Changeset 195948 in webkit
- Timestamp:
- Jan 31, 2016 7:10:00 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 10 added
- 26 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r195947 r195948 1 2016-01-31 Daniel Bates <dabates@apple.com> 2 3 CSP: Use the served CSP header for dedicated workers 4 https://bugs.webkit.org/show_bug.cgi?id=153157 5 <rdar://problem/24383254> 6 And 7 https://bugs.webkit.org/show_bug.cgi?id=153156 8 <rdar://problem/24383246> 9 10 Reviewed by Brent Fulgham. 11 12 Add new tests to ensure we block eval() in blob-, file-URL workers and block XHR in a file-URL worker. 13 14 * TestExpectations: Remove now passing tests http/tests/security/contentSecurityPolicy/worker-{multiple-csp-headers, without-own-csp}.html 15 and update the associated bug # for tests that fail. 16 * fast/workers/resources/worker-inherits-csp-blocks-eval.js: Added. 17 (catch): 18 * fast/workers/resources/worker-inherits-csp-blocks-xhr.js: Added. 19 (catch): 20 * fast/workers/worker-inherits-csp-blocks-eval-expected.txt: Added. 21 * fast/workers/worker-inherits-csp-blocks-eval.html: Added. 22 * fast/workers/worker-inherits-csp-blocks-xhr-expected.txt: Added. 23 * fast/workers/worker-inherits-csp-blocks-xhr.html: Added. 24 * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt: Added. 25 * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html: Added. 26 * http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt: Updated expected results as 27 the result was incorrect. 28 * http/tests/security/contentSecurityPolicy/worker-without-own-csp-expected.txt: Ditto. 29 30 2016-01-27 Daniel Bates <dabates@apple.com> 31 32 CSP: Use the served CSP header for dedicated workers 33 https://bugs.webkit.org/show_bug.cgi?id=153157 34 And 35 https://bugs.webkit.org/show_bug.cgi?id=153156 36 37 Reviewed by Brent Fulgham. 38 39 Remove some tests that now pass and update the expected results of existing tests. 40 41 * TestExpectations: 42 * http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt: 43 * http/tests/security/contentSecurityPolicy/worker-without-own-csp-expected.txt: 44 1 45 2016-01-31 Hunseop Jeong <hs85.jeong@samsung.com> 2 46 -
trunk/LayoutTests/TestExpectations
r195892 r195948 800 800 webkit.org/b/69359 http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked.html [ Failure ] 801 801 webkit.org/b/69359 http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked.html [ Failure ] 802 webkit.org/b/69359 http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html [ Failure ] 802 803 webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html 803 804 webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ] … … 817 818 webkit.org/b/153154 http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html 818 819 webkit.org/b/153155 http/tests/security/contentSecurityPolicy/style-src-blocked-error-event.html 819 webkit.org/b/153156 http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers.html [ Failure ]820 webkit.org/b/153157 http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html [ Failure ]821 webkit.org/b/153157 http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html [ Failure ]822 webkit.org/b/153157 http/tests/security/contentSecurityPolicy/worker-script-src.html [ Failure ]823 webkit.org/b/153157 http/tests/security/contentSecurityPolicy/worker-without-own-csp.html [ Failure ]824 820 webkit.org/b/153158 http/tests/security/contentSecurityPolicy/blob-urls-match-self.html [ Failure ] 825 821 webkit.org/b/153159 http/tests/security/contentSecurityPolicy/image-document-default-src-none.html [ Failure ] … … 843 839 webkit.org/b/153168 http/tests/security/contentSecurityPolicy/source-list-parsing-07.html [ Failure ] 844 840 webkit.org/b/153170 http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html [ Failure ] 841 webkit.org/b/153562 http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html [ Failure ] 842 webkit.org/b/153562 http/tests/security/contentSecurityPolicy/worker-script-src.html [ Failure ] 845 843 http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ] 846 844 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html # Needs expected file. -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt
r195367 r195948 1 CONSOLE MESSAGE: Refused to connect to 'http://127.0.0.1:8000/xmlhttprequest/resources/get.txt' because it violates the following Content Security Policy directive: "connect-src 'none'". 2 1 3 2 4 PASS Worker can have multiple CSP headers -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-own-csp-expected.txt
r195367 r195948 1 2 1 3 2 PASS Worker should not inherit document's CSP -
trunk/Source/WebCore/CMakeLists.txt
r195764 r195948 2068 2068 2069 2069 page/csp/ContentSecurityPolicy.cpp 2070 page/csp/ContentSecurityPolicyResponseHeaders.cpp 2070 2071 2071 2072 page/scrolling/AxisScrollSnapOffsets.cpp -
trunk/Source/WebCore/ChangeLog
r195946 r195948 1 2016-01-31 Daniel Bates <dabates@apple.com> 2 3 CSP: Use the served CSP header for dedicated workers 4 https://bugs.webkit.org/show_bug.cgi?id=153157 5 <rdar://problem/24383254> 6 And 7 https://bugs.webkit.org/show_bug.cgi?id=153156 8 <rdar://problem/24383246> 9 10 Reviewed by Brent Fulgham. 11 12 Inspired by Blink commit: 13 <https://src.chromium.org/viewvc/blink?revision=194143&view=revision> 14 15 Implement support for respecting Content Security Policy (CSP) HTTP headers included in the 16 HTTP response for a Web Worker's script as per section Workers of the CSP 2.0 spec, 17 <https://w3c.github.io/webappsec-csp/2/#processing-model-workers> (29 August 2015). 18 19 Currently a Web Worker always inherits the CSP of its owner document. Instead a web worker 20 will inherit the CSP of its owner document only if its script is incapable of defining a 21 content security policy (i.e. its origin is a globally unique identifier). Otherwise, the 22 CSP HTTP headers delivered with the script will be used to define the CSP for the worker. 23 24 Tests: fast/workers/worker-inherits-csp-blocks-eval.html 25 fast/workers/worker-inherits-csp-blocks-xhr.html 26 http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html 27 28 * CMakeLists.txt: Add file ContentSecurityPolicyResponseHeaders.cpp. 29 * WebCore.vcxproj/WebCore.vcxproj: Add files ContentSecurityPolicyResponseHeaders.{cpp, h}. 30 * WebCore.vcxproj/WebCore.vcxproj.filters: Ditto. 31 * WebCore.xcodeproj/project.pbxproj: Ditto. 32 * dom/Document.cpp: 33 (WebCore::Document::processHttpEquiv): Update code to use enum class ContentSecurityPolicyHeaderType. 34 * loader/FrameLoader.cpp: 35 (WebCore::FrameLoader::didBeginDocument): Extract logic to collect Content Security Policy HTTP headers 36 into class ContentSecurityPolicyResponseHeaders and make use of it here. 37 * page/csp/ContentSecurityPolicy.cpp: 38 (WebCore::CSPDirectiveList::headerType): Modified to use enum class ContentSecurityPolicyHeaderType. 39 (WebCore::CSPDirectiveList::CSPDirectiveList): Ditto. 40 (WebCore::CSPDirectiveList::create): Ditto. 41 (WebCore::ContentSecurityPolicy::responseHeaders): Creates and returns a ContentSecurityPolicyResponseHeaders 42 object with the parsed CSP policy headers. 43 (WebCore::ContentSecurityPolicy::didReceiveHeaders): Processed the CSP policy headers represented by the 44 specified ContentSecurityPolicyResponseHeaders object. 45 (WebCore::ContentSecurityPolicy::deprecatedHeader): Deleted. 46 (WebCore::ContentSecurityPolicy::deprecatedHeaderType): Deleted. 47 * page/csp/ContentSecurityPolicy.h: Defines a class that represents a collection of CSP policy headers. 48 This class has two purposes: 49 - It extracts the CSP policy headers from a HTTP response (ResourceResponse object). We make use of 50 this functionality in both FrameLoader::didBeginDocument() and Worker::didReceiveResponse(). 51 - It serves as a memento that externalizes the internal CSP policy details of an instance of 52 ContentSecurityPolicy. We make use of this memento functionality to support inheriting the 53 CSP policy of the worker's owner document in a thread-safe manner. You can create and restore 54 a memento using ContentSecurityPolicy::responseHeaders() and ContentSecurityPolicy::didReceiveHeaders(), respectively. 55 * page/csp/ContentSecurityPolicyResponseHeaders.cpp: Added. 56 (WebCore::ContentSecurityPolicyResponseHeaders::ContentSecurityPolicyResponseHeaders): Extracts the 57 CSP HTTP headers from a ResourceResponse object. 58 (WebCore::ContentSecurityPolicyResponseHeaders::isolatedCopy): Make a copy of this object that is 59 safe to pass to another thread. 60 * page/csp/ContentSecurityPolicyResponseHeaders.h: Added. 61 * workers/DedicatedWorkerGlobalScope.cpp: 62 (WebCore::DedicatedWorkerGlobalScope::create): Modified to use class ContentSecurityPolicyResponseHeaders. 63 * workers/DedicatedWorkerGlobalScope.h: 64 * workers/DedicatedWorkerThread.cpp: 65 (WebCore::DedicatedWorkerThread::create): Ditto. 66 (WebCore::DedicatedWorkerThread::DedicatedWorkerThread): Ditto. 67 (WebCore::DedicatedWorkerThread::createWorkerGlobalScope): Ditto. 68 * workers/DedicatedWorkerThread.h: 69 * workers/Worker.cpp: 70 (WebCore::Worker::didReceiveResponse): Create a ContentSecurityPolicyResponseHeaders if the origin of 71 the worker's script is capable of providing a CSP. Otherwise, we will inherit the CSP of the worker's owner 72 document in Worker::notifyFinished(). 73 (WebCore::Worker::notifyFinished): Pass the appropriate CSP response headers to WorkerMessagingProxy::startWorkerGlobalScope(). 74 * workers/Worker.h: 75 * workers/WorkerGlobalScope.cpp: 76 (WebCore::WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders): Renamed; formerly named applyContentSecurityPolicyFromString(). 77 Modified to take a ContentSecurityPolicyResponseHeaders and apply it to the ContentSecurityPolicy object associated with the worker. 78 (WebCore::WorkerGlobalScope::applyContentSecurityPolicyFromString): Deleted. 79 * workers/WorkerGlobalScope.h: 80 * workers/WorkerMessagingProxy.cpp: 81 (WebCore::WorkerMessagingProxy::startWorkerGlobalScope): Pass the worker's ContentSecurityPolicyResponseHeaders object. 82 * workers/WorkerThread.cpp: 83 (WebCore::WorkerThreadStartupData::WorkerThreadStartupData): Added field m_contentSecurityPolicyResponseHeaders to store 84 the CSP response headers to be applied to the worker's ContentSecurityPolicy object. 85 (WebCore::WorkerThread::WorkerThread): Modified to use ContentSecurityPolicyResponseHeaders. 86 (WebCore::WorkerThread::workerThread): Pass the ContentSecurityPolicyResponseHeaders object from the start up data struct 87 to DedicatedWorkerThread::createWorkerGlobalScope(). 88 * workers/WorkerThread.h: 89 1 90 2016-01-31 Darin Adler <darin@apple.com> 2 91 -
trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj
r195764 r195948 7305 7305 <ClCompile Include="..\page\animation\CompositeAnimation.cpp" /> 7306 7306 <ClCompile Include="..\page\csp\ContentSecurityPolicy.cpp" /> 7307 <ClCompile Include="..\page\csp\ContentSecurityPolicyResponseHeaders.cpp" /> 7307 7308 <ClCompile Include="..\page\ContextMenuContext.cpp" /> 7308 7309 <ClCompile Include="..\page\ContextMenuController.cpp" /> … … 20702 20703 <ClInclude Include="..\page\animation\CompositeAnimation.h" /> 20703 20704 <ClInclude Include="..\page\csp\ContentSecurityPolicy.h" /> 20705 <ClInclude Include="..\page\csp\ContentSecurityPolicyResponseHeaders.h" /> 20704 20706 <ClInclude Include="..\page\ContextMenuClient.h" /> 20705 20707 <ClInclude Include="..\page\ContextMenuContext.h" /> -
trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj.filters
r195764 r195948 681 681 <Filter>page\csp</Filter> 682 682 </ClCompile> 683 <ClCompile Include="..\page\csp\ContentSecurityPolicyResponseHeaders.cpp"> 684 <Filter>page\csp</Filter> 685 </ClCompile> 683 686 <ClCompile Include="..\page\ContextMenuController.cpp"> 684 687 <Filter>page</Filter> … … 7668 7671 </ClInclude> 7669 7672 <ClInclude Include="..\page\csp\ContentSecurityPolicy.h"> 7673 <Filter>page\csp</Filter> 7674 </ClInclude> 7675 <ClInclude Include="..\page\csp\ContentSecurityPolicyResponseHeaders.h"> 7670 7676 <Filter>page\csp</Filter> 7671 7677 </ClInclude> -
trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj
r195764 r195948 6168 6168 CE1252551A1BEC0E00864480 /* NSURLDownloadSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = CE1252541A1BEC0E00864480 /* NSURLDownloadSPI.h */; settings = {ATTRIBUTES = (Private, ); }; }; 6169 6169 CE12525B1A1C018200864480 /* CFNetworkSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = CE12525A1A1C018200864480 /* CFNetworkSPI.h */; settings = {ATTRIBUTES = (Private, ); }; }; 6170 CE6DADF91C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.cpp in Sources */ = {isa = PBXBuildFile; fileRef = CE6DADF71C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.cpp */; }; 6171 CE6DADFA1C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.h in Headers */ = {isa = PBXBuildFile; fileRef = CE6DADF81C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.h */; }; 6170 6172 CE7B2DB31586ABAD0098B3FA /* AlternativeTextUIController.h in Headers */ = {isa = PBXBuildFile; fileRef = CE7B2DAF1586ABAD0098B3FA /* AlternativeTextUIController.h */; settings = {ATTRIBUTES = (Private, ); }; }; 6171 6173 CE7B2DB41586ABAD0098B3FA /* AlternativeTextUIController.mm in Sources */ = {isa = PBXBuildFile; fileRef = CE7B2DB01586ABAD0098B3FA /* AlternativeTextUIController.mm */; }; … … 14096 14098 CE5CB1B314EDAB6F00BB2795 /* EventSender.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = EventSender.h; sourceTree = "<group>"; }; 14097 14099 CE6D89294C7AACE0AD89B3DD /* MathMLMencloseElement.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MathMLMencloseElement.h; sourceTree = "<group>"; }; 14100 CE6DADF71C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = ContentSecurityPolicyResponseHeaders.cpp; path = csp/ContentSecurityPolicyResponseHeaders.cpp; sourceTree = "<group>"; }; 14101 CE6DADF81C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ContentSecurityPolicyResponseHeaders.h; path = csp/ContentSecurityPolicyResponseHeaders.h; sourceTree = "<group>"; }; 14098 14102 CE7B2DAF1586ABAD0098B3FA /* AlternativeTextUIController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AlternativeTextUIController.h; sourceTree = "<group>"; }; 14099 14103 CE7B2DB01586ABAD0098B3FA /* AlternativeTextUIController.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = AlternativeTextUIController.mm; sourceTree = "<group>"; }; … … 22964 22968 97C471D912F925BC0086354B /* ContentSecurityPolicy.cpp */, 22965 22969 97C471DA12F925BD0086354B /* ContentSecurityPolicy.h */, 22970 CE6DADF71C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.cpp */, 22971 CE6DADF81C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.h */, 22966 22972 ); 22967 22973 name = csp; … … 25002 25008 7C93F34E1AA6BF0700A98BAB /* ContentExtensionCompiler.h in Headers */, 25003 25009 7CFDC57D1AC1D80500E24A57 /* ContentExtensionError.h in Headers */, 25010 CE6DADFA1C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.h in Headers */, 25004 25011 26F0C8981A2E724B002794F8 /* ContentExtensionParser.h in Headers */, 25005 25012 26F0C89C1A2EC110002794F8 /* ContentExtensionRule.h in Headers */, … … 31699 31706 A5DEBDA316FB908700836FE0 /* WebKitPlaybackTargetAvailabilityEvent.cpp in Sources */, 31700 31707 31C0FF240E4CEB6E007D6FE5 /* WebKitTransitionEvent.cpp in Sources */, 31708 CE6DADF91C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.cpp in Sources */, 31701 31709 0FCF332E0F2B9A25004B6795 /* WebLayer.mm in Sources */, 31702 31710 0709D78E1AE55554004E42F8 /* WebMediaSessionManager.cpp in Sources */, -
trunk/Source/WebCore/dom/Document.cpp
r195927 r195948 3259 3259 3260 3260 case HTTPHeaderName::ContentSecurityPolicy: 3261 contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy ::Enforce);3261 contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::Enforce); 3262 3262 break; 3263 3263 3264 3264 case HTTPHeaderName::ContentSecurityPolicyReportOnly: 3265 contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy ::Report);3265 contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::Report); 3266 3266 break; 3267 3267 3268 3268 case HTTPHeaderName::XWebKitCSP: 3269 contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy ::PrefixedEnforce);3269 contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::PrefixedEnforce); 3270 3270 break; 3271 3271 3272 3272 case HTTPHeaderName::XWebKitCSPReportOnly: 3273 contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy ::PrefixedReport);3273 contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::PrefixedReport); 3274 3274 break; 3275 3275 -
trunk/Source/WebCore/loader/FrameLoader.cpp
r195790 r195948 686 686 m_frame.document()->parseDNSPrefetchControlHeader(dnsPrefetchControl); 687 687 688 String policyValue = m_documentLoader->response().httpHeaderField(HTTPHeaderName::ContentSecurityPolicy); 689 if (!policyValue.isEmpty()) 690 m_frame.document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::Enforce); 691 692 policyValue = m_documentLoader->response().httpHeaderField(HTTPHeaderName::ContentSecurityPolicyReportOnly); 693 if (!policyValue.isEmpty()) 694 m_frame.document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::Report); 695 696 policyValue = m_documentLoader->response().httpHeaderField(HTTPHeaderName::XWebKitCSP); 697 if (!policyValue.isEmpty()) 698 m_frame.document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::PrefixedEnforce); 699 700 policyValue = m_documentLoader->response().httpHeaderField(HTTPHeaderName::XWebKitCSPReportOnly); 701 if (!policyValue.isEmpty()) 702 m_frame.document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::PrefixedReport); 688 m_frame.document()->contentSecurityPolicy()->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(m_documentLoader->response())); 703 689 704 690 String headerContentLanguage = m_documentLoader->response().httpHeaderField(HTTPHeaderName::ContentLanguage); -
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
r195743 r195948 772 772 WTF_MAKE_FAST_ALLOCATED; 773 773 public: 774 static std::unique_ptr<CSPDirectiveList> create(ContentSecurityPolicy*, const String&, ContentSecurityPolicy ::HeaderType);775 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy ::HeaderType);774 static std::unique_ptr<CSPDirectiveList> create(ContentSecurityPolicy*, const String&, ContentSecurityPolicyHeaderType); 775 CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType); 776 776 777 777 const String& header() const { return m_header; } 778 ContentSecurityPolicy ::HeaderType headerType() const { return m_headerType; }778 ContentSecurityPolicyHeaderType headerType() const { return m_headerType; } 779 779 780 780 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const; … … 836 836 837 837 String m_header; 838 ContentSecurityPolicy ::HeaderType m_headerType;838 ContentSecurityPolicyHeaderType m_headerType; 839 839 840 840 bool m_reportOnly; … … 860 860 }; 861 861 862 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurityPolicy ::HeaderType type)862 CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurityPolicyHeaderType type) 863 863 : m_policy(policy) 864 864 , m_headerType(type) … … 867 867 , m_reflectedXSSDisposition(ContentSecurityPolicy::ReflectedXSSUnset) 868 868 { 869 m_reportOnly = (type == ContentSecurityPolicy ::Report || type == ContentSecurityPolicy::PrefixedReport);870 } 871 872 std::unique_ptr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* policy, const String& header, ContentSecurityPolicy ::HeaderType type)869 m_reportOnly = (type == ContentSecurityPolicyHeaderType::Report || type == ContentSecurityPolicyHeaderType::PrefixedReport); 870 } 871 872 std::unique_ptr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* policy, const String& header, ContentSecurityPolicyHeaderType type) 873 873 { 874 874 auto directives = std::make_unique<CSPDirectiveList>(policy, type); … … 1372 1372 } 1373 1373 1374 void ContentSecurityPolicy::didReceiveHeader(const String& header, HeaderType type) 1374 ContentSecurityPolicyResponseHeaders ContentSecurityPolicy::responseHeaders() const 1375 { 1376 ContentSecurityPolicyResponseHeaders result; 1377 result.m_headers.reserveInitialCapacity(m_policies.size()); 1378 for (auto& policy : m_policies) 1379 result.m_headers.uncheckedAppend({ policy->header(), policy->headerType() }); 1380 return result; 1381 } 1382 1383 void ContentSecurityPolicy::didReceiveHeaders(const ContentSecurityPolicyResponseHeaders& headers) 1384 { 1385 for (auto& header : headers.m_headers) 1386 didReceiveHeader(header.first, header.second); 1387 } 1388 1389 void ContentSecurityPolicy::didReceiveHeader(const String& header, ContentSecurityPolicyHeaderType type) 1375 1390 { 1376 1391 // RFC2616, section 4.2 specifies that headers appearing multiple times can … … 1402 1417 { 1403 1418 m_overrideInlineStyleAllowed = value; 1404 }1405 1406 const String& ContentSecurityPolicy::deprecatedHeader() const1407 {1408 return m_policies.isEmpty() ? emptyString() : m_policies[0]->header();1409 }1410 1411 ContentSecurityPolicy::HeaderType ContentSecurityPolicy::deprecatedHeaderType() const1412 {1413 return m_policies.isEmpty() ? Enforce : m_policies[0]->headerType();1414 1419 } 1415 1420 -
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h
r195711 r195948 27 27 #define ContentSecurityPolicy_h 28 28 29 #include "ContentSecurityPolicyResponseHeaders.h" 29 30 #include "URL.h" 30 31 #include "ScriptState.h" … … 57 58 void copyStateFrom(const ContentSecurityPolicy*); 58 59 59 enum HeaderType {60 Report,61 Enforce,62 PrefixedReport,63 PrefixedEnforce64 };65 66 60 enum class ReportingStatus { 67 61 SendReport, … … 78 72 }; 79 73 80 void didReceiveHeader(const String&, HeaderType); 81 82 // These functions are wrong because they assume that there is only one header. 83 // FIXME: Replace them with functions that return vectors. 84 const String& deprecatedHeader() const; 85 HeaderType deprecatedHeaderType() const; 74 ContentSecurityPolicyResponseHeaders responseHeaders() const; 75 void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&); 76 void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType); 86 77 87 78 bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const; -
trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp
r194496 r195948 32 32 #include "DedicatedWorkerGlobalScope.h" 33 33 34 #include "ContentSecurityPolicyResponseHeaders.h" 34 35 #include "DOMWindow.h" 35 36 #include "DedicatedWorkerThread.h" … … 40 41 namespace WebCore { 41 42 42 Ref<DedicatedWorkerGlobalScope> DedicatedWorkerGlobalScope::create(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, PassRefPtr<SecurityOrigin> topOrigin)43 Ref<DedicatedWorkerGlobalScope> DedicatedWorkerGlobalScope::create(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, PassRefPtr<SecurityOrigin> topOrigin) 43 44 { 44 45 Ref<DedicatedWorkerGlobalScope> context = adoptRef(*new DedicatedWorkerGlobalScope(url, userAgent, thread, topOrigin)); 45 context->applyContentSecurityPolicy FromString(contentSecurityPolicy, contentSecurityPolicyType);46 context->applyContentSecurityPolicyResponseHeaders(contentSecurityPolicyResponseHeaders); 46 47 return context; 47 48 } -
trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h
r181169 r195948 32 32 #define DedicatedWorkerGlobalScope_h 33 33 34 #include "ContentSecurityPolicy.h"35 34 #include "MessagePort.h" 36 35 #include "WorkerGlobalScope.h" … … 38 37 namespace WebCore { 39 38 39 class ContentSecurityPolicyResponseHeaders; 40 40 class DedicatedWorkerThread; 41 41 … … 43 43 public: 44 44 typedef WorkerGlobalScope Base; 45 static Ref<DedicatedWorkerGlobalScope> create(const URL&, const String& userAgent, DedicatedWorkerThread&, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, PassRefPtr<SecurityOrigin> topOrigin);45 static Ref<DedicatedWorkerGlobalScope> create(const URL&, const String& userAgent, DedicatedWorkerThread&, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin); 46 46 virtual ~DedicatedWorkerGlobalScope(); 47 47 -
trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp
r195785 r195948 39 39 namespace WebCore { 40 40 41 DedicatedWorkerThread::DedicatedWorkerThread(const URL& url, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerObjectProxy& workerObjectProxy, WorkerThreadStartMode startMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, const SecurityOrigin* topOrigin)42 : WorkerThread(url, userAgent, sourceCode, workerLoaderProxy, workerObjectProxy, startMode, contentSecurityPolicy , contentSecurityPolicyType, topOrigin)41 DedicatedWorkerThread::DedicatedWorkerThread(const URL& url, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerObjectProxy& workerObjectProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin) 42 : WorkerThread(url, userAgent, sourceCode, workerLoaderProxy, workerObjectProxy, startMode, contentSecurityPolicyResponseHeaders, topOrigin) 43 43 , m_workerObjectProxy(workerObjectProxy) 44 44 { … … 49 49 } 50 50 51 Ref<WorkerGlobalScope> DedicatedWorkerThread::createWorkerGlobalScope(const URL& url, const String& userAgent, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, PassRefPtr<SecurityOrigin> topOrigin)51 Ref<WorkerGlobalScope> DedicatedWorkerThread::createWorkerGlobalScope(const URL& url, const String& userAgent, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, PassRefPtr<SecurityOrigin> topOrigin) 52 52 { 53 return DedicatedWorkerGlobalScope::create(url, userAgent, *this, contentSecurityPolicy , contentSecurityPolicyType, topOrigin);53 return DedicatedWorkerGlobalScope::create(url, userAgent, *this, contentSecurityPolicyResponseHeaders, topOrigin); 54 54 } 55 55 -
trunk/Source/WebCore/workers/DedicatedWorkerThread.h
r195786 r195948 31 31 #define DedicatedWorkerThread_h 32 32 33 #include "ContentSecurityPolicy.h"34 33 #include "WorkerThread.h" 35 34 36 35 namespace WebCore { 37 36 37 class ContentSecurityPolicyResponseHeaders; 38 38 class WorkerObjectProxy; 39 39 … … 49 49 50 50 protected: 51 virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType, PassRefPtr<SecurityOrigin> topOrigin) override;51 virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin) override; 52 52 virtual void runEventLoop() override; 53 53 54 54 private: 55 DedicatedWorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerObjectProxy&, WorkerThreadStartMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType, const SecurityOrigin* topOrigin);55 DedicatedWorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerObjectProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin); 56 56 57 57 WorkerObjectProxy& m_workerObjectProxy; -
trunk/Source/WebCore/workers/Worker.cpp
r194496 r195948 32 32 #include "DOMWindow.h" 33 33 #include "CachedResourceLoader.h" 34 #include "ContentSecurityPolicy.h" 34 35 #include "Document.h" 35 36 #include "EventListener.h" … … 41 42 #include "MessageEvent.h" 42 43 #include "NetworkStateNotifier.h" 44 #include "SecurityOrigin.h" 43 45 #include "TextEncoding.h" 44 46 #include "WorkerGlobalScopeProxy.h" … … 151 153 } 152 154 153 void Worker::didReceiveResponse(unsigned long identifier, const ResourceResponse& )155 void Worker::didReceiveResponse(unsigned long identifier, const ResourceResponse& response) 154 156 { 157 const URL& responseURL = response.url(); 158 if (!responseURL.protocolIs("blob") && !responseURL.protocolIs("file") && !SecurityOrigin::create(responseURL)->isUnique()) 159 m_contentSecurityPolicyResponseHeaders = ContentSecurityPolicyResponseHeaders(response); 155 160 InspectorInstrumentation::didReceiveScriptResponse(scriptExecutionContext(), identifier); 156 161 } … … 161 166 dispatchEvent(Event::create(eventNames().errorEvent, false, true)); 162 167 else { 163 WorkerThreadStartMode startMode = DontPauseWorkerGlobalScopeOnStart;164 m_contextProxy->startWorkerGlobalScope(m_scriptLoader->url(), scriptExecutionContext()->userAgent(m_scriptLoader->url()), m_scriptLoader->script(), startMode);168 const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders = m_contentSecurityPolicyResponseHeaders ? m_contentSecurityPolicyResponseHeaders.value() : scriptExecutionContext()->contentSecurityPolicy()->responseHeaders(); 169 m_contextProxy->startWorkerGlobalScope(m_scriptLoader->url(), scriptExecutionContext()->userAgent(m_scriptLoader->url()), m_scriptLoader->script(), contentSecurityPolicyResponseHeaders, DontPauseWorkerGlobalScopeOnStart); 165 170 InspectorInstrumentation::scriptImported(scriptExecutionContext(), m_scriptLoader->identifier(), m_scriptLoader->script()); 166 171 } -
trunk/Source/WebCore/workers/Worker.h
r192848 r195948 30 30 #include "AbstractWorker.h" 31 31 #include "ActiveDOMObject.h" 32 #include "ContentSecurityPolicyResponseHeaders.h" 32 33 #include "EventListener.h" 33 34 #include "EventTarget.h" … … 35 36 #include "WorkerScriptLoaderClient.h" 36 37 #include <wtf/Forward.h> 38 #include <wtf/Optional.h> 37 39 #include <wtf/PassRefPtr.h> 38 40 #include <wtf/RefPtr.h> … … 84 86 RefPtr<WorkerScriptLoader> m_scriptLoader; 85 87 WorkerGlobalScopeProxy* m_contextProxy; // The proxy outlives the worker to perform thread shutdown. 88 Optional<ContentSecurityPolicyResponseHeaders> m_contentSecurityPolicyResponseHeaders; 86 89 }; 87 90 -
trunk/Source/WebCore/workers/WorkerGlobalScope.cpp
r195588 r195948 86 86 } 87 87 88 void WorkerGlobalScope::applyContentSecurityPolicy FromString(const String& policy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType)88 void WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders(const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders) 89 89 { 90 90 setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this)); 91 contentSecurityPolicy()->didReceiveHeader (policy, contentSecurityPolicyType);91 contentSecurityPolicy()->didReceiveHeaders(contentSecurityPolicyResponseHeaders); 92 92 } 93 93 -
trunk/Source/WebCore/workers/WorkerGlobalScope.h
r193426 r195948 28 28 #define WorkerGlobalScope_h 29 29 30 #include "ContentSecurityPolicy.h"31 30 #include "EventListener.h" 32 31 #include "EventTarget.h" … … 46 45 47 46 class Blob; 47 class ContentSecurityPolicyResponseHeaders; 48 48 class ScheduledAction; 49 49 class WorkerLocation; … … 132 132 protected: 133 133 WorkerGlobalScope(const URL&, const String& userAgent, WorkerThread&, PassRefPtr<SecurityOrigin> topOrigin); 134 void applyContentSecurityPolicy FromString(const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType);134 void applyContentSecurityPolicyResponseHeaders(const ContentSecurityPolicyResponseHeaders&); 135 135 136 136 virtual void logExceptionToConsole(const String& errorMessage, const String& sourceURL, int lineNumber, int columnNumber, RefPtr<Inspector::ScriptCallStack>&&) override; -
trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h
r193426 r195948 39 39 namespace WebCore { 40 40 41 class ContentSecurityPolicyResponseHeaders; 41 42 class URL; 42 43 class Worker; … … 49 50 virtual ~WorkerGlobalScopeProxy() { } 50 51 51 virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode) = 0;52 virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, WorkerThreadStartMode) = 0; 52 53 53 54 virtual void terminateWorkerGlobalScope() = 0; -
trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp
r194496 r195948 73 73 } 74 74 75 void WorkerMessagingProxy::startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode)75 void WorkerMessagingProxy::startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, WorkerThreadStartMode startMode) 76 76 { 77 77 // FIXME: This need to be revisited when we support nested worker one day 78 78 ASSERT(m_scriptExecutionContext); 79 79 Document& document = downcast<Document>(*m_scriptExecutionContext); 80 RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode, document.contentSecurityPolicy()->deprecatedHeader(), document.contentSecurityPolicy()->deprecatedHeaderType(), document.topOrigin());80 RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode, contentSecurityPolicyResponseHeaders, document.topOrigin()); 81 81 workerThreadCreated(thread); 82 82 thread->start(); -
trunk/Source/WebCore/workers/WorkerMessagingProxy.h
r193426 r195948 41 41 namespace WebCore { 42 42 43 class ContentSecurityPolicyResponseHeaders; 43 44 class DedicatedWorkerThread; 44 45 class ScriptExecutionContext; … … 52 53 // Implementations of WorkerGlobalScopeProxy. 53 54 // (Only use these methods in the worker object thread.) 54 virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode) override;55 virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, WorkerThreadStartMode) override; 55 56 virtual void terminateWorkerGlobalScope() override; 56 57 virtual void postMessageToWorkerGlobalScope(PassRefPtr<SerializedScriptValue>, std::unique_ptr<MessagePortChannelArray>) override; -
trunk/Source/WebCore/workers/WorkerThread.cpp
r195537 r195948 29 29 #include "WorkerThread.h" 30 30 31 #include "ContentSecurityPolicyResponseHeaders.h" 31 32 #include "DedicatedWorkerGlobalScope.h" 32 33 #include "ScriptSourceCode.h" … … 70 71 WTF_MAKE_NONCOPYABLE(WorkerThreadStartupData); WTF_MAKE_FAST_ALLOCATED; 71 72 public: 72 WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, const SecurityOrigin* topOrigin);73 WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin); 73 74 74 75 URL m_scriptURL; … … 76 77 String m_sourceCode; 77 78 WorkerThreadStartMode m_startMode; 78 String m_contentSecurityPolicy; 79 ContentSecurityPolicy::HeaderType m_contentSecurityPolicyType; 79 ContentSecurityPolicyResponseHeaders m_contentSecurityPolicyResponseHeaders; 80 80 RefPtr<SecurityOrigin> m_topOrigin; 81 81 }; 82 82 83 WorkerThreadStartupData::WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, const SecurityOrigin* topOrigin)83 WorkerThreadStartupData::WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin) 84 84 : m_scriptURL(scriptURL.isolatedCopy()) 85 85 , m_userAgent(userAgent.isolatedCopy()) 86 86 , m_sourceCode(sourceCode.isolatedCopy()) 87 87 , m_startMode(startMode) 88 , m_contentSecurityPolicy(contentSecurityPolicy.isolatedCopy()) 89 , m_contentSecurityPolicyType(contentSecurityPolicyType) 88 , m_contentSecurityPolicyResponseHeaders(contentSecurityPolicyResponseHeaders.isolatedCopy()) 90 89 , m_topOrigin(topOrigin ? &topOrigin->isolatedCopy().get() : nullptr) 91 90 { 92 91 } 93 92 94 WorkerThread::WorkerThread(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerReportingProxy& workerReportingProxy, WorkerThreadStartMode startMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, const SecurityOrigin* topOrigin)93 WorkerThread::WorkerThread(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerReportingProxy& workerReportingProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin) 95 94 : m_threadID(0) 96 95 , m_workerLoaderProxy(workerLoaderProxy) 97 96 , m_workerReportingProxy(workerReportingProxy) 98 , m_startupData(std::make_unique<WorkerThreadStartupData>(scriptURL, userAgent, sourceCode, startMode, contentSecurityPolicy , contentSecurityPolicyType, topOrigin))97 , m_startupData(std::make_unique<WorkerThreadStartupData>(scriptURL, userAgent, sourceCode, startMode, contentSecurityPolicyResponseHeaders, topOrigin)) 99 98 #if ENABLE(NOTIFICATIONS) || ENABLE(LEGACY_NOTIFICATIONS) 100 99 , m_notificationClient(0) … … 146 145 { 147 146 LockHolder lock(m_threadCreationMutex); 148 m_workerGlobalScope = createWorkerGlobalScope(m_startupData->m_scriptURL, m_startupData->m_userAgent, m_startupData->m_contentSecurityPolicy , m_startupData->m_contentSecurityPolicyType, m_startupData->m_topOrigin.release());147 m_workerGlobalScope = createWorkerGlobalScope(m_startupData->m_scriptURL, m_startupData->m_userAgent, m_startupData->m_contentSecurityPolicyResponseHeaders, m_startupData->m_topOrigin.release()); 149 148 150 149 if (m_runLoop.terminated()) { -
trunk/Source/WebCore/workers/WorkerThread.h
r188594 r195948 28 28 #define WorkerThread_h 29 29 30 #include "ContentSecurityPolicy.h"31 30 #include "WorkerRunLoop.h" 32 31 #include <memory> … … 37 36 namespace WebCore { 38 37 38 class ContentSecurityPolicyResponseHeaders; 39 39 class URL; 40 40 class NotificationClient; … … 69 69 70 70 protected: 71 WorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerReportingProxy&, WorkerThreadStartMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType, const SecurityOrigin* topOrigin);71 WorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerReportingProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin); 72 72 73 73 // Factory method for creating a new worker context for the thread. 74 virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType, PassRefPtr<SecurityOrigin> topOrigin) = 0;74 virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin) = 0; 75 75 76 76 // Executes the event loop for the worker thread. Derived classes can override to perform actions before/after entering the event loop.
Note: See TracChangeset
for help on using the changeset viewer.