Changeset 199612 in webkit

Timestamp:

Apr 15, 2016 3:23:44 PM (8 years ago)

Author:

dbates@webkit.org

Message:

CSP: Ignore paths in CSP matching after redirects
​https://bugs.webkit.org/show_bug.cgi?id=153154
<rdar://problem/24383215>

Reviewed by Brent Fulgham.

Source/WebCore:

For sub-resources that redirect, match the URL that is the result of the redirect against
the source expressions in Content Security Policy ignoring any paths in those source
expressions as per section Paths and Redirects of the Content Security Policy Level 2 spec.,
<​https://w3c.github.io/webappsec-csp/2/> (Editor's Draft, 29 August 2015).

Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html

http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html
http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html
http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html
http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html
http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html
http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html
http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html
http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html
http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html
http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html
http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html
http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html
http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html
http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html
http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html
http/tests/security/contentSecurityPolicy/object-redirect-allowed.html
http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html
http/tests/security/contentSecurityPolicy/object-redirect-blocked.html
http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html
http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html
http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html
http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html
http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html
http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html
http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html
http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html
http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html

• loader/DocumentLoader.cpp:

(WebCore::DocumentLoader::willSendRequest): Define a local variable didReceiveRedirectResponse as
to whether this request follows from having received a redirect response from the server. Pass this
information to FrameLoader::checkIfFormActionAllowedByCSP() and PolicyChecker::checkNavigationPolicy()
for its consideration.

• loader/DocumentThreadableLoader.cpp:

(WebCore::DocumentThreadableLoader::redirectReceived): Pass whether we have a non-null redirect
response (i.e. received a redirect response from the server) to DocumentThreadableLoader::isAllowedByContentSecurityPolicy()
for its consideration.
(WebCore::DocumentThreadableLoader::loadRequest): Pass whether we performed a redirect to
DocumentThreadableLoader::isAllowedByContentSecurityPolicy() for its consideration.
(WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): Modified to take a boolean
argument as to whether a redirect was performed. We pass this information to the appropriate
ContentSecurityPolicy method.

• loader/DocumentThreadableLoader.h:
• loader/FrameLoader.cpp:

(WebCore::FrameLoader::checkIfFormActionAllowedByCSP): Modified to take a boolean argument as to whether
a redirect response was received and passes this information to ContentSecurityPolicy::allowFormAction()
for its consideration.
(WebCore::FrameLoader::loadURL): Modified to tell PolicyChecker::checkNavigationPolicy() that the navigation
is not in response to having received a redirect response from the server.
(WebCore::FrameLoader::loadWithDocumentLoader): Ditto.

• loader/FrameLoader.h:
• loader/PolicyChecker.cpp:

(WebCore::isAllowedByContentSecurityPolicy): Modified to take a boolean argument as to whether
a redirect response was received and passes this information to the appropriate ContentSecurityPolicy member
function for consideration.
(WebCore::PolicyChecker::checkNavigationPolicy): Modified to take a boolean argument as to whether a redirect
response was received and passes this information through to WebCore::isAllowedByContentSecurityPolicy().

• loader/PolicyChecker.h:
• loader/SubresourceLoader.cpp:

(WebCore::SubresourceLoader::willSendRequestInternal): Modified to tell CachedResourceLoader::canRequest() that
the request is in response to having received a redirect response from the server.

• loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::canRequest): Modified to take a boolean argument as to whether a redirect
response was received and passes this information through to the appropriate ContentSecurityPolicy member
function for consideration.

• loader/cache/CachedResourceLoader.h:
• page/csp/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::allowScriptFromSource): Modified to take an argument as to whether a
redirect response was received and passes this information through to ContentSecurityPolicyDirectiveList.
(WebCore::ContentSecurityPolicy::allowObjectFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowChildContextFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowImageFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowStyleFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowFontFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowMediaFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowConnectToSource): Ditto.
(WebCore::ContentSecurityPolicy::allowFormAction): Ditto.

• page/csp/ContentSecurityPolicy.h:
• page/csp/ContentSecurityPolicyDirectiveList.cpp:

(WebCore::checkSource):
(WebCore::checkFrameAncestors):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext): Modified to take an argument
as to whether a redirect response was received and passes this information through to the CSP directive.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFont): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForImage): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle): Ditto.

• page/csp/ContentSecurityPolicyDirectiveList.h:
• page/csp/ContentSecurityPolicySource.cpp:

(WebCore::ContentSecurityPolicySource::matches): Modified to take an argument as to whether a redirect response
was received. When the specified URL follows from having received a redirect response then ignore the path
component of the source expression when checking for a match. Otherwise, consider the path component of the
source expression when performing the match.

• page/csp/ContentSecurityPolicySource.h:
• page/csp/ContentSecurityPolicySourceList.cpp:

(WebCore::ContentSecurityPolicySourceList::matches): Modified to take an argument as to whether a redirect
response was received and pass this information through to ContentSecurityPolicySource::matches().

• page/csp/ContentSecurityPolicySourceList.h:
• page/csp/ContentSecurityPolicySourceListDirective.cpp:

(WebCore::ContentSecurityPolicySourceListDirective::allows): Modified to take an argument as to whether a
redirect response was received and pass this information through to ContentSecurityPolicySourceList::matches().

• page/csp/ContentSecurityPolicySourceListDirective.h:

LayoutTests:

Add tests to ensure that we ignore the path component of a source expression when matching
a sub-resource URL that is the result of a redirect.

• TestExpectations: Unskip test http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html as it now passes.
• http/tests/security/contentSecurityPolicy/audio-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/embed-redirect-blocked-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html: Added.
• http/tests/security/contentSecurityPolicy/embed-redirect-blocked2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html: Added.
• http/tests/security/contentSecurityPolicy/embed-redirect-blocked3-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html: Added.
• http/tests/security/contentSecurityPolicy/font-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html: Added.
• http/tests/security/contentSecurityPolicy/image-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/object-redirect-allowed.html: Added.
• http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/object-redirect-blocked-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/object-redirect-blocked.html: Added.
• http/tests/security/contentSecurityPolicy/object-redirect-blocked2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html: Added.
• http/tests/security/contentSecurityPolicy/object-redirect-blocked3-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html: Added.
• http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths-expected.txt: Update expected result now that we pass this test.
• http/tests/security/contentSecurityPolicy/resources/alert-pass.html:
• http/tests/security/contentSecurityPolicy/resources/redirect.pl: For resourceType == "image", load image ​http://127.0.0.1:8000/security/resources/abe.png

instead of ​http://127.0.0.1:8000/resources/square20.jpg as the latter does not exist.

• http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php:
• http/tests/security/contentSecurityPolicy/script-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/track-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/video-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html: Added.
• http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html:
• http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html.
• platform/ios-simulator/TestExpectations: Skip tests {embed, object}-redirect-blocked{2, 3}.html as they make

use of a plug-in and plug-ins are not supported on iOS.

• platform/wk2/TestExpectations: Skip tests {embed, object}-redirect-blocked3.html on WebKit2 as they fail

because of <​https://bugs.webkit.org/show_bug.cgi?id=156612>.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/TestExpectations (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked3-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked3-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/redirect.pl (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html (copied) (copied from trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html) (1 diff)
• LayoutTests/platform/ios-simulator/TestExpectations (modified) (1 diff)
• LayoutTests/platform/wk2/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/DocumentLoader.cpp (modified) (4 diffs)
• Source/WebCore/loader/DocumentThreadableLoader.cpp (modified) (3 diffs)
• Source/WebCore/loader/DocumentThreadableLoader.h (modified) (1 diff)
• Source/WebCore/loader/FrameLoader.cpp (modified) (4 diffs)
• Source/WebCore/loader/FrameLoader.h (modified) (1 diff)
• Source/WebCore/loader/PolicyChecker.cpp (modified) (3 diffs)
• Source/WebCore/loader/PolicyChecker.h (modified) (1 diff)
• Source/WebCore/loader/SubresourceLoader.cpp (modified) (1 diff)
• Source/WebCore/loader/cache/CachedResourceLoader.cpp (modified) (6 diffs)
• Source/WebCore/loader/cache/CachedResourceLoader.h (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicy.cpp (modified) (11 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicy.h (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (modified) (6 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySource.cpp (modified) (2 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicySource.h (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (modified) (2 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicySourceList.h (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-04-15  Daniel Bates  <dabates@apple.com>
+
+        CSP: Ignore paths in CSP matching after redirects
+        https://bugs.webkit.org/show_bug.cgi?id=153154
+        <rdar://problem/24383215>
+
+        Reviewed by Brent Fulgham.
+
+        Add tests to ensure that we ignore the path component of a source expression when matching
+        a sub-resource URL that is the result of a redirect.
+
+        * TestExpectations: Unskip test http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html as it now passes.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked3-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked3-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html: Added.
+        * http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths-expected.txt: Update expected result now that we pass this test.
+        * http/tests/security/contentSecurityPolicy/resources/alert-pass.html:
+        * http/tests/security/contentSecurityPolicy/resources/redirect.pl: For resourceType == "image", load image http://127.0.0.1:8000/security/resources/abe.png
+        instead of http://127.0.0.1:8000/resources/square20.jpg as the latter does not exist.
+        * http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php:
+        * http/tests/security/contentSecurityPolicy/script-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/video-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html:
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html.
+        * platform/ios-simulator/TestExpectations: Skip tests {embed, object}-redirect-blocked{2, 3}.html as they make
+        use of a plug-in and plug-ins are not supported on iOS.
+        * platform/wk2/TestExpectations: Skip tests {embed, object}-redirect-blocked3.html on WebKit2 as they fail
+        because of <https://bugs.webkit.org/show_bug.cgi?id=156612>.
+
 2016-04-15  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/LayoutTests/TestExpectations

@@ -816 +816 @@
 webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-allowed.html # Needs testRunner.getManifestThen()
 webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-blocked.html # Needs testRunner.getManifestThen()
-webkit.org/b/153154 http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html
 webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-error-event.html
 webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-error-event.html

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths-expected.txt

@@ -1 +1 @@
 
-CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl. Request header field Accept-Encoding is not allowed by Access-Control-Allow-Headers.
-FAIL: Timed out waiting for notifyDone to be called
 
+PASS CSP ignores paths of redirected resources in matching algorithm for scripts. 
+PASS CSP ignores paths of redirect resources in matching algorithm for images. 
+PASS CSP ignores paths of redirect resources in matching algorithm for frames. 
+PASS CSP ignores paths of redirected resources in matching algorithm for stylesheets. 
+PASS CSP ignores paths of redirect resources in matching algorithm for XHR. 
+

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html

@@ -1 +1 @@
 <script>
-alert('PASS');
+alert("PASS");
+
+var shouldNotifyDone = document.location.search.indexOf("?notifyDone=1") !== -1 && window.testRunner;
+if (shouldNotifyDone)
+    testRunner.notifyDone();
 </script>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/redirect.pl

@@ -12 +12 @@
 
 if ($resourceType eq "image") {
-    print "Location: http://127.0.0.1:8000/resources/square20.jpg";
+    print "Location: http://127.0.0.1:8000/security/resources/abe.png";
 }
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php

@@ -1 +1 @@
 <?php
+require "determine-content-security-policy-header.php";
+
 header("Content-Type: application/xhtml+xml");
-header("Content-Security-Policy: script-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000 'unsafe-inline'");
 echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
 echo '<?xml-stylesheet type="text/xsl" href="http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.xsl"?>' . "\n";

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html

@@ -13 +13 @@
 </head>
 <body>
-<iframe src="resources/xsl-redirect-allowed.php"></iframe>
+<iframe src="resources/xsl-redirect-allowed.php?csp=script-src+http%3A//127.0.0.1%3A8000/resources/redirect.php+http%3A//localhost%3A8000+%27unsafe-inline%27"></iframe>
 </body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html

@@ -13 +13 @@
 </head>
 <body>
-<iframe src="resources/xsl-redirect-allowed.php"></iframe>
+<iframe src="resources/xsl-redirect-allowed.php?csp=script-src+http%3A//127.0.0.1%3A8000/resources/redirect.php+http%3A//localhost%3A8000/this-path-should-be-ignored-when-matching-a-redirected-request+%27unsafe-inline%27"></iframe>
 </body>
 </html>

trunk/LayoutTests/platform/ios-simulator/TestExpectations

@@ -90 +90 @@
 http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html
 http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html
+http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html
+http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html
 http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html
 http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html
+http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html
+http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html
 http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html
 http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html

trunk/LayoutTests/platform/wk2/TestExpectations

@@ -42 +42 @@
 ########################################
 ### START OF (1) Classified failures with bug reports
+
+webkit.org/b/156612 http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html [ Failure ]
+webkit.org/b/156612 http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html [ Failure ]
 
 # WebKitTestRunner needs to implement testRunner.dumpIconChanges().

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-04-15  Daniel Bates  <dabates@apple.com>
+
+        CSP: Ignore paths in CSP matching after redirects
+        https://bugs.webkit.org/show_bug.cgi?id=153154
+        <rdar://problem/24383215>
+
+        Reviewed by Brent Fulgham.
+
+        For sub-resources that redirect, match the URL that is the result of the redirect against
+        the source expressions in Content Security Policy ignoring any paths in those source
+        expressions as per section Paths and Redirects of the Content Security Policy Level 2 spec.,
+        <https://w3c.github.io/webappsec-csp/2/> (Editor's Draft, 29 August 2015).
+
+        Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html
+               http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html
+               http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html
+               http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/object-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/object-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html
+               http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html
+               http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::willSendRequest): Define a local variable didReceiveRedirectResponse as
+        to whether this request follows from having received a redirect response from the server. Pass this
+        information to FrameLoader::checkIfFormActionAllowedByCSP() and PolicyChecker::checkNavigationPolicy()
+        for its consideration.
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::redirectReceived): Pass whether we have a non-null redirect
+        response (i.e. received a redirect response from the server) to DocumentThreadableLoader::isAllowedByContentSecurityPolicy()
+        for its consideration.
+        (WebCore::DocumentThreadableLoader::loadRequest): Pass whether we performed a redirect to
+        DocumentThreadableLoader::isAllowedByContentSecurityPolicy() for its consideration.
+        (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): Modified to take a boolean
+        argument as to whether a redirect was performed. We pass this information to the appropriate
+        ContentSecurityPolicy method.
+        * loader/DocumentThreadableLoader.h:
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::checkIfFormActionAllowedByCSP): Modified to take a boolean argument as to whether
+        a redirect response was received and passes this information to ContentSecurityPolicy::allowFormAction()
+        for its consideration.
+        (WebCore::FrameLoader::loadURL): Modified to tell PolicyChecker::checkNavigationPolicy() that the navigation
+        is not in response to having received a redirect response from the server.
+        (WebCore::FrameLoader::loadWithDocumentLoader): Ditto.
+        * loader/FrameLoader.h:
+        * loader/PolicyChecker.cpp:
+        (WebCore::isAllowedByContentSecurityPolicy): Modified to take a boolean argument as to whether
+        a redirect response was received and passes this information to the appropriate ContentSecurityPolicy member
+        function for consideration.
+        (WebCore::PolicyChecker::checkNavigationPolicy): Modified to take a boolean argument as to whether a redirect
+        response was received and passes this information through to WebCore::isAllowedByContentSecurityPolicy().
+        * loader/PolicyChecker.h:
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::willSendRequestInternal): Modified to tell CachedResourceLoader::canRequest() that
+        the request is in response to having received a redirect response from the server.
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::canRequest): Modified to take a boolean argument as to whether a redirect
+        response was received and passes this information through to the appropriate ContentSecurityPolicy member
+        function for consideration.
+        * loader/cache/CachedResourceLoader.h:
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowScriptFromSource): Modified to take an argument as to whether a
+        redirect response was received and passes this information through to ContentSecurityPolicyDirectiveList.
+        (WebCore::ContentSecurityPolicy::allowObjectFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowChildContextFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowImageFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowStyleFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowFontFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowMediaFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowConnectToSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowFormAction): Ditto.
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::checkSource):
+        (WebCore::checkFrameAncestors):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext): Modified to take an argument
+        as to whether a redirect response was received and passes this information through to the CSP directive.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFont): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForImage): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle): Ditto.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        * page/csp/ContentSecurityPolicySource.cpp:
+        (WebCore::ContentSecurityPolicySource::matches): Modified to take an argument as to whether a redirect response
+        was received. When the specified URL follows from having received a redirect response then ignore the path
+        component of the source expression when checking for a match. Otherwise, consider the path component of the
+        source expression when performing the match.
+        * page/csp/ContentSecurityPolicySource.h:
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::matches): Modified to take an argument as to whether a redirect
+        response was received and pass this information through to ContentSecurityPolicySource::matches().
+        * page/csp/ContentSecurityPolicySourceList.h:
+        * page/csp/ContentSecurityPolicySourceListDirective.cpp:
+        (WebCore::ContentSecurityPolicySourceListDirective::allows): Modified to take an argument as to whether a
+        redirect response was received and pass this information through to ContentSecurityPolicySourceList::matches().
+        * page/csp/ContentSecurityPolicySourceListDirective.h:
+
 2016-04-15  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/Source/WebCore/loader/DocumentLoader.cpp

@@ -504 +504 @@
     ASSERT(!newRequest.isNull());
 
-    if (!frameLoader()->checkIfFormActionAllowedByCSP(newRequest.url())) {
+    bool didReceiveRedirectResponse = !redirectResponse.isNull();
+    if (!frameLoader()->checkIfFormActionAllowedByCSP(newRequest.url(), didReceiveRedirectResponse)) {
         cancelMainResourceLoad(frameLoader()->cancelledError(newRequest));
         return;
@@ -510 +511 @@
 
     ASSERT(timing().fetchStart());
-    if (!redirectResponse.isNull()) {
+    if (didReceiveRedirectResponse) {
         // If the redirecting url is not allowed to display content from the target origin,
         // then block the redirect.
@@ -562 +563 @@
     setRequest(newRequest);
 
-    if (!redirectResponse.isNull()) {
+    if (didReceiveRedirectResponse) {
         // We checked application cache for initial URL, now we need to check it for redirected one.
         ASSERT(!m_substituteData.isValid());
@@ -577 +578 @@
     // listener tells us to. In practice that means the navigation policy needs to be decided
     // synchronously for these redirect cases.
-    if (redirectResponse.isNull())
+    if (!didReceiveRedirectResponse)
         return;
 
     ASSERT(!m_waitingForNavigationPolicy);
     m_waitingForNavigationPolicy = true;
-    frameLoader()->policyChecker().checkNavigationPolicy(newRequest, [this](const ResourceRequest& request, PassRefPtr<FormState>, bool shouldContinue) {
+    frameLoader()->policyChecker().checkNavigationPolicy(newRequest, didReceiveRedirectResponse, [this](const ResourceRequest& request, PassRefPtr<FormState>, bool shouldContinue) {
         continueAfterNavigationPolicy(request, shouldContinue);
     });

trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp

@@ -192 +192 @@
 
     Ref<DocumentThreadableLoader> protect(*this);
-    if (!isAllowedByContentSecurityPolicy(request.url())) {
+    if (!isAllowedByContentSecurityPolicy(request.url(), !redirectResponse.isNull())) {
         m_client->didFailRedirectCheck();
         request = ResourceRequest();
@@ -420 +420 @@
     // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
     // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
-    if (requestURL != response.url() && (!isAllowedByContentSecurityPolicy(response.url()) || !isAllowedRedirect(response.url()))) {
+    bool didRedirect = requestURL != response.url();
+    if (didRedirect && (!isAllowedByContentSecurityPolicy(response.url(), didRedirect) || !isAllowedRedirect(response.url()))) {
         m_client->didFailRedirectCheck();
         return;
@@ -432 +433 @@
 }
 
-bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url)
-{
+bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url, bool didRedirect)
+{
+    bool overrideContentSecurityPolicy = false;
+    ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived = didRedirect ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
+
     switch (m_options.contentSecurityPolicyEnforcement) {
     case ContentSecurityPolicyEnforcement::DoNotEnforce:
         return true;
     case ContentSecurityPolicyEnforcement::EnforceChildSrcDirective:
-        return contentSecurityPolicy().allowChildContextFromSource(url, false); // Do not override policy
+        return contentSecurityPolicy().allowChildContextFromSource(url, overrideContentSecurityPolicy, redirectResponseReceived);
     case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective:
-        return contentSecurityPolicy().allowConnectToSource(url, false); // Do not override policy
+        return contentSecurityPolicy().allowConnectToSource(url, overrideContentSecurityPolicy, redirectResponseReceived);
     case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
-        return contentSecurityPolicy().allowScriptFromSource(url, false); // Do not override policy
+        return contentSecurityPolicy().allowScriptFromSource(url, overrideContentSecurityPolicy, redirectResponseReceived);
     }
     ASSERT_NOT_REACHED();

trunk/Source/WebCore/loader/DocumentThreadableLoader.h

@@ -95 +95 @@
         void loadRequest(const ResourceRequest&, SecurityCheckPolicy);
         bool isAllowedRedirect(const URL&);
-        bool isAllowedByContentSecurityPolicy(const URL&);
+        bool isAllowedByContentSecurityPolicy(const URL&, bool didRedirect = false);
 
         bool isXMLHttpRequest() const final;

trunk/Source/WebCore/loader/FrameLoader.cpp

@@ -937 +937 @@
 }
 
-bool FrameLoader::checkIfFormActionAllowedByCSP(const URL& url) const
+bool FrameLoader::checkIfFormActionAllowedByCSP(const URL& url, bool didReceiveRedirectResponse) const
 {
     if (m_submittedFormURL.isEmpty())
         return true;
 
-    return m_frame.document()->contentSecurityPolicy()->allowFormAction(url);
+    auto redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
+    return m_frame.document()->contentSecurityPolicy()->allowFormAction(url, false /* overrideContentSecurityPolicy */, redirectResponseReceived);
 }
 
@@ -1241 +1242 @@
         policyChecker().stopCheck();
         policyChecker().setLoadType(newLoadType);
-        policyChecker().checkNavigationPolicy(request, oldDocumentLoader.get(), formState.release(), [this](const ResourceRequest& request, PassRefPtr<FormState>, bool shouldContinue) {
+        policyChecker().checkNavigationPolicy(request, false /* didReceiveRedirectResponse */, oldDocumentLoader.get(), formState.release(), [this](const ResourceRequest& request, PassRefPtr<FormState>, bool shouldContinue) {
             continueFragmentScrollAfterNavigationPolicy(request, shouldContinue);
         });
@@ -1431 +1432 @@
         oldDocumentLoader->setLastCheckedRequest(ResourceRequest());
         policyChecker().stopCheck();
-        policyChecker().checkNavigationPolicy(loader->request(), oldDocumentLoader.get(), formState, [this](const ResourceRequest& request, PassRefPtr<FormState>, bool shouldContinue) {
+        policyChecker().checkNavigationPolicy(loader->request(), false /* didReceiveRedirectResponse */, oldDocumentLoader.get(), formState, [this](const ResourceRequest& request, PassRefPtr<FormState>, bool shouldContinue) {
             continueFragmentScrollAfterNavigationPolicy(request, shouldContinue);
         });
@@ -1458 +1459 @@
     }
 
-    policyChecker().checkNavigationPolicy(loader->request(), loader, formState, [this, allowNavigationToInvalidURL](const ResourceRequest& request, PassRefPtr<FormState> formState, bool shouldContinue) {
+    policyChecker().checkNavigationPolicy(loader->request(), false /* didReceiveRedirectResponse */, loader, formState, [this, allowNavigationToInvalidURL](const ResourceRequest& request, PassRefPtr<FormState> formState, bool shouldContinue) {
         continueLoadAfterNavigationPolicy(request, formState, shouldContinue, allowNavigationToInvalidURL);
     });

trunk/Source/WebCore/loader/FrameLoader.h

@@ -227 +227 @@
     SandboxFlags effectiveSandboxFlags() const;
 
-    bool checkIfFormActionAllowedByCSP(const URL&) const;
+    bool checkIfFormActionAllowedByCSP(const URL&, bool didReceiveRedirectResponse) const;
 
     Frame* opener();

trunk/Source/WebCore/loader/PolicyChecker.cpp

@@ -50 +50 @@
 namespace WebCore {
 
-static bool isAllowedByContentSecurityPolicy(const URL& url, const Element* ownerElement)
+static bool isAllowedByContentSecurityPolicy(const URL& url, const Element* ownerElement, bool didReceiveRedirectResponse)
 {
     if (!ownerElement)
         return true;
+    auto redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
     if (is<HTMLPlugInElement>(ownerElement))
-        return ownerElement->document().contentSecurityPolicy()->allowObjectFromSource(url, ownerElement->isInUserAgentShadowTree());
-    return ownerElement->document().contentSecurityPolicy()->allowChildFrameFromSource(url, ownerElement->isInUserAgentShadowTree());
+        return ownerElement->document().contentSecurityPolicy()->allowObjectFromSource(url, ownerElement->isInUserAgentShadowTree(), redirectResponseReceived);
+    return ownerElement->document().contentSecurityPolicy()->allowChildFrameFromSource(url, ownerElement->isInUserAgentShadowTree(), redirectResponseReceived);
 }
 
@@ -67 +68 @@
 }
 
-void PolicyChecker::checkNavigationPolicy(const ResourceRequest& newRequest, NavigationPolicyDecisionFunction function)
-{
-    checkNavigationPolicy(newRequest, m_frame.loader().activeDocumentLoader(), nullptr, WTFMove(function));
-}
-
-void PolicyChecker::checkNavigationPolicy(const ResourceRequest& request, DocumentLoader* loader, PassRefPtr<FormState> formState, NavigationPolicyDecisionFunction function)
+void PolicyChecker::checkNavigationPolicy(const ResourceRequest& newRequest, bool didReceiveRedirectResponse, NavigationPolicyDecisionFunction function)
+{
+    checkNavigationPolicy(newRequest, didReceiveRedirectResponse, m_frame.loader().activeDocumentLoader(), nullptr, WTFMove(function));
+}
+
+void PolicyChecker::checkNavigationPolicy(const ResourceRequest& request, bool didReceiveRedirectResponse, DocumentLoader* loader, PassRefPtr<FormState> formState, NavigationPolicyDecisionFunction function)
 {
     NavigationAction action = loader->triggeringAction();
@@ -97 +98 @@
     }
 
-    if (!isAllowedByContentSecurityPolicy(request.url(), m_frame.ownerElement())) {
+    if (!isAllowedByContentSecurityPolicy(request.url(), m_frame.ownerElement(), didReceiveRedirectResponse)) {
         function(request, 0, false);
         return;

trunk/Source/WebCore/loader/PolicyChecker.h

@@ -56 +56 @@
     explicit PolicyChecker(Frame&);
 
-    void checkNavigationPolicy(const ResourceRequest&, DocumentLoader*, PassRefPtr<FormState>, NavigationPolicyDecisionFunction);
-    void checkNavigationPolicy(const ResourceRequest&, NavigationPolicyDecisionFunction);
+    void checkNavigationPolicy(const ResourceRequest&, bool didReceiveRedirectResponse, DocumentLoader*, PassRefPtr<FormState>, NavigationPolicyDecisionFunction);
+    void checkNavigationPolicy(const ResourceRequest&, bool didReceiveRedirectResponse, NavigationPolicyDecisionFunction);
     void checkNewWindowPolicy(const NavigationAction&, const ResourceRequest&, PassRefPtr<FormState>, const String& frameName, NewWindowPolicyDecisionFunction);
     void checkContentPolicy(const ResourceResponse&, ContentPolicyDecisionFunction);

trunk/Source/WebCore/loader/SubresourceLoader.cpp

@@ -186 +186 @@
                 m_frame->mainFrame().diagnosticLoggingClient().logDiagnosticMessageWithResult(DiagnosticLoggingKeys::cachedResourceRevalidationKey(), emptyString(), DiagnosticLoggingResultFail, ShouldSample::Yes);
         }
-        
-        if (!m_documentLoader->cachedResourceLoader().canRequest(m_resource->type(), newRequest.url(), options())) {
+
+        if (!m_documentLoader->cachedResourceLoader().canRequest(m_resource->type(), newRequest.url(), options(), false /* forPreload */, true /* didReceiveRedirectResponse */)) {
             cancel();
             return;

trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

@@ -374 +374 @@
 }
 
-bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, bool forPreload)
+bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, bool forPreload, bool didReceiveRedirectResponse)
 {
     if (document() && !document()->securityOrigin()->canDisplay(url)) {
@@ -384 +384 @@
 
     bool skipContentSecurityPolicyCheck = options.contentSecurityPolicyImposition() == ContentSecurityPolicyImposition::SkipPolicyCheck;
+    ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
 
     // Some types of resources can be loaded only from the same origin.  Other
@@ -425 +426 @@
 #if ENABLE(XSLT)
     case CachedResource::XSLStyleSheet:
-        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, skipContentSecurityPolicyCheck))
+        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
             return false;
         break;
 #endif
     case CachedResource::Script:
-        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, skipContentSecurityPolicyCheck))
+        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
             return false;
         if (frame() && !frame()->settings().isScriptEnabled())
@@ -436 +437 @@
         break;
     case CachedResource::CSSStyleSheet:
-        if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, skipContentSecurityPolicyCheck))
+        if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
             return false;
         break;
     case CachedResource::SVGDocumentResource:
     case CachedResource::ImageResource:
-        if (!m_document->contentSecurityPolicy()->allowImageFromSource(url, skipContentSecurityPolicyCheck))
+        if (!m_document->contentSecurityPolicy()->allowImageFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
             return false;
         break;
@@ -448 +449 @@
 #endif
     case CachedResource::FontResource: {
-        if (!m_document->contentSecurityPolicy()->allowFontFromSource(url, skipContentSecurityPolicyCheck))
+        if (!m_document->contentSecurityPolicy()->allowFontFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
             return false;
         break;
@@ -463 +464 @@
     case CachedResource::TextTrackResource:
 #endif
-        if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, skipContentSecurityPolicyCheck))
+        if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
             return false;
         break;

trunk/Source/WebCore/loader/cache/CachedResourceLoader.h

@@ -132 +132 @@
     void checkForPendingPreloads();
     void printPreloadStats();
-    bool canRequest(CachedResource::Type, const URL&, const ResourceLoaderOptions&, bool forPreload = false);
+
+    bool canRequest(CachedResource::Type, const URL&, const ResourceLoaderOptions&, bool forPreload = false, bool didReceiveRedirectResponse = false);
 
     static const ResourceLoaderOptions& defaultCachedResourceOptions();

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

@@ -366 +366 @@
 }
 
-bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, bool overrideContentSecurityPolicy) const
-{
-    if (overrideContentSecurityPolicy)
-        return true;
-    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
-        return true;
-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForScript, url);
+bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+{
+    if (overrideContentSecurityPolicy)
+        return true;
+    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
+        return true;
+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForScript, url, redirectResponseReceived == RedirectResponseReceived::Yes);
     if (!violatedDirective)
         return true;
@@ -380 +380 @@
 }
 
-bool ContentSecurityPolicy::allowObjectFromSource(const URL& url, bool overrideContentSecurityPolicy) const
+bool ContentSecurityPolicy::allowObjectFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
 {
     if (overrideContentSecurityPolicy)
@@ -389 +389 @@
     // "If plugin content is loaded without an associated URL (perhaps an object element lacks a data attribute, but loads some default plugin based
     // on the specified type), it MUST be blocked if object-src's value is 'none', but will otherwise be allowed".
-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes);
+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes);
     if (!violatedDirective)
         return true;
@@ -397 +397 @@
 }
 
-bool ContentSecurityPolicy::allowChildFrameFromSource(const URL& url, bool overrideContentSecurityPolicy) const
-{
-    if (overrideContentSecurityPolicy)
-        return true;
-    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
-        return true;
-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url);
+bool ContentSecurityPolicy::allowChildFrameFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+{
+    if (overrideContentSecurityPolicy)
+        return true;
+    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
+        return true;
+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url, redirectResponseReceived == RedirectResponseReceived::Yes);
     if (!violatedDirective)
         return true;
@@ -412 +412 @@
 }
 
-bool ContentSecurityPolicy::allowChildContextFromSource(const URL& url, bool overrideContentSecurityPolicy) const
-{
-    if (overrideContentSecurityPolicy)
-        return true;
-    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
-        return true;
-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext, url);
+bool ContentSecurityPolicy::allowChildContextFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+{
+    if (overrideContentSecurityPolicy)
+        return true;
+    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
+        return true;
+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext, url, redirectResponseReceived == RedirectResponseReceived::Yes);
     if (!violatedDirective)
         return true;
@@ -426 +426 @@
 }
 
-bool ContentSecurityPolicy::allowImageFromSource(const URL& url, bool overrideContentSecurityPolicy) const
-{
-    if (overrideContentSecurityPolicy)
-        return true;
-    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
-        return true;
-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForImage, url);
+bool ContentSecurityPolicy::allowImageFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+{
+    if (overrideContentSecurityPolicy)
+        return true;
+    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
+        return true;
+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForImage, url, redirectResponseReceived == RedirectResponseReceived::Yes);
     if (!violatedDirective)
         return true;
@@ -440 +440 @@
 }
 
-bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, bool overrideContentSecurityPolicy) const
-{
-    if (overrideContentSecurityPolicy)
-        return true;
-    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
-        return true;
-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle, url);
+bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+{
+    if (overrideContentSecurityPolicy)
+        return true;
+    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
+        return true;
+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle, url, redirectResponseReceived == RedirectResponseReceived::Yes);
     if (!violatedDirective)
         return true;
@@ -454 +454 @@
 }
 
-bool ContentSecurityPolicy::allowFontFromSource(const URL& url, bool overrideContentSecurityPolicy) const
-{
-    if (overrideContentSecurityPolicy)
-        return true;
-    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
-        return true;
-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForFont, url);
+bool ContentSecurityPolicy::allowFontFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+{
+    if (overrideContentSecurityPolicy)
+        return true;
+    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
+        return true;
+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForFont, url, redirectResponseReceived == RedirectResponseReceived::Yes);
     if (!violatedDirective)
         return true;
@@ -468 +468 @@
 }
 
-bool ContentSecurityPolicy::allowMediaFromSource(const URL& url, bool overrideContentSecurityPolicy) const
-{
-    if (overrideContentSecurityPolicy)
-        return true;
-    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
-        return true;
-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia, url);
+bool ContentSecurityPolicy::allowMediaFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+{
+    if (overrideContentSecurityPolicy)
+        return true;
+    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
+        return true;
+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia, url, redirectResponseReceived == RedirectResponseReceived::Yes);
     if (!violatedDirective)
         return true;
@@ -482 +482 @@
 }
 
-bool ContentSecurityPolicy::allowConnectToSource(const URL& url, bool overrideContentSecurityPolicy) const
-{
-    if (overrideContentSecurityPolicy)
-        return true;
-    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
-        return true;
-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url);
+bool ContentSecurityPolicy::allowConnectToSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+{
+    if (overrideContentSecurityPolicy)
+        return true;
+    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
+        return true;
+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
     if (!violatedDirective)
         return true;
@@ -496 +496 @@
 }
 
-bool ContentSecurityPolicy::allowFormAction(const URL& url, bool overrideContentSecurityPolicy) const
-{
-    if (overrideContentSecurityPolicy)
-        return true;
-    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
-        return true;
-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction, url);
+bool ContentSecurityPolicy::allowFormAction(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+{
+    if (overrideContentSecurityPolicy)
+        return true;
+    if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
+        return true;
+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction, url, redirectResponseReceived == RedirectResponseReceived::Yes);
     if (!violatedDirective)
         return true;

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h

@@ -76 +76 @@
     void processHTTPEquiv(const String& content, ContentSecurityPolicyHeaderType type) { didReceiveHeader(content, type, ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta); }
 
+    bool allowScriptWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
+    bool allowStyleWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
+
     bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false) const;
     bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false) const;
-    bool allowScriptWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
     bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& scriptContent, bool overrideContentSecurityPolicy = false) const;
-    bool allowStyleWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
     bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& styleContent, bool overrideContentSecurityPolicy = false) const;
+
     bool allowEval(JSC::ExecState*, bool overrideContentSecurityPolicy = false) const;
+
     bool allowPluginType(const String& type, const String& typeAttribute, const URL&, bool overrideContentSecurityPolicy = false) const;
-    bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
-    bool allowObjectFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
-    bool allowChildFrameFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
-    bool allowChildContextFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
-    bool allowImageFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
-    bool allowStyleFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
-    bool allowFontFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
-    bool allowMediaFromSource(const URL&, bool overrideContentSecurityPolicy = false) const;
-    bool allowConnectToSource(const URL&, bool overrideContentSecurityPolicy = false) const;
-    bool allowFormAction(const URL&, bool overrideContentSecurityPolicy = false) const;
+
+    bool allowFrameAncestors(const Frame&, const URL&, bool overrideContentSecurityPolicy = false) const;
+
+    enum class RedirectResponseReceived { No, Yes };
+    bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowChildFrameFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowChildContextFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowImageFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowStyleFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowFontFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowMediaFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowConnectToSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowFormAction(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+
+    bool allowObjectFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
     bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false) const;
-    bool allowFrameAncestors(const Frame&, const URL&, bool overrideContentSecurityPolicy = false) const;
 
     void setOverrideAllowInlineStyle(bool);

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

@@ -62 +62 @@
 }
 
-static inline bool checkSource(ContentSecurityPolicySourceListDirective* directive, const URL& url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty = ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No)
-{
-    return !directive || directive->allows(url, shouldAllowEmptyURLIfSourceListEmpty);
+static inline bool checkSource(ContentSecurityPolicySourceListDirective* directive, const URL& url, bool didReceiveRedirectResponse = false, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty = ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No)
+{
+    return !directive || directive->allows(url, didReceiveRedirectResponse, shouldAllowEmptyURLIfSourceListEmpty);
 }
 
@@ -81 +81 @@
     if (!directive)
         return true;
+    bool didReceiveRedirectResponse = false;
     for (Frame* current = frame.tree().parent(); current; current = current->tree().parent()) {
-        if (!directive->allows(current->document()->url(), ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No))
+        if (!directive->allows(current->document()->url(), didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No))
             return false;
     }
@@ -190 +191 @@
 }
 
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext(const URL& url) const
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext(const URL& url, bool didReceiveRedirectResponse) const
 {
     ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_childSrc.get());
-    if (checkSource(operativeDirective, url))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource(const URL& url) const
+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource(const URL& url, bool didReceiveRedirectResponse) const
 {
     ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_connectSrc.get());
-    if (checkSource(operativeDirective, url))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFont(const URL& url) const
+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFont(const URL& url, bool didReceiveRedirectResponse) const
 {
     ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_fontSrc.get());
-    if (checkSource(operativeDirective, url))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction(const URL& url) const
-{
-    if (checkSource(m_formAction.get(), url))
+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction(const URL& url, bool didReceiveRedirectResponse) const
+{
+    if (checkSource(m_formAction.get(), url, didReceiveRedirectResponse))
         return nullptr;
     return m_formAction.get();
 }
 
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame(const URL& url) const
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame(const URL& url, bool didReceiveRedirectResponse) const
 {
     if (url.isBlankURL())
@@ -229 +230 @@
     // context by <https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested> (29 August 2015).
     ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_frameSrc ? m_frameSrc.get() : m_childSrc.get());
-    if (checkSource(operativeDirective, url))
+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
     return operativeDirective;
@@ -241 +242 @@
 }
 
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForImage(const URL& url) const
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForImage(const URL& url, bool didReceiveRedirectResponse) const
 {
     ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_imgSrc.get());
-    if (checkSource(operativeDirective, url))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia(const URL& url) const
+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia(const URL& url, bool didReceiveRedirectResponse) const
 {
     ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_mediaSrc.get());
-    if (checkSource(operativeDirective, url))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource(const URL& url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty) const
+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource(const URL& url, bool didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty) const
 {
     if (url.isBlankURL())
         return nullptr;
     ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_objectSrc.get());
-    if (checkSource(operativeDirective, url, shouldAllowEmptyURLIfSourceListEmpty))
+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse, shouldAllowEmptyURLIfSourceListEmpty))
         return nullptr;
     return operativeDirective;
@@ -274 +275 @@
 }
 
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url) const
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url, bool didReceiveRedirectResponse) const
 {
     ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_scriptSrc.get());
-    if (checkSource(operativeDirective, url))
-        return nullptr;
-    return operativeDirective;
-}
-
-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle(const URL& url) const
+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle(const URL& url, bool didReceiveRedirectResponse) const
 {
     ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_styleSrc.get());
-    if (checkSource(operativeDirective, url))
+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
         return nullptr;
     return operativeDirective;

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h

@@ -58 +58 @@
 
     const ContentSecurityPolicyDirective* violatedDirectiveForBaseURI(const URL&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForChildContext(const URL&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForConnectSource(const URL&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForFont(const URL&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForFormAction(const URL&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForFrame(const URL&) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForChildContext(const URL&, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForConnectSource(const URL&, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForFont(const URL&, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForFormAction(const URL&, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForFrame(const URL&, bool didReceiveRedirectResponse) const;
     const ContentSecurityPolicyDirective* violatedDirectiveForFrameAncestor(const Frame&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForImage(const URL&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForMedia(const URL&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL&, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForImage(const URL&, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForMedia(const URL&, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL&, bool didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone) const;
     const ContentSecurityPolicyDirective* violatedDirectiveForPluginType(const String& type, const String& typeAttribute) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForStyle(const URL&) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForStyle(const URL&, bool didReceiveRedirectResponse) const;
 
     const ContentSecurityPolicyDirective* defaultSrc() const { return m_defaultSrc.get(); }

trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp

@@ -44 +44 @@
 }
 
-bool ContentSecurityPolicySource::matches(const URL& url) const
+bool ContentSecurityPolicySource::matches(const URL& url, bool didReceiveRedirectResponse) const
 {
     if (!schemeMatches(url))
@@ -50 +50 @@
     if (isSchemeOnly())
         return true;
-    return hostMatches(url) && portMatches(url) && pathMatches(url);
+    return hostMatches(url) && portMatches(url) && (didReceiveRedirectResponse || pathMatches(url));
 }
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.h

@@ -39 +39 @@
     ContentSecurityPolicySource(const ContentSecurityPolicy&, const String& scheme, const String& host, int port, const String& path, bool hostHasWildcard, bool portHasWildcard);
 
-    bool matches(const URL&) const;
+    bool matches(const URL&, bool didReceiveRedirectResponse = false) const;
 
 private:

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp

@@ -129 +129 @@
 }
 
-bool ContentSecurityPolicySourceList::matches(const URL& url)
+bool ContentSecurityPolicySourceList::matches(const URL& url, bool didReceiveRedirectResponse)
 {
     if (m_allowStar && isProtocolAllowedByStar(url))
@@ -138 +138 @@
 
     for (auto& entry : m_list) {
-        if (entry.matches(url))
+        if (entry.matches(url, didReceiveRedirectResponse))
             return true;
     }

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h

@@ -46 +46 @@
     void parse(const String&);
 
-    bool matches(const URL&);
+    bool matches(const URL&, bool didReceiveRedirectResponse);
     bool matches(const ContentSecurityPolicyHash&) const;
     bool matches(const String& nonce) const;

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp

@@ -41 +41 @@
 }
 
-bool ContentSecurityPolicySourceListDirective::allows(const URL& url, ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty)
+bool ContentSecurityPolicySourceListDirective::allows(const URL& url, bool didReceiveRedirectResponse, ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty)
 {
     if (url.isEmpty())
         return shouldAllowEmptyURLIfSourceListEmpty == ShouldAllowEmptyURLIfSourceListIsNotNone::Yes && !m_sourceList.isNone();
-    return m_sourceList.matches(url);
+    return m_sourceList.matches(url, didReceiveRedirectResponse);
 }
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h

@@ -40 +40 @@
 
     enum class ShouldAllowEmptyURLIfSourceListIsNotNone { No, Yes };
-    bool allows(const URL&, ShouldAllowEmptyURLIfSourceListIsNotNone);
+    bool allows(const URL&, bool didReceiveRedirectResponse, ShouldAllowEmptyURLIfSourceListIsNotNone);
     bool allows(const ContentSecurityPolicyHash&) const;
     bool allows(const String& nonce) const;