Changeset 197724 in webkit

Timestamp:

Mar 7, 2016 9:39:26 PM (8 years ago)

Author:

dbates@webkit.org

Message:

CSP: Source '*' should not match URLs with schemes blob, data, or filesystem
​https://bugs.webkit.org/show_bug.cgi?id=154122
<rdar://problem/24613336>

Reviewed by Brent Fulgham.

Source/WebCore:

Restrict matching of source expression * to HTTP or HTTPS URLs for all directives except
img-src and media-src. This policy is more restrictive than the policy described in section
Matching Source Expressions of the Content Security Policy 2.0 spec., <​https://www.w3.org/TR/2015/CR-CSP2-20150721>,
which restricts matching * to schemes that are not blob, data, or filesystem.

For directive img-src we restrict matching of * to HTTP, HTTPS, and data URLs. For directive
media-src we restrict matching of * to HTTP, HTTPS, data URLs and blob URLs. We use a
more lenient interpretation of * for directives img-src and media-src than required by
the spec. to mitigate web compatibility issues.

Tests: fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html

fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html
fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html
fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html
fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html
fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html
http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html
http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html
http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html
http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html
http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html
http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html
media/video-with-blob-url-allowed-by-csp-media-src-star.html
media/video-with-data-url-allowed-by-csp-media-src-star.html
media/video-with-file-url-blocked-by-csp-media-src-star.html

• page/csp/ContentSecurityPolicySourceList.cpp:

(WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar): Added.
(WebCore::ContentSecurityPolicySourceList::matches): Modified to only match * if ContentSecurityPolicySourceList::isProtocolAllowedByStar().
evaluates to true.

• page/csp/ContentSecurityPolicySourceList.h:

LayoutTests:

Add tests to ensure that we do not regress our interpretation of * with respect to directives
img-src, media-src, style-src, and default-src.

When running in WebKitTestRunner, skip the tests fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
and media/video-with-blob-url-allowed-by-csp-media-src-star.html as they make use of eventSender.beginDragWithFiles(),
which is not implement. We will need to fix <​https://bugs.webkit.org/show_bug.cgi?id=64285>
before we can run these tests in WebKitTestRunner.

• TestExpectations:
• fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html: Added.
• fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html: Added.
• fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html: Added.
• fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html: Added.
• fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html: Added.
• fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html: Added.
• fast/dom/HTMLImageElement/resources/green.png: Added.
• fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html: Added.
• fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html: Added.
• fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html: Added.
• fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html: Added.
• fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html: Added.
• fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html: Added.
• fast/dom/HTMLLinkElement/resources/red-background-color.css: Added.

(#test):

• http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html: Added.
• http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html: Added.
• http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html: Added.
• http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html: Added.
• http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html: Added.
• http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html: Added.
• http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html: Added.
• media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html: Added.
• media/video-with-blob-url-allowed-by-csp-media-src-star.html: Added.
• media/video-with-data-url-allowed-by-csp-media-src-star-expected.html: Added.
• media/video-with-data-url-allowed-by-csp-media-src-star.html: Added.
• media/video-with-file-url-blocked-by-csp-media-src-star-expected.html: Added.
• media/video-with-file-url-blocked-by-csp-media-src-star.html: Added.
• platform/wk2/TestExpectations:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html (added)
• LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html (added)
• LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html (added)
• LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html (added)
• LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html (added)
• LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html (added)
• LayoutTests/fast/dom/HTMLImageElement/resources/green.png (added)
• LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html (added)
• LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html (added)
• LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html (added)
• LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html (added)
• LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html (added)
• LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html (added)
• LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html (added)
• LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html (added)
• LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html (added)
• LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html (added)
• LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html (added)
• LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html (added)
• LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html (added)
• LayoutTests/platform/wk2/TestExpectations (modified) (2 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceList.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-03-07  Daniel Bates  <dabates@apple.com>
+
+        CSP: Source '*' should not match URLs with schemes blob, data, or filesystem
+        https://bugs.webkit.org/show_bug.cgi?id=154122
+        <rdar://problem/24613336>
+
+        Reviewed by Brent Fulgham.
+
+        Add tests to ensure that we do not regress our interpretation of * with respect to directives
+        img-src, media-src, style-src, and default-src.
+
+        When running in WebKitTestRunner, skip the tests fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
+        and media/video-with-blob-url-allowed-by-csp-media-src-star.html as they make use of eventSender.beginDragWithFiles(),
+        which is not implement. We will need to fix <https://bugs.webkit.org/show_bug.cgi?id=64285>
+        before we can run these tests in WebKitTestRunner.
+
+        * TestExpectations:
+        * fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html: Added.
+        * fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html: Added.
+        * fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html: Added.
+        * fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html: Added.
+        * fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html: Added.
+        * fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html: Added.
+        * fast/dom/HTMLImageElement/resources/green.png: Added.
+        * fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html: Added.
+        * fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html: Added.
+        * fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html: Added.
+        * fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html: Added.
+        * fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html: Added.
+        * fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html: Added.
+        * fast/dom/HTMLLinkElement/resources/red-background-color.css: Added.
+        (#test):
+        * http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html: Added.
+        * media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html: Added.
+        * media/video-with-blob-url-allowed-by-csp-media-src-star.html: Added.
+        * media/video-with-data-url-allowed-by-csp-media-src-star-expected.html: Added.
+        * media/video-with-data-url-allowed-by-csp-media-src-star.html: Added.
+        * media/video-with-file-url-blocked-by-csp-media-src-star-expected.html: Added.
+        * media/video-with-file-url-blocked-by-csp-media-src-star.html: Added.
+        * platform/wk2/TestExpectations:
+
 2016-03-07  Alex Christensen  <achristensen@webkit.org>
 

trunk/LayoutTests/TestExpectations

@@ -855 +855 @@
 webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]
 webkit.org/b/154522 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html
+webkit.org/b/155132 http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html [ Failure ]
 http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
 

trunk/LayoutTests/platform/wk2/TestExpectations

@@ -626 +626 @@
 editing/pasteboard/file-drag-to-editable.html
 editing/pasteboard/file-input-files-access.html
+fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
 fast/dom/Window/window-postmessage-clone-frames.html
 fast/dom/Window/window-postmessage-clone.html
@@ -678 +679 @@
 http/tests/local/formdata/upload-events.html
 http/tests/security/clipboard/clipboard-file-access.html
+media/video-with-blob-url-allowed-by-csp-media-src-star.html
 media/video-src-blob.html
 storage/indexeddb/noblobs.html

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-03-07  Daniel Bates  <dabates@apple.com>
+
+        CSP: Source '*' should not match URLs with schemes blob, data, or filesystem
+        https://bugs.webkit.org/show_bug.cgi?id=154122
+        <rdar://problem/24613336>
+
+        Reviewed by Brent Fulgham.
+
+        Restrict matching of source expression * to HTTP or HTTPS URLs for all directives except
+        img-src and media-src. This policy is more restrictive than the policy described in section
+        Matching Source Expressions of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721>,
+        which restricts matching * to schemes that are not blob, data, or filesystem.
+
+        For directive img-src we restrict matching of * to HTTP, HTTPS, and data URLs. For directive
+        media-src we restrict matching of * to HTTP, HTTPS, data URLs and blob URLs. We use a
+        more lenient interpretation of * for directives img-src and media-src than required by
+        the spec. to mitigate web compatibility issues.
+
+        Tests: fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
+               fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html
+               fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html
+               fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html
+               fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html
+               fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html
+               http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html
+               http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html
+               http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html
+               http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html
+               http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html
+               http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html
+               http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html
+               media/video-with-blob-url-allowed-by-csp-media-src-star.html
+               media/video-with-data-url-allowed-by-csp-media-src-star.html
+               media/video-with-file-url-blocked-by-csp-media-src-star.html
+
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar): Added.
+        (WebCore::ContentSecurityPolicySourceList::matches): Modified to only match * if ContentSecurityPolicySourceList::isProtocolAllowedByStar().
+        evaluates to true.
+        * page/csp/ContentSecurityPolicySourceList.h:
+
 2016-03-07  Brent Fulgham  <bfulgham@apple.com>
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp

@@ -96 +96 @@
 }
 
+bool ContentSecurityPolicySourceList::isProtocolAllowedByStar(const URL& url) const
+{
+    // Although not allowed by the Content Security Policy Level 3 spec., we allow a data URL to match
+    // "img-src *" and either a data URL or blob URL to match "media-src *" for web compatibility.
+    // FIXME: We should not hardcode the directive names. We should make use of the constants in ContentSecurityPolicyDirectiveList.cpp.
+    // See <https://bugs.webkit.org/show_bug.cgi?id=155133>.
+    bool isAllowed = url.protocolIsInHTTPFamily();
+    if (equalLettersIgnoringASCIICase(m_directiveName, "img-src"))
+        isAllowed |= url.protocolIsData();
+    else if (equalLettersIgnoringASCIICase(m_directiveName, "media-src"))
+        isAllowed |= url.protocolIsData() || url.protocolIsBlob();
+    return isAllowed;
+}
+
 bool ContentSecurityPolicySourceList::matches(const URL& url)
 {
-    if (m_allowStar) {
-        // FIXME: Should only match for URLs whose scheme is not blob, data or filesystem.
-        // See <https://bugs.webkit.org/show_bug.cgi?id=154122> for more details.
-        return true;
-    }
+    if (m_allowStar && isProtocolAllowedByStar(url))
+        return true;
 
     if (m_allowSelf && m_policy.urlMatchesSelf(url))

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h

@@ -56 +56 @@
     bool parsePath(const UChar* begin, const UChar* end, String& path);
 
+    bool isProtocolAllowedByStar(const URL&) const;
+
     const ContentSecurityPolicy& m_policy;
     Vector<ContentSecurityPolicySource> m_list;