Changeset 196581 in webkit
- Timestamp: Feb 15, 2016 10:53:59 AM (8 years ago)
- Location: trunk
- Files: 5 edited
trunk/LayoutTests/ChangeLog
r196579 r196581 1 2016-02-15 Daniel Bates <dabates@apple.com> 2 3 CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource 4 https://bugs.webkit.org/show_bug.cgi?id=154177 5 <rdar://problem/22708772> 6 7 Reviewed by Brent Fulgham. 8 9 Update test case and expected result to test that a schemeless source expression 10 matches an HTTPS subresource (and does not trigger a Content Security Policy violation) 11 when the page is served over HTTP. 12 13 * http/tests/security/contentSecurityPolicy/source-list-parsing-10-expected.txt: 14 * http/tests/security/contentSecurityPolicy/source-list-parsing-10.html: Change "no" to "yes" 15 so that we consider it a success (and continue printing "PASS") when we load and execute the 16 script, <https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js>. 17 1 18 2016-02-15 Ryan Haddad <ryanhaddad@apple.com> 2 19 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-10-expected.txt
r146141 r196581 1 CONSOLE MESSAGE: Refused to load the script 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8443".2 3 1 None of these scripts should execute even though there are parse errors in the policy. 4 2 -
trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-10.html
r146141 r196581 6 6 var tests = [ 7 7 ['yes', 'script-src 127.0.0.1:8000', 'resources/script.js'], 8 [' no', 'script-src 127.0.0.1:8443', 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js'],8 ['yes', 'script-src 127.0.0.1:8443', 'https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js'], 9 9 ]; 10 10 </script> -
trunk/Source/WebCore/ChangeLog
r196578 r196581 1 2016-02-15 Daniel Bates <dabates@apple.com> 2 3 CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource 4 https://bugs.webkit.org/show_bug.cgi?id=154177 5 <rdar://problem/22708772> 6 7 Reviewed by Brent Fulgham. 8 9 Allow a schemeless source expression to match an HTTP or HTTPS subresource when the page is 10 delivered over HTTP as per section Matching Source Expressions of the Content Security Policy 11 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721/> (21 July 2015). 12 13 Currently we have logic that implements this functionality, but it is guarded behind the compile- 14 time macro ENABLE(CSP_NEXT) that is disabled by default. Instead we should always compile such 15 code. In subsequent commits we will move more code out from under the ENABLE(CSP_NEXT)-guard 16 towards removing the ENABLE_CSP_NEXT macro entirely. 17 18 * page/csp/ContentSecurityPolicy.cpp: 19 (WebCore::ContentSecurityPolicy::protocolMatchesSelf): 20 1 21 2016-02-15 Konstantin Tokarev <annulen@yandex.ru> 2 22 -
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
r196526 r196581 148 148 bool ContentSecurityPolicy::protocolMatchesSelf(const URL& url) const 149 149 { 150 #if ENABLE(CSP_NEXT)151 150 if (equalLettersIgnoringASCIICase(m_selfSourceProtocol, "http")) 152 151 return url.protocolIsInHTTPFamily(); 153 #endif154 152 return equalIgnoringASCIICase(url.protocol(), m_selfSourceProtocol); 155 153 }
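Review bot: In trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-10-expected.txt, the retained description line "None of these scripts should execute even though there are parse errors in the policy." no longer matches the test, since both entries in the tests array are now marked 'yes' and the ChangeLog says the HTTPS script is expected to load and execute. Suggest updating the description text in the test (and regenerating this expected file) so the wording states that both scripts should execute.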
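Review bot: In trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-10.html, the tests array covers only the HTTP page loading an HTTPS script; there is no case for the opposite direction, where a page served over HTTPS with a schemeless source such as 'script-src 127.0.0.1:8000' must still refuse an HTTP script. That case now depends on the fall-through `return equalIgnoringASCIICase(url.protocol(), m_selfSourceProtocol);` in protocolMatchesSelf(), so a companion test served from the HTTPS port with an expected 'no' would keep a later change from making the match symmetric and allowing a downgrade.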
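Review bot: In trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp, protocolMatchesSelf() now unconditionally returns `url.protocolIsInHTTPFamily()` when m_selfSourceProtocol is "http", but nothing in the function explains that the relaxation is deliberately one-directional. Suggest a short comment above the `if` stating that an HTTP page may match both HTTP and HTTPS resources while every other protocol requires an exact match, with a pointer to the Matching Source Expressions section of the CSP 2.0 spec cited in the ChangeLog, so the asymmetry is not lost as more code moves out from under ENABLE(CSP_NEXT).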