Changeset 198936 in webkit

Timestamp:

Mar 31, 2016 6:54:47 PM (8 years ago)

Author:

dbates@webkit.org

Message:

REGRESSION (r197724): <object>/<embed> with no URL does not match source *
​https://bugs.webkit.org/show_bug.cgi?id=156079
<rdar://problem/25470805>

Reviewed by Brent Fulgham.

Source/WebCore:

Fixes an issue where HTML object and embed elements that are not associated with a URL are
allowed to load when object-src/default-src contains source *. More generally, we allow
such elements to load so long as object-src/default-src is not 'none' per section object-src
of the Content Security Policy Level 3 spec., <​http://w3c.github.io/webappsec-csp> (Editor's Draft, 29 February 2016).

Tests: http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html

http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html
http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html
http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html

• page/csp/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::allowObjectFromSource): Modified to call violatedDirectiveInAnyPolicy() passing
ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes.

• page/csp/ContentSecurityPolicyDirectiveList.cpp:

(WebCore::checkSource): Modified to take argument of type ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone (defaults to false)
and pass it through to ContentSecurityPolicySourceListDirective.
(WebCore::checkFrameAncestors): Explicitly pass ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No
to avoid URL from having the compiler implicitly convert it to a String and selecting override ContentSecurityPolicySourceListDirective::allows(const String&),
which will lead to incorrect results. We will look to make this code less error prone in <​https://bugs.webkit.org/show_bug.cgi?id=156086>.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource): Modified to take argument of type
ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone and pass it through.

• page/csp/ContentSecurityPolicyDirectiveList.h:
• page/csp/ContentSecurityPolicySourceList.cpp:

(WebCore::ContentSecurityPolicySourceList::parse): Set instance variable m_isNone to true so that we can differentiate
a source list with value 'none' from a source list that lists one or more sources or non-none keywords.

• page/csp/ContentSecurityPolicySourceList.h:

(WebCore::ContentSecurityPolicySourceList::isNone): Added.

• page/csp/ContentSecurityPolicySourceListDirective.cpp:

(WebCore::ContentSecurityPolicySourceListDirective::allows): Modified to take argument of type ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone
and updated code to return true for an empty URL only if this argument is ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes and
the source list does not have value 'none'.

• page/csp/ContentSecurityPolicySourceListDirective.h:

LayoutTests:

Add tests to ensure that HTML object and embed elements are allowed by source *.

• platform/ios-simulator/TestExpectations: Skip added tests as plugins are not supported on iOS.
• http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html: Added.
• http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html: Added.
• http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html: Added.
• http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html (added)
• LayoutTests/platform/ios-simulator/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicy.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (modified) (3 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceList.h (modified) (2 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-03-31  Daniel Bates  <dabates@apple.com>
+
+        REGRESSION (r197724): <object>/<embed> with no URL does not match source *
+        https://bugs.webkit.org/show_bug.cgi?id=156079
+        <rdar://problem/25470805>
+
+        Reviewed by Brent Fulgham.
+
+        Add tests to ensure that HTML object and embed elements are allowed by source *.
+
+        * platform/ios-simulator/TestExpectations: Skip added tests as plugins are not supported on iOS.
+        * http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html: Added.
+
 2016-03-31  Saam barati  <sbarati@apple.com>
 

trunk/LayoutTests/platform/ios-simulator/TestExpectations

@@ -88 +88 @@
 http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html
 http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html
+http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html
+http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html
 http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html
 http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html
 http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html
 http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html
+http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html
+http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html
 
 # Pointer-lock not supported on iOS

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-03-31  Daniel Bates  <dabates@apple.com>
+
+        REGRESSION (r197724): <object>/<embed> with no URL does not match source *
+        https://bugs.webkit.org/show_bug.cgi?id=156079
+        <rdar://problem/25470805>
+
+        Reviewed by Brent Fulgham.
+
+        Fixes an issue where HTML object and embed elements that are not associated with a URL are
+        allowed to load when object-src/default-src contains source *. More generally, we allow
+        such elements to load so long as object-src/default-src is not 'none' per section object-src
+        of the Content Security Policy Level 3 spec., <http://w3c.github.io/webappsec-csp> (Editor's Draft, 29 February 2016).
+
+        Tests: http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html
+               http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html
+               http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html
+               http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html
+
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowObjectFromSource): Modified to call violatedDirectiveInAnyPolicy() passing
+        ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes.
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::checkSource): Modified to take argument of type ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone (defaults to false)
+        and pass it through to ContentSecurityPolicySourceListDirective.
+        (WebCore::checkFrameAncestors): Explicitly pass ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No
+        to avoid URL from having the compiler implicitly convert it to a String and selecting override ContentSecurityPolicySourceListDirective::allows(const String&),
+        which will lead to incorrect results. We will look to make this code less error prone in <https://bugs.webkit.org/show_bug.cgi?id=156086>.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource): Modified to take argument of type
+        ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone and pass it through.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::parse): Set instance variable m_isNone to true so that we can differentiate
+        a source list with value 'none' from a source list that lists one or more sources or non-none keywords.
+        * page/csp/ContentSecurityPolicySourceList.h:
+        (WebCore::ContentSecurityPolicySourceList::isNone): Added.
+        * page/csp/ContentSecurityPolicySourceListDirective.cpp:
+        (WebCore::ContentSecurityPolicySourceListDirective::allows): Modified to take argument of type ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone
+        and updated code to return true for an empty URL only if this argument is ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes and
+        the source list does not have value 'none'.
+        * page/csp/ContentSecurityPolicySourceListDirective.h:
+
 2016-03-31  Saam barati  <sbarati@apple.com>
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

@@ -386 +386 @@
     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
         return true;
-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url);
+    // As per section object-src of the Content Security Policy Level 3 spec., <http://w3c.github.io/webappsec-csp> (Editor's Draft, 29 February 2016),
+    // "If plugin content is loaded without an associated URL (perhaps an object element lacks a data attribute, but loads some default plugin based
+    // on the specified type), it MUST be blocked if object-src's value is 'none', but will otherwise be allowed".
+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes);
     if (!violatedDirective)
         return true;

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

@@ -62 +62 @@
 }
 
-static inline bool checkSource(ContentSecurityPolicySourceListDirective* directive, const URL& url)
-{
-    return !directive || directive->allows(url);
+static inline bool checkSource(ContentSecurityPolicySourceListDirective* directive, const URL& url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty = ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No)
+{
+    return !directive || directive->allows(url, shouldAllowEmptyURLIfSourceListEmpty);
 }
 
@@ -82 +82 @@
         return true;
     for (Frame* current = frame.tree().parent(); current; current = current->tree().parent()) {
-        if (!directive->allows(current->document()->url()))
+        if (!directive->allows(current->document()->url(), ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No))
             return false;
     }
@@ -258 +258 @@
 }
 
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource(const URL& url) const
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource(const URL& url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty) const
 {
     if (url.isBlankURL())
         return nullptr;
     ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_objectSrc.get());
-    if (checkSource(operativeDirective, url))
+    if (checkSource(operativeDirective, url, shouldAllowEmptyURLIfSourceListEmpty))
         return nullptr;
     return operativeDirective;

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h

@@ -66 +66 @@
     const ContentSecurityPolicyDirective* violatedDirectiveForImage(const URL&) const;
     const ContentSecurityPolicyDirective* violatedDirectiveForMedia(const URL&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL&) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL&, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone) const;
     const ContentSecurityPolicyDirective* violatedDirectiveForPluginType(const String& type, const String& typeAttribute) const;
     const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&) const;

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp

@@ -120 +120 @@
 void ContentSecurityPolicySourceList::parse(const String& value)
 {
-    // We represent 'none' as an empty m_list.
-    if (isSourceListNone(value))
+    if (isSourceListNone(value)) {
+        m_isNone = true;
         return;
+    }
     auto characters = StringView(value).upconvertedCharacters();
     parse(characters, characters + value.length());

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h

@@ -55 +55 @@
     bool allowEval() const { return m_allowEval; }
     bool allowSelf() const { return m_allowSelf; }
+    bool isNone() const { return m_isNone; }
 
 private:
@@ -81 +82 @@
     bool m_allowInline { false };
     bool m_allowEval { false };
+    bool m_isNone { false };
 };
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp

@@ -41 +41 @@
 }
 
-bool ContentSecurityPolicySourceListDirective::allows(const URL& url)
+bool ContentSecurityPolicySourceListDirective::allows(const URL& url, ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty)
 {
-    // FIXME: We should investigate returning false for an empty URL.
     if (url.isEmpty())
-        return m_sourceList.allowSelf();
+        return shouldAllowEmptyURLIfSourceListEmpty == ShouldAllowEmptyURLIfSourceListIsNotNone::Yes && !m_sourceList.isNone();
     return m_sourceList.matches(url);
 }

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h

@@ -39 +39 @@
     ContentSecurityPolicySourceListDirective(const ContentSecurityPolicyDirectiveList&, const String& name, const String& value);
 
-    bool allows(const URL&);
+    enum class ShouldAllowEmptyURLIfSourceListIsNotNone { No, Yes };
+    bool allows(const URL&, ShouldAllowEmptyURLIfSourceListIsNotNone);
     bool allows(const ContentSecurityPolicyHash&) const;
     bool allows(const String& nonce) const;