Changeset 133095 in webkit

Timestamp:

Oct 31, 2012 4:41:27 PM (11 years ago)

Author:

mkwst@chromium.org

Message:

Implement the canonical "Content-Security-Policy" header.
​https://bugs.webkit.org/show_bug.cgi?id=96765

Reviewed by Adam Barth.

Source/WebCore:

The CSP 1.0 specification defines the "Content-Security-Policy" header
as the canonical mechanism of defining a resource's security policy. Up
through this patch, we've implemented the functionality behind a prefix
in order to ensure compatibility with the standard once it's released as
a recommendation. Both the specification and WebKit's implementation are
far enough along in that process that it makes sense to support the
unprefixed header for sites that wish to opt-in to CSP 1.0.

As discussed on public-webappsec[1], we'll keep the experimental 1.1
features behind the prefixed header ('X-WebKit-CSP') until that standard
is far enough along to justify moving them out to the canonical header.

This patch defines the 'Content-Security-Policy' header for all ports,
just as the 'X-WebKit-CSP' header is currently supported on all ports.
Ports that have not opted-in to the CSP_NEXT flag will see exactly the
same behavior with both headers. Ports that have opted-in will see much
of CSP 1.1's current definition on the prefixed header, and CSP 1.0 on
the canonical header.

The functionality in this change is covered by the changes made to
existing tests. No expectations changed, only the headers that are sent.

• dom/Document.cpp:

(WebCore::Document::processHttpEquiv):

Add canonical header support to 'meta' element definitions.

• loader/FrameLoader.cpp:

(WebCore::FrameLoader::didBeginDocument):

Add canonical header support to FrameLoader.

• page/ContentSecurityPolicy.cpp:

(WebCore::CSPDirectiveList::headerType):

The ContentSecurityPolicy::HeaderType enum now has four values:
prefixed/report-only, unprefixed/report-only, prefixed/enforce, and
unprefixed/enforce. Instead of creating logic to output the proper
type based on internal flags, CSPDirectiveList now saves the value
provided at creation time, and returns it via this method.

(CSPDirectiveList):
(WebCore::CSPDirectiveList::CSPDirectiveList):

The constructor now accepts a type, which is stored on the object.
It also stores a new internal variable, 'm_experimental', which
defines whether or not experimental features ought to be available.
These features are still locked behind the CSP_NEXT flag, but that
might not be the case forever.

(WebCore::CSPDirectiveList::create):

The static constructor wrapper now passes the type into the real
constructor, which also now handles setting its internal variables.

(WebCore::CSPDirectiveList::parse):

'parse()' is given the header, so it makes sense to store it here as
well, rather than in the create wrapper.

(WebCore::CSPDirectiveList::addDirective):

1.1 directives remain locked behind CSP_NEXT, but now also require
that 'm_experimental' is set, signaling usage of the prefixed header
and an implicit opt-in to 1.1.

• page/ContentSecurityPolicy.h:

Added two new types to the HeaderTypes enum: PrefixedReportOnly, and
PrefixedEnforcePolicy. These map to 'X-WebKitCSP-Report-Only' and
'X-WebKit-CSP', respectively.

LayoutTests:

• http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html:
• http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html:
• http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html:
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html:

Updating these 1.1 tests along with the multiple-iframe-*.js test
"framework" to ensure that the experimental prefixed header is sent.

• http/tests/security/contentSecurityPolicy/blob-urls-match-self.html:
• http/tests/security/contentSecurityPolicy/combine-multiple-policies.html:
• http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html:
• http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html:
• http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html:
• http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html:
• http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html:
• http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html:
• http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html:
• http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html:
• http/tests/security/contentSecurityPolicy/duplicate-directive.html:
• http/tests/security/contentSecurityPolicy/eval-allowed.html:
• http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html:
• http/tests/security/contentSecurityPolicy/eval-blocked.html:
• http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html:
• http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html:
• http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html:
• http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html:
• http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html:
• http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html:
• http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-scheme.html:
• http/tests/security/contentSecurityPolicy/frame-src-allowed.html:
• http/tests/security/contentSecurityPolicy/frame-src-blocked.html:
• http/tests/security/contentSecurityPolicy/function-constructor-allowed.html:
• http/tests/security/contentSecurityPolicy/function-constructor-blocked.html:
• http/tests/security/contentSecurityPolicy/iframe-inside-csp.html:
• http/tests/security/contentSecurityPolicy/image-allowed.html:
• http/tests/security/contentSecurityPolicy/image-blocked.html:
• http/tests/security/contentSecurityPolicy/image-full-host-wildcard-allowed.html:
• http/tests/security/contentSecurityPolicy/image-host-wildcard-allowed.html:
• http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html:
• http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html:
• http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html:
• http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html:
• http/tests/security/contentSecurityPolicy/inline-script-allowed.html:
• http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html:
• http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html:
• http/tests/security/contentSecurityPolicy/inline-script-blocked.html:
• http/tests/security/contentSecurityPolicy/inline-style-allowed.html:
• http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html:
• http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html:
• http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html:
• http/tests/security/contentSecurityPolicy/inline-style-blocked.html:
• http/tests/security/contentSecurityPolicy/media-src-allowed.html:
• http/tests/security/contentSecurityPolicy/media-src-blocked.html:
• http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html:
• http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html:
• http/tests/security/contentSecurityPolicy/object-src-url-allowed.html:
• http/tests/security/contentSecurityPolicy/object-src-url-blocked.html:
• http/tests/security/contentSecurityPolicy/policy-does-not-affect-child.html:
• http/tests/security/contentSecurityPolicy/register-bypassing-scheme.html:
• http/tests/security/contentSecurityPolicy/report-and-enforce.html:
• http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html:
• http/tests/security/contentSecurityPolicy/report-blocked-uri.html:
• http/tests/security/contentSecurityPolicy/report-only-from-header.php:
• http/tests/security/contentSecurityPolicy/report-only.html:
• http/tests/security/contentSecurityPolicy/report-uri.html:
• http/tests/security/contentSecurityPolicy/resources/echo-iframe.pl:
• http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl:

s/X-WebKit-CSP/Content-Security-Policy/g

• http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl:
• http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl:

Reworking these two scripts in order to support sending both
the experimental header and the canonical header, as required.

• http/tests/security/contentSecurityPolicy/resources/event-handler.pl:
• http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html:
• http/tests/security/contentSecurityPolicy/resources/javascript-url.pl:
• http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html:

s/X-WebKit-CSP/Content-Security-Policy/g

• http/tests/security/contentSecurityPolicy/resources/multiple-iframe-plugin-test.js:

(testExperimentalPolicy):
(test):
(testImpl.iframe.onload):
(testImpl):

• http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:

(testPreescapedPolicy):
(testExperimentalPolicy):
(test):
(testImpl.iframe.onload):
(testImpl):

Reworking these two "frameworks" in order to support sending both
the experimental header and the canonical header, as required.

• http/tests/security/contentSecurityPolicy/resources/sandbox.php:
• http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php:
• http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html:
• http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html:
• http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html:
• http/tests/security/contentSecurityPolicy/sandbox-empty.html:
• http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html:
• http/tests/security/contentSecurityPolicy/shared-worker-connect-src-allowed.html:
• http/tests/security/contentSecurityPolicy/shared-worker-connect-src-blocked.html:
• http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html:
• http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src.html:
• http/tests/security/contentSecurityPolicy/style-allowed.html:
• http/tests/security/contentSecurityPolicy/style-blocked.html:
• http/tests/security/contentSecurityPolicy/worker-connect-src-allowed.html:
• http/tests/security/contentSecurityPolicy/worker-connect-src-blocked.html:
• http/tests/security/contentSecurityPolicy/worker-eval-blocked.html:
• http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html:
• http/tests/security/contentSecurityPolicy/worker-script-src.html:
• http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html:
• http/tests/security/contentSecurityPolicy/xsl-allowed.php:
• http/tests/security/contentSecurityPolicy/xsl-blocked.php:
• http/tests/security/contentSecurityPolicy/xsl-img-blocked.php:
• http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php:
• http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php:

s/X-WebKit-CSP/Content-Security-Policy/g

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/duplicate-directive.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-scheme.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/function-constructor-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/function-constructor-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/image-full-host-wildcard-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/image-host-wildcard-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/media-src-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/media-src-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/policy-does-not-affect-child.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header.php (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-only.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-iframe.pl (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/event-handler.pl (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/javascript-url.pl (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-plugin-test.js (modified) (2 diffs)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js (modified) (2 diffs)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandbox.php (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/worker-eval-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/xsl-img-blocked.php (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (1 diff)
• Source/WebCore/loader/FrameLoader.cpp (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (7 diffs)
• Source/WebCore/page/ContentSecurityPolicy.h (modified) (1 diff)
• Source/WebKit/chromium/public/WebContentSecurityPolicy.h (modified) (1 diff)
• Source/WebKit/chromium/src/AssertMatchingEnums.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-10-31  Mike West  <mkwst@chromium.org>
+
+        Implement the canonical "Content-Security-Policy" header.
+        https://bugs.webkit.org/show_bug.cgi?id=96765
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html:
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html:
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html:
+            Updating these 1.1 tests along with the multiple-iframe-*.js test
+            "framework" to ensure that the experimental prefixed header is sent.
+        * http/tests/security/contentSecurityPolicy/blob-urls-match-self.html:
+        * http/tests/security/contentSecurityPolicy/combine-multiple-policies.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html:
+        * http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html:
+        * http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html:
+        * http/tests/security/contentSecurityPolicy/duplicate-directive.html:
+        * http/tests/security/contentSecurityPolicy/eval-allowed.html:
+        * http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html:
+        * http/tests/security/contentSecurityPolicy/eval-blocked.html:
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html:
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html:
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html:
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html:
+        * http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html:
+        * http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html:
+        * http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-scheme.html:
+        * http/tests/security/contentSecurityPolicy/frame-src-allowed.html:
+        * http/tests/security/contentSecurityPolicy/frame-src-blocked.html:
+        * http/tests/security/contentSecurityPolicy/function-constructor-allowed.html:
+        * http/tests/security/contentSecurityPolicy/function-constructor-blocked.html:
+        * http/tests/security/contentSecurityPolicy/iframe-inside-csp.html:
+        * http/tests/security/contentSecurityPolicy/image-allowed.html:
+        * http/tests/security/contentSecurityPolicy/image-blocked.html:
+        * http/tests/security/contentSecurityPolicy/image-full-host-wildcard-allowed.html:
+        * http/tests/security/contentSecurityPolicy/image-host-wildcard-allowed.html:
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html:
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html:
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html:
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html:
+        * http/tests/security/contentSecurityPolicy/inline-script-allowed.html:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked.html:
+        * http/tests/security/contentSecurityPolicy/inline-style-allowed.html:
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html:
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html:
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html:
+        * http/tests/security/contentSecurityPolicy/inline-style-blocked.html:
+        * http/tests/security/contentSecurityPolicy/media-src-allowed.html:
+        * http/tests/security/contentSecurityPolicy/media-src-blocked.html:
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html:
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html:
+        * http/tests/security/contentSecurityPolicy/object-src-url-allowed.html:
+        * http/tests/security/contentSecurityPolicy/object-src-url-blocked.html:
+        * http/tests/security/contentSecurityPolicy/policy-does-not-affect-child.html:
+        * http/tests/security/contentSecurityPolicy/register-bypassing-scheme.html:
+        * http/tests/security/contentSecurityPolicy/report-and-enforce.html:
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html:
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri.html:
+        * http/tests/security/contentSecurityPolicy/report-only-from-header.php:
+        * http/tests/security/contentSecurityPolicy/report-only.html:
+        * http/tests/security/contentSecurityPolicy/report-uri.html:
+        * http/tests/security/contentSecurityPolicy/resources/echo-iframe.pl:
+        * http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl:
+            s/X-WebKit-CSP/Content-Security-Policy/g
+        * http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl:
+        * http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl:
+            Reworking these two scripts in order to support sending both
+            the experimental header and the canonical header, as required.
+        * http/tests/security/contentSecurityPolicy/resources/event-handler.pl:
+        * http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html:
+        * http/tests/security/contentSecurityPolicy/resources/javascript-url.pl:
+        * http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html:
+            s/X-WebKit-CSP/Content-Security-Policy/g
+        * http/tests/security/contentSecurityPolicy/resources/multiple-iframe-plugin-test.js:
+        (testExperimentalPolicy):
+        (test):
+        (testImpl.iframe.onload):
+        (testImpl):
+        * http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:
+        (testPreescapedPolicy):
+        (testExperimentalPolicy):
+        (test):
+        (testImpl.iframe.onload):
+        (testImpl):
+            Reworking these two "frameworks" in order to support sending both
+            the experimental header and the canonical header, as required.
+        * http/tests/security/contentSecurityPolicy/resources/sandbox.php:
+        * http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php:
+        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html:
+        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html:
+        * http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html:
+        * http/tests/security/contentSecurityPolicy/sandbox-empty.html:
+        * http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html:
+        * http/tests/security/contentSecurityPolicy/shared-worker-connect-src-allowed.html:
+        * http/tests/security/contentSecurityPolicy/shared-worker-connect-src-blocked.html:
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html:
+        * http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src.html:
+        * http/tests/security/contentSecurityPolicy/style-allowed.html:
+        * http/tests/security/contentSecurityPolicy/style-blocked.html:
+        * http/tests/security/contentSecurityPolicy/worker-connect-src-allowed.html:
+        * http/tests/security/contentSecurityPolicy/worker-connect-src-blocked.html:
+        * http/tests/security/contentSecurityPolicy/worker-eval-blocked.html:
+        * http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html:
+        * http/tests/security/contentSecurityPolicy/worker-script-src.html:
+        * http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html:
+        * http/tests/security/contentSecurityPolicy/xsl-allowed.php:
+        * http/tests/security/contentSecurityPolicy/xsl-blocked.php:
+        * http/tests/security/contentSecurityPolicy/xsl-img-blocked.php:
+        * http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php:
+        * http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php:
+            s/X-WebKit-CSP/Content-Security-Policy/g
+
 2012-10-31  Otto Derek Cheung  <otcheung@rim.com>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html

@@ -16 +16 @@
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
     <p>
         This tests our handling of invalid `plugin-types` CSP directives.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html

@@ -12 +12 @@
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
     <p>
         This tests our handling of `data:` URLs, given a `plugin-types` CSP

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html

@@ -11 +11 @@
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
     <p>
         This tests our handling of non-`data:` URLs, given a `plugin-types` CSP

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html

@@ -12 +12 @@
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
   <p>
       None of these scripts should execute, as all the nonces are invalid.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html

@@ -12 +12 @@
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
   <p>
     None of these scripts should execute even though there are parse errors in the policy.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html

@@ -11 +11 @@
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
   <p>
       All of these scripts should execute, as all the nonces are valid.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html

@@ -2 +2 @@
 <html>
     <head>
-        <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'self'">
+        <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'">
     </head>
     <body>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'">
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
+<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://localhost:8000">
+<meta http-equiv="Content-Security-Policy" content="connect-src http://localhost:8000">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src ws://127.0.0.1:8880">
+<meta http-equiv="Content-Security-Policy" content="connect-src ws://127.0.0.1:8880">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src ws://127.0.0.1:8880">
+<meta http-equiv="Content-Security-Policy" content="connect-src ws://127.0.0.1:8880">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
+<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
+<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="default-src 'self' about: 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="default-src 'self' about: 'unsafe-inline'">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="default-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/duplicate-directive.html

@@ -2 +2 @@
 <html>
     <head>
-        <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'; script-src 'none'">
+        <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'; script-src 'none'">
         <script>
         if (window.testRunner) {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'unsafe-eval'">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html

@@ -3 +3 @@
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
 <iframe src="about:blank"></iframe>
 Eval should be blocked in the iframe, but inline script should be allowed.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'unsafe-eval'">
 </head>
 <pre>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
 </head>
 <pre>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'unsafe-eval'">
 </head>
 <pre>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
 </head>
 <pre>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html

@@ -2 +2 @@
 <html>
     <head>
-        <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'self'">
+        <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'">
     </head>
     <body>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html

@@ -3 +3 @@
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="frame-src 'none'; object-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'; object-src 'none'">
 These frames should not be blocked by Content-Security-Policy.  It's pointless
 to block about:blank iframes because blocking a frame just results in

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-scheme.html

@@ -3 +3 @@
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="frame-src about:">
+<meta http-equiv="Content-Security-Policy" content="frame-src about:">
 This iframe should not be blocked by Content-Security-Policy:
 <iframe src="about:blank"></iframe>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-allowed.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP" content="frame-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="frame-src 'self'">
 <script src="resources/dump-as-text.js"></script>
 <iframe src="resources/alert-pass.html"></iframe>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP" content="frame-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
 <script src="resources/dump-as-text.js"></script>
 <iframe src="resources/alert-fail.html"></iframe>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/function-constructor-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'unsafe-eval'">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/function-constructor-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
 <script src="resources/dump-as-text.js"></script>
 <iframe src="resources/sandboxed-eval.php"></iframe>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src *; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="img-src *; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src 'none'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-full-host-wildcard-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src *.127.0.0.1:8000; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="img-src *.127.0.0.1:8000; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-host-wildcard-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src *.0.1:8000; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="img-src *.0.1:8000; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:* 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:* 'unsafe-inline'">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:*">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:*">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:* 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:* 'unsafe-inline'">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:*; options goofy">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:*; options goofy">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:*; options goofy">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:*; options goofy">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:*">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:*">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'unsafe-inline'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'unsafe-inline'">
 <style>
 .target {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'unsafe-inline'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html

@@ -2 +2 @@
 <html style="background-color: blue;">
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'unsafe-inline'">
 <style>
 .target {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-allowed.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP" content="media-src http://127.0.0.1:8000">
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000">
 <video></video>
 <script src=../../../media-resources/media-file.js></script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/media-src-blocked.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP" content="media-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="media-src 'none'">
 <video></video>
 <script src=../../../media-resources/media-file.js></script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html

@@ -6 +6 @@
   testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="object-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="object-src 'self'">
 </head>
 <body>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html

@@ -6 +6 @@
   testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="object-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
 </head>
 <body>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-allowed.html

@@ -6 +6 @@
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="object-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="object-src 'self'">
 </head>
 <body>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked.html

@@ -6 +6 @@
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="object-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
 </head>
 <body>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/policy-does-not-affect-child.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
 <script src="resources/dump-as-text.js"></script>
 <iframe src="resources/alert-pass.html"></iframe>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src https:; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="img-src https:; script-src 'unsafe-inline'">
 <script>
     if (window.testRunner) {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP" content="img-src 'none'">
-<meta http-equiv="X-WebKit-CSP-Report-Only" content="script-src 'self'; report-uri resources/save-report.php">
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'self'; report-uri resources/save-report.php">
 <script>
 // This script block will trigger a violation report but shouldn't be blocked.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP-Report-Only" content="img-src 'none'; report-uri resources/save-report.php">
+<meta http-equiv="Content-Security-Policy-Report-Only" content="img-src 'none'; report-uri resources/save-report.php">
 The origin of this image should show up in the violation report.
 <img src="http://localhost:8080/security/resources/abe.png">

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP-Report-Only" content="img-src 'none'; report-uri resources/save-report.php">
+<meta http-equiv="Content-Security-Policy-Report-Only" content="img-src 'none'; report-uri resources/save-report.php">
 The URI of this image should show up in the violation report.
 <img src="../resources/abe.png#the-fragment-should-not-be-in-report">

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header.php

@@ -1 +1 @@
 <?php
-header("X-WebKit-CSP-Report-Only: script-src 'self'; report-uri resources/save-report.php");
+header("Content-Security-Policy-Report-Only: script-src 'self'; report-uri resources/save-report.php");
 ?>
 <script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP-Report-Only" content="script-src 'self'; report-uri resources/save-report.php">
+<meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'self'; report-uri resources/save-report.php">
 <script>
 // This script block will trigger a violation report but shouldn't be blocked.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'; report-uri resources/save-report.php">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri resources/save-report.php">
 <script>
 // This script block will trigger a violation report.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-iframe.pl

@@ -6 +6 @@
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+print "Content-Security-Policy: ".$cgi->param('csp')."\n\n";
 
 print "<!DOCTYPE html>\n";

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl

@@ -6 +6 @@
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp1')."\n";
-print "X-WebKit-CSP: ".$cgi->param('csp2')."\n\n";
+print "Content-Security-Policy: ".$cgi->param('csp1')."\n";
+print "Content-Security-Policy: ".$cgi->param('csp2')."\n\n";
 
 my ($text, $replacement) = ("FAIL", "PASS");

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl

@@ -6 +6 @@
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+if ($cgi->param('experimental') eq 'true') {
+    print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+} else {
+    print "Content-Security-Policy: ".$cgi->param('csp')."\n\n";
+}
 
 print "<!DOCTYPE html>\n";

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl

@@ -6 +6 @@
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+if ($cgi->param('experimental') eq 'true') {
+    print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+} else {
+    print "Content-Security-Policy: ".$cgi->param('csp')."\n\n";
+}
 
 my ($text, $replacement) = ("FAIL", "PASS");

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/event-handler.pl

@@ -6 +6 @@
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+print "Content-Security-Policy: ".$cgi->param('csp')."\n\n";
 
 my ($text, $replacement) = ("FAIL", "PASS");

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'; report-uri save-report.php">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri save-report.php">
 <script>
 // This script block will trigger a violation report.

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/javascript-url.pl

@@ -6 +6 @@
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+print "Content-Security-Policy: ".$cgi->param('csp')."\n\n";
 
 my $text = "PASS";

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html

@@ -1 @@
-<meta http-equiv="X-WebKit-CSP" content="default-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
 This page includes an insecure script that alerts "FAIL", but that script is blocked by CSP.
 <script src="http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js"></script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-plugin-test.js

@@ -5 +5 @@
 }
 
+function testExperimentalPolicy() {
+    testImpl(true);
+}
+
 function test() {
+    testImpl(false);
+}
+
+function testImpl(experimental) {
     if (tests.length === 0)
         return finishTesting();
-    var baseURL = "http://127.0.0.1:8000/security/contentSecurityPolicy/";
+    var baseURL = "/security/contentSecurityPolicy/";
     var current = tests.shift();
     var iframe = document.createElement("iframe");
     iframe.src = baseURL + "resources/echo-object-data.pl?" +
+                 "experimental=" + (experimental ? "true" : "false") +
                  "&csp=" + escape(current[1]);
 
@@ -30 +39 @@
         iframe.src += "&type=application/x-webkit-test-netscape";
 
-    iframe.onload = test;
+    iframe.onload = function() { testImpl(experimental); };
     document.body.appendChild(iframe);
 }

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js

@@ -6 +6 @@
 
 function testPreescapedPolicy() {
-    testImpl(true);
+    testImpl(false, true);
+}
+
+function testExperimentalPolicy() {
+    testImpl(true, false);
 }
 
 function test() {
-    testImpl(false);
+    testImpl(false, false);
 }
 
-function testImpl(preescapedPolicy) {
+function testImpl(experimental, preescapedPolicy) {
     if (tests.length === 0)
         return finishTesting();
 
-    var baseURL = "http://127.0.0.1:8000/security/contentSecurityPolicy/";
+    var baseURL = "/security/contentSecurityPolicy/";
     var current = tests.shift();
     var iframe = document.createElement("iframe");
@@ -30 +34 @@
 
     iframe.src = baseURL + "resources/echo-script-src.pl?" +
-                 "should_run=" + encodeURIComponent(current[0]) +
+                 "experimental=" + (experimental ? "true" : "false") +
+                 "&should_run=" + encodeURIComponent(current[0]) +
                  "&csp=" + policy + "&q=" + scriptToLoad;
     if (current[3])
       iframe.src += "&nonce=" + encodeURIComponent(current[3]);
 
-    iframe.onload = test;
+    iframe.onload = function() { testImpl(experimental, preescapedPolicy); };
     document.body.appendChild(iframe);
 }

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandbox.php

@@ -1 +1 @@
 <?php
-header("X-WebKit-CSP: sandbox " . $_GET["sandbox"]);
+header("Content-Security-Policy: sandbox " . $_GET["sandbox"]);
 ?>
 <!DOCTYPE html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php

@@ -1 +1 @@
 <?php
-header("X-WebKit-CSP: sandbox allow-scripts");
+header("Content-Security-Policy: sandbox allow-scripts");
 ?>
 <script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html

@@ -3 +3 @@
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="sandbox allow-scripts">
+<meta http-equiv="Content-Security-Policy" content="sandbox allow-scripts">
 This test passes if it does alert pass.
 <iframe src="data:text/html,<script>alert('PASS');</script>"></iframe>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html

@@ -3 +3 @@
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="sandbox allow-scripts">
+<meta http-equiv="Content-Security-Policy" content="sandbox allow-scripts">
 This test passes if it does alert pass.
 <script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html

@@ -3 +3 @@
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="sandbox">
+<meta http-equiv="Content-Security-Policy" content="sandbox">
 This test passes if it doesn't alert fail.
 <iframe src="data:text/html,<script>alert('FAIL');</script>"></iframe>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty.html

@@ -3 +3 @@
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="sandbox">
+<meta http-equiv="Content-Security-Policy" content="sandbox">
 This test passes if it doesn't alert fail.
 <script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="default-src about:; script-src 'self' 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="default-src about:; script-src 'self' 'unsafe-inline'">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000"/>
+<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000"/>
 <script>
 if (window.testRunner) {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src 'none'"/>
+<meta http-equiv="Content-Security-Policy" content="connect-src 'none'"/>
 <script>
 if (window.testRunner) {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://localhost:8000"<script>
+<meta http-equiv="Content-Security-Policy" content="connect-src http://localhost:8000"<script>
 <script>
 if (window.testRunner)

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
 <script src="resources/dump-as-text.js"></script>
 </head>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src *; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src *; script-src 'unsafe-inline'">
 <link rel="stylesheet" href="resources/blue.css">
 <script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'unsafe-inline'">
 <link rel="stylesheet" href="resources/blue.css">
 <script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-allowed.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000"/>
+<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000"/>
 <script>
 if (window.testRunner) {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src 'none'"/>
+<meta http-equiv="Content-Security-Policy" content="connect-src 'none'"/>
 <script>
 if (window.testRunner) {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-eval-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self' 'unsafe-inline'"/>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"/>
 <script>
 if (window.testRunner) {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self' 'unsafe-inline'"/>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"/>
 <script>
 if (window.testRunner) {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'"/>
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'"/>
 <script>
 if (window.testRunner) {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self' 'unsafe-inline'"/>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"/>
 <script>
 if (window.testRunner) {

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php

@@ -1 +1 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: script-src * 'unsafe-inline'");
+header("Content-Security-Policy: script-src * 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php

@@ -1 +1 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: script-src 'unsafe-inline'");
+header("Content-Security-Policy: script-src 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-img-blocked.php

@@ -1 +1 @@
 <?php
 header("Content-Type: text/xml");
-header("X-WebKit-CSP: img-src 'none'");
+header("Content-Security-Policy: img-src 'none'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php

@@ -1 +1 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: style-src *; script-src 'unsafe-inline'");
+header("Content-Security-Policy: style-src *; script-src 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php

@@ -1 +1 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: style-src 'none'; script-src * 'unsafe-inline'");
+header("Content-Security-Policy: style-src 'none'; script-src * 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-10-31  Mike West  <mkwst@chromium.org>
+
+        Implement the canonical "Content-Security-Policy" header.
+        https://bugs.webkit.org/show_bug.cgi?id=96765
+
+        Reviewed by Adam Barth.
+
+        The CSP 1.0 specification defines the "Content-Security-Policy" header
+        as the canonical mechanism of defining a resource's security policy. Up
+        through this patch, we've implemented the functionality behind a prefix
+        in order to ensure compatibility with the standard once it's released as
+        a recommendation. Both the specification and WebKit's implementation are
+        far enough along in that process that it makes sense to support the
+        unprefixed header for sites that wish to opt-in to CSP 1.0.
+
+        As discussed on public-webappsec[1], we'll keep the experimental 1.1
+        features behind the prefixed header ('X-WebKit-CSP') until that standard
+        is far enough along to justify moving them out to the canonical header.
+
+        This patch defines the 'Content-Security-Policy' header for all ports,
+        just as the 'X-WebKit-CSP' header is currently supported on all ports.
+        Ports that have not opted-in to the CSP_NEXT flag will see exactly the
+        same behavior with both headers. Ports that have opted-in will see much
+        of CSP 1.1's current definition on the prefixed header, and CSP 1.0 on
+        the canonical header.
+
+        The functionality in this change is covered by the changes made to
+        existing tests. No expectations changed, only the headers that are sent.
+
+        * dom/Document.cpp:
+        (WebCore::Document::processHttpEquiv):
+            Add canonical header support to 'meta' element definitions.
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::didBeginDocument):
+            Add canonical header support to FrameLoader.
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirectiveList::headerType):
+            The ContentSecurityPolicy::HeaderType enum now has four values:
+            prefixed/report-only, unprefixed/report-only, prefixed/enforce, and
+            unprefixed/enforce. Instead of creating logic to output the proper
+            type based on internal flags, CSPDirectiveList now saves the value
+            provided at creation time, and returns it via this method.
+        (CSPDirectiveList):
+        (WebCore::CSPDirectiveList::CSPDirectiveList):
+            The constructor now accepts a type, which is stored on the object.
+            It also stores a new internal variable, 'm_experimental', which
+            defines whether or not experimental features ought to be available.
+            These features are still locked behind the CSP_NEXT flag, but that
+            might not be the case forever.
+        (WebCore::CSPDirectiveList::create):
+            The static constructor wrapper now passes the type into the real
+            constructor, which also now handles setting its internal variables.
+        (WebCore::CSPDirectiveList::parse):
+            'parse()' is given the header, so it makes sense to store it here as
+            well, rather than in the create wrapper.
+        (WebCore::CSPDirectiveList::addDirective):
+            1.1 directives remain locked behind CSP_NEXT, but now also require
+            that 'm_experimental' is set, signaling usage of the prefixed header
+            and an implicit opt-in to 1.1.
+        * page/ContentSecurityPolicy.h:
+            Added two new types to the HeaderTypes enum: PrefixedReportOnly, and
+            PrefixedEnforcePolicy. These map to 'X-WebKitCSP-Report-Only' and
+            'X-WebKit-CSP', respectively.
+
 2012-10-31  Roger Fong  <roger_fong@apple.com>
 

trunk/Source/WebCore/dom/Document.cpp

@@ -2967 +2967 @@
             }
         }
-    } else if (equalIgnoringCase(equiv, "x-webkit-csp"))
-        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::EnforcePolicy);
+    } else if (equalIgnoringCase(equiv, "content-security-policy"))
+        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::EnforceStableDirectives);
+    else if (equalIgnoringCase(equiv, "content-security-policy-report-only"))
+        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::ReportStableDirectives);
+    else if (equalIgnoringCase(equiv, "x-webkit-csp"))
+        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::EnforceAllDirectives);
     else if (equalIgnoringCase(equiv, "x-webkit-csp-report-only"))
-        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::ReportOnly);
+        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::ReportAllDirectives);
 }
 

trunk/Source/WebCore/loader/FrameLoader.cpp

@@ -661 +661 @@
             m_frame->document()->parseDNSPrefetchControlHeader(dnsPrefetchControl);
 
-        String contentSecurityPolicy = m_documentLoader->response().httpHeaderField("X-WebKit-CSP");
-        if (!contentSecurityPolicy.isEmpty())
-            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(contentSecurityPolicy, ContentSecurityPolicy::EnforcePolicy);
-
-        String reportOnlyContentSecurityPolicy = m_documentLoader->response().httpHeaderField("X-WebKit-CSP-Report-Only");
-        if (!reportOnlyContentSecurityPolicy.isEmpty())
-            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(reportOnlyContentSecurityPolicy, ContentSecurityPolicy::ReportOnly);
+        String policyValue = m_documentLoader->response().httpHeaderField("Content-Security-Policy");
+        if (!policyValue.isEmpty())
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::EnforceStableDirectives);
+
+        policyValue = m_documentLoader->response().httpHeaderField("Content-Security-Policy-Report-Only");
+        if (!policyValue.isEmpty())
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::ReportStableDirectives);
+
+        policyValue = m_documentLoader->response().httpHeaderField("X-WebKit-CSP");
+        if (!policyValue.isEmpty())
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::EnforceAllDirectives);
+
+        policyValue = m_documentLoader->response().httpHeaderField("X-WebKit-CSP-Report-Only");
+        if (!policyValue.isEmpty())
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::ReportAllDirectives);
 
         String headerContentLanguage = m_documentLoader->response().httpHeaderField("Content-Language");

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -773 +773 @@
 
     const String& header() const { return m_header; }
-    ContentSecurityPolicy::HeaderType headerType() const { return m_reportOnly ? ContentSecurityPolicy::ReportOnly : ContentSecurityPolicy::EnforcePolicy; }
+    ContentSecurityPolicy::HeaderType headerType() const { return m_headerType; }
 
     bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
@@ -797 +797 @@
 
 private:
-    explicit CSPDirectiveList(ContentSecurityPolicy*);
+    CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType);
 
     void parse(const String&);
@@ -834 +834 @@
 
     String m_header;
-
+    ContentSecurityPolicy::HeaderType m_headerType;
+
+    bool m_experimental;
     bool m_reportOnly;
     bool m_haveSandboxPolicy;
@@ -856 +858 @@
 };
 
-CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy)
+CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurityPolicy::HeaderType type)
     : m_policy(policy)
+    , m_headerType(type)
+    , m_experimental(false)
     , m_reportOnly(false)
     , m_haveSandboxPolicy(false)
 {
+    m_reportOnly = (type == ContentSecurityPolicy::ReportStableDirectives || type == ContentSecurityPolicy::ReportAllDirectives);
+    m_experimental = (type == ContentSecurityPolicy::ReportAllDirectives || type == ContentSecurityPolicy::EnforceAllDirectives);
 }
 
 PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* policy, const String& header, ContentSecurityPolicy::HeaderType type)
 {
-    OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy));
+    OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy, type));
     directives->parse(header);
-    directives->m_header = header;
-
-    switch (type) {
-    case ContentSecurityPolicy::ReportOnly:
-        directives->m_reportOnly = true;
-        return directives.release();
-    case ContentSecurityPolicy::EnforcePolicy:
-        ASSERT(!directives->m_reportOnly);
-        break;
-    }
 
     if (!directives->checkEval(directives->operativeDirective(directives->m_scriptSrc.get()))) {
@@ -1152 +1148 @@
 void CSPDirectiveList::parse(const String& policy)
 {
+    m_header = policy;
     if (policy.isEmpty())
         return;
@@ -1298 +1295 @@
         parseReportURI(name, value);
 #if ENABLE(CSP_NEXT)
-    else if (equalIgnoringCase(name, formAction))
-        setCSPDirective<SourceListDirective>(name, value, m_formAction);
-    else if (equalIgnoringCase(name, pluginTypes))
-        setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
-    else if (equalIgnoringCase(name, scriptNonce))
-        setCSPDirective<NonceDirective>(name, value, m_scriptNonce);
+    else if (m_experimental) {
+        if (equalIgnoringCase(name, formAction))
+            setCSPDirective<SourceListDirective>(name, value, m_formAction);
+        else if (equalIgnoringCase(name, pluginTypes))
+            setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
+        else if (equalIgnoringCase(name, scriptNonce))
+            setCSPDirective<NonceDirective>(name, value, m_scriptNonce);
+    }
 #endif
     else
@@ -1369 +1368 @@
 ContentSecurityPolicy::HeaderType ContentSecurityPolicy::deprecatedHeaderType() const
 {
-    return m_policies.isEmpty() ? EnforcePolicy : m_policies[0]->headerType();
+    return m_policies.isEmpty() ? EnforceStableDirectives : m_policies[0]->headerType();
 }
 

trunk/Source/WebCore/page/ContentSecurityPolicy.h

@@ -61 +61 @@
 
     enum HeaderType {
-        ReportOnly,
-        EnforcePolicy
+        ReportStableDirectives,
+        EnforceStableDirectives,
+        ReportAllDirectives,
+        EnforceAllDirectives
     };
 

trunk/Source/WebKit/chromium/public/WebContentSecurityPolicy.h

@@ -35 +35 @@
 
 enum WebContentSecurityPolicyType {
-    WebContentSecurityPolicyTypeReportOnly,
-    WebContentSecurityPolicyTypeEnforcePolicy
+    WebContentSecurityPolicyTypeReportStableDirectives,
+    WebContentSecurityPolicyTypeEnforceStableDirectives,
+    WebContentSecurityPolicyTypeReportAllDirectives,
+    WebContentSecurityPolicyTypeEnforceAllDirectives,
 };
 

trunk/Source/WebKit/chromium/src/AssertMatchingEnums.cpp

@@ -621 +621 @@
 COMPILE_ASSERT_MATCHING_ENUM(WebReferrerPolicyOrigin, ReferrerPolicyOrigin);
 
-COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeReportOnly, ContentSecurityPolicy::ReportOnly);
-COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeEnforcePolicy, ContentSecurityPolicy::EnforcePolicy);
+COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeReportStableDirectives, ContentSecurityPolicy::ReportStableDirectives);
+COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeEnforceStableDirectives, ContentSecurityPolicy::EnforceStableDirectives);
+COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeReportAllDirectives, ContentSecurityPolicy::ReportAllDirectives);
+COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeEnforceAllDirectives, ContentSecurityPolicy::EnforceAllDirectives);
 
 COMPILE_ASSERT_MATCHING_ENUM(WebURLResponse::Unknown, ResourceResponse::Unknown);