Changeset 196012 in webkit

Timestamp:

Feb 2, 2016 9:57:40 AM (8 years ago)

Author:

dbates@webkit.org

Message:

CSP: Support checking content security policy without a script execution context
​https://bugs.webkit.org/show_bug.cgi?id=153748
<rdar://problem/24439149>

Reviewed by Darin Alder.

Towards checking a Web Worker's content security policy against a redirected worker
script load or redirected XHR request for an XHR request initiated from it, we should
support instantiating a ContentSecurityPolicy object without a ScriptExecutionContext.

No functionality was changed. So, no new tests.

• dom/Document.cpp:

(WebCore::Document::initSecurityContext): Pass |this| as a reference instead of as a pointer.

• page/csp/ContentSecurityPolicy.cpp: Remove extraneous includes ScriptState.h, TextEncoding.h,

and URL.h as they are included by ContentSecurityPolicy.h, FormDataList.h and FormData.h, respectively.
(WebCore::CSPSource::CSPSource): Take a constant reference to a ContentSecurityPolicy instead
of a pointer since we never expected a null pointer.
(WebCore::CSPSource::schemeMatches): Move logic for checking the protocol of source "self"
from here to ContentSecurityPolicy::protocolMatchesSelf() because we may not have a security
origin if ContentSecurityPolicy was initiated without a ScriptExecutionContext object.
(WebCore::CSPSourceList::allowSelf): Added.
(WebCore::CSPSourceList::CSPSourceList): Take a constant reference to a ContentSecurityPolicy
instead of a pointer since we never expected a null pointer. Remove fields from member
initialization list that can be initialized using C++11 in-class initialization syntax.
(WebCore::CSPSourceList::matches): Call ContentSecurityPolicy::urlMatchesSelf() to match the
effective URL against the URL of source "self".
(WebCore::CSPSourceList::parse): Update code as necessary now that m_policy is a reference
instead of a pointer.
(WebCore::CSPSourceList::parseSource): Simplify code by setting internal member fields directly
instead of via member functions.
(WebCore::CSPSourceList::parsePath): Update code as necessary now that m_policy is a reference
instead of a pointer.
(WebCore::CSPDirective::CSPDirective): Take a constant reference to a ContentSecurityPolicy
instead of a pointer since we never expected a null pointer.
(WebCore::CSPDirective::policy): Return a reference to a const ContentSecurityPolicy.
(WebCore::MediaListDirective::MediaListDirective): Take a constant reference to a ContentSecurityPolicy
instead of a pointer since we never expected a null pointer.
(WebCore::MediaListDirective::parse): Update code as necessary now that m_policy is a reference
instead of a pointer.
(WebCore::SourceListDirective::SourceListDirective): Take a constant reference to a ContentSecurityPolicy
instead of a pointer since we never expected a null pointer.
(WebCore::SourceListDirective::allows): Write in terms of CSPSourceList::allowSelf() because we
may not have a security origin to get a URL from if ContentSecurityPolicy was initiated without
a ScriptExecutionContext object.
(WebCore::CSPDirectiveList::reportURIs): Change return type from Vector<URL> to Vector<String>
The caller will convert the strings to URLs with respect to the script execution context.
(WebCore::CSPDirectiveList::parseReportURI): Store the report URI as a string instead of a URL
because we may not have a security origin to compute the absolute URL if ContentSecurityPolicy
was initiated without a ScriptExecutionContext object.
(WebCore::CSPDirectiveList::CSPDirectiveList): Take a reference to a ContentSecurityPolicy
instead of a pointer since we never expected a null pointer. It would be better to take a const
reference to a ContentSecurityPolicy, but ContentSecurityPolicy::applySandboxPolicy() needs to set
state on ContentSecurityPolicy :(
(WebCore::CSPDirectiveList::create): Ditto.
(WebCore::CSPDirectiveList::reportViolation): Update code as necessary now that m_policy is a reference
instead of a pointer.
(WebCore::CSPDirectiveList::checkEvalAndReportViolation): Ditto.
(WebCore::CSPDirectiveList::checkInlineAndReportViolation): Ditto.
(WebCore::CSPDirectiveList::parseDirective): Ditto.
(WebCore::CSPDirectiveList::parseReportURI): Store the report URI as a string instead of a URL
because we may not have a security origin to compute the absolute URL if ContentSecurityPolicy
was initiated without a ScriptExecutionContext object.
(WebCore::CSPDirectiveList::setCSPDirective): Update code as necessary now that m_policy is a reference
instead of a pointer.
(WebCore::CSPDirectiveList::applySandboxPolicy): Ditto.
(WebCore::CSPDirectiveList::parseReflectedXSS): Ditto.
(WebCore::CSPDirectiveList::addDirective): Ditto.
(WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Modified to take the ScriptExecutionObject
as a reference and compute the CSPSource object for "self" and cache the protocol for "self". Removed
field m_overrideInlineStyleAllowed from the member initialization list and used C++11 in-class
initialization syntax to initialize it. Added overloaded constructor that takes a SecurityOrigin object.
We are not making use of this overloaded constructor at this time. We will in a subsequent patch.
(WebCore::ContentSecurityPolicy::didReceiveHeader): Store the eval disabled error message for
the last parsed policy in a member field instead of using it as part of disabling eval execution
on the script execution context because we may not have such a context.
(WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): Applies the content security
policy eval and sandbox restrictions to the script execution context.
(WebCore::ContentSecurityPolicy::urlMatchesSelf): Match the specified URL against the URL for
source "self".
(WebCore::ContentSecurityPolicy::protocolMatchesSelf): Match the protocol of the specified URL
against the protocol for source "self".
(WebCore::ContentSecurityPolicy::gatherReportURIs): Modified to use the script execution context
to compute the absolute URL for each report URI.
(WebCore::ContentSecurityPolicy::reportViolation): Bail out if we do not have a script execution
context.
(WebCore::ContentSecurityPolicy::logToConsole): Only log to the console if we have a script
execution context.
(WebCore::ContentSecurityPolicy::reportBlockedScriptExecutionToInspector): Only report blocked
script execution to the Web Inspector if we have a script execution context.
(WebCore::CSPSourceList::addSourceSelf): Deleted.
(WebCore::CSPSourceList::addSourceStar): Deleted.
(WebCore::CSPSourceList::addSourceUnsafeInline): Deleted.
(WebCore::CSPSourceList::addSourceUnsafeEval): Deleted.
(WebCore::CSPDirectiveList::gatherReportURIs): Deleted.
(WebCore::ContentSecurityPolicy::securityOrigin): Deleted.
(WebCore::ContentSecurityPolicy::url): Deleted.
(WebCore::ContentSecurityPolicy::completeURL): Deleted.
(WebCore::ContentSecurityPolicy::enforceSandboxFlags): Deleted.

• page/csp/ContentSecurityPolicy.h:

(WebCore::ContentSecurityPolicy::enforceSandboxFlags): Accumulates the parsed sandbox flags. We
will apply the sandbox flags in ContentSecurityPolicy::applyPolicyToScriptExecutionContext().

• workers/WorkerGlobalScope.cpp:

(WebCore::WorkerGlobalScope::WorkerGlobalScope): Instantiate ContentSecurityPolicy.
(WebCore::WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders): Move instantiation of
ContentSecurityPolicy from here to constructor.

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• dom/Document.cpp (modified) (2 diffs)
• page/csp/ContentSecurityPolicy.cpp (modified) (50 diffs)
• page/csp/ContentSecurityPolicy.h (modified) (7 diffs)
• workers/WorkerGlobalScope.cpp (modified) (2 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-02-02  Daniel Bates  <dabates@apple.com>
+
+        CSP: Support checking content security policy without a script execution context
+        https://bugs.webkit.org/show_bug.cgi?id=153748
+        <rdar://problem/24439149>
+
+        Reviewed by Darin Alder.
+
+        Towards checking a Web Worker's content security policy against a redirected worker
+        script load or redirected XHR request for an XHR request initiated from it, we should
+        support instantiating a ContentSecurityPolicy object without a ScriptExecutionContext.
+
+        No functionality was changed. So, no new tests.
+
+        * dom/Document.cpp:
+        (WebCore::Document::initSecurityContext): Pass |this| as a reference instead of as a pointer.
+        * page/csp/ContentSecurityPolicy.cpp: Remove extraneous includes ScriptState.h, TextEncoding.h,
+        and URL.h as they are included by ContentSecurityPolicy.h, FormDataList.h and FormData.h, respectively.
+        (WebCore::CSPSource::CSPSource): Take a constant reference to a ContentSecurityPolicy instead
+        of a pointer since we never expected a null pointer.
+        (WebCore::CSPSource::schemeMatches): Move logic for checking the protocol of source "self"
+        from here to ContentSecurityPolicy::protocolMatchesSelf() because we may not have a security
+        origin if ContentSecurityPolicy was initiated without a ScriptExecutionContext object.
+        (WebCore::CSPSourceList::allowSelf): Added.
+        (WebCore::CSPSourceList::CSPSourceList): Take a constant reference to a ContentSecurityPolicy
+        instead of a pointer since we never expected a null pointer. Remove fields from member
+        initialization list that can be initialized using C++11 in-class initialization syntax.
+        (WebCore::CSPSourceList::matches): Call ContentSecurityPolicy::urlMatchesSelf() to match the
+        effective URL against the URL of source "self".
+        (WebCore::CSPSourceList::parse): Update code as necessary now that m_policy is a reference
+        instead of a pointer.
+        (WebCore::CSPSourceList::parseSource): Simplify code by setting internal member fields directly
+        instead of via member functions.
+        (WebCore::CSPSourceList::parsePath): Update code as necessary now that m_policy is a reference
+        instead of a pointer.
+        (WebCore::CSPDirective::CSPDirective): Take a constant reference to a ContentSecurityPolicy
+        instead of a pointer since we never expected a null pointer.
+        (WebCore::CSPDirective::policy): Return a reference to a const ContentSecurityPolicy.
+        (WebCore::MediaListDirective::MediaListDirective): Take a constant reference to a ContentSecurityPolicy
+        instead of a pointer since we never expected a null pointer.
+        (WebCore::MediaListDirective::parse): Update code as necessary now that m_policy is a reference
+        instead of a pointer.
+        (WebCore::SourceListDirective::SourceListDirective): Take a constant reference to a ContentSecurityPolicy
+        instead of a pointer since we never expected a null pointer.
+        (WebCore::SourceListDirective::allows): Write in terms of CSPSourceList::allowSelf() because we
+        may not have a security origin to get a URL from if ContentSecurityPolicy was initiated without
+        a ScriptExecutionContext object.
+        (WebCore::CSPDirectiveList::reportURIs): Change return type from Vector<URL> to Vector<String>
+        The caller will convert the strings to URLs with respect to the script execution context.
+        (WebCore::CSPDirectiveList::parseReportURI): Store the report URI as a string instead of a URL
+        because we may not have a security origin to compute the absolute URL if ContentSecurityPolicy
+        was initiated without a ScriptExecutionContext object.
+        (WebCore::CSPDirectiveList::CSPDirectiveList): Take a reference to a ContentSecurityPolicy
+        instead of a pointer since we never expected a null pointer. It would be better to take a const
+        reference to a ContentSecurityPolicy, but ContentSecurityPolicy::applySandboxPolicy() needs to set
+        state on ContentSecurityPolicy :(
+        (WebCore::CSPDirectiveList::create): Ditto.
+        (WebCore::CSPDirectiveList::reportViolation): Update code as necessary now that m_policy is a reference
+        instead of a pointer.
+        (WebCore::CSPDirectiveList::checkEvalAndReportViolation): Ditto.
+        (WebCore::CSPDirectiveList::checkInlineAndReportViolation): Ditto.
+        (WebCore::CSPDirectiveList::parseDirective): Ditto.
+        (WebCore::CSPDirectiveList::parseReportURI): Store the report URI as a string instead of a URL
+        because we may not have a security origin to compute the absolute URL if ContentSecurityPolicy
+        was initiated without a ScriptExecutionContext object.
+        (WebCore::CSPDirectiveList::setCSPDirective): Update code as necessary now that m_policy is a reference
+        instead of a pointer.
+        (WebCore::CSPDirectiveList::applySandboxPolicy): Ditto.
+        (WebCore::CSPDirectiveList::parseReflectedXSS): Ditto.
+        (WebCore::CSPDirectiveList::addDirective): Ditto.
+        (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Modified to take the ScriptExecutionObject
+        as a reference and compute the CSPSource object for "self" and cache the protocol for "self". Removed
+        field m_overrideInlineStyleAllowed from the member initialization list and used C++11 in-class
+        initialization syntax to initialize it. Added overloaded constructor that takes a SecurityOrigin object.
+        We are not making use of this overloaded constructor at this time. We will in a subsequent patch.
+        (WebCore::ContentSecurityPolicy::didReceiveHeader): Store the eval disabled error message for
+        the last parsed policy in a member field instead of using it as part of disabling eval execution
+        on the script execution context because we may not have such a context.
+        (WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): Applies the content security
+        policy eval and sandbox restrictions to the script execution context.
+        (WebCore::ContentSecurityPolicy::urlMatchesSelf): Match the specified URL against the URL for
+        source "self".
+        (WebCore::ContentSecurityPolicy::protocolMatchesSelf): Match the protocol of the specified URL
+        against the protocol for source "self".
+        (WebCore::ContentSecurityPolicy::gatherReportURIs): Modified to use the script execution context
+        to compute the absolute URL for each report URI.
+        (WebCore::ContentSecurityPolicy::reportViolation): Bail out if we do not have a script execution
+        context.
+        (WebCore::ContentSecurityPolicy::logToConsole): Only log to the console if we have a script
+        execution context.
+        (WebCore::ContentSecurityPolicy::reportBlockedScriptExecutionToInspector): Only report blocked
+        script execution to the Web Inspector if we have a script execution context.
+        (WebCore::CSPSourceList::addSourceSelf): Deleted.
+        (WebCore::CSPSourceList::addSourceStar): Deleted.
+        (WebCore::CSPSourceList::addSourceUnsafeInline): Deleted.
+        (WebCore::CSPSourceList::addSourceUnsafeEval): Deleted.
+        (WebCore::CSPDirectiveList::gatherReportURIs): Deleted.
+        (WebCore::ContentSecurityPolicy::securityOrigin): Deleted.
+        (WebCore::ContentSecurityPolicy::url): Deleted.
+        (WebCore::ContentSecurityPolicy::completeURL): Deleted.
+        (WebCore::ContentSecurityPolicy::enforceSandboxFlags): Deleted.
+        * page/csp/ContentSecurityPolicy.h:
+        (WebCore::ContentSecurityPolicy::enforceSandboxFlags): Accumulates the parsed sandbox flags. We
+        will apply the sandbox flags in ContentSecurityPolicy::applyPolicyToScriptExecutionContext().
+        * workers/WorkerGlobalScope.cpp:
+        (WebCore::WorkerGlobalScope::WorkerGlobalScope): Instantiate ContentSecurityPolicy.
+        (WebCore::WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders): Move instantiation of
+        ContentSecurityPolicy from here to constructor.
+
 2016-02-02  Eric Carlson  <eric.carlson@apple.com>
 

trunk/Source/WebCore/dom/Document.cpp

@@ -5129 +5129 @@
         setCookieURL(URL(ParsedURLString, emptyString()));
         setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::createUnique()));
-        setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this));
+        setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(*this));
         return;
     }
@@ -5142 +5142 @@
 
     setSecurityOriginPolicy(SecurityOriginPolicy::create(isSandboxed(SandboxOrigin) ? SecurityOrigin::createUnique() : SecurityOrigin::create(m_url)));
-    setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this));
+    setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(*this));
 
     if (Settings* settings = this->settings()) {

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

@@ -39 +39 @@
 #include "SchemeRegistry.h"
 #include "ScriptController.h"
-#include "ScriptState.h"
 #include "SecurityOrigin.h"
 #include "SecurityPolicyViolationEvent.h"
-#include "TextEncoding.h"
-#include "URL.h"
 #include <inspector/InspectorValues.h>
 #include <inspector/ScriptCallStack.h>
@@ -216 +213 @@
 class CSPSource {
 public:
-    CSPSource(ContentSecurityPolicy* policy, const String& scheme, const String& host, int port, const String& path, bool hostHasWildcard, bool portHasWildcard)
+    CSPSource(const ContentSecurityPolicy& policy, const String& scheme, const String& host, int port, const String& path, bool hostHasWildcard, bool portHasWildcard)
         : m_policy(policy)
         , m_scheme(scheme)
@@ -239 +236 @@
     bool schemeMatches(const URL& url) const
     {
-        if (m_scheme.isEmpty()) {
-            String protectedResourceScheme(m_policy->securityOrigin()->protocol());
-#if ENABLE(CSP_NEXT)
-            if (equalLettersIgnoringASCIICase(protectedResourceScheme, "http"))
-                return url.protocolIsInHTTPFamily();
-#endif
-            return equalIgnoringASCIICase(url.protocol(), protectedResourceScheme);
-        }
+        if (m_scheme.isEmpty())
+            return m_policy.protocolMatchesSelf(url);
         return equalIgnoringASCIICase(url.protocol(), m_scheme);
     }
@@ -293 +284 @@
     bool isSchemeOnly() const { return m_host.isEmpty(); }
 
-    ContentSecurityPolicy* m_policy;
+    const ContentSecurityPolicy& m_policy;
     String m_scheme;
     String m_host;
@@ -305 +296 @@
 class CSPSourceList {
 public:
-    CSPSourceList(ContentSecurityPolicy*, const String& directiveName);
+    CSPSourceList(const ContentSecurityPolicy&, const String& directiveName);
 
     void parse(const String&);
@@ -311 +302 @@
     bool allowInline() const { return m_allowInline; }
     bool allowEval() const { return m_allowEval; }
+    bool allowSelf() const { return m_allowSelf; }
 
 private:
@@ -321 +313 @@
     bool parsePath(const UChar* begin, const UChar* end, String& path);
 
-    void addSourceSelf();
-    void addSourceStar();
-    void addSourceUnsafeInline();
-    void addSourceUnsafeEval();
-
-    ContentSecurityPolicy* m_policy;
+    const ContentSecurityPolicy& m_policy;
     Vector<CSPSource> m_list;
     String m_directiveName;
-    bool m_allowStar;
-    bool m_allowInline;
-    bool m_allowEval;
+    bool m_allowSelf { false };
+    bool m_allowStar { false };
+    bool m_allowInline { false };
+    bool m_allowEval { false };
 };
 
-CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& directiveName)
+CSPSourceList::CSPSourceList(const ContentSecurityPolicy& policy, const String& directiveName)
     : m_policy(policy)
     , m_directiveName(directiveName)
-    , m_allowStar(false)
-    , m_allowInline(false)
-    , m_allowEval(false)
 {
 }
@@ -358 +343 @@
 
     URL effectiveURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
+
+    if (m_allowSelf && m_policy.urlMatchesSelf(effectiveURL))
+        return true;
 
     for (auto& entry : m_list) {
@@ -394 +382 @@
                 continue;
             if (isDirectiveName(host))
-                m_policy->reportDirectiveAsSourceExpression(m_directiveName, host);
+                m_policy.reportDirectiveAsSourceExpression(m_directiveName, host);
             m_list.append(CSPSource(m_policy, scheme, host, port, path, hostHasWildcard, portHasWildcard));
         } else
-            m_policy->reportInvalidSourceExpression(m_directiveName, String(beginSource, position - beginSource));
+            m_policy.reportInvalidSourceExpression(m_directiveName, String(beginSource, position - beginSource));
 
         ASSERT(position == end || isASCIISpace(*position));
@@ -416 +404 @@
 
     if (end - begin == 1 && *begin == '*') {
-        addSourceStar();
+        m_allowStar = true;
         return true;
     }
 
     if (equalLettersIgnoringASCIICase(begin, end - begin, "'self'")) {
-        addSourceSelf();
+        m_allowSelf = true;
         return true;
     }
 
     if (equalLettersIgnoringASCIICase(begin, end - begin, "'unsafe-inline'")) {
-        addSourceUnsafeInline();
+        m_allowInline = true;
         return true;
     }
 
     if (equalLettersIgnoringASCIICase(begin, end - begin, "'unsafe-eval'")) {
-        addSourceUnsafeEval();
+        m_allowEval = true;
         return true;
     }
@@ -591 +579 @@
     //                ^                               ^
     if (position < end)
-        m_policy->reportInvalidPathCharacter(m_directiveName, String(begin, end - begin), *position);
+        m_policy.reportInvalidPathCharacter(m_directiveName, String(begin, end - begin), *position);
 
     path = decodeURLEscapeSequences(String(begin, position - begin));
@@ -631 +619 @@
 }
 
-void CSPSourceList::addSourceSelf()
-{
-    m_list.append(CSPSource(m_policy, m_policy->securityOrigin()->protocol(), m_policy->securityOrigin()->host(), m_policy->securityOrigin()->port(), String(), false, false));
-}
-
-void CSPSourceList::addSourceStar()
-{
-    m_allowStar = true;
-}
-
-void CSPSourceList::addSourceUnsafeInline()
-{
-    m_allowInline = true;
-}
-
-void CSPSourceList::addSourceUnsafeEval()
-{
-    m_allowEval = true;
-}
-
 class CSPDirective {
 public:
-    CSPDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
+    CSPDirective(const String& name, const String& value, const ContentSecurityPolicy& policy)
         : m_name(name)
         , m_text(name + ' ' + value)
@@ -663 +631 @@
 
 protected:
-    const ContentSecurityPolicy* policy() const { return m_policy; }
+    const ContentSecurityPolicy& policy() const { return m_policy; }
 
 private:
     String m_name;
     String m_text;
-    ContentSecurityPolicy* m_policy;
+    const ContentSecurityPolicy& m_policy;
 };
 
 class MediaListDirective : public CSPDirective {
 public:
-    MediaListDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
+    MediaListDirective(const String& name, const String& value, const ContentSecurityPolicy& policy)
         : CSPDirective(name, value, policy)
     {
@@ -694 +662 @@
         // 'plugin-types ____;' OR 'plugin-types;'
         if (value.isEmpty()) {
-            policy()->reportInvalidPluginTypes(value);
+            policy().reportInvalidPluginTypes(value);
             return;
         }
@@ -710 +678 @@
             if (!skipExactly<isMediaTypeCharacter>(position, end)) {
                 skipWhile<isNotASCIISpace>(position, end);
-                policy()->reportInvalidPluginTypes(String(begin, position - begin));
+                policy().reportInvalidPluginTypes(String(begin, position - begin));
                 continue;
             }
@@ -719 +687 @@
             if (!skipExactly(position, end, '/')) {
                 skipWhile<isNotASCIISpace>(position, end);
-                policy()->reportInvalidPluginTypes(String(begin, position - begin));
+                policy().reportInvalidPluginTypes(String(begin, position - begin));
                 continue;
             }
@@ -727 +695 @@
             if (!skipExactly<isMediaTypeCharacter>(position, end)) {
                 skipWhile<isNotASCIISpace>(position, end);
-                policy()->reportInvalidPluginTypes(String(begin, position - begin));
+                policy().reportInvalidPluginTypes(String(begin, position - begin));
                 continue;
             }
@@ -736 +704 @@
             if (position < end && isNotASCIISpace(*position)) {
                 skipWhile<isNotASCIISpace>(position, end);
-                policy()->reportInvalidPluginTypes(String(begin, position - begin));
+                policy().reportInvalidPluginTypes(String(begin, position - begin));
                 continue;
             }
@@ -750 +718 @@
 class SourceListDirective : public CSPDirective {
 public:
-    SourceListDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
+    SourceListDirective(const String& name, const String& value, const ContentSecurityPolicy& policy)
         : CSPDirective(name, value, policy)
         , m_sourceList(policy, name)
@@ -759 +727 @@
     bool allows(const URL& url)
     {
-        return m_sourceList.matches(url.isEmpty() ? policy()->url() : url);
+        // FIXME: We should investigate returning false for an empty URL.
+        if (url.isEmpty())
+            return m_sourceList.allowSelf();
+        return m_sourceList.matches(url);
     }
 
@@ -772 +743 @@
     WTF_MAKE_FAST_ALLOCATED;
 public:
-    static std::unique_ptr<CSPDirectiveList> create(ContentSecurityPolicy*, const String&, ContentSecurityPolicyHeaderType);
-    CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType);
+    static std::unique_ptr<CSPDirectiveList> create(ContentSecurityPolicy&, const String&, ContentSecurityPolicyHeaderType);
+    CSPDirectiveList(ContentSecurityPolicy&, ContentSecurityPolicyHeaderType);
 
     const String& header() const { return m_header; }
@@ -796 +767 @@
     bool allowBaseURI(const URL&, ContentSecurityPolicy::ReportingStatus) const;
 
-    void gatherReportURIs(DOMStringList&) const;
     const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
     ContentSecurityPolicy::ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
     bool isReportOnly() const { return m_reportOnly; }
-    const Vector<URL>& reportURIs() const { return m_reportURIs; }
+    const Vector<String>& reportURIs() const { return m_reportURIs; }
 
 private:
@@ -833 +803 @@
     bool denyIfEnforcingPolicy() const { return m_reportOnly; }
 
-    ContentSecurityPolicy* m_policy;
+    // FIXME: Make this a const reference once we teach applySandboxPolicy() to store its policy as opposed to applying it directly onto ContentSecurityPolicy.
+    ContentSecurityPolicy& m_policy;
 
     String m_header;
@@ -855 +826 @@
     std::unique_ptr<SourceListDirective> m_styleSrc;
 
-    Vector<URL> m_reportURIs;
+    Vector<String> m_reportURIs;
 
     String m_evalDisabledErrorMessage;
 };
 
-CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurityPolicyHeaderType type)
+CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy& policy, ContentSecurityPolicyHeaderType type)
     : m_policy(policy)
     , m_headerType(type)
@@ -870 +841 @@
 }
 
-std::unique_ptr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* policy, const String& header, ContentSecurityPolicyHeaderType type)
+std::unique_ptr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy& policy, const String& header, ContentSecurityPolicyHeaderType type)
 {
     auto directives = std::make_unique<CSPDirectiveList>(policy, type);
@@ -881 +852 @@
 
     if (directives->isReportOnly() && directives->reportURIs().isEmpty())
-        policy->reportMissingReportURI(header);
+        policy.reportMissingReportURI(header);
 
     return directives;
@@ -889 +860 @@
 {
     String message = m_reportOnly ? "[Report Only] " + consoleMessage : consoleMessage;
-    m_policy->reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, state);
+    m_policy.reportViolation(directiveText, effectiveDirective, message, blockedURL, m_reportURIs, m_header, contextURL, contextLine, state);
 }
 
@@ -932 +903 @@
     reportViolation(directive->text(), scriptSrc, consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", URL(), contextURL, contextLine, state);
     if (!m_reportOnly) {
-        m_policy->reportBlockedScriptExecutionToInspector(directive->text());
+        m_policy.reportBlockedScriptExecutionToInspector(directive->text());
         return false;
     }
@@ -964 +935 @@
     if (!m_reportOnly) {
         if (isScript)
-            m_policy->reportBlockedScriptExecutionToInspector(directive->text());
+            m_policy.reportBlockedScriptExecutionToInspector(directive->text());
         return false;
     }
@@ -1114 +1085 @@
 }
 
-void CSPDirectiveList::gatherReportURIs(DOMStringList& list) const
-{
-    for (auto& uri : m_reportURIs)
-        list.append(uri.string());
-}
-
 bool CSPDirectiveList::allowFormAction(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
@@ -1184 +1149 @@
     if (nameBegin == position) {
         skipWhile<isNotASCIISpace>(position, end);
-        m_policy->reportUnsupportedDirective(String(nameBegin, position - nameBegin));
+        m_policy.reportUnsupportedDirective(String(nameBegin, position - nameBegin));
         return false;
     }
@@ -1195 +1160 @@
     if (!skipExactly<isASCIISpace>(position, end)) {
         skipWhile<isNotASCIISpace>(position, end);
-        m_policy->reportUnsupportedDirective(String(nameBegin, position - nameBegin));
+        m_policy.reportUnsupportedDirective(String(nameBegin, position - nameBegin));
         return false;
     }
@@ -1205 +1170 @@
 
     if (position != end) {
-        m_policy->reportInvalidDirectiveValueCharacter(name, String(valueBegin, end - valueBegin));
+        m_policy.reportInvalidDirectiveValueCharacter(name, String(valueBegin, end - valueBegin));
         return false;
     }
@@ -1220 +1185 @@
 {
     if (!m_reportURIs.isEmpty()) {
-        m_policy->reportDuplicateDirective(name);
+        m_policy.reportDuplicateDirective(name);
         return;
     }
@@ -1234 +1199 @@
         skipWhile<isNotASCIISpace>(position, end);
 
-        if (urlBegin < position) {
-            String url = String(urlBegin, position - urlBegin);
-            m_reportURIs.append(m_policy->completeURL(url));
-        }
+        if (urlBegin < position)
+            m_reportURIs.append(value.substring(urlBegin - characters, position - urlBegin));
     }
 }
@@ -1246 +1209 @@
 {
     if (directive) {
-        m_policy->reportDuplicateDirective(name);
+        m_policy.reportDuplicateDirective(name);
         return;
     }
@@ -1255 +1218 @@
 {
     if (m_haveSandboxPolicy) {
-        m_policy->reportDuplicateDirective(name);
+        m_policy.reportDuplicateDirective(name);
         return;
     }
     m_haveSandboxPolicy = true;
     String invalidTokens;
-    m_policy->enforceSandboxFlags(SecurityContext::parseSandboxPolicy(sandboxPolicy, invalidTokens));
+    m_policy.enforceSandboxFlags(SecurityContext::parseSandboxPolicy(sandboxPolicy, invalidTokens));
     if (!invalidTokens.isNull())
-        m_policy->reportInvalidSandboxFlags(invalidTokens);
+        m_policy.reportInvalidSandboxFlags(invalidTokens);
 }
 
@@ -1268 +1231 @@
 {
     if (m_reflectedXSSDisposition != ContentSecurityPolicy::ReflectedXSSUnset) {
-        m_policy->reportDuplicateDirective(name);
+        m_policy.reportDuplicateDirective(name);
         m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
         return;
@@ -1275 +1238 @@
     if (value.isEmpty()) {
         m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
-        m_policy->reportInvalidReflectedXSS(value);
+        m_policy.reportInvalidReflectedXSS(value);
         return;
     }
@@ -1297 +1260 @@
     else {
         m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
-        m_policy->reportInvalidReflectedXSS(value);
+        m_policy.reportInvalidReflectedXSS(value);
         return;
     }
@@ -1308 +1271 @@
     //        ^
     m_reflectedXSSDisposition = ContentSecurityPolicy::ReflectedXSSInvalid;
-    m_policy->reportInvalidReflectedXSS(value);
+    m_policy.reportInvalidReflectedXSS(value);
 }
 
@@ -1338 +1301 @@
         parseReportURI(name, value);
 #if ENABLE(CSP_NEXT)
-    else if (m_policy->experimentalFeaturesEnabled()) {
+    else if (m_policy.experimentalFeaturesEnabled()) {
         if (equalLettersIgnoringASCIICase(name, baseURI))
             setCSPDirective<SourceListDirective>(name, value, m_baseURI);
@@ -1348 +1311 @@
             parseReflectedXSS(name, value);
         else
-            m_policy->reportUnsupportedDirective(name);
+            m_policy.reportUnsupportedDirective(name);
     }
 #endif
     else
-        m_policy->reportUnsupportedDirective(name);
-}
-
-ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
-    : m_scriptExecutionContext(scriptExecutionContext)
-    , m_overrideInlineStyleAllowed(false)
-{
+        m_policy.reportUnsupportedDirective(name);
+}
+
+ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext& scriptExecutionContext)
+    : m_scriptExecutionContext(&scriptExecutionContext)
+    , m_sandboxFlags(SandboxNone)
+{
+    ASSERT(scriptExecutionContext.securityOrigin());
+    auto& securityOrigin = *scriptExecutionContext.securityOrigin();
+    m_selfSourceProtocol = securityOrigin.protocol();
+    m_selfSource = std::make_unique<CSPSource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false);
+}
+
+ContentSecurityPolicy::ContentSecurityPolicy(const SecurityOrigin& securityOrigin)
+    : m_sandboxFlags(SandboxNone)
+{
+    m_selfSourceProtocol = securityOrigin.protocol();
+    m_selfSource = std::make_unique<CSPSource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false);
 }
 
@@ -1401 +1375 @@
         // header1,header2 OR header1
         //        ^                  ^
-        std::unique_ptr<CSPDirectiveList> policy = CSPDirectiveList::create(this, String(begin, position - begin), type);
+        std::unique_ptr<CSPDirectiveList> policy = CSPDirectiveList::create(*this, String(begin, position - begin), type);
         if (!policy->allowEval(0, ContentSecurityPolicy::ReportingStatus::SuppressReport))
-            m_scriptExecutionContext->disableEval(policy->evalDisabledErrorMessage());
+            m_lastPolicyEvalDisabledErrorMessage = policy->evalDisabledErrorMessage();
 
         m_policies.append(policy.release());
@@ -1412 +1386 @@
         begin = position;
     }
+
+    if (m_scriptExecutionContext)
+        applyPolicyToScriptExecutionContext();
+}
+
+void ContentSecurityPolicy::applyPolicyToScriptExecutionContext()
+{
+    ASSERT(m_scriptExecutionContext);
+    if (!m_lastPolicyEvalDisabledErrorMessage.isNull())
+        m_scriptExecutionContext->disableEval(m_lastPolicyEvalDisabledErrorMessage);
+    if (m_sandboxFlags != SandboxNone && is<Document>(m_scriptExecutionContext))
+        m_scriptExecutionContext->enforceSandboxFlags(m_sandboxFlags);
 }
 
@@ -1417 +1403 @@
 {
     m_overrideInlineStyleAllowed = value;
+}
+
+bool ContentSecurityPolicy::urlMatchesSelf(const URL& url) const
+{
+    return m_selfSource->matches(url);
+}
+
+bool ContentSecurityPolicy::protocolMatchesSelf(const URL& url) const
+{
+#if ENABLE(CSP_NEXT)
+    if (equalLettersIgnoringASCIICase(m_selfSourceProtocol, "http"))
+        return url.protocolIsInHTTPFamily();
+#endif
+    return equalIgnoringASCIICase(url.protocol(), m_selfSourceProtocol);
 }
 
@@ -1574 +1574 @@
 void ContentSecurityPolicy::gatherReportURIs(DOMStringList& list) const
 {
-    for (auto& policy : m_policies)
-        policy->gatherReportURIs(list);
-}
-
-SecurityOrigin* ContentSecurityPolicy::securityOrigin() const
-{
-    return m_scriptExecutionContext->securityOrigin();
-}
-
-const URL& ContentSecurityPolicy::url() const
-{
-    return m_scriptExecutionContext->url();
-}
-
-URL ContentSecurityPolicy::completeURL(const String& url) const
-{
-    return m_scriptExecutionContext->completeURL(url);
-}
-
-void ContentSecurityPolicy::enforceSandboxFlags(SandboxFlags mask) const
-{
-    m_scriptExecutionContext->enforceSandboxFlags(mask);
+    ASSERT(m_scriptExecutionContext);
+    for (auto& policy : m_policies) {
+        for (auto& url : policy->reportURIs())
+            list.append(m_scriptExecutionContext->completeURL(url).string());
+    }
 }
 
@@ -1629 +1612 @@
 #endif
 
-void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<URL>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, JSC::ExecState* state) const
+void ContentSecurityPolicy::reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<String>& reportURIs, const String& header, const String& contextURL, const WTF::OrdinalNumber& contextLine, JSC::ExecState* state) const
 {
     logToConsole(consoleMessage, contextURL, contextLine, state);
 
     // FIXME: Support sending reports from worker.
-    if (!is<Document>(*m_scriptExecutionContext))
+    if (!is<Document>(m_scriptExecutionContext))
         return;
 
@@ -1691 +1674 @@
 
     for (const auto& url : reportURIs)
-        PingLoader::sendViolationReport(*frame, url, report.copyRef());
+        PingLoader::sendViolationReport(*frame, document.completeURL(url), report.copyRef());
 }
 
@@ -1775 +1758 @@
 {
     // FIXME: <http://webkit.org/b/114317> ContentSecurityPolicy::logToConsole should include a column number
-    m_scriptExecutionContext->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, contextURL, contextLine.oneBasedInt(), 0, state);
+    if (m_scriptExecutionContext)
+        m_scriptExecutionContext->addConsoleMessage(MessageSource::Security, MessageLevel::Error, message, contextURL, contextLine.oneBasedInt(), 0, state);
 }
 
 void ContentSecurityPolicy::reportBlockedScriptExecutionToInspector(const String& directiveText) const
 {
-    InspectorInstrumentation::scriptExecutionBlockedByCSP(m_scriptExecutionContext, directiveText);
+    if (m_scriptExecutionContext)
+        InspectorInstrumentation::scriptExecutionBlockedByCSP(m_scriptExecutionContext, directiveText);
 }
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h

@@ -1 +1 @@
 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +29 @@
 
 #include "ContentSecurityPolicyResponseHeaders.h"
-#include "URL.h"
 #include "ScriptState.h"
-#include <memory>
-#include <wtf/RefCounted.h>
 #include <wtf/Vector.h>
 #include <wtf/text/TextPosition.h>
-#include <wtf/text/WTFString.h>
 
 namespace WTF {
@@ -43 +40 @@
 
 class CSPDirectiveList;
+class CSPSource;
 class DOMStringList;
 class ScriptExecutionContext;
 class SecurityOrigin;
+class URL;
 
+typedef Vector<std::unique_ptr<CSPDirectiveList>> CSPDirectiveListVector;
 typedef int SandboxFlags;
-typedef Vector<std::unique_ptr<CSPDirectiveList>> CSPDirectiveListVector;
 
 class ContentSecurityPolicy {
     WTF_MAKE_FAST_ALLOCATED;
 public:
-    explicit ContentSecurityPolicy(ScriptExecutionContext*);
+    explicit ContentSecurityPolicy(ScriptExecutionContext&);
+    explicit ContentSecurityPolicy(const SecurityOrigin&);
     ~ContentSecurityPolicy();
 
     void copyStateFrom(const ContentSecurityPolicy*);
-
-    enum class ReportingStatus {
-        SendReport,
-        SuppressReport
-    };
 
     // Be sure to update the behavior of XSSAuditor::combineXSSProtectionHeaderAndCSP whenever you change this enum's content or ordering.
@@ -71 +66 @@
         BlockReflectedXSS
     };
+    ReflectedXSSDisposition reflectedXSSDisposition() const;
 
     ContentSecurityPolicyResponseHeaders responseHeaders() const;
@@ -76 +72 @@
     void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType);
 
+    enum class ReportingStatus {
+        SendReport,
+        SuppressReport
+    };
     bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
     bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
@@ -82 +82 @@
     bool allowEval(JSC::ExecState* = nullptr, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
     bool allowPluginType(const String& type, const String& typeAttribute, const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
-
     bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
     bool allowObjectFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
@@ -94 +93 @@
     bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
 
-    ReflectedXSSDisposition reflectedXSSDisposition() const;
-
     void setOverrideAllowInlineStyle(bool);
 
     bool isActive() const;
+
     void gatherReportURIs(DOMStringList&) const;
 
+    String evalDisabledErrorMessage() const;
+
+    bool experimentalFeaturesEnabled() const;
+
+    static bool shouldBypassMainWorldContentSecurityPolicy(ScriptExecutionContext&);
+
+    // The following functions are used by internal data structures to call back into this object when parsing, validating,
+    // and applying a Content Security Policy.
+    // FIXME: We should make the various directives serve only as state stores for the parsed policy and remove these functions.
+    // This class should traverse the directives, validating the policy, and applying it to the script execution context.
+
+    // Used by MediaListDirective
+    void reportInvalidPluginTypes(const String&) const;
+
+    // Used by CSPSourceList
     void reportDirectiveAsSourceExpression(const String& directiveName, const String& sourceExpression) const;
+    void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
+    void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
+    bool urlMatchesSelf(const URL&) const;
+
+    // Used by CSPDirectiveList
     void reportDuplicateDirective(const String&) const;
     void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
-    void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
-    void reportInvalidPluginTypes(const String&) const;
     void reportInvalidSandboxFlags(const String&) const;
-    void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
     void reportInvalidReflectedXSS(const String&) const;
     void reportMissingReportURI(const String&) const;
     void reportUnsupportedDirective(const String&) const;
-    void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<URL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
+    void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<String>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
+    void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
+    void enforceSandboxFlags(SandboxFlags sandboxFlags) { m_sandboxFlags |= sandboxFlags; }
 
-    void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
-
-    const URL& url() const;
-    URL completeURL(const String&) const;
-    SecurityOrigin* securityOrigin() const;
-    void enforceSandboxFlags(SandboxFlags) const;
-    String evalDisabledErrorMessage() const;
-
-    bool experimentalFeaturesEnabled() const;
-    static bool shouldBypassMainWorldContentSecurityPolicy(ScriptExecutionContext&);
+    // Used by CSPSource
+    bool protocolMatchesSelf(const URL&) const;
 
 private:
     void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
+    void applyPolicyToScriptExecutionContext();
 
-    ScriptExecutionContext* m_scriptExecutionContext;
-    bool m_overrideInlineStyleAllowed;
+    ScriptExecutionContext* m_scriptExecutionContext { nullptr };
+    std::unique_ptr<CSPSource> m_selfSource;
+    String m_selfSourceProtocol;
     CSPDirectiveListVector m_policies;
+    String m_lastPolicyEvalDisabledErrorMessage;
+    SandboxFlags m_sandboxFlags;
+    bool m_overrideInlineStyleAllowed { false };
 };
 

trunk/Source/WebCore/workers/WorkerGlobalScope.cpp

@@ -73 +73 @@
 {
     setSecurityOriginPolicy(SecurityOriginPolicy::create(SecurityOrigin::create(url)));
+    setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(*this));
 }
 
@@ -88 +89 @@
 void WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders(const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders)
 {
-    setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this));
     contentSecurityPolicy()->didReceiveHeaders(contentSecurityPolicyResponseHeaders);
 }