Changeset 131317 in webkit

Timestamp:

Oct 15, 2012 10:33:12 AM (12 years ago)

Author:

mkwst@chromium.org

Message:

CSP source expressions should support paths at file-level granularity.
​https://bugs.webkit.org/show_bug.cgi?id=99250

Reviewed by Adam Barth.

Source/WebCore:

After a bit of discussion on public-webappsec[1], path support for CSP
source expressions has been tuned to support file-level granularity. In
particular, this means that:

• 'example.com/js' matches a file named 'js'
• 'example.com/js/' matches all files under a directory named 'js' (note the trailing slash)
• 'example.com/js/file.js' matches only a file named 'file.js' inside a directory named 'js'

Though this is part of the CSP 1.1 spec, it continues to be exposed
outside the CSP_NEXT flag for back-compatibility.

Test cases have been added to the existing
http/tests/security/contentSecurityPolicy/source-list-parsing-paths-*
in order ensure that the new functionality works correctly.

• page/ContentSecurityPolicy.cpp:

(WebCore::CSPSource::pathMatches):

If the path ends with '/', do a prefix check. If not, check for an
exact match.

(WebCore::CSPSourceList::parsePath):

Don't automatically append a '/' to paths.

LayoutTests:

• http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html:

Adjust tests by adding trailing slashes to source expressions that
should match directories.

• http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt:
• http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html:

Adjust tests to check the new behavior: matching individiual files,
and matching directories only with a trailing '/'.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-10-15  Mike West  <mkwst@chromium.org>
+
+        CSP source expressions should support paths at file-level granularity.
+        https://bugs.webkit.org/show_bug.cgi?id=99250
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html:
+            Adjust tests by adding trailing slashes to source expressions that
+            should match directories.
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt:
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html:
+            Adjust tests to check the new behavior: matching individiual files,
+            and matching directories only with a trailing '/'.
+
 2012-10-15  Jay Civelli  <jcivelli@chromium.org>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html

@@ -11 +11 @@
     ['no', 'script-src 127.0.0.1:8000/not-security', 'resources/script.js'],
     ['no', 'script-src 127.0.0.1:8000/security%3bnot-contentSecurityPolicy', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:*/' + security, 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:*/security', resources + '/script.js'],
-    ['yes', 'script-src 127.0.0.1:*/' + security, resources + '/script.js'],
+    ['yes', 'script-src 127.0.0.1:*/' + security + '/', 'resources/script.js'],
+    ['yes', 'script-src 127.0.0.1:*/security/', resources + '/script.js'],
+    ['yes', 'script-src 127.0.0.1:*/' + security + '/', resources + '/script.js'],
 ];
 </script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security#query=string'. The fragment identifier, including the '#', will be ignored.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security?query=string'. The query component, including the '?', will be ignored.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security#query=string'. The fragment identifier, including the '#', will be ignored.
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security#query=string".
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security/#query=string'. The fragment identifier, including the '#', will be ignored.
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/security/?query=string'. The query component, including the '?', will be ignored.
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security/#query=string'. The fragment identifier, including the '#', will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security/#query=string".
 
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security?query=string'. The query component, including the '?', will be ignored.
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security?query=string".
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains a source with an invalid path: '/not-security/?query=string'. The query component, including the '?', will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security/?query=string".
 
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'not-contentSecurityPolicy'.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/security".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/security/contentSecurityPolicy/resources/script.js/".
 
 Resources should be rejected unless they match a whitelisted path.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html

@@ -5 +5 @@
 <script>
 var tests = [
-    ['yes', 'script-src 127.0.0.1:*/security#query=string', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:*/security?query=string', 'resources/script.js'],
-    ['no', 'script-src 127.0.0.1:*/not-security#query=string', 'resources/script.js'],
-    ['no', 'script-src 127.0.0.1:*/not-security?query=string', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:*/security', 'resources/script.js'],
+    ['yes', 'script-src 127.0.0.1:*/security/#query=string', 'resources/script.js'],
+    ['yes', 'script-src 127.0.0.1:*/security/?query=string', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:*/not-security/#query=string', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:*/not-security/?query=string', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:*/security', 'resources/script.js'],
     ['yes', 'script-src 127.0.0.1:*/security/', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:*/security/contentSecurityPolicy', 'resources/script.js'],
-    ['yes', 'script-src 127.0.0.1:8000/security;not-contentSecurityPolicy', 'resources/script.js'],
+    ['yes', 'script-src 127.0.0.1:*/security/contentSecurityPolicy/resources/script.js', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:*/security/contentSecurityPolicy/resources/script.js/', 'resources/script.js']
 ];
 </script>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-10-15  Mike West  <mkwst@chromium.org>
+
+        CSP source expressions should support paths at file-level granularity.
+        https://bugs.webkit.org/show_bug.cgi?id=99250
+
+        Reviewed by Adam Barth.
+
+        After a bit of discussion on public-webappsec[1], path support for CSP
+        source expressions has been tuned to support file-level granularity. In
+        particular, this means that:
+
+        - 'example.com/js' matches a file named 'js'
+        - 'example.com/js/' matches all files under a directory named 'js'
+          (note the trailing slash)
+        - 'example.com/js/file.js' matches only a file named 'file.js'
+          inside a directory named 'js'
+
+        Though this is part of the CSP 1.1 spec, it continues to be exposed
+        outside the CSP_NEXT flag for back-compatibility.
+
+        Test cases have been added to the existing
+        http/tests/security/contentSecurityPolicy/source-list-parsing-paths-*
+        in order ensure that the new functionality works correctly.
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPSource::pathMatches):
+            If the path ends with '/', do a prefix check. If not, check for an
+            exact match.
+        (WebCore::CSPSourceList::parsePath):
+            Don't automatically append a '/' to paths.
+
 2012-10-15  George Staikos  <staikos@webkit.org>
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -182 +182 @@
         String path = decodeURLEscapeSequences(url.path());
 
-        return path.startsWith(m_path, false);
+        if (m_path.endsWith("/"))
+            return path.startsWith(m_path, false);
+
+        return path == m_path;
     }
 
@@ -506 +509 @@
 
     path = decodeURLEscapeSequences(String(begin, position - begin));
-    if (!path.endsWith('/'))
-        path = path + '/';
 
     ASSERT(position <= end);
     ASSERT(position == end || (*position == '#' || *position == '?'));
-    ASSERT(path.endsWith('/'));
     return true;
 }