Changeset 284254 in webkit


Timestamp:
Oct 15, 2021 10:39:39 AM (9 months ago)
Author:
Kate Cheney
Message:

CSP: Implement src-elem and src-attr directives
https://bugs.webkit.org/show_bug.cgi?id=231751
<rdar://problem/83332874>

Reviewed by Brent Fulgham.

LayoutTests/imported/w3c:

  • web-platform-tests/content-security-policy/child-src/child-src-blocked.sub-expected.txt:
  • web-platform-tests/content-security-policy/child-src/child-src-redirect-blocked.sub-expected.txt:
  • web-platform-tests/content-security-policy/default-src-inline-blocked.sub-expected.txt: Added.
  • web-platform-tests/content-security-policy/default-src/default-src-inline-blocked.sub-expected.txt:
  • web-platform-tests/content-security-policy/generic/generic-0_1-img-src-expected.txt:
  • web-platform-tests/content-security-policy/generic/generic-0_1-script-src-expected.txt:
  • web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub-expected.txt:
  • web-platform-tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp-expected.txt:
  • web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-expected.txt:
  • web-platform-tests/content-security-policy/reporting/report-uri-effective-directive-expected.txt:
  • web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked-expected.txt:
  • web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed-expected.txt:
  • web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked-expected.txt:
  • web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked-expected.txt:
  • web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed-expected.txt:
  • web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed-expected.txt:
  • web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub-expected.txt:
  • web-platform-tests/content-security-policy/script-src/script-src-1_1-expected.txt:
  • web-platform-tests/content-security-policy/script-src/script-src-1_10-expected.txt:
  • web-platform-tests/content-security-policy/script-src/script-src-1_2-expected.txt:
  • web-platform-tests/content-security-policy/script-src/script-src-1_2_1-expected.txt:
  • web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy-expected.txt:
  • web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub-expected.txt:
  • web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub-expected.txt:
  • web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub-expected.txt:
  • web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub-expected.txt:
  • web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked-expected.txt:
  • web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed-expected.txt:
  • web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked-expected.txt:
  • web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked-expected.txt:
  • web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed-expected.txt:
  • web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed-expected.txt:
  • web-platform-tests/content-security-policy/style-src/injected-inline-script-blocked.sub-expected.txt: Added.
  • web-platform-tests/content-security-policy/style-src/injected-inline-style-blocked.sub-expected.txt:
  • web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub-expected.txt:
  • web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked-expected.txt: Added.
  • web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked.sub-expected.txt:
  • web-platform-tests/content-security-policy/style-src/style-src-hash-blocked-expected.txt:
  • web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-blocked-expected.txt:
  • web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked-expected.txt:
  • web-platform-tests/content-security-policy/style-src/style-src-inline-style-blocked-expected.txt:
  • web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-expected.txt:
  • web-platform-tests/content-security-policy/style-src/stylehash-basic-blocked.sub-expected.txt:
  • web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub-expected.txt:
  • web-platform-tests/content-security-policy/style-src/stylenonce-blocked.sub-expected.txt:
  • web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href-expected.txt:
  • web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-expected.txt:
  • web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open-expected.txt:
  • web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href-expected.txt:
  • web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-expected.txt:
  • web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open-expected.txt:
  • web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes-expected.txt:
  • web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash-expected.txt:
  • web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes-expected.txt:
  • web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash-expected.txt:
  • web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub-expected.txt:
  • web-platform-tests/content-security-policy/generic/generic-0_10_1.sub-expected.txt:
  • web-platform-tests/content-security-policy/generic/generic-0_2_2.sub-expected.txt:
  • web-platform-tests/content-security-policy/generic/generic-0_2_3-expected.txt:
  • web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt:
  • web-platform-tests/content-security-policy/style-src/style-blocked.sub-expected.txt:
  • web-platform-tests/content-security-policy/style-src/style-src-imported-style-blocked-expected.txt:
  • web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub-expected.txt:
  • web-platform-tests/content-security-policy/style-src/style-src-none-blocked-expected.txt:
  • web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked-expected.txt:
  • web-platform-tests/content-security-policy/svg/svg-inline.sub-expected.txt:

Source/WebCore:

Implement script-src-elem, script-src-attr, style-src-elem, and
style-src-attr directives. *-elem directives specify load policy for
<script> and <style> elements. *-attr directives specify load policy
for inline event handlers or inline style applied to individual DOM elements.

To match behavior of wpt tests and other browsers, we should report
the violated directive as accurately as possible even if a more
general directive was specified in the policy. For example, reporting
the violated directive as script-src even if default-src was
specified, and script-src-elem even if only script-src was specified.
To do this I added a nameForReporting() method in the
ContentSecurityPolicySourceListDirective class that gets set when we
check the load for violations.

Console messages should not change, in fact, we should consider making
them more specific in the future.

  • page/csp/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
(WebCore::ContentSecurityPolicy::allowInlineScript const):
(WebCore::ContentSecurityPolicy::allowInlineStyle const):
We can reuse the check for unsafe hashes to determine if we should
report a style-src-elem or style-src-attr violation.

(WebCore::ContentSecurityPolicy::reportViolation const):

  • page/csp/ContentSecurityPolicyDirective.cpp:

(WebCore::ContentSecurityPolicyDirective::~ContentSecurityPolicyDirective):
Need a destructor now that we have virtual functions.

  • page/csp/ContentSecurityPolicyDirective.h:

(WebCore::ContentSecurityPolicyDirective::nameForReporting const):

  • page/csp/ContentSecurityPolicyDirectiveList.cpp:

(WebCore::ContentSecurityPolicyDirectiveList::create):
unsafe-eval should still have script-src as a violated directive.

(WebCore::ContentSecurityPolicyDirectiveList::operativeDirective const):
(WebCore::ContentSecurityPolicyDirectiveList::operativeDirectiveScript const):
(WebCore::ContentSecurityPolicyDirectiveList::operativeDirectiveStyle const):
elem/attr directives fall back to their respective general directives
if the more specific ones do not exist.

(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeEval const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForParserInsertedScript const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptAttribute const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleElement const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleAttribute const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptNonce const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleNonce const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFont const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForImage const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForManifest const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle const):
(WebCore::ContentSecurityPolicyDirectiveList::addDirective):
(WebCore::ContentSecurityPolicyDirectiveList::strictDynamicIncluded):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript const): Deleted.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyle const): Deleted.

  • page/csp/ContentSecurityPolicyDirectiveList.h:
  • page/csp/ContentSecurityPolicyDirectiveNames.cpp:
  • page/csp/ContentSecurityPolicyDirectiveNames.h:
  • page/csp/ContentSecurityPolicySourceListDirective.h:

(WebCore::ContentSecurityPolicySourceListDirective::setNameForReporting):

LayoutTests:

  • http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt:
  • http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt:

These should both be reporting frame-src as the violated directive;
this behavior was confirmed against Chrome.

  • http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
  • http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
Location:
trunk
Files:
5 added
97 edited

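--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,34 @@
+2021-10-15  Kate Cheney  <katherine_cheney@apple.com>
+
+        CSP: Implement src-elem and src-attr directives
+        https://bugs.webkit.org/show_bug.cgi?id=231751
+        <rdar://problem/83332874>
+
+        Reviewed by Brent Fulgham.
+
+        * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt:
+        These should both be reproting frame-src as the violated directive,
+        confirmed this behavior against Chrome.
+
+        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
+
 2021-10-15  Ayumi Kojima  <ayumi_kojima@apple.com>
 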
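--- a/trunk/LayoutTests/TestExpectations
+++ b/trunk/LayoutTests/TestExpectations
@@ -908,6 +908,4 @@
 
 # Skip Content Security Policy tests that time out
-imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/ [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/ [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/navigate-to/href-location-cross-origin-allowed.sub.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-error-event.html [ Skip ]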
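--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt
@@ -7,3 +7,3 @@
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.py","referrer":"","violated-directive":"default-src","effective-directive":"script-src","original-policy":"default-src 'self'; report-uri ../resources/save-report.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"default-src 'self'; report-uri ../resources/save-report.py","blocked-uri":"inline","status-code":200}}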
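Review bot: The rewritten expectation on line 9 changes `violated-directive` to `script-src-elem` but leaves `effective-directive` as `script-src`, so the two fields of one report now disagree; as I read CSP3, `violated-directive` is a historical alias whose value must equal `effective-directive`, which would make the expected pair `"violated-directive":"script-src-elem","effective-directive":"script-src-elem"`. If keeping the broader name in `effective-directive` is intentional for compatibility with existing report consumers, that choice deserves a sentence in the ChangeLog, because report-uri endpoints that key on `effective-directive` will otherwise never see the new *-elem/*-attr names. The same mismatch appears in every other expected.txt section on this page (script-blocked-sends-multiple-reports, the scripthash-* and scriptnonce-* files).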
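--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports-expected.txt
@@ -14,5 +14,5 @@
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=script-blocked-sends-multiple-reports-report-only
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src http://example.com 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-report-only","blocked-uri":"http://localhost:8000","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src http://example.com 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-report-only","blocked-uri":"http://localhost:8000","status-code":200}}
 
 --------
@@ -26,5 +26,5 @@
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-1
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src http://127.0.0.1:8000 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-1","blocked-uri":"http://localhost:8000","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src http://127.0.0.1:8000 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-1","blocked-uri":"http://localhost:8000","status-code":200}}
 
 --------
@@ -38,3 +38,3 @@
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-2
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":" script-src http://127.0.0.1:8000 https://127.0.0.1:8443 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-2","blocked-uri":"http://localhost:8000","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/script-blocked-sends-multiple-reports.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":" script-src http://127.0.0.1:8000 https://127.0.0.1:8443 'unsafe-inline'; report-uri ../resources/save-report.py?test=script-blocked-sends-multiple-reports-enforced-2","blocked-uri":"http://localhost:8000","status-code":200}}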
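--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt
@@ -14,3 +14,3 @@
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}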
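--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt
@@ -14,3 +14,3 @@
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}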
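--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
@@ -14,3 +14,3 @@
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}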
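--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
@@ -14,3 +14,3 @@
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}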
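--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt
@@ -16,3 +16,3 @@
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}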
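--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt
@@ -14,3 +14,3 @@
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}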
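--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt
@@ -14,3 +14,3 @@
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py
 === POST DATA ===
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}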
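Review bot: The rebaselined report on the added line keeps `"effective-directive":"script-src"` while `"violated-directive"` becomes `script-src-elem`, so the two fields of a single report now name different directives. CSP Level 3 serializes both fields from the same violated-directive value (violated-directive being the legacy alias), so a consumer that keys on effective-directive still never sees the granular directive; if keeping the coarse name there is deliberate for compatibility, the ChangeLog should say so. The same split appears in every save-report expectation in this changeset (the scriptnonce-blocked-by-enforced-policy, report-and-enforce, report-only, report-only-from-header, report-only-upgrade-insecure, report-status-code-zero-when-using-https, report-uri, report-uri-from-child-frame and report-uri-scheme-relative sections) and, as `violatedDirective` "frame-src" against `effectiveDirective` "child-src", in the securityviolationpolicy-block-frame-using-child-src and -default-src tests and their expectations.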
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt

    r284067 r284254  
    1717REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py
    1818=== POST DATA ===
    19 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}
     19{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}
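--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src-expected.txt
@@ -9,5 +9,5 @@
 PASS window.e.referrer is ""
 PASS window.e.blockedURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html"
-PASS window.e.violatedDirective is "child-src"
+PASS window.e.violatedDirective is "frame-src"
 PASS window.e.effectiveDirective is "child-src"
 PASS window.e.originalPolicy is "child-src 'none'"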
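--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-child-src.html
@@ -12,5 +12,5 @@
     "referrer": document.referrer,
     "blockedURI": "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html",
-    "violatedDirective": "child-src",
+    "violatedDirective": "frame-src",
     "effectiveDirective": "child-src",
     "originalPolicy": "child-src 'none'",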
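--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src-expected.txt
@@ -9,5 +9,5 @@
 PASS window.e.referrer is ""
 PASS window.e.blockedURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html"
-PASS window.e.violatedDirective is "default-src"
+PASS window.e.violatedDirective is "frame-src"
 PASS window.e.effectiveDirective is "child-src"
 PASS window.e.originalPolicy is "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"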
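--- a/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html
+++ b/trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securityviolationpolicy-block-frame-using-default-src.html
@@ -12,5 +12,5 @@
     "referrer": document.referrer,
     "blockedURI": "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html",
-    "violatedDirective": "default-src",
+    "violatedDirective": "frame-src",
     "effectiveDirective": "child-src",
     "originalPolicy": "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'",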
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt

    r284067 r284254  
    99REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
    1010=== POST DATA ===
    11 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
     11{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt

    r284067 r284254  
    88REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
    99=== POST DATA ===
    10 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
     10{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt

    r284067 r284254  
    88REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
    99=== POST DATA ===
    10 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
     10{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt

    r284067 r284254  
    99REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
    1010=== POST DATA ===
    11 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
     11{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt

    r284067 r284254  
    1414REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
    1515=== POST DATA ===
    16 {"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"inline","status-code":0}}
     16{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"inline","status-code":0}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt

    r284067 r284254  
    77REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
    88=== POST DATA ===
    9 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
     9{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt

    r284067 r284254  
    1212REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
    1313=== POST DATA ===
    14 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"inline","status-code":200}}
     14{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"inline","status-code":200}}
  • trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt

    r284067 r284254  
    77REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
    88=== POST DATA ===
    9 {"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.py","blocked-uri":"inline","status-code":200}}
     9{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.py","referrer":"","violated-directive":"script-src-elem","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.py","blocked-uri":"inline","status-code":200}}
  • trunk/LayoutTests/imported/w3c/ChangeLog

    r284241 r284254  
     12021-10-15  Kate Cheney  <katherine_cheney@apple.com>
     2
     3        CSP: Implement src-elem and src-attr directives
     4        https://bugs.webkit.org/show_bug.cgi?id=231751
     5        <rdar://problem/83332874>
     6
     7        Reviewed by Brent Fulgham.
     8
     9        * web-platform-tests/content-security-policy/child-src/child-src-blocked.sub-expected.txt:
     10        * web-platform-tests/content-security-policy/child-src/child-src-redirect-blocked.sub-expected.txt:
     11        * web-platform-tests/content-security-policy/default-src-inline-blocked.sub-expected.txt: Added.
     12        * web-platform-tests/content-security-policy/default-src/default-src-inline-blocked.sub-expected.txt:
     13        * web-platform-tests/content-security-policy/generic/generic-0_1-img-src-expected.txt:
     14        * web-platform-tests/content-security-policy/generic/generic-0_1-script-src-expected.txt:
     15        * web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub-expected.txt:
     16        * web-platform-tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp-expected.txt:
     17        * web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-expected.txt:
     18        * web-platform-tests/content-security-policy/reporting/report-uri-effective-directive-expected.txt:
     19        * web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked-expected.txt:
     20        * web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed-expected.txt:
     21        * web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked-expected.txt:
     22        * web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked-expected.txt:
     23        * web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed-expected.txt:
     24        * web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed-expected.txt:
     25        * web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub-expected.txt:
     26        * web-platform-tests/content-security-policy/script-src/script-src-1_1-expected.txt:
     27        * web-platform-tests/content-security-policy/script-src/script-src-1_10-expected.txt:
     28        * web-platform-tests/content-security-policy/script-src/script-src-1_2-expected.txt:
     29        * web-platform-tests/content-security-policy/script-src/script-src-1_2_1-expected.txt:
     30        * web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy-expected.txt:
     31        * web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub-expected.txt:
     32        * web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub-expected.txt:
     33        * web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub-expected.txt:
     34        * web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub-expected.txt:
     35        * web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked-expected.txt:
     36        * web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed-expected.txt:
     37        * web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked-expected.txt:
     38        * web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked-expected.txt:
     39        * web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed-expected.txt:
     40        * web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed-expected.txt:
     41        * web-platform-tests/content-security-policy/style-src/injected-inline-script-blocked.sub-expected.txt: Added.
     42        * web-platform-tests/content-security-policy/style-src/injected-inline-style-blocked.sub-expected.txt:
     43        * web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub-expected.txt:
     44        * web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked-expected.txt: Added.
     45        * web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked.sub-expected.txt:
     46        * web-platform-tests/content-security-policy/style-src/style-src-hash-blocked-expected.txt:
     47        * web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-blocked-expected.txt:
     48        * web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked-expected.txt:
     49        * web-platform-tests/content-security-policy/style-src/style-src-inline-style-blocked-expected.txt:
     50        * web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-expected.txt:
     51        * web-platform-tests/content-security-policy/style-src/stylehash-basic-blocked.sub-expected.txt:
     52        * web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub-expected.txt:
     53        * web-platform-tests/content-security-policy/style-src/stylenonce-blocked.sub-expected.txt:
     54        * web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href-expected.txt:
     55        * web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-expected.txt:
     56        * web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open-expected.txt:
     57        * web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href-expected.txt:
     58        * web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-expected.txt:
     59        * web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open-expected.txt:
     60        * web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes-expected.txt:
     61        * web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash-expected.txt:
     62        * web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes-expected.txt:
     63        * web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash-expected.txt:
     64        * web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub-expected.txt:
     65        * web-platform-tests/content-security-policy/generic/generic-0_10_1.sub-expected.txt:
     66        * web-platform-tests/content-security-policy/generic/generic-0_2_2.sub-expected.txt:
     67        * web-platform-tests/content-security-policy/generic/generic-0_2_3-expected.txt:
     68        * web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt:
     69        * web-platform-tests/content-security-policy/style-src/style-blocked.sub-expected.txt:
     70        * web-platform-tests/content-security-policy/style-src/style-src-imported-style-blocked-expected.txt:
     71        * web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub-expected.txt:
     72        * web-platform-tests/content-security-policy/style-src/style-src-none-blocked-expected.txt:
     73        * web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked-expected.txt:
     74        * web-platform-tests/content-security-policy/svg/svg-inline.sub-expected.txt:
     75
    1762021-10-15  Alexey Shvayka  <shvaikalesh@gmail.com>
    277
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/blob-urls-do-not-match-self.sub-expected.txt

    r283111 r284254  
    22
    33
    4 FAIL Expecting logs: ["violated-directive=script-src-elem"] assert_unreached: unexpected log: violated-directive=script-src Reached unreachable code
     4PASS Expecting logs: ["violated-directive=script-src-elem"]
    55
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-blocked.sub-expected.txt

    r283111 r284254  
    33
    44
    5 FAIL Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] assert_unreached: unexpected log: violated-directive=child-src Reached unreachable code
     5PASS Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"]
    66
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/child-src/child-src-redirect-blocked.sub-expected.txt

    r283111 r284254  
    33
    44
    5 FAIL Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"] assert_unreached: unexpected log: violated-directive=child-src Reached unreachable code
     5PASS Expecting logs: ["PASS IFrame #1 generated a load event.", "violated-directive=frame-src"]
    66
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/default-src/default-src-inline-blocked.sub-expected.txt

    r283111 r284254  
    22
    33
    4 FAIL Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"] assert_unreached: unexpected log: violated-directive=default-src Reached unreachable code
     4PASS Expecting logs: ["violated-directive=script-src-elem","violated-directive=script-src-elem"]
    55
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-img-src-expected.txt

    r283111 r284254  
    33
    44PASS Verify cascading of default-src to img-src policy
    5 FAIL Should fire violation events for every failed violation assert_equals: expected "img-src" but got "default-src"
     5PASS Should fire violation events for every failed violation
    66
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_1-script-src-expected.txt

    r283111 r284254  
    44PASS Verify cascading of default-src to script-src policy: block
    55PASS Verify cascading of default-src to script-src policy: allow
    6 FAIL Should fire violation events for every failed violation assert_equals: expected "script-src-elem" but got "default-src"
     6PASS Should fire violation events for every failed violation
    77
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_10_1.sub-expected.txt

    r283111 r284254  
    33
    44PASS Prevents access to external scripts.
    5 FAIL Should fire violation events for every failed violation assert_equals: expected "script-src-elem" but got "script-src"
     5PASS Should fire violation events for every failed violation
    66
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_2.sub-expected.txt

    r283111 r284254  
    33
    44PASS Prevents access to external scripts.
    5 FAIL Should fire violation events for every failed violation assert_equals: expected "script-src-elem" but got "script-src"
     5PASS Should fire violation events for every failed violation
    66
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/generic/generic-0_2_3-expected.txt

    r283111 r284254  
    33
    44PASS Prevents access to external scripts.
    5 FAIL Should fire violation events for every failed violation assert_equals: expected "script-src-elem" but got "script-src"
     5PASS Should fire violation events for every failed violation
    66
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/meta/combine-header-and-meta-policies.sub-expected.txt

    r283111 r284254  
    33
    44
    5 FAIL Expecting logs: ["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"] assert_unreached: unexpected log: violated-directive=style-src Reached unreachable code
     5PASS Expecting logs: ["TEST COMPLETE", "violated-directive=img-src", "violated-directive=style-src-elem"]
    66PASS combine-header-and-meta-policies
    77
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/javascript-url-navigation-inherits-csp-expected.txt

    r283111 r284254  
    11
    2 FAIL Violation report status OK. assert_true: violated-directive value of  "default-src" did not match frame-src. expected true got false
     2PASS Violation report status OK.
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-javascript-parent-initiated-parent-csp-expected.txt

    r284067 r284254  
    11
    22
    3 FAIL Should not have executed the javascript url assert_equals: expected "script-src-attr" but got "script-src"
     3PASS Should not have executed the javascript url
    44
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/reporting/report-uri-effective-directive-expected.txt

    r283111 r284254  
    11
    2 FAIL Violation report status OK. assert_true: violated-directive value of  "default-src" did not match script-src. expected true got false
     2PASS Violation report status OK.
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-allowed-src-blocked-expected.txt

    r267651 r284254  
    1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-attr'.
    2 
    3 CONSOLE MESSAGE: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
    41
    52
    6 Harness Error (TIMEOUT), message = null
     3PASS Should not fire a security policy violation event
    74
    8 NOTRUN Should not fire a security policy violation event
    9 
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-attr-blocked-src-allowed-expected.txt

    r267651 r284254  
    1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-attr'.
    21
    32
     3PASS Should fire a security policy violation event
    44
    5 Harness Error (TIMEOUT), message = null
    6 
    7 NOTRUN Should fire a security policy violation event
    8 
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-attr-blocked-expected.txt

    r267651 r284254  
    1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-elem'.
    2 
    3 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-attr'.
    41
    52
    6 
    7 Harness Error (TIMEOUT), message = null
    8 
    9 NOTRUN Should fire a security policy violation for the attribute
     3PASS Should fire a security policy violation for the attribute
    104PASS Should execute the inline script block
    115
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-allowed-src-blocked-expected.txt

    r267651 r284254  
    1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-elem'.
    21
    3 CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
     2PASS Should not fire a security policy violation event
    43
    5 Harness Error (TIMEOUT), message = null
    6 
    7 NOTRUN Should not fire a security policy violation event
    8 
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-attr-allowed-expected.txt

    r267651 r284254  
    1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-elem'.
    2 
    3 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-attr'.
    41
    52
    6 
    7 Harness Error (TIMEOUT), message = null
    8 
    9 NOTRUN Should fire a security policy violation for the attribute
     3PASS Should fire a security policy violation for the attribute
    104PASS Should execute the inline script attribute
    115
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src-attr-elem/script-src-elem-blocked-src-allowed-expected.txt

    r267651 r284254  
    1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-elem'.
    21
     2PASS Should fire a spv event
    33
    4 Harness Error (TIMEOUT), message = null
    5 
    6 NOTRUN Should fire a spv event
    7 
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/injected-inline-script-blocked.sub-expected.txt

    r283111 r284254  
    11
    2 FAIL Expecting logs: ["violated-directive=script-src-elem","blocked-uri=inline"] assert_unreached: unexpected log: violated-directive=script-src Reached unreachable code
     2PASS Expecting logs: ["violated-directive=script-src-elem","blocked-uri=inline"]
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_1-expected.txt

    r283111 r284254  
    44PASS Inline script block
    55PASS Inline event handler
    6 FAIL Should fire policy violation events assert_unreached: Unexpected directive broken Reached unreachable code
     6PASS Should fire policy violation events
    77
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_10-expected.txt

    r283111 r284254  
    22
    33
    4 FAIL Test that securitypolicyviolation event is fired assert_equals: expected "script-src-elem" but got "default-src"
     4PASS Test that securitypolicyviolation event is fired
    55PASS Verify that data: as script src doesn't run with this policy
    66
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2-expected.txt

    r283111 r284254  
    44PASS Inline script block
    55PASS Inline event handler
    6 FAIL Should fire policy violation events assert_unreached: Unexpected directive broken Reached unreachable code
     6PASS Should fire policy violation events
    77
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-1_2_1-expected.txt

    r283111 r284254  
    22
    33
    4 FAIL Test that securitypolicyviolation event is fired assert_equals: expected "script-src-elem" but got "script-src"
     4PASS Test that securitypolicyviolation event is fired
    55PASS DOM manipulation inline tests
    66
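--- a/trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt
+++ b/trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt
@@ -1,4 +1,4 @@
 
-FAIL Should fire securitypolicyviolation event assert_equals: expected "script-src-elem" but got "script-src"
+FAIL Should fire securitypolicyviolation event assert_equals: expected "report" but got "enforce"
 FAIL External script in a script tag with matching SRI hash should run. assert_true: External script ran. expected true got false
 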
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-hash-policy-expected.txt

    r283111 r284254  
    11
    22PASS Test that script executes if allowed by proper hash values
    3 FAIL Test that the securitypolicyviolation event is fired assert_equals: expected "script-src-elem" but got "script-src"
     3PASS Test that the securitypolicyviolation event is fired
    44
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-and-scripthash.sub-expected.txt

    r283111 r284254  
    22
    33
    4 FAIL Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"] assert_unreached: unexpected alert: violated-directive=script-src Reached unreachable code
     4PASS Expecting alerts: ["PASS (1/3)","PASS (2/3)","PASS (3/3)"]
    55
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-basic-blocked.sub-expected.txt

    r283111 r284254  
    22
    33
    4 FAIL Expecting alerts: ["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"] assert_unreached: unexpected alert: violated-directive=script-src Reached unreachable code
     4PASS Expecting alerts: ["PASS (closely-quoted nonce)","PASS (nonce w/whitespace)", "violated-directive=script-src-elem", "violated-directive=script-src-elem", "violated-directive=script-src-elem"]
    55
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/scriptnonce-ignore-unsafeinline.sub-expected.txt

    r283111 r284254  
    22
    33
    4 FAIL Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"] assert_unreached: unexpected alert: violated-directive=script-src Reached unreachable code
     4PASS Expecting alerts: ["PASS (1/2)","PASS (2/2)", "violated-directive=script-src-elem"]
    55
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/srcdoc-doesnt-bypass-script-src.sub-expected.txt

    r283111 r284254  
    11
    22
    3 FAIL Expecting logs: ["violated-directive=script-src-elem"] assert_unreached: unexpected log: violated-directive=script-src Reached unreachable code
     3PASS Expecting logs: ["violated-directive=script-src-elem"]
    44
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-allowed-src-blocked-expected.txt

    r246330 r284254  
    11
    2 FAIL Should apply the style attribute assert_true: expected true got false
     2PASS Should apply the style attribute
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-attr-blocked-src-allowed-expected.txt

    r267651 r284254  
    1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'style-src-attr'.
    21
     2PASS Should fire a security policy violation event
     3PASS The attribute style should not be applied
    34
    4 Harness Error (TIMEOUT), message = null
    5 
    6 NOTRUN Should fire a security policy violation event
    7 FAIL The attribute style should not be applied assert_equals: expected 0 but got 10
    8 
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-attr-blocked-expected.txt

    r267651 r284254  
    1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'style-src-elem'.
    21
    3 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'style-src-attr'.
     2PASS Should fire a security policy violation for the attribute
     3PASS The attribute style should not be applied and the inline style should be applied
    44
    5 
    6 Harness Error (TIMEOUT), message = null
    7 
    8 NOTRUN Should fire a security policy violation for the attribute
    9 FAIL The attribute style should not be applied and the inline style should be applied assert_equals: expected 0 but got 10
    10 
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-allowed-src-blocked-expected.txt

    r246330 r284254  
    11
    2 FAIL Inline style should be applied assert_equals: expected 1 but got 0
     2PASS Inline style should be applied
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-attr-allowed-expected.txt

    r267651 r284254  
    1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'style-src-elem'.
    21
    3 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'script-src-attr'.
     2PASS Should fire a security policy violation for the inline block
     3PASS The inline style should not be applied and the attribute style should be applied
    44
    5 
    6 Harness Error (TIMEOUT), message = null
    7 
    8 NOTRUN Should fire a security policy violation for the inline block
    9 FAIL The inline style should not be applied and the attribute style should be applied assert_equals: expected 0 but got 1
    10 
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src-attr-elem/style-src-elem-blocked-src-allowed-expected.txt

    r267651 r284254  
    1 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'style-src-elem'.
    21
     2PASS Should fire a security policy violation event
     3PASS The inline style should not be applied
    34
    4 Harness Error (TIMEOUT), message = null
    5 
    6 NOTRUN Should fire a security policy violation event
    7 FAIL The inline style should not be applied assert_equals: expected 0 but got 1
    8 
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/injected-inline-style-blocked.sub-expected.txt

    r283111 r284254  
    22PASS 2/2
    33
    4 FAIL Expecting logs: ["violated-directive=style-src-elem","PASS"] assert_unreached: unexpected log: violated-directive=style-src Reached unreachable code
     4PASS Expecting logs: ["violated-directive=style-src-elem","PASS"]
    55
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-allowed-while-cloning-objects.sub-expected.txt

    r283111 r284254  
    99Yet another div.
    1010
    11 FAIL Test that violation report event was fired assert_equals: expected "style-src-attr" but got "style-src"
     11PASS Test that violation report event was fired
    1212PASS inline-style-allowed-while-cloning-objects
    1313FAIL inline-style-allowed-while-cloning-objects 1 null is not an object (evaluating 'node2.style.background.match(/yellow/)[0]')
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/inline-style-attribute-blocked.sub-expected.txt

    r283111 r284254  
    11
    2 FAIL Expecting logs: ["violated-directive=style-src-attr","PASS"] assert_unreached: unexpected log: violated-directive=style-src Reached unreachable code
     2PASS Expecting logs: ["violated-directive=style-src-attr","PASS"]
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-blocked.sub-expected.txt

    r283111 r284254  
    11
    2 FAIL Expecting logs: ["violated-directive=style-src-elem","PASS"] assert_unreached: unexpected log: violated-directive=style-src Reached unreachable code
     2PASS Expecting logs: ["violated-directive=style-src-elem","PASS"]
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-hash-blocked-expected.txt

    r283111 r284254  
    22PASS Should load the style with a correct hash
    33PASS Should not load style that does not match hash
    4 FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src" but got "style-src-elem"
     4PASS Should fire a securitypolicyviolation event
    55Lorem ipsum
    66Lorem ipsum
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-imported-style-blocked-expected.txt

    r283111 r284254  
    11
    22PASS @import stylesheet should not load because it does not match style-src
    3 FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src" but got "style-src-elem"
     3PASS Should fire a securitypolicyviolation event
    44Lorem ipsum
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-inline-style-blocked-expected.txt

    r283111 r284254  
    11
    22PASS Injected style attributes should not be applied
    3 FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src" but got "style-src-elem"
     3PASS Should fire a securitypolicyviolation event
    44Lorem ipsum
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-injected-stylesheet-blocked.sub-expected.txt

    r283111 r284254  
    11
    22PASS Programatically injected stylesheet should not load
    3 FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src" but got "style-src-elem"
     3PASS Should fire a securitypolicyviolation event
    44Lorem ipsum
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-attribute-blocked-expected.txt

    r283111 r284254  
    11
    22PASS Inline style attribute should not be applied without 'unsafe-inline'
    3 FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src" but got "style-src-attr"
     3PASS Should fire a securitypolicyviolation event
    44Lorem ipsum
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-blocked-expected.txt

    r283111 r284254  
    11
    22PASS Inline style element should not load without 'unsafe-inline'
    3 FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src" but got "style-src-elem"
     3PASS Should fire a securitypolicyviolation event
    44Lorem ipsum
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-inline-style-nonce-blocked-expected.txt

    r283111 r284254  
    11
    22PASS Should not load inline style element with invalid nonce
    3 FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src" but got "style-src-elem"
     3PASS Should fire a securitypolicyviolation event
    44Lorem ipsum
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-none-blocked-expected.txt

    r283111 r284254  
    11
    22PASS Should not stylesheet when style-src is 'none'
    3 FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src" but got "style-src-elem"
     3PASS Should fire a securitypolicyviolation event
    44Lorem ipsum
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-stylesheet-nonce-blocked-expected.txt

    r283111 r284254  
    11
    22PASS Should not load stylesheet without correct nonce
    3 FAIL Should fire a securitypolicyviolation event assert_equals: expected "style-src" but got "style-src-elem"
     3PASS Should fire a securitypolicyviolation event
    44Lorem ipsum
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylehash-basic-blocked.sub-expected.txt

    r283111 r284254  
    22
    33
    4 FAIL Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"] assert_unreached: unexpected alert: violated-directive=style-src Reached unreachable code
     4PASS Expecting alerts: ["PASS: The 'p' element's text is green, which means the style was correctly applied.", "violated-directive=style-src-elem"]
    55
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-allowed.sub-expected.txt

    r283111 r284254  
    66
    77
    8 FAIL Should fire securitypolicyviolation assert_equals: expected "style-src-elem" but got "style-src"
     8PASS Should fire securitypolicyviolation
    99PASS stylenonce-allowed
    1010PASS stylenonce-allowed 1
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/style-src/stylenonce-blocked.sub-expected.txt

    r283111 r284254  
    44
    55
    6 FAIL Should fire securitypolicyviolation assert_equals: expected "style-src-elem" but got "style-src"
     6PASS Should fire securitypolicyviolation
    77PASS stylenonce-blocked
    88
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/svg/svg-inline.sub-expected.txt

    r283111 r284254  
    22
    33
    4 FAIL Should fire violation event assert_equals: expected "script-src-elem" but got "script-src"
     4PASS Should fire violation event
    55PASS
    66
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href-expected.txt

    r283111 r284254  
    11
    2 FAIL Test that the javascript: src is not allowed to run assert_equals: expected "script-src-elem" but got "script-src"
     2PASS Test that the javascript: src is not allowed to run
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-href_blank-expected.txt

    r283111 r284254  
    11
    2 FAIL Test that the javascript: src is not allowed to run assert_equals: expected "script-src-elem" but got "script-src"
     2PASS Test that the javascript: src is not allowed to run
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_missing_unsafe_hashes-window_open-expected.txt

    r283111 r284254  
    11
    2 FAIL Test that the javascript: src is not allowed to run assert_equals: expected "script-src-elem" but got "script-src"
     2PASS Test that the javascript: src is not allowed to run
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href-expected.txt

    r283111 r284254  
    11
    2 FAIL Test that the javascript: src is not allowed to run assert_equals: expected "script-src-elem" but got "script-src"
     2PASS Test that the javascript: src is not allowed to run
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-href_blank-expected.txt

    r283111 r284254  
    11
    2 FAIL Test that the javascript: src is not allowed to run assert_equals: expected "script-src-elem" but got "script-src"
     2PASS Test that the javascript: src is not allowed to run
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/javascript_src_denied_wrong_hash-window_open-expected.txt

    r283111 r284254  
    11
    2 FAIL Test that the javascript: src is not allowed to run assert_equals: expected "script-src-elem" but got "script-src"
     2PASS Test that the javascript: src is not allowed to run
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_missing_unsafe_hashes-expected.txt

    r283111 r284254  
    11
    2 FAIL Test that the inline event handler is not allowed to run assert_equals: expected "script-src-attr" but got "script-src"
     2PASS Test that the inline event handler is not allowed to run
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_denied_wrong_hash-expected.txt

    r283111 r284254  
    11
    2 FAIL Test that the inline event handler is not allowed to run assert_equals: expected "script-src-attr" but got "script-src"
     2PASS Test that the inline event handler is not allowed to run
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_missing_unsafe_hashes-expected.txt

    r283111 r284254  
    11
    2 FAIL Test that the inline style attribute is blocked assert_equals: expected "style-src-attr" but got "style-src"
     2PASS Test that the inline style attribute is blocked
    33
  • trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_denied_wrong_hash-expected.txt

    r283111 r284254  
    11
    2 FAIL Test that the inline style attribute is blocked assert_equals: expected "style-src-attr" but got "style-src"
     2PASS Test that the inline style attribute is blocked
    33
  • trunk/Source/WebCore/ChangeLog

    r284247 r284254  
     12021-10-15  Kate Cheney  <katherine_cheney@apple.com>
     2
     3        CSP: Implement src-elem and src-attr directives
     4        https://bugs.webkit.org/show_bug.cgi?id=231751
     5        <rdar://problem/83332874>
     6
     7        Reviewed by Brent Fulgham.
     8
     9        Implement script-src-elem, script-src-attr, style-src-elem, and
     10        style-src-attr directives. *-elem directives specify load policy for
     11        <script> and <style> elements. *-attr directives specify load policy
     12        for inline event handlers or inline style applied to individual DOM elements.
     13
     14        To match behavior of wpt tests and other browsers, we should report
     15        the violated directive as accurately as possible even if a more
     16        general directive was specified in the policy. For example, reporting
     17        the violated directive as script-src even if default-src was
     18        specified, and script-src-elem even if only script-src was specified.
     19        To do this I added a nameForReporting() method in the
     20        ContentSecurityPolicySourceListDirective class that gets set when we
     21        check the load for violations.
     22
     23        Console messages should not change, in fact, we should consider making
     24        them more specific in the future.
     25
     26        * page/csp/ContentSecurityPolicy.cpp:
     27        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
     28        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
     29        (WebCore::ContentSecurityPolicy::allowInlineScript const):
     30        (WebCore::ContentSecurityPolicy::allowInlineStyle const):
     31        We can reuse the check for unsafe hashes to determine if we should
     32        report a style-src-elem or style-src-attr violation.
     33
     34        (WebCore::ContentSecurityPolicy::reportViolation const):
     35        * page/csp/ContentSecurityPolicyDirective.cpp:
     36        (WebCore::ContentSecurityPolicyDirective::~ContentSecurityPolicyDirective):
     37        Need a destructor now that we have virtual functions.
     38
     39        * page/csp/ContentSecurityPolicyDirective.h:
     40        (WebCore::ContentSecurityPolicyDirective::nameForReporting const):
     41        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
     42        (WebCore::ContentSecurityPolicyDirectiveList::create):
     43        unsafe-eval should still have script-src as a violated directive.
     44
     45        (WebCore::ContentSecurityPolicyDirectiveList::operativeDirective const):
     46        (WebCore::ContentSecurityPolicyDirectiveList::operativeDirectiveScript const):
     47        (WebCore::ContentSecurityPolicyDirectiveList::operativeDirectiveStyle const):
     48        elem/attr directives fall back to their respective general directives
     49        if the more specific ones do not exist.
     50
     51        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeEval const):
     52        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript const):
     53        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle const):
     54        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForParserInsertedScript const):
     55        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement const):
     56        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptAttribute const):
     57        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleElement const):
     58        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleAttribute const):
     59        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash const):
     60        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash const):
     61        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptNonce const):
     62        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleNonce const):
     63        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext const):
     64        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource const):
     65        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFont const):
     66        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame const):
     67        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForImage const):
     68        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForManifest const):
     69        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia const):
     70        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource const):
     71        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript const):
     72        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle const):
     73        (WebCore::ContentSecurityPolicyDirectiveList::addDirective):
     74        (WebCore::ContentSecurityPolicyDirectiveList::strictDynamicIncluded):
     75        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript const): Deleted.
     76        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyle const): Deleted.
     77        * page/csp/ContentSecurityPolicyDirectiveList.h:
     78        * page/csp/ContentSecurityPolicyDirectiveNames.cpp:
     79        * page/csp/ContentSecurityPolicyDirectiveNames.h:
     80        * page/csp/ContentSecurityPolicySourceListDirective.h:
     81        (WebCore::ContentSecurityPolicySourceListDirective::setNameForReporting):
     82
    1832021-10-15  Simon Fraser  <simon.fraser@apple.com>
    284
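--- a/trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
+++ b/trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
@@ -412,5 +412,5 @@
     };
 
-    return checkHashAndReportViolation(source, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
+    return checkHashAndReportViolation(source, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
 }
 
@@ -429,5 +429,5 @@
     };
 
-    return checkHashAndReportViolation(source, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
+    return checkHashAndReportViolation(source, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptAttribute, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
 }
 
@@ -472,6 +472,5 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
-        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, url, "Refused to load");
-        // FIXME: (rdar://83332874) implement scriptSrcElem properly.
+        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, url, "Refused to load");
         reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, url.string(), consoleMessage, String(), sourcePosition);
     };
@@ -495,5 +494,5 @@
     // FIXME: We should not report that the inline script violated a policy when its hash matched a source
     // expression in the policy and the page has more than one policy. See <https://bugs.webkit.org/show_bug.cgi?id=159832>.
-    return checkHashAndReportViolation(scriptContent.toString(), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript, &ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
+    return checkHashAndReportViolation(scriptContent.toString(), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement, &ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
 }
 
@@ -505,13 +504,15 @@
         return true;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
+        auto name = shouldCheckUnsafeHashes == CheckUnsafeHashes::Yes ? ContentSecurityPolicyDirectiveNames::styleSrcAttr : ContentSecurityPolicyDirectiveNames::styleSrcElem;
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, URL(), "Refused to apply a stylesheet", "its hash, its nonce, or 'unsafe-inline'");
-        reportViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
-    };
-
-    auto searchPolicy = shouldCheckUnsafeHashes == CheckUnsafeHashes::Yes ? &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle : &ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash;
+        reportViolation(name, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
+    };
+
+    if (shouldCheckUnsafeHashes == CheckUnsafeHashes::Yes)
+        return checkHashAndReportViolation(styleContent.toString(), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleAttribute, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle, m_hashAlgorithmsForInlineStylesheets, handleViolatedDirective);
 
     // FIXME: We should not report that the inline stylesheet violated a policy when its hash matched a source
     // expression in the policy and the page has more than one policy. See <https://bugs.webkit.org/show_bug.cgi?id=159832>.
-    return checkHashAndReportViolation(styleContent.toString(), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyle, searchPolicy, m_hashAlgorithmsForInlineStylesheets, handleViolatedDirective);
+    return checkHashAndReportViolation(styleContent.toString(), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleElement, &ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash, m_hashAlgorithmsForInlineStylesheets, handleViolatedDirective);
 }
 
@@ -722,5 +723,5 @@
 {
     // FIXME: Extract source file and source position from JSC::ExecState.
-    return reportViolation(violatedDirective, effectiveViolatedDirective.name().convertToASCIILowercase(), effectiveViolatedDirective.directiveList(), blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
+    return reportViolation(violatedDirective, effectiveViolatedDirective.nameForReporting().convertToASCIILowercase(), effectiveViolatedDirective.directiveList(), blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
 }
 
@@ -733,5 +734,5 @@
 void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state) const
 {
-    return reportViolation(effectiveViolatedDirective, violatedDirective.name().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state, preRedirectURL);
+    return reportViolation(effectiveViolatedDirective, violatedDirective.nameForReporting().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state, preRedirectURL);
 }
 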
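Review bot: In allowInlineStyle (hunk at new lines 504-518) the attribute path now returns at new line 512, before the FIXME about hash matches across multiple policies (bug 159832), so that caveat now reads as if it covered only the element path even though both paths run a hash lookup through checkHashAndReportViolation; move the two FIXME lines above the `if (shouldCheckUnsafeHashes == CheckUnsafeHashes::Yes)`. The directive chosen for the report at new line 506 relies on CheckUnsafeHashes::Yes being passed only for style attributes, which the ChangeLog states but the code does not say; a comment such as `// CheckUnsafeHashes::Yes is only used for style attributes, so it also selects style-src-attr as the reported directive.` would make that coupling explicit for the next caller. The console message at new line 507 intentionally stays on style-src per the ChangeLog, so the two names differing is not a defect. allowInlineStyle's signature is outside the hunk; the function ends inside it.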
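--- a/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirective.cpp
+++ b/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirective.cpp
@@ -31,4 +31,8 @@
 namespace WebCore {
 
+ContentSecurityPolicyDirective::~ContentSecurityPolicyDirective()
+{
+}
+
 bool ContentSecurityPolicyDirective::isDefaultSrc() const
 {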
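Review bot: The destructor definition at new lines 33-35 is an empty user-provided body; its only purpose is to give the now-polymorphic base an out-of-line destructor, which `ContentSecurityPolicyDirective::~ContentSecurityPolicyDirective() = default;` expresses in one line and in the form the rest of modern WebKit code uses for such definitions. The definition is still required because the header declares the destructor pure virtual, so this is a style point only.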
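--- a/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirective.h
+++ b/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirective.h
@@ -43,6 +43,9 @@
     }
 
+    virtual ~ContentSecurityPolicyDirective() = 0;
+
     const String& name() const { return m_name; }
     const String& text() const { return m_text; }
+    virtual const String& nameForReporting() const { return m_name; }
 
     const ContentSecurityPolicyDirectiveList& directiveList() const { return m_directiveList; }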
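Review bot: `nameForReporting()` at new line 49 carries no comment explaining how it differs from `name()` two lines above, and from this header alone the two look interchangeable. The ChangeLog says the reporting name is set on the source-list directive when a load is checked, so the value is presumably only meaningful right after that lookup and may otherwise reflect an earlier, unrelated check; that contract belongs next to the declaration, e.g. `// Name of the most specific directive to cite in violation reports and securitypolicyviolation events. Base directives report name(); source-list directives presumably return the name assigned by the last operative-directive lookup in ContentSecurityPolicyDirectiveList, so read it only right after that lookup.` The pure virtual destructor at new line 45 still requires the out-of-line definition the commit adds in ContentSecurityPolicyDirective.cpp. The enclosing class declaration starts and ends outside the hunk.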
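--- a/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
+++ b/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
@@ -141,7 +141,7 @@
     directives->parse(header, from);
 
-    if (!checkEval(directives->operativeDirective(directives->m_scriptSrc.get()))) {
-        directives->setEvalDisabledErrorMessage(makeString("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", directives->operativeDirective(directives->m_scriptSrc.get())->text(), "\".\n"));
-        directives->setWebAssemblyDisabledErrorMessage(makeString("Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", directives->operativeDirective(directives->m_scriptSrc.get())->text(), "\".\n"));
+    if (!checkEval(directives->operativeDirective(directives->m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc))) {
+        directives->setEvalDisabledErrorMessage(makeString("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", directives->operativeDirective(directives->m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc)->text(), "\".\n"));
+        directives->setWebAssemblyDisabledErrorMessage(makeString("Refused to create a WebAssembly object because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", directives->operativeDirective(directives->m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc)->text(), "\".\n"));
     }
 
@@ -152,12 +152,38 @@
 }
 
-ContentSecurityPolicySourceListDirective* ContentSecurityPolicyDirectiveList::operativeDirective(ContentSecurityPolicySourceListDirective* directive) const
-{
-    return directive ? directive : m_defaultSrc.get();
+ContentSecurityPolicySourceListDirective* ContentSecurityPolicyDirectiveList::operativeDirective(ContentSecurityPolicySourceListDirective* directive, const String& nameForReporting) const
+{
+    if (directive) {
+        directive->setNameForReporting(nameForReporting);
+        return directive;
+    }
+
+    if (m_defaultSrc.get())
+        m_defaultSrc.get()->setNameForReporting(nameForReporting);
+
+    return m_defaultSrc.get();
+}
+
+ContentSecurityPolicySourceListDirective* ContentSecurityPolicyDirectiveList::operativeDirectiveScript(ContentSecurityPolicySourceListDirective* directive, const String& nameForReporting) const
+{
+    if (directive) {
+        directive->setNameForReporting(nameForReporting);
+        return directive;
+    }
+    return operativeDirective(m_scriptSrc.get(), nameForReporting);
+}
+
+ContentSecurityPolicySourceListDirective* ContentSecurityPolicyDirectiveList::operativeDirectiveStyle(ContentSecurityPolicySourceListDirective* directive, const String& nameForReporting) const
+{
+    if (directive) {
+        directive->setNameForReporting(nameForReporting);
+        return directive;
+    }
+    return operativeDirective(m_styleSrc.get(), nameForReporting);
 }
 
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeEval() const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_scriptSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
     if (checkEval(operativeDirective))
         return nullptr;
@@ -167,5 +193,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript(const ContentSecurityPolicyHash& hash) const
 {
-    auto* operativeDirective = this->operativeDirective(m_scriptSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
     if (checkUnsafeHashes(operativeDirective, hash))
         return nullptr;
@@ -175,5 +201,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle(const ContentSecurityPolicyHash& hash) const
 {
-    auto* operativeDirective = this->operativeDirective(m_styleSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_styleSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
     if (checkUnsafeHashes(operativeDirective, hash))
         return nullptr;
@@ -181,7 +207,16 @@
 }
 
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript() const
-{
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_scriptSrc.get());
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForParserInsertedScript(ParserInserted parserInserted) const
+{
+    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
+    if (checkNonParserInsertedScripts(operativeDirective, parserInserted))
+        return nullptr;
+
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptElement() const
+{
+    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
     if (checkInline(operativeDirective))
         return nullptr;
@@ -189,16 +224,7 @@
 }
 
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForParserInsertedScript(ParserInserted parserInserted) const
-{
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_scriptSrc.get());
-    if (checkNonParserInsertedScripts(operativeDirective, parserInserted))
-        return nullptr;
-
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyle() const
-{
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_styleSrc.get());
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScriptAttribute() const
+{
+    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcAttr.get(), ContentSecurityPolicyDirectiveNames::scriptSrcAttr);
     if (checkInline(operativeDirective))
         return nullptr;
@@ -206,7 +232,23 @@
 }
 
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleElement() const
+{
+    auto* operativeDirective = this->operativeDirectiveStyle(m_styleSrcElem.get(), ContentSecurityPolicyDirectiveNames::styleSrcElem);
+    if (checkInline(operativeDirective))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyleAttribute() const
+{
+    auto* operativeDirective = this->operativeDirectiveStyle(m_styleSrcAttr.get(), ContentSecurityPolicyDirectiveNames::styleSrcAttr);
+    if (checkInline(operativeDirective))
+        return nullptr;
+    return operativeDirective;
+}
+
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash(const ContentSecurityPolicyHash& hash) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_scriptSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
     if (checkHash(operativeDirective, hash))
         return nullptr;
@@ -216,5 +258,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash(const ContentSecurityPolicyHash& hash) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_styleSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_styleSrc.get(), ContentSecurityPolicyDirectiveNames::styleSrc);
     if (checkHash(operativeDirective, hash))
         return nullptr;
@@ -224,5 +266,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptNonce(const String& nonce) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_scriptSrc.get());
+    auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
     if (checkNonce(operativeDirective, nonce))
         return nullptr;
@@ -232,5 +274,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleNonce(const String& nonce) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_styleSrc.get());
+    auto* operativeDirective = this->operativeDirectiveStyle(m_styleSrcElem.get(), ContentSecurityPolicyDirectiveNames::styleSrc);
     if (checkNonce(operativeDirective, nonce))
         return nullptr;
@@ -247,5 +289,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext(const URL& url, bool didReceiveRedirectResponse) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_childSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_childSrc.get(), ContentSecurityPolicyDirectiveNames::childSrc);
     if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
@@ -255,5 +297,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource(const URL& url, bool didReceiveRedirectResponse) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_connectSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_connectSrc.get(), ContentSecurityPolicyDirectiveNames::connectSrc);
     if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
@@ -263,5 +305,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFont(const URL& url, bool didReceiveRedirectResponse) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_fontSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_fontSrc.get(), ContentSecurityPolicyDirectiveNames::fontSrc);
     if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
@@ -283,5 +325,5 @@
     // We must enforce the frame-src directive (if specified) before enforcing the child-src directive for a nested browsing
     // context by <https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested> (29 August 2015).
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_frameSrc ? m_frameSrc.get() : m_childSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_frameSrc ? m_frameSrc.get() : m_childSrc.get(), ContentSecurityPolicyDirectiveNames::frameSrc);
     if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
@@ -305,5 +347,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForImage(const URL& url, bool didReceiveRedirectResponse) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_imgSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_imgSrc.get(), ContentSecurityPolicyDirectiveNames::imgSrc);
     if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
@@ -314,5 +356,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForManifest(const URL& url, bool didReceiveRedirectResponse) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_manifestSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_manifestSrc.get(), ContentSecurityPolicyDirectiveNames::manifestSrc);
     if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
@@ -323,5 +365,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia(const URL& url, bool didReceiveRedirectResponse) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_mediaSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_mediaSrc.get(), ContentSecurityPolicyDirectiveNames::mediaSrc);
     if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
@@ -333,5 +375,5 @@
     if (url.protocolIsAbout())
         return nullptr;
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_objectSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_objectSrc.get(), ContentSecurityPolicyDirectiveNames::objectSrc);
     if (checkSource(operativeDirective, url, didReceiveRedirectResponse, shouldAllowEmptyURLIfSourceListEmpty))
         return nullptr;
@@ -348,5 +390,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url, bool didReceiveRedirectResponse) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_scriptSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
     if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
@@ -356,5 +398,5 @@
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle(const URL& url, bool didReceiveRedirectResponse) const
 {
-    ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_styleSrc.get());
+    auto* operativeDirective = this->operativeDirective(m_styleSrc.get(), ContentSecurityPolicyDirectiveNames::styleSrcElem);
     if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
@@ -536,7 +578,19 @@
         setCSPDirective<ContentSecurityPolicySourceListDirective>(WTFMove(directive), m_scriptSrc);
         m_policy.addHashAlgorithmsForInlineScripts(m_scriptSrc->hashAlgorithmsUsed());
+    } else if (equalIgnoringASCIICase(directive.name, ContentSecurityPolicyDirectiveNames::scriptSrcElem)) {
+        setCSPDirective<ContentSecurityPolicySourceListDirective>(WTFMove(directive), m_scriptSrcElem);
+        m_policy.addHashAlgorithmsForInlineScripts(m_scriptSrcElem->hashAlgorithmsUsed());
+    } else if (equalIgnoringASCIICase(directive.name, ContentSecurityPolicyDirectiveNames::scriptSrcAttr)) {
+        setCSPDirective<ContentSecurityPolicySourceListDirective>(WTFMove(directive), m_scriptSrcAttr);
+        m_policy.addHashAlgorithmsForInlineScripts(m_scriptSrcAttr->hashAlgorithmsUsed());
     } else if (equalIgnoringASCIICase(directive.name, ContentSecurityPolicyDirectiveNames::styleSrc)) {
         setCSPDirective<ContentSecurityPolicySourceListDirective>(WTFMove(directive), m_styleSrc);
         m_policy.addHashAlgorithmsForInlineStylesheets(m_styleSrc->hashAlgorithmsUsed());
+    } else if (equalIgnoringASCIICase(directive.name, ContentSecurityPolicyDirectiveNames::styleSrcElem)) {
+        setCSPDirective<ContentSecurityPolicySourceListDirective>(WTFMove(directive), m_styleSrcElem);
+        m_policy.addHashAlgorithmsForInlineStylesheets(m_styleSrcElem->hashAlgorithmsUsed());
+    } else if (equalIgnoringASCIICase(directive.name, ContentSecurityPolicyDirectiveNames::styleSrcAttr)) {
+        setCSPDirective<ContentSecurityPolicySourceListDirective>(WTFMove(directive), m_styleSrcAttr);
+        m_policy.addHashAlgorithmsForInlineStylesheets(m_styleSrcAttr->hashAlgorithmsUsed());
     } else if (equalIgnoringASCIICase(directive.name, ContentSecurityPolicyDirectiveNames::objectSrc))
         setCSPDirective<ContentSecurityPolicySourceListDirective>(WTFMove(directive), m_objectSrc);
@@ -585,5 +639,5 @@
 bool ContentSecurityPolicyDirectiveList::strictDynamicIncluded()
 {
-    ContentSecurityPolicySourceListDirective* directive = this->operativeDirective(m_scriptSrc.get());
+    ContentSecurityPolicySourceListDirective* directive = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrc);
     return directive && directive->allowNonParserInsertedScripts();
 }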
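Review bot: `violatedDirectiveForUnsafeHashStyle` passes `ContentSecurityPolicyDirectiveNames::scriptSrc` as the reporting name for `m_styleSrc`, so a style 'unsafe-hashes' violation is attributed to script-src; the sibling `violatedDirectiveForUnsafeHashScript` and `violatedDirectiveForStyleHash` pass the matching name, so this reads as a copy-paste slip and should be `auto* operativeDirective = this->operativeDirective(m_styleSrc.get(), ContentSecurityPolicyDirectiveNames::styleSrc);`. A wrong effective-directive in a violation report is what a report-collecting endpoint keys on, so this also makes such reports harder to triage. Separately, `violatedDirectiveForScript` and `violatedDirectiveForStyle` consult `m_scriptSrc`/`m_styleSrc` while naming the violation `scriptSrcElem`/`styleSrcElem`; if these are the paths that gate element-initiated script and stylesheet fetches, a policy that sets only `script-src-elem` or `style-src-elem` would not be consulted there, and the name suggests `operativeDirectiveScript(m_scriptSrcElem.get(), ...)` / `operativeDirectiveStyle(m_styleSrcElem.get(), ...)` was intended. The parser-inserted and nonce checks read `m_scriptSrcElem` but report the name `scriptSrc`, unlike `violatedDirectiveForUnsafeInlineScriptElement` on the same member; if that is deliberate, a one-line comment saying why would keep the next reader from "fixing" it.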
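--- a/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h
+++ b/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h
@@ -47,7 +47,9 @@
 
     const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeEval() const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineScript() const;
     const ContentSecurityPolicyDirective* violatedDirectiveForParserInsertedScript(ParserInserted) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineStyle() const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineScriptElement() const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineScriptAttribute() const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineStyleElement() const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeInlineStyleAttribute() const;
 
     const ContentSecurityPolicyDirective* violatedDirectiveForScriptHash(const ContentSecurityPolicyHash&) const;
@@ -109,5 +111,7 @@
     void setCSPDirective(ParsedDirective&&, std::unique_ptr<CSPDirectiveType>&);
 
-    ContentSecurityPolicySourceListDirective* operativeDirective(ContentSecurityPolicySourceListDirective*) const;
+    ContentSecurityPolicySourceListDirective* operativeDirective(ContentSecurityPolicySourceListDirective*, const String&) const;
+    ContentSecurityPolicySourceListDirective* operativeDirectiveScript(ContentSecurityPolicySourceListDirective*, const String&) const;
+    ContentSecurityPolicySourceListDirective* operativeDirectiveStyle(ContentSecurityPolicySourceListDirective*, const String&) const;
 
     void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; }
@@ -142,5 +146,9 @@
     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_scriptSrc;
     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_styleSrc;
-    
+    std::unique_ptr<ContentSecurityPolicySourceListDirective> m_scriptSrcElem;
+    std::unique_ptr<ContentSecurityPolicySourceListDirective> m_scriptSrcAttr;
+    std::unique_ptr<ContentSecurityPolicySourceListDirective> m_styleSrcElem;
+    std::unique_ptr<ContentSecurityPolicySourceListDirective> m_styleSrcAttr;
+
     Vector<String> m_reportURIs;
    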
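Review bot: `operativeDirective`, `operativeDirectiveScript` and `operativeDirectiveStyle` are declared `const`, but on the .cpp side of this changeset each call overwrites `nameForReporting` on the directive it returns (including the shared `m_defaultSrc`), so what a caller later reads depends on whichever query ran last; none of that is visible from these declarations. A comment above the three, e.g. `// Resolves the directive to enforce (specific -> script-src/style-src -> default-src) and records the given name on it for violation reporting; consume the result before the next query overwrites that name.`, would document the contract that every `violatedDirectiveFor*` caller now relies on.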
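--- a/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp
+++ b/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp
@@ -49,6 +49,9 @@
 const char* const sandbox = "sandbox";
 const char* const scriptSrc = "script-src";
+const char* const scriptSrcAttr = "script-src-attr";
 const char* const scriptSrcElem = "script-src-elem";
 const char* const styleSrc = "style-src";
+const char* const styleSrcAttr = "style-src-attr";
+const char* const styleSrcElem = "style-src-elem";
 const char* const upgradeInsecureRequests = "upgrade-insecure-requests";
 const char* const blockAllMixedContent = "block-all-mixed-content";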
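--- a/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h
+++ b/trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h
@@ -49,5 +49,8 @@
 extern const char* const scriptSrc;
 extern const char* const scriptSrcElem;
+extern const char* const scriptSrcAttr;
 extern const char* const styleSrc;
+extern const char* const styleSrcAttr;
+extern const char* const styleSrcElem;
 extern const char* const upgradeInsecureRequests;
 extern const char* const blockAllMixedContent;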
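--- a/trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h
+++ b/trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h
@@ -49,5 +49,9 @@
     OptionSet<ContentSecurityPolicyHashAlgorithm> hashAlgorithmsUsed() const { return m_sourceList.hashAlgorithmsUsed(); }
 
+    void setNameForReporting(const String& name) { m_nameForReporting = name; }
+    const String& nameForReporting() const final { return !m_nameForReporting.isEmpty() ? m_nameForReporting : name(); }
+
 private:
+    String m_nameForReporting;
     ContentSecurityPolicySourceList m_sourceList;
 };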
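Review bot: `m_nameForReporting` is never cleared, so once a directive (notably the default-src instance that stands in for every unset directive) has been handed out under one name, `nameForReporting()` keeps returning that name to any reader that does not go through `operativeDirective` first; the `name()` fallback only applies before the first query. Whether any such reader exists is not visible here, but the setter deserves a comment making the lifetime explicit, e.g. `// Sticky: set by each operativeDirective() query to the effective directive being checked; never reset.`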