Changeset 196655 in webkit

Timestamp:

Feb 16, 2016 1:18:19 PM (8 years ago)

Author:

dbates@webkit.org

Message:

CSP: Fix parsing of 'host/path' source expressions
​https://bugs.webkit.org/show_bug.cgi?id=153170
<rdar://problem/24383407>

Reviewed by Brent Fulgham.

Source/WebCore:

Merged from Blink (patch by Mike West):
<​https://src.chromium.org/viewvc/blink?revision=154875&view=revision>

Fixes an issue where a source of the form example.com/A/ was incorrectly considered
invalid and hence such a requested resource would be blocked. A source of this form
is valid by the definition of host-source in section Source List Syntax of the Content
Security Policy 2.0 spec., <​http://www.w3.org/TR/2015/CR-CSP2-20150721/>.

• page/csp/ContentSecurityPolicySourceList.cpp:

(WebCore::ContentSecurityPolicySourceList::parseSource):

LayoutTests:

Remove entry for test http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html
as it now passes.

• TestExpectations:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-02-16  Daniel Bates  <dabates@apple.com>
+
+        CSP: Fix parsing of 'host/path' source expressions
+        https://bugs.webkit.org/show_bug.cgi?id=153170
+        <rdar://problem/24383407>
+
+        Reviewed by Brent Fulgham.
+
+        Remove entry for test http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html
+        as it now passes.
+
+        * TestExpectations:
+
 2016-02-16  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -834 +834 @@
 webkit.org/b/153166 webkit.org/b/153242 http/tests/security/contentSecurityPolicy/report-and-enforce.html [ Failure ]
 webkit.org/b/153166 webkit.org/b/153242 http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html [ Failure ]
-webkit.org/b/153170 http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html [ Failure ]
 http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-02-16  Daniel Bates  <dabates@apple.com>
+
+        CSP: Fix parsing of 'host/path' source expressions
+        https://bugs.webkit.org/show_bug.cgi?id=153170
+        <rdar://problem/24383407>
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Mike West):
+        <https://src.chromium.org/viewvc/blink?revision=154875&view=revision>
+
+        Fixes an issue where a source of the form example.com/A/ was incorrectly considered
+        invalid and hence such a requested resource would be blocked. A source of this form
+        is valid by the definition of host-source in section Source List Syntax of the Content
+        Security Policy 2.0 spec., <http://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::parseSource):
+
 2016-02-16  Daniel Bates  <dabates@apple.com>
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp

@@ -199 +199 @@
         // host/path || host/ || /
         //     ^            ^    ^
-        if (!parseHost(beginHost, position, host, hostHasWildcard)
-            || !parsePath(position, end, path)
-            || position != end)
-            return false;
-        return true;
+        return parseHost(beginHost, position, host, hostHasWildcard) && parsePath(position, end, path);
     }