Changeset 197724 in webkit
- Timestamp: Mar 7, 2016 9:39:26 PM
- Location: trunk
- Files: 34 added, 6 edited
trunk/LayoutTests/ChangeLog
r197720 r197724 1 2016-03-07 Daniel Bates <dabates@apple.com> 2 3 CSP: Source '*' should not match URLs with schemes blob, data, or filesystem 4 https://bugs.webkit.org/show_bug.cgi?id=154122 5 <rdar://problem/24613336> 6 7 Reviewed by Brent Fulgham. 8 9 Add tests to ensure that we do not regress our interpretation of * with respect to directives 10 img-src, media-src, style-src, and default-src. 11 12 When running in WebKitTestRunner, skip the tests fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html 13 and media/video-with-blob-url-allowed-by-csp-media-src-star.html as they make use of eventSender.beginDragWithFiles(), 14 which is not implement. We will need to fix <https://bugs.webkit.org/show_bug.cgi?id=64285> 15 before we can run these tests in WebKitTestRunner. 16 17 * TestExpectations: 18 * fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html: Added. 19 * fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html: Added. 20 * fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html: Added. 21 * fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html: Added. 22 * fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html: Added. 23 * fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html: Added. 24 * fast/dom/HTMLImageElement/resources/green.png: Added. 25 * fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html: Added. 26 * fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html: Added. 27 * fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html: Added. 28 * fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html: Added. 29 * fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html: Added. 
30 * fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html: Added. 31 * fast/dom/HTMLLinkElement/resources/red-background-color.css: Added. 32 (#test): 33 * http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt: Added. 34 * http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html: Added. 35 * http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt: Added. 36 * http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html: Added. 37 * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt: Added. 38 * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html: Added. 39 * http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt: Added. 40 * http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html: Added. 41 * http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt: Added. 42 * http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html: Added. 43 * http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt: Added. 44 * http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html: Added. 45 * http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt: Added. 46 * http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html: Added. 47 * media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html: Added. 48 * media/video-with-blob-url-allowed-by-csp-media-src-star.html: Added. 49 * media/video-with-data-url-allowed-by-csp-media-src-star-expected.html: Added. 
50 * media/video-with-data-url-allowed-by-csp-media-src-star.html: Added. 51 * media/video-with-file-url-blocked-by-csp-media-src-star-expected.html: Added. 52 * media/video-with-file-url-blocked-by-csp-media-src-star.html: Added. 53 * platform/wk2/TestExpectations: 54 1 55 2016-03-07 Alex Christensen <achristensen@webkit.org> 2 56 -
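Review bot: The bug title names blob, data and filesystem, but the new tests exercise blob:, data: and file: URLs only; nothing checks that a filesystem: URL is rejected by `*`, so either add one such test per directive or note in this entry why it is not needed. Two smaller items: "which is not implement" should read "which is not implemented", and the "(#test):" line under fast/dom/HTMLLinkElement/resources/red-background-color.css is a stray prepare-ChangeLog artifact that should be dropped.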
trunk/LayoutTests/TestExpectations
r197697 r197724 855 855 webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ] 856 856 webkit.org/b/154522 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html 857 webkit.org/b/155132 http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html [ Failure ] 857 858 http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ] 858 859 -
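Review bot: video-with-https-url-allowed-by-csp-media-src-star.html lands already marked [ Failure ] under webkit.org/b/155132, yet neither ChangeLog entry says that this test is expected to fail or why; add a sentence to the LayoutTests ChangeLog referencing bug 155132 so the expectation is not later mistaken for a regression.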
trunk/LayoutTests/platform/wk2/TestExpectations
r197700 r197724 626 626 editing/pasteboard/file-drag-to-editable.html 627 627 editing/pasteboard/file-input-files-access.html 628 fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html 628 629 fast/dom/Window/window-postmessage-clone-frames.html 629 630 fast/dom/Window/window-postmessage-clone.html … … 678 679 http/tests/local/formdata/upload-events.html 679 680 http/tests/security/clipboard/clipboard-file-access.html 681 media/video-with-blob-url-allowed-by-csp-media-src-star.html 680 682 media/video-src-blob.html 681 683 storage/indexeddb/noblobs.html -
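Review bot: The second insertion is out of order: media/video-with-blob-url-allowed-by-csp-media-src-star.html is placed before media/video-src-blob.html, while the surrounding list is sorted ("video-src" sorts before "video-with"); move it one line down. The skips themselves match the rationale in the LayoutTests ChangeLog (eventSender.beginDragWithFiles() is unimplemented in WebKitTestRunner, bug 64285), so no concern there.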
trunk/Source/WebCore/ChangeLog
r197721 r197724 1 2016-03-07 Daniel Bates <dabates@apple.com> 2 3 CSP: Source '*' should not match URLs with schemes blob, data, or filesystem 4 https://bugs.webkit.org/show_bug.cgi?id=154122 5 <rdar://problem/24613336> 6 7 Reviewed by Brent Fulgham. 8 9 Restrict matching of source expression * to HTTP or HTTPS URLs for all directives except 10 img-src and media-src. This policy is more restrictive than the policy described in section 11 Matching Source Expressions of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721>, 12 which restricts matching * to schemes that are not blob, data, or filesystem. 13 14 For directive img-src we restrict matching of * to HTTP, HTTPS, and data URLs. For directive 15 media-src we restrict matching of * to HTTP, HTTPS, data URLs and blob URLs. We use a 16 more lenient interpretation of * for directives img-src and media-src than required by 17 the spec. to mitigate web compatibility issues. 18 19 Tests: fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html 20 fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html 21 fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html 22 fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html 23 fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html 24 fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html 25 http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html 26 http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html 27 http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html 28 http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html 29 http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html 30 
http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html 31 http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html 32 media/video-with-blob-url-allowed-by-csp-media-src-star.html 33 media/video-with-data-url-allowed-by-csp-media-src-star.html 34 media/video-with-file-url-blocked-by-csp-media-src-star.html 35 36 * page/csp/ContentSecurityPolicySourceList.cpp: 37 (WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar): Added. 38 (WebCore::ContentSecurityPolicySourceList::matches): Modified to only match * if ContentSecurityPolicySourceList::isProtocolAllowedByStar(). 39 evaluates to true. 40 * page/csp/ContentSecurityPolicySourceList.h: 41 1 42 2016-03-07 Brent Fulgham <bfulgham@apple.com> 2 43 -
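Review bot: The spec citation here disagrees with the code comment: this entry says the new rule is tighter than the CSP 2.0 Candidate Recommendation, while the comment added in ContentSecurityPolicySourceList.cpp attributes it to the "Content Security Policy Level 3 spec."; pick one reference and use it in both places. Also, "Modified to only match * if ContentSecurityPolicySourceList::isProtocolAllowedByStar(). evaluates to true." has a stray period after the call.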
trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp
r196655 r197724 96 96 } 97 97 98 bool ContentSecurityPolicySourceList::isProtocolAllowedByStar(const URL& url) const 99 { 100 // Although not allowed by the Content Security Policy Level 3 spec., we allow a data URL to match 101 // "img-src *" and either a data URL or blob URL to match "media-src *" for web compatibility. 102 // FIXME: We should not hardcode the directive names. We should make use of the constants in ContentSecurityPolicyDirectiveList.cpp. 103 // See <https://bugs.webkit.org/show_bug.cgi?id=155133>. 104 bool isAllowed = url.protocolIsInHTTPFamily(); 105 if (equalLettersIgnoringASCIICase(m_directiveName, "img-src")) 106 isAllowed |= url.protocolIsData(); 107 else if (equalLettersIgnoringASCIICase(m_directiveName, "media-src")) 108 isAllowed |= url.protocolIsData() || url.protocolIsBlob(); 109 return isAllowed; 110 } 111 98 112 bool ContentSecurityPolicySourceList::matches(const URL& url) 99 113 { 100 if (m_allowStar) { 101 // FIXME: Should only match for URLs whose scheme is not blob, data or filesystem. 102 // See <https://bugs.webkit.org/show_bug.cgi?id=154122> for more details. 103 return true; 104 } 114 if (m_allowStar && isProtocolAllowedByStar(url)) 115 return true; 105 116 106 117 if (m_allowSelf && m_policy.urlMatchesSelf(url)) -
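Review bot: isProtocolAllowedByStar() admits only http and https for every directive other than img-src and media-src, so after this change a `connect-src *` policy will no longer match ws: or wss: URLs, nor any other non-HTTP scheme that the CSP2 rule cited in the ChangeLog (anything but blob, data, filesystem) would admit; if that tightening is intended, state it in the ChangeLog and cover it with a test, otherwise the check needs a scheme allow-list beyond protocolIsInHTTPFamily(). The fall-through in matches() is the right shape: a URL rejected by the star check is still evaluated against 'self' and the explicit source list, so a policy such as `img-src * blob:` keeps working.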
trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h
r196350 r197724 56 56 bool parsePath(const UChar* begin, const UChar* end, String& path); 57 57 58 bool isProtocolAllowedByStar(const URL&) const; 59 58 60 const ContentSecurityPolicy& m_policy; 59 61 Vector<ContentSecurityPolicySource> m_list;
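Review bot: The new declaration carries no comment, and the rationale for the per-directive exceptions lives only in the .cpp; a one-line comment here (for example "// Returns true if this directive's source expression '*' may match the URL's scheme.") would save readers a trip to the implementation. The const qualification matches the definition.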