
r222307 r230602 1 CONSOLE MESSAGE: line 1: Script loaded2 CONSOLE MESSAGE: line 1: Script loaded3 CONSOLE MESSAGE: line 1: Script loaded4 CONSOLE MESSAGE: line 1: Script loaded5 CONSOLE MESSAGE: line 1: Script loaded6 CONSOLE MESSAGE: line 1: Script loaded7 CONSOLE MESSAGE: line 1: Script loaded8 CONSOLE MESSAGE: line 1: Script loaded9 CONSOLE MESSAGE: line 1: Script loaded10 CONSOLE MESSAGE: line 1: Script loaded11 CONSOLE MESSAGE: line 1: Script loaded12 CONSOLE MESSAGE: line 1: Script loaded13 1 14 FAIL Should fail loading non-empty script with text/csv MIME type assert_unreached: Unexpected load event Reached unreachable code 15 FAIL Should fail loading non-empty script with audio/aiff MIME type assert_unreached: Unexpected load event Reached unreachable code 16 FAIL Should fail loading non-empty script with audio/midi MIME type assert_unreached: Unexpected load event Reached unreachable code 17 FAIL Should fail loading non-empty script with audio/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code 18 FAIL Should fail loading non-empty script with video/avi MIME type assert_unreached: Unexpected load event Reached unreachable code 19 FAIL Should fail loading non-empty script with video/fli MIME type assert_unreached: Unexpected load event Reached unreachable code 20 FAIL Should fail loading non-empty script with video/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code 21 FAIL Should fail loading non-empty script with image/jpeg MIME type assert_unreached: Unexpected load event Reached unreachable code 22 FAIL Should fail loading non-empty script with image/gif MIME type assert_unreached: Unexpected load event Reached unreachable code 23 FAIL Should fail loading non-empty script with image/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code 24 FAIL Should fail loading empty script with text/csv MIME type assert_unreached: Unexpected load event Reached unreachable code 25 FAIL Should fail loading empty script with audio/aiff MIME type assert_unreached: Unexpected load event Reached unreachable code 26 FAIL Should fail loading empty script with audio/midi MIME type assert_unreached: Unexpected load event Reached unreachable code 27 FAIL Should fail loading empty script with audio/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code 28 FAIL Should fail loading empty script with video/avi MIME type assert_unreached: Unexpected load event Reached unreachable code 29 FAIL Should fail loading empty script with video/fli MIME type assert_unreached: Unexpected load event Reached unreachable code 30 FAIL Should fail loading empty script with video/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code 31 FAIL Should fail loading empty script with image/jpeg MIME type assert_unreached: Unexpected load event Reached unreachable code 32 FAIL Should fail loading empty script with image/gif MIME type assert_unreached: Unexpected load event Reached unreachable code 33 FAIL Should fail loading empty script with image/whatever MIME type assert_unreached: Unexpected load event Reached unreachable code 2 PASS Should fail loading non-empty script with text/csv MIME type 3 PASS Should fail loading non-empty script with audio/aiff MIME type 4 PASS Should fail loading non-empty script with audio/midi MIME type 5 PASS Should fail loading non-empty script with audio/whatever MIME type 6 PASS Should fail loading non-empty script with video/avi MIME type 7 PASS Should fail loading non-empty script with video/fli MIME type 8 PASS Should fail loading non-empty script with video/whatever MIME type 9 PASS Should fail loading non-empty script with image/jpeg MIME type 10 PASS Should fail loading non-empty script with image/gif MIME type 11 PASS Should fail loading non-empty script with image/whatever MIME type 12 PASS Should fail loading empty script with text/csv MIME type 13 PASS Should fail loading empty script with audio/aiff MIME type 14 PASS Should fail loading empty script with audio/midi MIME type 15 PASS Should fail loading empty script with audio/whatever MIME type 16 PASS Should fail loading empty script with video/avi MIME type 17 PASS Should fail loading empty script with video/fli MIME type 18 PASS Should fail loading empty script with video/whatever MIME type 19 PASS Should fail loading empty script with image/jpeg MIME type 20 PASS Should fail loading empty script with image/gif MIME type 21 PASS Should fail loading empty script with image/whatever MIME type 34 22 PASS Should load script with text/html MIME type 35 23 PASS Should load script with text/plain MIME type -
trunk/Source/WebCore/ChangeLog
r230595 r230602 1 2018-04-12 Daniel Bates <dabates@apple.com> 2 3 Content-Type not enforced for <script> allows for XSS 4 https://bugs.webkit.org/show_bug.cgi?id=184386 5 <rdar://problem/39112268> 6 7 Reviewed by Brady Eidson. 8 9 As per the Fetch standard, <https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-mime-type?> (16 March 2018), 10 we should block JavaScript scripts that are served with MIME type text/csv, or a MIME type 11 that begins with "audio/", "image/" or "video/". 12 13 As a side benefit of this change we now set the destination property [1] on preload requests. 14 15 [1] <https://fetch.spec.whatwg.org/#concept-request-destination> 16 17 Tests: http/tests/security/script-with-banned-mimetype.html 18 http/tests/workers/worker-importScripts-banned-mimetype.html 19 20 * Sources.txt: Add file FetchIdioms.cpp. 21 * WebCore.xcodeproj/project.pbxproj: Add files FetchIdioms.{cpp, h}. 22 * dom/LoadableClassicScript.cpp: 23 (WebCore::LoadableClassicScript::notifyFinished): Check the MIME type of the response and 24 block the script if applicable. 25 * dom/LoadableScript.h: Add error type MIMEType. 26 * loader/FetchIdioms.cpp: Added. 27 (WebCore::shouldBlockResponseDueToMIMEType): Implements the "Should response to request be blocked 28 due to its MIME type?" algorithm from the Fetch standard. 29 * loader/FetchIdioms.h: Added. 30 * loader/FetchOptions.h: 31 (WebCore::isScriptLikeDestination): Implements the definition of "script like" as per <https://fetch.spec.whatwg.org/#request-destination-script-like>. 32 * loader/cache/CachedResourceLoader.cpp: 33 (WebCore::CachedResourceLoader::requestImage): Removed logic to set the destination property as 34 CachedResourceLoader::requestResource() is now responsible for doing this. 35 (WebCore::CachedResourceLoader::requestFont): Ditto. 36 (WebCore::CachedResourceLoader::requestTextTrack): Ditto. 37 (WebCore::CachedResourceLoader::requestCSSStyleSheet): Ditto. 38 (WebCore::CachedResourceLoader::requestScript): Ditto. 39 (WebCore::CachedResourceLoader::requestXSLStyleSheet): Ditto. 40 (WebCore::CachedResourceLoader::requestMedia): Update comment to express that we should assert 41 that the destination property is either video or audio. 42 (WebCore::CachedResourceLoader::requestIcon): Remove logic to set the destination property as 43 CachedResourceLoader::requestResource() is now responsible for doing this. 44 (WebCore::CachedResourceLoader::requestRawResource): Removed assertion as this function is used to 45 load many kinds of requests that have different destination properties. The caller is responsible 46 for setting the appropriate destintion property. 47 (WebCore::CachedResourceLoader::requestMainResource): Remove logic to set the destination property 48 as CachedResourceLoader::requestResource() is now responsible for doing this. 49 (WebCore::destinationForType): Helper function that maps CachedResource::Type to FetchOptions::Destination. 50 (WebCore::CachedResourceLoader::requestResource): Set the destination property on the request if not 51 already set. 52 * loader/cache/CachedResourceLoader.h: Segregate requestRawResource() from the other request functions 53 and add a comment to explain what it is used for. 54 * workers/Worker.cpp: 55 (WebCore::Worker::create): 56 * workers/WorkerScriptLoader.cpp: 57 (WebCore::WorkerScriptLoader::loadSynchronously): Set the destination property to FetchOptions::Destination::Script 58 and store it in an instance variable as we will need to reference it once we receive the HTTP response. 59 Note that this function is only used to support the Web API importScripts(). 60 (WebCore::WorkerScriptLoader::loadAsynchronously): Store the passed destination property in an 61 instance as we will need to reference it once we receive the HTTP response. 62 (WebCore::WorkerScriptLoader::didReceiveResponse): Check the MIME type of the response and 63 block the script if applicable. 64 * workers/WorkerScriptLoader.h: 65 * workers/service/ServiceWorkerJob.cpp: 66 (WebCore::ServiceWorkerJob::fetchScriptWithContext): Set the destination property to FetchOptions::Destination::Serviceworker. 67 1 68 2018-04-12 Antoine Quint <graouts@apple.com> 2 69 -
trunk/Source/WebCore/Sources.txt
r230226 r230602 1225 1225 loader/FrameLoader.cpp 1226 1226 loader/FrameLoaderStateMachine.cpp 1227 loader/FetchIdioms.cpp 1227 1228 loader/HTTPHeaderField.cpp 1228 1229 loader/HistoryController.cpp -
trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj
r230544 r230602 4060 4060 CE7B2DB51586ABAD0098B3FA /* TextAlternativeWithRange.h in Headers */ = {isa = PBXBuildFile; fileRef = CE7B2DB11586ABAD0098B3FA /* TextAlternativeWithRange.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4061 4061 CE7E17831C83A49100AD06AF /* ContentSecurityPolicyHash.h in Headers */ = {isa = PBXBuildFile; fileRef = CE7E17821C83A49100AD06AF /* ContentSecurityPolicyHash.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4062 CEBB8C3320786DCB00039547 /* FetchIdioms.h in Headers */ = {isa = PBXBuildFile; fileRef = CEBB8C3120786DCB00039547 /* FetchIdioms.h */; }; 4062 4063 CECADFC7153778FF00E37068 /* DictationAlternative.h in Headers */ = {isa = PBXBuildFile; fileRef = CECADFC3153778FF00E37068 /* DictationAlternative.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4063 4064 CECADFC9153778FF00E37068 /* DictationCommand.h in Headers */ = {isa = PBXBuildFile; fileRef = CECADFC5153778FF00E37068 /* DictationCommand.h */; }; … … 13350 13351 CE7B2DB21586ABAD0098B3FA /* TextAlternativeWithRange.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = TextAlternativeWithRange.mm; sourceTree = "<group>"; }; 13351 13352 CE7E17821C83A49100AD06AF /* ContentSecurityPolicyHash.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ContentSecurityPolicyHash.h; path = csp/ContentSecurityPolicyHash.h; sourceTree = "<group>"; }; 13353 CEBB8C3120786DCB00039547 /* FetchIdioms.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = FetchIdioms.h; sourceTree = "<group>"; }; 13354 CEBB8C3220786DCB00039547 /* FetchIdioms.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = FetchIdioms.cpp; sourceTree = "<group>"; }; 13352 13355 CECADFC2153778FF00E37068 /* DictationAlternative.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DictationAlternative.cpp; sourceTree = "<group>"; }; 13353 13356 CECADFC3153778FF00E37068 /* DictationAlternative.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DictationAlternative.h; sourceTree = "<group>"; }; … … 23910 23913 B255990D0D00D8B900BB825C /* EmptyClients.h */, 23911 23914 414DEDE51F9FE9150047C40D /* EmptyFrameLoaderClient.h */, 23915 CEBB8C3220786DCB00039547 /* FetchIdioms.cpp */, 23916 CEBB8C3120786DCB00039547 /* FetchIdioms.h */, 23912 23917 41AD75391CEF6BCE00A31486 /* FetchOptions.h */, 23913 23918 656D37230ADBA5DE00A4554D /* FormState.cpp */, … … 27535 27540 4129C9971F59B963009D7403 /* FetchBodySource.h in Headers */, 27536 27541 41D129DB1F3D143800D15E47 /* FetchHeaders.h in Headers */, 27542 CEBB8C3320786DCB00039547 /* FetchIdioms.h in Headers */, 27537 27543 4161E2D51FE48DC500EC2E96 /* FetchLoader.h in Headers */, 27538 27544 517A53581F5889E800DCDC0A /* FetchLoaderClient.h in Headers */, -
trunk/Source/WebCore/dom/LoadableClassicScript.cpp
r230346 r230602 27 27 #include "LoadableClassicScript.h" 28 28 29 #include "FetchIdioms.h" 29 30 #include "ScriptElement.h" 30 31 #include "ScriptSourceCode.h" … … 96 97 } 97 98 99 if (!m_error && shouldBlockResponseDueToMIMEType(m_cachedScript->response(), m_cachedScript->options().destination)) { 100 m_error = Error { 101 ErrorType::MIMEType, 102 ConsoleMessage { 103 MessageSource::Security, 104 MessageLevel::Error, 105 makeString("Refused to execute ", m_cachedScript->url().stringCenterEllipsizedToLength(), " as script because ", m_cachedScript->response().mimeType(), " is not a script MIME type.") 106 } 107 }; 108 } 109 98 110 if (!m_error && !resource.errorOccurred() && !matchIntegrityMetadata(resource, m_integrity)) { 99 111 m_error = Error { -
trunk/Source/WebCore/dom/LoadableScript.h
r228218 r230602 41 41 CachedScript, 42 42 CrossOriginLoad, 43 MIMEType, 43 44 Nosniff, 44 45 FailedIntegrityCheck, -
trunk/Source/WebCore/loader/FetchOptions.h
r225294 r230602 89 89 } 90 90 91 inline bool isScriptLikeDestination(FetchOptions::Destination destination) 92 { 93 return destination == FetchOptions::Destination::Script 94 || destination == FetchOptions::Destination::Serviceworker 95 || destination == FetchOptions::Destination::Worker; 96 } 97 91 98 } 92 99 -
trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp
r230489 r230602 198 198 ResourceErrorOr<CachedResourceHandle<CachedImage>> CachedResourceLoader::requestImage(CachedResourceRequest&& request) 199 199 { 200 request.setDestinationIfNotSet(FetchOptions::Destination::Image);201 200 if (Frame* frame = this->frame()) { 202 201 if (frame->loader().pageDismissalEventBeingDispatched() != FrameLoader::PageDismissalType::None) { … … 216 215 ResourceErrorOr<CachedResourceHandle<CachedFont>> CachedResourceLoader::requestFont(CachedResourceRequest&& request, bool isSVG) 217 216 { 218 request.setDestinationIfNotSet(FetchOptions::Destination::Font);219 217 #if ENABLE(SVG_FONTS) 220 218 if (isSVG) … … 229 227 ResourceErrorOr<CachedResourceHandle<CachedTextTrack>> CachedResourceLoader::requestTextTrack(CachedResourceRequest&& request) 230 228 { 231 request.setDestinationIfNotSet(FetchOptions::Destination::Track);232 229 return castCachedResourceTo<CachedTextTrack>(requestResource(CachedResource::TextTrackResource, WTFMove(request))); 233 230 } … … 236 233 ResourceErrorOr<CachedResourceHandle<CachedCSSStyleSheet>> CachedResourceLoader::requestCSSStyleSheet(CachedResourceRequest&& request) 237 234 { 238 request.setDestinationIfNotSet(FetchOptions::Destination::Style);239 235 return castCachedResourceTo<CachedCSSStyleSheet>(requestResource(CachedResource::CSSStyleSheet, WTFMove(request))); 240 236 } … … 270 266 ResourceErrorOr<CachedResourceHandle<CachedScript>> CachedResourceLoader::requestScript(CachedResourceRequest&& request) 271 267 { 272 request.setDestinationIfNotSet(FetchOptions::Destination::Script);273 268 return castCachedResourceTo<CachedScript>(requestResource(CachedResource::Script, WTFMove(request))); 274 269 } … … 277 272 ResourceErrorOr<CachedResourceHandle<CachedXSLStyleSheet>> CachedResourceLoader::requestXSLStyleSheet(CachedResourceRequest&& request) 278 273 { 279 request.setDestinationIfNotSet(FetchOptions::Destination::Xslt);280 274 return castCachedResourceTo<CachedXSLStyleSheet>(requestResource(CachedResource::XSLStyleSheet, WTFMove(request))); 281 275 } … … 296 290 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> CachedResourceLoader::requestMedia(CachedResourceRequest&& request) 297 291 { 298 // FIXME: Set destination to either audio or video.292 // FIXME: Assert request.options().destination is FetchOptions::Destination::{Audio, Video}. 299 293 return castCachedResourceTo<CachedRawResource>(requestResource(CachedResource::MediaResource, WTFMove(request))); 300 294 } … … 302 296 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> CachedResourceLoader::requestIcon(CachedResourceRequest&& request) 303 297 { 304 request.setDestinationIfNotSet(FetchOptions::Destination::Image);305 298 return castCachedResourceTo<CachedRawResource>(requestResource(CachedResource::Icon, WTFMove(request))); 306 299 } … … 308 301 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> CachedResourceLoader::requestRawResource(CachedResourceRequest&& request) 309 302 { 310 ASSERT(request.options().destination == FetchOptions::Destination::EmptyString || request.options().serviceWorkersMode == ServiceWorkersMode::None);311 303 return castCachedResourceTo<CachedRawResource>(requestResource(CachedResource::RawResource, WTFMove(request))); 312 304 } … … 320 312 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> CachedResourceLoader::requestMainResource(CachedResourceRequest&& request) 321 313 { 322 request.setDestinationIfNotSet(FetchOptions::Destination::Document);323 314 return castCachedResourceTo<CachedRawResource>(requestResource(CachedResource::MainResource, WTFMove(request))); 324 315 } … … 739 730 } 740 731 732 static FetchOptions::Destination destinationForType(CachedResource::Type type) 733 { 734 switch (type) { 735 case CachedResource::MainResource: 736 case CachedResource::SVGDocumentResource: 737 return FetchOptions::Destination::Document; 738 case CachedResource::ImageResource: 739 case CachedResource::Icon: 740 return FetchOptions::Destination::Image; 741 case CachedResource::CSSStyleSheet: 742 return FetchOptions::Destination::Style; 743 case CachedResource::Script: 744 return FetchOptions::Destination::Script; 745 case CachedResource::FontResource: 746 #if ENABLE(SVG_FONTS) 747 case CachedResource::SVGFontResource: 748 #endif 749 return FetchOptions::Destination::Font; 750 #if ENABLE(XSLT) 751 case CachedResource::XSLStyleSheet: 752 return FetchOptions::Destination::Xslt; 753 #endif 754 #if ENABLE(VIDEO_TRACK) 755 case CachedResource::TextTrackResource: 756 return FetchOptions::Destination::Track; 757 #endif 758 #if ENABLE(APPLICATION_MANIFEST) 759 case CachedResource::ApplicationManifest: 760 return FetchOptions::Destination::Manifest; 761 #endif 762 case CachedResource::Beacon: 763 case CachedResource::LinkPrefetch: 764 case CachedResource::RawResource: 765 case CachedResource::MediaResource: 766 // The caller is responsible for setting the appropriate destination. 767 return FetchOptions::Destination::EmptyString; 768 } 769 } 770 741 771 ResourceErrorOr<CachedResourceHandle<CachedResource>> CachedResourceLoader::requestResource(CachedResource::Type type, CachedResourceRequest&& request, ForPreload forPreload, DeferOption defer) 742 772 { 773 request.setDestinationIfNotSet(destinationForType(type)); 774 743 775 // Entry point to https://fetch.spec.whatwg.org/#main-fetch. 744 776 std::unique_ptr<ResourceRequest> originalRequest; -
trunk/Source/WebCore/loader/cache/CachedResourceLoader.h
r229563 r230602 88 88 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> requestIcon(CachedResourceRequest&&); 89 89 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> requestBeaconResource(CachedResourceRequest&&); 90 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> requestRawResource(CachedResourceRequest&&);91 90 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> requestMainResource(CachedResourceRequest&&); 92 91 ResourceErrorOr<CachedResourceHandle<CachedSVGDocument>> requestSVGDocument(CachedResourceRequest&&); … … 101 100 ResourceErrorOr<CachedResourceHandle<CachedApplicationManifest>> requestApplicationManifest(CachedResourceRequest&&); 102 101 #endif 102 103 // Called to load Web Worker main script, Service Worker main script, importScripts(), XHR, 104 // EventSource, Fetch, and App Cache. 105 ResourceErrorOr<CachedResourceHandle<CachedRawResource>> requestRawResource(CachedResourceRequest&&); 103 106 104 107 // Logs an access denied message to the console for the specified URL. -
trunk/Source/WebCore/workers/Worker.cpp
r230374 r230602 108 108 options.cache = FetchOptions::Cache::Default; 109 109 options.redirect = FetchOptions::Redirect::Follow; 110 options.destination = FetchOptions::Destination::Worker; 110 111 worker->m_scriptLoader->loadAsynchronously(context, WTFMove(request), WTFMove(options), contentSecurityPolicyEnforcement, ServiceWorkersMode::All, worker); 111 112 return WTFMove(worker); -
trunk/Source/WebCore/workers/WorkerScriptLoader.cpp
r230374 r230602 29 29 30 30 #include "ContentSecurityPolicy.h" 31 #include "FetchIdioms.h" 31 32 #include "ResourceResponse.h" 32 33 #include "ScriptExecutionContext.h" … … 50 51 51 52 m_url = url; 53 m_destination = FetchOptions::Destination::Script; 52 54 53 55 std::unique_ptr<ResourceRequest> request(createResourceRequest(initiatorIdentifier)); … … 66 68 options.sendLoadCallbacks = SendCallbacks; 67 69 options.contentSecurityPolicyEnforcement = contentSecurityPolicyEnforcement; 70 options.destination = m_destination; 68 71 #if ENABLE(SERVICE_WORKER) 69 72 options.serviceWorkersMode = workerGlobalScope.isServiceWorkerGlobalScope() ? ServiceWorkersMode::None : ServiceWorkersMode::All; … … 78 81 m_client = &client; 79 82 m_url = scriptRequest.url(); 83 m_destination = fetchOptions.destination; 80 84 81 85 ASSERT(scriptRequest.httpMethod() == "GET"); … … 133 137 } 134 138 139 if (shouldBlockResponseDueToMIMEType(response, m_destination)) { 140 String message = makeString("Refused to execute ", response.url().stringCenterEllipsizedToLength(), " as script because ", response.mimeType(), " is not a script MIME type."); 141 m_error = ResourceError { errorDomainWebKitInternal, 0, response.url(), message, ResourceError::Type::General }; 142 m_failed = true; 143 return; 144 } 145 135 146 m_responseURL = response.url(); 136 147 m_responseMIMEType = response.mimeType(); -
trunk/Source/WebCore/workers/WorkerScriptLoader.h
r230374 r230602 28 28 29 29 #include "ContentSecurityPolicyResponseHeaders.h" 30 #include "FetchOptions.h" 30 31 #include "ResourceError.h" 31 32 #include "ResourceRequest.h" … … 92 93 URL m_responseURL; 93 94 String m_responseMIMEType; 95 FetchOptions::Destination m_destination; 94 96 ContentSecurityPolicyResponseHeaders m_contentSecurityPolicy; 95 97 unsigned long m_identifier { 0 }; -
trunk/Source/WebCore/workers/service/ServiceWorkerJob.cpp
r230374 r230602 103 103 options.cache = cachePolicy; 104 104 options.redirect = FetchOptions::Redirect::Error; 105 options.destination = FetchOptions::Destination::Serviceworker; 105 106 m_scriptLoader->loadAsynchronously(context, WTFMove(request), WTFMove(options), ContentSecurityPolicyEnforcement::DoNotEnforce, ServiceWorkersMode::None, *this); 106 107 }
Note: See TracChangeset
for help on using the changeset viewer.