Changeset 146758 in webkit

Timestamp:

Mar 25, 2013 5:20:23 AM (11 years ago)

Author:

mkwst@chromium.org

Message:

CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports.
​https://bugs.webkit.org/show_bug.cgi?id=113039

Reviewed by Jochen Eisinger.

Source/WebCore:

I'd originally assumed that we didn't need to be quite so careful when
handing URLs to JavaScript via SecurityPolicyViolationEvents. This was
a mistake. Cross-origin URLs aren't accessible to JavaScript currently
and there's no reason that we should begin exposing them via an event.

This patch extracts the stripping logic from the existing reports into
stripURLForUseInReport(), and uses that new method when populating the
event and report objects.

Relatedly, we were doing the wrong thing with 'file:' URLs, which this
patch made clear. Now they're treated the same as 'data:' et al.

Spec: ​https://dvcs.w3.org/hg/content-security-policy/rev/45f6ccaba0ef

Tests: http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html

http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html
http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html
http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html

• page/ContentSecurityPolicy.cpp:

(WebCore::stripURLForUseInReport):

Extract the logic from blockedURI out into a reusable method:
cross-origin URLs are stripped down to the ASCII serialization of
their origin, and non-heirarchical (and 'file:') URLs are stripped
down to the ASCII serialization of their protocol.

(WebCore::gatherSecurityPolicyViolationEventData):
(WebCore::ContentSecurityPolicy::reportViolation):

Use ::stripURLForUseInReport for blockedURL and sourceFile
attributes in these two methods.

LayoutTests:

• http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt.
• http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt.
• http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html: Added.
• http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html: Added.
• http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt:
• http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt.
• http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html: Added.
• http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html:
• http/tests/security/contentSecurityPolicy/resources/securitypolicyviolation-test.js: Added.

Updating tests to cover cross-origin scenarios: load cross-origin
images, and cross-origin scripts that inject images. The former
should strip the image URL down to the origin, the latter the
script URL.

• http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html: Added.
• platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added.
• platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added.

This patch changes the behavior of 'file:' URLs to behave similarly
to 'data:'/'blob:', etc. We weren't previously testing this, now we
are. We need platform-specific results for Chromium and GTK, since
those ports have enabled CSP_NEXT, which adds a field to the report.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt) (2 diffs)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt (modified) (2 diffs)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt (copied) (copied from trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt) (2 diffs)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/securitypolicyviolation-test.js (added)
• LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (added)
• LayoutTests/platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (5 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-03-25  Mike West  <mkwst@chromium.org>
+
+        CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports.
+        https://bugs.webkit.org/show_bug.cgi?id=113039
+
+        Reviewed by Jochen Eisinger.
+
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt.
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt.
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt.
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html:
+        * http/tests/security/contentSecurityPolicy/resources/securitypolicyviolation-test.js: Added.
+            Updating tests to cover cross-origin scenarios: load cross-origin
+            images, and cross-origin scripts that inject images. The former
+            should strip the image URL down to the origin, the latter the
+            script URL.
+        * http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html: Added.
+        * platform/chromium/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added.
+        * platform/gtk/http/tests/security/contentSecurityPolicy/report-blocked-file-uri-expected.txt: Added.
+            This patch changes the behavior of 'file:' URLs to behave similarly
+            to 'data:'/'blob:', etc. We weren't previously testing this, now we
+            are. We need platform-specific results for Chromium and GTK, since
+            those ports have enabled CSP_NEXT, which adds a field to the report.
+
 2013-03-25  Zoltan Arvai  <zarvai@inf.u-szeged.hu>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
+CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
 
-Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
+Check that a SecurityPolicyViolationEvent strips detail from cross-origin blocked URLs.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 
 
-PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
+Kicking off the tests:
+PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html"
 PASS window.e.referrer is ""
-PASS window.e.blockedURI is "http://127.0.0.1:8000/security/resources/abe.png"
+PASS window.e.blockedURI is "http://localhost:8000"
 PASS window.e.violatedDirective is "img-src 'none'"
 PASS window.e.effectiveDirective is "img-src"
 PASS window.e.originalPolicy is "img-src 'none'"
-PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
-PASS window.e.lineNumber is 30
+PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html"
+PASS window.e.lineNumber is 23
 PASS successfullyParsed is true
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
 
-Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
+Check that a SecurityPolicyViolationEvent strips detail from cross-origin URLs upon blocking an image injected via script.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 
 
-PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
+Kicking off the tests:
+PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html"
 PASS window.e.referrer is ""
 PASS window.e.blockedURI is "http://127.0.0.1:8000/security/resources/abe.png"
@@ -12 +13 @@
 PASS window.e.effectiveDirective is "img-src"
 PASS window.e.originalPolicy is "img-src 'none'"
-PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
-PASS window.e.lineNumber is 30
+PASS window.e.sourceURL is "http://localhost:8000"
+PASS window.e.lineNumber is 3
 PASS successfullyParsed is true
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-expected.txt

@@ -6 +6 @@
 
 
+Kicking off the tests:
 PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
 PASS window.e.referrer is ""
@@ -13 +14 @@
 PASS window.e.originalPolicy is "img-src 'none'"
 PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
-PASS window.e.lineNumber is 30
+PASS window.e.lineNumber is 23
 PASS successfullyParsed is true
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script-expected.txt

@@ -1 +1 @@
 CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
 
-Check that a SecurityPolicyViolationEvent is fired upon blocking an image.
+Check that a SecurityPolicyViolationEvent is fired upon blocking an image injected via script.
 
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 
 
-PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
+Kicking off the tests:
+PASS window.e.documentURI is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html"
 PASS window.e.referrer is ""
 PASS window.e.blockedURI is "http://127.0.0.1:8000/security/resources/abe.png"
@@ -12 +13 @@
 PASS window.e.effectiveDirective is "img-src"
 PASS window.e.originalPolicy is "img-src 'none'"
-PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html"
-PASS window.e.lineNumber is 30
+PASS window.e.sourceURL is "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/inject-image.js"
+PASS window.e.lineNumber is 3
 PASS successfullyParsed is true
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image.html

@@ -4 +4 @@
     <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
     <script src="/js-test-resources/js-test-pre.js"></script>
+    <script src="../resources/securitypolicyviolation-test.js"></script>
     <script>
         description('Check that a SecurityPolicyViolationEvent is fired upon blocking an image.');
 
-        window.jsTestIsAsync = true;
+        var expectations = {
+            'documentURI': document.location.toString(),
+            'referrer': document.referrer,
+            'blockedURI': 'http://127.0.0.1:8000/security/resources/abe.png',
+            'violatedDirective': 'img-src \'none\'',
+            'effectiveDirective': 'img-src',
+            'originalPolicy': 'img-src \'none\'',
+            'sourceURL': document.location.toString(),
+            'lineNumber': 23
+        };
 
-        document.addEventListener('securitypolicyviolation', function handleEvent(e) {
-            var expectations = {
-                'documentURI': document.location.toString(),
-                'referrer': document.referrer,
-                'blockedURI': 'http://127.0.0.1:8000/security/resources/abe.png',
-                'violatedDirective': 'img-src \'none\'',
-                'effectiveDirective': 'img-src',
-                'originalPolicy': 'img-src \'none\'',
-                'sourceURL': document.location.toString(),
-                'lineNumber': 30
-            };
-            window.e = e;
-            for (key in expectations)
-                shouldBe('window.e.' + key, JSON.stringify(expectations[key]));
-            finishJSTest();
-        });
-
-        window.onload = function () {
+        function run() {
             var img = document.createElement('img');
             img.src = '/security/resources/abe.png';
             document.body.appendChild(img);
-        };
+        }
     </script>
     <script src="/js-test-resources/js-test-post.js"></script>

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-03-25  Mike West  <mkwst@chromium.org>
+
+        CSP 1.1: Strip URLs in SecurityPolicyViolationEvents, just as we do for POSTed violation reports.
+        https://bugs.webkit.org/show_bug.cgi?id=113039
+
+        Reviewed by Jochen Eisinger.
+
+        I'd originally assumed that we didn't need to be quite so careful when
+        handing URLs to JavaScript via SecurityPolicyViolationEvents. This was
+        a mistake. Cross-origin URLs aren't accessible to JavaScript currently
+        and there's no reason that we should begin exposing them via an event.
+
+        This patch extracts the stripping logic from the existing reports into
+        stripURLForUseInReport(), and uses that new method when populating the
+        event and report objects.
+
+        Relatedly, we were doing the wrong thing with 'file:' URLs, which this
+        patch made clear. Now they're treated the same as 'data:' et al.
+
+        Spec: https://dvcs.w3.org/hg/content-security-policy/rev/45f6ccaba0ef
+
+        Tests: http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image-from-script.html
+               http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-cross-origin-image.html
+               http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-block-image-from-script.html
+               http/tests/security/contentSecurityPolicy/report-blocked-file-uri.html
+
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::stripURLForUseInReport):
+            Extract the logic from blockedURI out into a reusable method:
+            cross-origin URLs are stripped down to the ASCII serialization of
+            their origin, and non-heirarchical (and 'file:') URLs are stripped
+            down to the ASCII serialization of their protocol.
+        (WebCore::gatherSecurityPolicyViolationEventData):
+        (WebCore::ContentSecurityPolicy::reportViolation):
+            Use ::stripURLForUseInReport for blockedURL and sourceFile
+            attributes in these two methods.
+
 2013-03-25  Eugene Klyuchnikov  <eustas@chromium.org>
 

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -1673 +1673 @@
 }
 
+static String stripURLForUseInReport(Document* document, const KURL& url)
+{
+    if (!url.isValid())
+        return String();
+    if (!url.isHierarchical() || url.protocolIs("file"))
+        return url.protocol();
+    return document->securityOrigin()->canRequest(url) ? url.strippedForUseAsReferrer() : SecurityOrigin::create(url)->toString();
+}
+
 #if ENABLE(CSP_NEXT)
 static void gatherSecurityPolicyViolationEventData(SecurityPolicyViolationEventInit& init, Document* document, const String& directiveText, const String& effectiveDirective, const KURL& blockedURL, const String& header)
@@ -1678 +1687 @@
     init.documentURI = document->url().string();
     init.referrer = document->referrer();
-    init.blockedURI = blockedURL.isValid() ? blockedURL.string() : String();
+    init.blockedURI = stripURLForUseInReport(document, blockedURL);
     init.violatedDirective = directiveText;
     init.effectiveDirective = effectiveDirective;
@@ -1693 +1702 @@
     if (callFrame.lineNumber()) {
         KURL source = KURL(ParsedURLString, callFrame.sourceURL());
-        init.sourceURL = source.string();
+        init.sourceURL = stripURLForUseInReport(document, source);
         init.lineNumber = callFrame.lineNumber();
     }
@@ -1745 +1754 @@
 #endif
     cspReport->setString("original-policy", header);
-    if (blockedURL.isValid())
-        if (blockedURL.isHierarchical())
-            cspReport->setString("blocked-uri", document->securityOrigin()->canRequest(blockedURL) ? blockedURL.strippedForUseAsReferrer() : SecurityOrigin::create(blockedURL)->toString());
-        else
-            cspReport->setString("blocked-uri", blockedURL.protocol());
-    else
-        cspReport->setString("blocked-uri", String());
+    cspReport->setString("blocked-uri", stripURLForUseInReport(document, blockedURL));
 
     RefPtr<ScriptCallStack> stack = createScriptCallStack(2, false);
@@ -1759 +1762 @@
         if (callFrame.lineNumber()) {
             KURL source = KURL(ParsedURLString, callFrame.sourceURL());
-            cspReport->setString("source-file", document->securityOrigin()->canRequest(source) ? source.strippedForUseAsReferrer() : SecurityOrigin::create(source)->toString());
+            cspReport->setString("source-file", stripURLForUseInReport(document, source));
             cspReport->setNumber("line-number", callFrame.lineNumber());
         }