Changeset 198936 in webkit
- Timestamp: Mar 31, 2016 6:54:47 PM
- Location: trunk
- Files: 8 added, 10 edited
trunk/LayoutTests/ChangeLog
r198928 r198936 1 2016-03-31 Daniel Bates <dabates@apple.com> 2 3 REGRESSION (r197724): <object>/<embed> with no URL does not match source * 4 https://bugs.webkit.org/show_bug.cgi?id=156079 5 <rdar://problem/25470805> 6 7 Reviewed by Brent Fulgham. 8 9 Add tests to ensure that HTML object and embed elements are allowed by source *. 10 11 * platform/ios-simulator/TestExpectations: Skip added tests as plugins are not supported on iOS. 12 * http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star-expected.txt: Added. 13 * http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html: Added. 14 * http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star-expected.txt: Added. 15 * http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html: Added. 16 * http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star-expected.txt: Added. 17 * http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html: Added. 18 * http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star-expected.txt: Added. 19 * http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html: Added. 20 1 21 2016-03-31 Saam barati <sbarati@apple.com> 2 22 -
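Review bot: the added tests only exercise the allow side (`*` and `default-src *`), while the WebCore ChangeLog states the broader rule that a URL-less object/embed loads whenever object-src/default-src is not 'none'; this hunk should also add a test for `object-src 'none'` (must be blocked) and one for a host-only allowlist without 'self', which is the case whose outcome actually changes with this patch. The iOS skips are consistent with the existing plugintypes-* entries.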
trunk/LayoutTests/platform/ios-simulator/TestExpectations
r198910 r198936 88 88 http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html 89 89 http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html 90 http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html 91 http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html 90 92 http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html 91 93 http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html 92 94 http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html 93 95 http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html 96 http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html 97 http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html 94 98 95 99 # Pointer-lock not supported on iOS -
trunk/Source/WebCore/ChangeLog
r198932 r198936 1 2016-03-31 Daniel Bates <dabates@apple.com> 2 3 REGRESSION (r197724): <object>/<embed> with no URL does not match source * 4 https://bugs.webkit.org/show_bug.cgi?id=156079 5 <rdar://problem/25470805> 6 7 Reviewed by Brent Fulgham. 8 9 Fixes an issue where HTML object and embed elements that are not associated with a URL are 10 allowed to load when object-src/default-src contains source *. More generally, we allow 11 such elements to load so long as object-src/default-src is not 'none' per section object-src 12 of the Content Security Policy Level 3 spec., <http://w3c.github.io/webappsec-csp> (Editor's Draft, 29 February 2016). 13 14 Tests: http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html 15 http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html 16 http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html 17 http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html 18 19 * page/csp/ContentSecurityPolicy.cpp: 20 (WebCore::ContentSecurityPolicy::allowObjectFromSource): Modified to call violatedDirectiveInAnyPolicy() passing 21 ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes. 22 * page/csp/ContentSecurityPolicyDirectiveList.cpp: 23 (WebCore::checkSource): Modified to take argument of type ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone (defaults to false) 24 and pass it through to ContentSecurityPolicySourceListDirective. 25 (WebCore::checkFrameAncestors): Explicitly pass ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No 26 to avoid URL from having the compiler implicitly convert it to a String and selecting override ContentSecurityPolicySourceListDirective::allows(const String&), 27 which will lead to incorrect results. 
We will look to make this code less error prone in <https://bugs.webkit.org/show_bug.cgi?id=156086>. 28 (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource): Modified to take argument of type 29 ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone and pass it through. 30 * page/csp/ContentSecurityPolicyDirectiveList.h: 31 * page/csp/ContentSecurityPolicySourceList.cpp: 32 (WebCore::ContentSecurityPolicySourceList::parse): Set instance variable m_isNone to true so that we can differentiate 33 a source list with value 'none' from a source list that lists one or more sources or non-none keywords. 34 * page/csp/ContentSecurityPolicySourceList.h: 35 (WebCore::ContentSecurityPolicySourceList::isNone): Added. 36 * page/csp/ContentSecurityPolicySourceListDirective.cpp: 37 (WebCore::ContentSecurityPolicySourceListDirective::allows): Modified to take argument of type ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone 38 and updated code to return true for an empty URL only if this argument is ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes and 39 the source list does not have value 'none'. 40 * page/csp/ContentSecurityPolicySourceListDirective.h: 41 1 42 2016-03-31 Saam barati <sbarati@apple.com> 2 43 -
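Review bot: the first sentence of the description states the fixed behaviour rather than the regression: "are allowed to load when object-src/default-src contains source *" is what the patch makes happen, whereas the bug title says such elements do not match `*`; reword to "are not allowed to load". Also, "(defaults to false)" for checkSource does not match the code, which defaults to `ShouldAllowEmptyURLIfSourceListIsNotNone::No`; name the enumerator rather than a bool.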
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
r198657 r198936 386 386 if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol())) 387 387 return true; 388 const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url); 388 // As per section object-src of the Content Security Policy Level 3 spec., <http://w3c.github.io/webappsec-csp> (Editor's Draft, 29 February 2016), 389 // "If plugin content is loaded without an associated URL (perhaps an object element lacks a data attribute, but loads some default plugin based 390 // on the specified type), it MUST be blocked if object-src's value is 'none', but will otherwise be allowed". 391 const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes); 389 392 if (!violatedDirective) 390 393 return true; -
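Review bot: the new comment quotes the spec rule for object-src only, but violatedDirectiveForObjectSource resolves `operativeDirective(m_objectSrc.get())`, so the same rule is applied when object-src is absent and default-src governs; state that in the comment, otherwise a reader checking the code against the quoted text will expect default-src to behave differently. Note also that a blank URL is still allowed before any source-list check by the `isBlankURL()` early return in violatedDirectiveForObjectSource, so the 'none' rule quoted here takes effect only for an empty URL.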
trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
r198657 r198936 62 62 } 63 63 64 static inline bool checkSource(ContentSecurityPolicySourceListDirective* directive, const URL& url )65 { 66 return !directive || directive->allows(url );64 static inline bool checkSource(ContentSecurityPolicySourceListDirective* directive, const URL& url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty = ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No) 65 { 66 return !directive || directive->allows(url, shouldAllowEmptyURLIfSourceListEmpty); 67 67 } 68 68 … … 82 82 return true; 83 83 for (Frame* current = frame.tree().parent(); current; current = current->tree().parent()) { 84 if (!directive->allows(current->document()->url() ))84 if (!directive->allows(current->document()->url(), ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No)) 85 85 return false; 86 86 } … … 258 258 } 259 259 260 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource(const URL& url ) const260 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource(const URL& url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty) const 261 261 { 262 262 if (url.isBlankURL()) 263 263 return nullptr; 264 264 ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_objectSrc.get()); 265 if (checkSource(operativeDirective, url ))265 if (checkSource(operativeDirective, url, shouldAllowEmptyURLIfSourceListEmpty)) 266 266 return nullptr; 267 267 return operativeDirective; -
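Review bot: the parameter is named `shouldAllowEmptyURLIfSourceListEmpty` in checkSource (line 64) and in violatedDirectiveForObjectSource (line 260) while its type is `ShouldAllowEmptyURLIfSourceListIsNotNone`; the name states the opposite condition from the type and from what `allows()` actually tests, so rename it to `shouldAllowEmptyURLIfSourceListIsNotNone`. The defaulted argument on checkSource also means every other `violatedDirectiveFor*` caller silently receives `No`, which changes their result for an empty URL (previously allowed when the list contained 'self'); prefer passing the value explicitly at each call site, as checkFrameAncestors now does at line 84.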
trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h
r198657 r198936 66 66 const ContentSecurityPolicyDirective* violatedDirectiveForImage(const URL&) const; 67 67 const ContentSecurityPolicyDirective* violatedDirectiveForMedia(const URL&) const; 68 const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL& ) const;68 const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL&, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone) const; 69 69 const ContentSecurityPolicyDirective* violatedDirectiveForPluginType(const String& type, const String& typeAttribute) const; 70 70 const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&) const; -
trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp
r198657 r198936 120 120 void ContentSecurityPolicySourceList::parse(const String& value) 121 121 { 122 // We represent 'none' as an empty m_list.123 if (isSourceListNone(value))122 if (isSourceListNone(value)) { 123 m_isNone = true; 124 124 return; 125 } 125 126 auto characters = StringView(value).upconvertedCharacters(); 126 127 parse(characters, characters + value.length()); -
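Review bot: `m_isNone` is set here but never cleared, and the removed comment ("We represent 'none' as an empty m_list") is still true in one direction but no longer in the other: an empty m_list could also result from a value that yields no sources, which isNone() will report as false, while a list on which parse() is run a second time would keep reporting true from an earlier 'none'. Either reset m_isNone at the top of parse() or document that parse() is called exactly once per source list, and keep a comment stating that 'none' yields an empty list with m_isNone set.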
trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h
r197944 r198936 55 55 bool allowEval() const { return m_allowEval; } 56 56 bool allowSelf() const { return m_allowSelf; } 57 bool isNone() const { return m_isNone; } 57 58 58 59 private: … … 81 82 bool m_allowInline { false }; 82 83 bool m_allowEval { false }; 84 bool m_isNone { false }; 83 85 }; 84 86 -
trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp
r198657 r198936 41 41 } 42 42 43 bool ContentSecurityPolicySourceListDirective::allows(const URL& url )43 bool ContentSecurityPolicySourceListDirective::allows(const URL& url, ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty) 44 44 { 45 // FIXME: We should investigate returning false for an empty URL.46 45 if (url.isEmpty()) 47 return m_sourceList.allowSelf();46 return shouldAllowEmptyURLIfSourceListEmpty == ShouldAllowEmptyURLIfSourceListIsNotNone::Yes && !m_sourceList.isNone(); 48 47 return m_sourceList.matches(url); 49 48 } -
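Review bot: this changes behaviour for every caller, not only object/embed: the removed line returned `m_sourceList.allowSelf()` for an empty URL, so 'self' allowed and anything else blocked; now, with `Yes`, any list that is not 'none' allows (a host-only object-src that used to block a URL-less plugin now permits it), and with `No` an empty URL is always blocked, even when the list contains 'self'. The ChangeLog does not mention the `No` side; confirm that no directive reaching this path through checkSource's default can see an empty URL, or add tests for it. The method also remains non-const although it only reads m_sourceList; mark it const like the hash and nonce overloads.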
trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h
r198657 r198936 39 39 ContentSecurityPolicySourceListDirective(const ContentSecurityPolicyDirectiveList&, const String& name, const String& value); 40 40 41 bool allows(const URL&); 41 enum class ShouldAllowEmptyURLIfSourceListIsNotNone { No, Yes }; 42 bool allows(const URL&, ShouldAllowEmptyURLIfSourceListIsNotNone); 42 43 bool allows(const ContentSecurityPolicyHash&) const; 43 44 bool allows(const String& nonce) const;
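Review bot: with no default for the second argument, any remaining call `allows(url)` with a URL no longer matches this overload; the URL converts to a String and binds to `allows(const String& nonce)`, returning a nonce match for a URL with no compiler error, which is the hazard the ChangeLog describes for checkFrameAncestors. Until the follow-up in bug 156086 lands, give the nonce overload a distinct name (for example allowsNonce) so that a missed call site fails to compile rather than silently checking the wrong thing.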