Changeset 129143 in webkit

Timestamp:

Sep 20, 2012 11:11:19 AM (12 years ago)

Author:

commit-queue@webkit.org

Message:

Support paths in Content Security Policy directives.
​https://bugs.webkit.org/show_bug.cgi?id=89750

Patch by Mike West <​mkwst@chromium.org> on 2012-09-20
Reviewed by Adam Barth.

Source/WebCore:

In CSP 1.0, paths are simply ignored: 'script-src
​http://example.com/path/to/a/file' would allow script to be loaded from
​http://example.com/path/to/a/file/javascript.js, but also from
​http://example.com/javascript.js.

This patch is an experimental implementation of more granular path
support in CSP source lists as proposed in the current editor's draft of
CSP 1.1. Paths are treated as specifying directories in which resources
can be found, and are implicitly terminated with a '/': in other words,
'script-src ​http://a.com/path' is the same as
'script-src ​http://a.com/path/'. Moreover, paths cannot contain either
'?' or '#' characters.

This is implemented outside the CSP_NEXT flag. All ports will be
effected.

Spec: ​https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#matching

Tests: http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html

http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html

• page/ContentSecurityPolicy.cpp:

(WebCore::CSPSource::CSPSource):

Store a path along with each CSP source.

(WebCore::CSPSource::matches):

Check the path when comparing a URL to the source.

(WebCore::CSPSource::pathMatches):

Compare the URL-decoded version of the resource to validate against
the source's stored path. If the resource's path begins with the
stored path, then it matches! If not, it doesn't.

(CSPSource):

Store a path along with each CSP source.

(WebCore::CSPSourceList::parse):

Pass a 'path' in when creating CSPSource objects.

(WebCore::CSPSourceList::parsePath):

Actually parse the path, flagging errors if '?' or '#' are present,
URL-decoding the result, and ensuring that a terminal '/' is
added if necessary.

(WebCore::CSPSourceList::addSourceSelf):

Ensure that 'self' sources have an empty path.

• page/ContentSecurityPolicy.h:

Dropping the "ignored path component" console warning.

LayoutTests:

• http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt:
• http/tests/security/contentSecurityPolicy/source-list-parsing-05.html:
• http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt:
• http/tests/security/contentSecurityPolicy/source-list-parsing-06.html:

The behavior of these tests changes based on the new functionality.

• http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html: Added.
• http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html: Added.

New tests for various path cases.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (10 diffs)
• Source/WebCore/page/ContentSecurityPolicy.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-09-20  Mike West  <mkwst@chromium.org>
+
+        Support paths in Content Security Policy directives.
+        https://bugs.webkit.org/show_bug.cgi?id=89750
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt:
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-05.html:
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt:
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-06.html:
+            The behavior of these tests changes based on the new functionality.
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html: Added.
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html: Added.
+            New tests for various path cases.
+
 2012-09-20  Joshua Bell  <jsbell@chromium.org>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/thisisa'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/thisisa' is being ignored. Be careful.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/path?query=string'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path?query=string".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/path#anchor'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path#anchor".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:8000/path?query=string'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path?query=string".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:8000/path#anchor'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path#anchor".
+
 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'pathwithasemicolon'.
 
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/this'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/this' is being ignored. Be careful.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/thisisa".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/this is a path with spaces".
+
 Paths should be ignored when evaluating sources. This test passes if FAIL does not appear in the output, and each of the tests generates a warning about the path component.
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05.html

@@ -6 +6 @@
 var tests = [
     ['yes', 'script-src 127.0.0.1:*/', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:*/path', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:*/path?query=string', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:*/path#anchor', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:*/path', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:*/path?query=string', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:*/path#anchor', 'resources/script.js'],
     ['yes', 'script-src 127.0.0.1:8000/', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:8000/path', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:8000/path?query=string', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:8000/path#anchor', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:8000/path', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:8000/path?query=string', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:8000/path#anchor', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
 ];
 </script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/thisisa'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/thisisa' is being ignored. Be careful.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:*/path?query=string'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path?query=string".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:*/path#anchor'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path#anchor".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:8000/path?query=string'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path?query=string".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:8000/path#anchor'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path#anchor".
+
 CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'pathwithasemicolon'.
 
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/this'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/this' is being ignored. Be careful.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/thisisa".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/this is a path with spaces".
+
 Paths should be ignored when evaluating sources. This test passes if FAIL does not appear in the output, and each of the tests generates a warning about the path component.
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06.html

@@ -6 +6 @@
 var tests = [
     ['yes', 'script-src http://127.0.0.1:*/', 'resources/script.js'],
-    ['yes', 'script-src http://127.0.0.1:*/path', 'resources/script.js'],
-    ['yes', 'script-src http://127.0.0.1:*/path?query=string', 'resources/script.js'],
-    ['yes', 'script-src http://127.0.0.1:*/path#anchor', 'resources/script.js'],
+    ['no', 'script-src http://127.0.0.1:*/path', 'resources/script.js'],
+    ['no', 'script-src http://127.0.0.1:*/path?query=string', 'resources/script.js'],
+    ['no', 'script-src http://127.0.0.1:*/path#anchor', 'resources/script.js'],
     ['yes', 'script-src http://127.0.0.1:8000/', 'resources/script.js'],
-    ['yes', 'script-src http://127.0.0.1:8000/path', 'resources/script.js'],
-    ['yes', 'script-src http://127.0.0.1:8000/path?query=string', 'resources/script.js'],
-    ['yes', 'script-src http://127.0.0.1:8000/path#anchor', 'resources/script.js'],
-    ['yes', 'script-src http://127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
-    ['yes', 'script-src http://127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
+    ['no', 'script-src http://127.0.0.1:8000/path', 'resources/script.js'],
+    ['no', 'script-src http://127.0.0.1:8000/path?query=string', 'resources/script.js'],
+    ['no', 'script-src http://127.0.0.1:8000/path#anchor', 'resources/script.js'],
+    ['no', 'script-src http://127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
+    ['no', 'script-src http://127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
 ];
 </script>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-09-20  Mike West  <mkwst@chromium.org>
+
+        Support paths in Content Security Policy directives.
+        https://bugs.webkit.org/show_bug.cgi?id=89750
+
+        Reviewed by Adam Barth.
+
+        In CSP 1.0, paths are simply ignored: 'script-src
+        http://example.com/path/to/a/file' would allow script to be loaded from
+        http://example.com/path/to/a/file/javascript.js, but also from
+        http://example.com/javascript.js.
+
+        This patch is an experimental implementation of more granular path
+        support in CSP source lists as proposed in the current editor's draft of
+        CSP 1.1. Paths are treated as specifying directories in which resources
+        can be found, and are implicitly terminated with a '/': in other words,
+        'script-src http://a.com/path' is the same as
+        'script-src http://a.com/path/'. Moreover, paths cannot contain either
+        '?' or '#' characters.
+
+        This is implemented outside the CSP_NEXT flag. All ports will be
+        effected.
+
+        Spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#matching
+
+        Tests: http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html
+               http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPSource::CSPSource):
+            Store a path along with each CSP source.
+        (WebCore::CSPSource::matches):
+            Check the path when comparing a URL to the source.
+        (WebCore::CSPSource::pathMatches):
+            Compare the URL-decoded version of the resource to validate against
+            the source's stored path. If the resource's path begins with the
+            stored path, then it matches! If not, it doesn't.
+        (CSPSource):
+            Store a path along with each CSP source.
+        (WebCore::CSPSourceList::parse):
+            Pass a 'path' in when creating CSPSource objects.
+        (WebCore::CSPSourceList::parsePath):
+            Actually parse the path, flagging errors if '?' or '#' are present,
+            URL-decoding the result, and ensuring that a terminal '/' is
+            added if necessary.
+        (WebCore::CSPSourceList::addSourceSelf):
+            Ensure that 'self' sources have an empty path.
+        * page/ContentSecurityPolicy.h:
+            Dropping the "ignored path component" console warning.
+
 2012-09-20  Joanmarie Diggs  <jdiggs@igalia.com>
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -72 +72 @@
 }
 
+bool isPathComponentCharacter(UChar c)
+{
+    return c != '?' && c != '#';
+}
+
 bool isHostCharacter(UChar c)
 {
@@ -133 +138 @@
 class CSPSource {
 public:
-    CSPSource(const String& scheme, const String& host, int port, bool hostHasWildcard, bool portHasWildcard)
+    CSPSource(const String& scheme, const String& host, int port, const String& path, bool hostHasWildcard, bool portHasWildcard)
         : m_scheme(scheme)
         , m_host(host)
         , m_port(port)
+        , m_path(path)
         , m_hostHasWildcard(hostHasWildcard)
         , m_portHasWildcard(portHasWildcard)
@@ -148 +154 @@
         if (isSchemeOnly())
             return true;
-        return hostMatches(url) && portMatches(url);
+        return hostMatches(url) && portMatches(url) && pathMatches(url);
     }
 
@@ -166 +172 @@
     }
 
+    bool pathMatches(const KURL& url) const
+    {
+        if (m_path.isEmpty())
+            return true;
+
+        String path = decodeURLEscapeSequences(url.path());
+
+        return path.startsWith(m_path, false);
+    }
+
     bool portMatches(const KURL& url) const
     {
@@ -190 +206 @@
     String m_host;
     int m_port;
+    String m_path;
 
     bool m_hostHasWildcard;
@@ -288 +305 @@
             if (scheme.isEmpty())
                 scheme = m_policy->securityOrigin()->protocol();
-            if (!path.isEmpty())
-                m_policy->reportIgnoredPathComponent(m_directiveName, String(beginSource, position - beginSource), path);
-            m_list.append(CSPSource(scheme, host, port, hostHasWildcard, portHasWildcard));
+            m_list.append(CSPSource(scheme, host, port, path, hostHasWildcard, portHasWildcard));
         } else
             m_policy->reportInvalidSourceExpression(m_directiveName, String(beginSource, position - beginSource));
@@ -475 +490 @@
 }
 
-// FIXME: Deal with an actual path. This just sucks up everything to the end of the string.
 bool CSPSourceList::parsePath(const UChar* begin, const UChar* end, String& path)
 {
@@ -481 +495 @@
     ASSERT(path.isEmpty());
 
-    if (begin == end)
-        return false;
-
-    path = String(begin, end - begin);
+    const UChar* position = begin;
+    skipWhile<isPathComponentCharacter>(position, end);
+    // path/to/file.js?query=string || path/to/file.js#anchor
+    //                ^                               ^
+    if (position < end)
+        return false;
+
+    path = decodeURLEscapeSequences(String(begin, end - begin));
+    if (!path.endsWith('/'))
+        path = path + '/';
+
+    ASSERT(position == end && path.endsWith('/'));
     return true;
 }
@@ -521 +543 @@
 void CSPSourceList::addSourceSelf()
 {
-    m_list.append(CSPSource(m_policy->securityOrigin()->protocol(), m_policy->securityOrigin()->host(), m_policy->securityOrigin()->port(), false, false));
+    m_list.append(CSPSource(m_policy->securityOrigin()->protocol(), m_policy->securityOrigin()->host(), m_policy->securityOrigin()->port(), String(), false, false));
 }
 
@@ -1551 +1573 @@
 }
 
-void ContentSecurityPolicy::reportIgnoredPathComponent(const String& directiveName, const String& completeSource, const String& path) const
-{
-    String message = makeString("The source list for Content Security Policy directive '", directiveName, "' contains the source '", completeSource, "'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '", path, "' is being ignored. Be careful.");
-    logToConsole(message);
-}
-
 void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiveName, const String& source) const
 {

trunk/Source/WebCore/page/ContentSecurityPolicy.h

@@ -101 +101 @@
 
     void reportDuplicateDirective(const String&) const;
-    void reportIgnoredPathComponent(const String& directiveName, const String& completeSource, const String& path) const;
     void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
     void reportInvalidNonce(const String&) const;