Changeset 171150 in webkit

Timestamp:

Jul 16, 2014 1:31:06 PM (10 years ago)

Author:

mkwst@chromium.org

Message:

CSP: Drop 'script-nonce' directive.
​https://bugs.webkit.org/show_bug.cgi?id=134926

Reviewed by Darin Adler.

Source/WebCore:
This patch drops the outdated 'script-nonce' Content Security
Policy directive. It was removed from the spec, and replaced in
CSP2 with a new 'script-src' syntax. We should implement that
instead.

Until then, removing the outdated syntax will ensure that no one
ends up relying on it in WebKit's implementation.

This should have limited web-visible impact, as the feature is
behind the CSP_NEXT flag, which is not enabled by default.

• dom/ScriptElement.cpp:

(WebCore::ScriptElement::requestScript):
(WebCore::ScriptElement::executeScript):

• page/ContentSecurityPolicy.cpp:

(WebCore::CSPDirectiveList::allowJavaScriptURLs):
(WebCore::CSPDirectiveList::allowInlineEventHandlers):
(WebCore::CSPDirectiveList::addDirective):
(WebCore::NonceDirective::NonceDirective): Deleted.
(WebCore::NonceDirective::allows): Deleted.
(WebCore::NonceDirective::parse): Deleted.
(WebCore::CSPDirectiveList::checkNonce): Deleted.
(WebCore::CSPDirectiveList::checkNonceAndReportViolation): Deleted.
(WebCore::CSPDirectiveList::allowScriptNonce): Deleted.
(WebCore::isAllowedByAllWithNonce): Deleted.
(WebCore::ContentSecurityPolicy::allowScriptNonce): Deleted.
(WebCore::ContentSecurityPolicy::reportInvalidNonce): Deleted.

• page/ContentSecurityPolicy.h:

LayoutTests:
Dropping the nonce tests, as we're removing the functionality.

• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt: Removed.
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html: Removed.
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt: Removed.
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html: Removed.
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt: Removed.
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html: Removed.
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt: Removed.
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html: Removed.
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Removed.
• http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Removed.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt (deleted)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html (deleted)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt (deleted)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html (deleted)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt (deleted)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html (deleted)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt (deleted)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html (deleted)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt (deleted)
• LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html (deleted)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/ScriptElement.cpp (modified) (2 diffs)
• Source/WebCore/page/ContentSecurityPolicy.cpp (modified) (18 diffs)
• Source/WebCore/page/ContentSecurityPolicy.h (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-07-16  Mike West  <mkwst@chromium.org>
+
+        CSP: Drop 'script-nonce' directive.
+        https://bugs.webkit.org/show_bug.cgi?id=134926
+
+        Reviewed by Darin Adler.
+
+        Dropping the nonce tests, as we're removing the functionality.
+
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-allowed.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html: Removed.
+
 2014-07-16  Jer Noble  <jer.noble@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2014-07-16  Mike West  <mkwst@chromium.org>
+
+        CSP: Drop 'script-nonce' directive.
+        https://bugs.webkit.org/show_bug.cgi?id=134926
+
+        Reviewed by Darin Adler.
+
+        This patch drops the outdated 'script-nonce' Content Security
+        Policy directive. It was removed from the spec, and replaced in
+        CSP2 with a new 'script-src' syntax. We should implement that
+        instead.
+
+        Until then, removing the outdated syntax will ensure that no one
+        ends up relying on it in WebKit's implementation.
+
+        This should have limited web-visible impact, as the feature is
+        behind the CSP_NEXT flag, which is not enabled by default.
+
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::requestScript):
+        (WebCore::ScriptElement::executeScript):
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirectiveList::allowJavaScriptURLs):
+        (WebCore::CSPDirectiveList::allowInlineEventHandlers):
+        (WebCore::CSPDirectiveList::addDirective):
+        (WebCore::NonceDirective::NonceDirective): Deleted.
+        (WebCore::NonceDirective::allows): Deleted.
+        (WebCore::NonceDirective::parse): Deleted.
+        (WebCore::CSPDirectiveList::checkNonce): Deleted.
+        (WebCore::CSPDirectiveList::checkNonceAndReportViolation): Deleted.
+        (WebCore::CSPDirectiveList::allowScriptNonce): Deleted.
+        (WebCore::isAllowedByAllWithNonce): Deleted.
+        (WebCore::ContentSecurityPolicy::allowScriptNonce): Deleted.
+        (WebCore::ContentSecurityPolicy::reportInvalidNonce): Deleted.
+        * page/ContentSecurityPolicy.h:
+
 2014-07-16  Jer Noble  <jer.noble@apple.com>
 

trunk/Source/WebCore/dom/ScriptElement.cpp

@@ -248 +248 @@
     if (!m_element.inDocument() || &m_element.document() != &originalDocument.get())
         return false;
-    if (!m_element.document().contentSecurityPolicy()->allowScriptNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.document().url(), m_startLineNumber, m_element.document().completeURL(sourceUrl)))
-        return false;
 
     ASSERT(!m_cachedScript);
@@ -283 +281 @@
         return;
 
-    if (!m_element.document().contentSecurityPolicy()->allowScriptNonce(m_element.fastGetAttribute(HTMLNames::nonceAttr), m_element.document().url(), m_startLineNumber))
-        return;
-
     if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber))
         return;

trunk/Source/WebCore/page/ContentSecurityPolicy.cpp

@@ -68 +68 @@
 }
 
-bool isNonceCharacter(UChar c)
-{
-    return (c >= 0x21 && c <= 0x7e) && c != ',' && c != ';'; // VCHAR - ',' - ';'
-}
-
 bool isSourceCharacter(UChar c)
 {
@@ -125 +120 @@
 static const char formAction[] = "form-action";
 static const char pluginTypes[] = "plugin-types";
-static const char scriptNonce[] = "script-nonce";
 #if ENABLE(CSP_NEXT)
 static const char reflectedXSS[] = "reflected-xss";
@@ -147 +141 @@
         || equalIgnoringCase(name, formAction)
         || equalIgnoringCase(name, pluginTypes)
-        || equalIgnoringCase(name, scriptNonce)
         || equalIgnoringCase(name, reflectedXSS)
 #endif
@@ -665 +658 @@
 };
 
-class NonceDirective : public CSPDirective {
-public:
-    NonceDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
-        : CSPDirective(name, value, policy)
-    {
-        parse(value);
-    }
-
-    bool allows(const String& nonce) const
-    {
-        return (!m_scriptNonce.isEmpty() && nonce.stripWhiteSpace() == m_scriptNonce);
-    }
-
-private:
-    void parse(const String& value)
-    {
-        String nonce;
-        auto characters = StringView(value).upconvertedCharacters();
-        const UChar* position = characters;
-        const UChar* end = position + value.length();
-
-        skipWhile<isASCIISpace>(position, end);
-        const UChar* nonceBegin = position;
-        if (position == end) {
-            policy()->reportInvalidNonce(String());
-            m_scriptNonce = "";
-            return;
-        }
-        skipWhile<isNonceCharacter>(position, end);
-        if (nonceBegin < position)
-            nonce = String(nonceBegin, position - nonceBegin);
-
-        // Trim off trailing whitespace: If we're not at the end of the string, log
-        // an error.
-        skipWhile<isASCIISpace>(position, end);
-        if (position < end) {
-            policy()->reportInvalidNonce(value);
-            m_scriptNonce = "";
-        } else
-            m_scriptNonce = nonce;
-    }
-
-    String m_scriptNonce;
-};
-
 class MediaListDirective : public CSPDirective {
 public:
@@ -822 +770 @@
     bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
     bool allowEval(JSC::ExecState*, ContentSecurityPolicy::ReportingStatus) const;
-    bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL&) const;
     bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ContentSecurityPolicy::ReportingStatus) const;
 
@@ -847 +794 @@
     bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
     void parseReportURI(const String& name, const String& value);
-    void parseScriptNonce(const String& name, const String& value);
     void parsePluginTypes(const String& name, const String& value);
     void parseReflectedXSS(const String& name, const String& value);
@@ -861 +807 @@
     bool checkEval(SourceListDirective*) const;
     bool checkInline(SourceListDirective*) const;
-    bool checkNonce(NonceDirective*, const String&) const;
     bool checkSource(SourceListDirective*, const URL&) const;
     bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
@@ -869 +814 @@
     bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = 0) const;
     bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const;
-    bool checkNonceAndReportViolation(NonceDirective*, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
 
     bool checkSourceAndReportViolation(SourceListDirective*, const URL&, const String& effectiveDirective) const;
@@ -886 +830 @@
 
     std::unique_ptr<MediaListDirective> m_pluginTypes;
-    std::unique_ptr<NonceDirective> m_scriptNonce;
     std::unique_ptr<SourceListDirective> m_baseURI;
     std::unique_ptr<SourceListDirective> m_connectSrc;
@@ -946 +889 @@
 }
 
-bool CSPDirectiveList::checkNonce(NonceDirective* directive, const String& nonce) const
-{
-    return !directive || directive->allows(nonce);
-}
-
 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const URL& url) const
 {
@@ -985 +923 @@
     }
     return true;
-}
-
-bool CSPDirectiveList::checkNonceAndReportViolation(NonceDirective* directive, const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
-{
-    if (checkNonce(directive, nonce))
-        return true;
-    reportViolation(directive->text(), scriptNonce, consoleMessage + "\"" + directive->text() + "\".\n", URL(), contextURL, contextLine);
-    return denyIfEnforcingPolicy();
 }
 
@@ -1065 +995 @@
 {
     DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute JavaScript URL because it violates the following Content Security Policy directive: ")));
-    if (reportingStatus == ContentSecurityPolicy::SendReport) {
-        return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
-                && checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
-    } else {
-        return (checkInline(operativeDirective(m_scriptSrc.get()))
-                && checkNonce(m_scriptNonce.get(), String()));
-    }
+    return reportingStatus == ContentSecurityPolicy::SendReport ?
+        checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
+        : checkInline(operativeDirective(m_scriptSrc.get()));
 }
 
@@ -1077 +1003 @@
 {
     DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute inline event handler because it violates the following Content Security Policy directive: ")));
-    if (reportingStatus == ContentSecurityPolicy::SendReport) {
-        return (checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
-                && checkNonceAndReportViolation(m_scriptNonce.get(), String(), consoleMessage, contextURL, contextLine));
-    } else {
-        return (checkInline(operativeDirective(m_scriptSrc.get()))
-                && checkNonce(m_scriptNonce.get(), String()));
-    }
+    return reportingStatus == ContentSecurityPolicy::SendReport ?
+        checkInlineAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, contextURL, contextLine, true)
+        : checkInline(operativeDirective(m_scriptSrc.get()));
 }
 
@@ -1108 +1030 @@
         checkEvalAndReportViolation(operativeDirective(m_scriptSrc.get()), consoleMessage, String(), WTF::OrdinalNumber::beforeFirst(), state) :
         checkEval(operativeDirective(m_scriptSrc.get()));
-}
-
-bool CSPDirectiveList::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url) const
-{
-    DEPRECATED_DEFINE_STATIC_LOCAL(String, consoleMessage, (ASCIILiteral("Refused to execute script because it violates the following Content Security Policy directive: ")));
-    if (url.isEmpty())
-        return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, consoleMessage, contextURL, contextLine);
-    return checkNonceAndReportViolation(m_scriptNonce.get(), nonce, "Refused to load '" + url.stringCenterEllipsizedToLength() + "' because it violates the following Content Security Policy directive: ", contextURL, contextLine);
 }
 
@@ -1416 +1330 @@
         else if (equalIgnoringCase(name, pluginTypes))
             setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
-        else if (equalIgnoringCase(name, scriptNonce))
-            setCSPDirective<NonceDirective>(name, value, m_scriptNonce);
         else if (equalIgnoringCase(name, reflectedXSS))
             parseReflectedXSS(name, value);
@@ -1517 +1429 @@
 }
 
-template<bool (CSPDirectiveList::*allowed)(const String&, const String&, const WTF::OrdinalNumber&, const URL&) const>
-bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url)
-{
-    for (size_t i = 0; i < policies.size(); ++i) {
-        if (!(policies[i].get()->*allowed)(nonce, contextURL, contextLine, url))
-            return false;
-    }
-    return true;
-}
-
 template<bool (CSPDirectiveList::*allowFromURL)(const URL&, ContentSecurityPolicy::ReportingStatus) const>
 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
@@ -1574 +1476 @@
     }
     return String();
-}
-
-bool ContentSecurityPolicy::allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& url) const
-{
-    return isAllowedByAllWithNonce<&CSPDirectiveList::allowScriptNonce>(m_policies, nonce, contextURL, contextLine, url);
 }
 
@@ -1846 +1743 @@
 }
 
-void ContentSecurityPolicy::reportInvalidNonce(const String& nonce) const
-{
-    String message = makeString("Ignoring invalid Content Security Policy script nonce: '", nonce, "'.\n");
-    logToConsole(message);
-}
-
 void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiveName, const String& source) const
 {

trunk/Source/WebCore/page/ContentSecurityPolicy.h

@@ -90 +90 @@
     bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, ReportingStatus = SendReport) const;
     bool allowEval(JSC::ExecState* = 0, ReportingStatus = SendReport) const;
-    bool allowScriptNonce(const String& nonce, const String& contextURL, const WTF::OrdinalNumber& contextLine, const URL& = URL()) const;
     bool allowPluginType(const String& type, const String& typeAttribute, const URL&, ReportingStatus = SendReport) const;
 
@@ -115 +114 @@
     void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
     void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
-    void reportInvalidNonce(const String&) const;
     void reportInvalidPluginTypes(const String&) const;
     void reportInvalidSandboxFlags(const String&) const;