Changeset 200030 in webkit
- Timestamp: Apr 25, 2016 9:27:34 AM
- Location: trunk
- Files: 4 added, 4 edited
trunk/LayoutTests/ChangeLog
r200029 r200030 1 2016-04-25 Daniel Bates <dabates@apple.com> 2 3 REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self' 4 https://bugs.webkit.org/show_bug.cgi?id=156935 5 <rdar://problem/25351286> 6 7 Reviewed by Darin Adler. 8 9 Add tests to ensure that we match 'self' correctly in an iframe with an about:blank document. 10 11 * http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt: Added. 12 * http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html: Added. 13 * http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt: Added. 14 * http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html: Added. 15 1 16 2016-04-25 Ryan Haddad <ryanhaddad@apple.com> 2 17 -
trunk/Source/WebCore/ChangeLog
r199986 r200030 1 2016-04-25 Daniel Bates <dabates@apple.com> 2 3 REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self' 4 https://bugs.webkit.org/show_bug.cgi?id=156935 5 <rdar://problem/25351286> 6 7 Reviewed by Darin Adler. 8 9 Fixes an issue where subresource load may be blocked by the Content Security Policy (CSP) if its URL only 10 matched 'self'. In particular, the load would be blocked if initiated from a document that inherited the 11 origin of its owner document (e.g. the document contained in <iframe src="about:blank"></iframe>). 12 13 Following r196012 we compute and cache 'self' and its protocol on instantiation of a ContentSecurityPolicy 14 object for use when matching a URL against it. These cached values become out-of-date if the document 15 subsequently inherits the origin of its owner document. Therefore matches against 'self' will fail and 16 CSP will block a load if its not otherwise allowed by the policy. Previously we would compute 'self' when 17 parsing the definition of a source list and compute the protocol for 'self' each time we tried to match a 18 URL against 'self'. So, 'self' would always be up-to-date with respect to the origin of the document. 19 20 Tests: http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html 21 http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html 22 23 * page/csp/ContentSecurityPolicy.cpp: 24 (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Extract out logic for computing and caching 25 'self' and its protocol into ContentSecurityPolicy::updateSourceSelf() and make use of this function. 26 (WebCore::ContentSecurityPolicy::updateSourceSelf): Computes and caches 'self' and its protocol with 27 respect to the specified SecurityOrigin. 
28 (WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): Call ContentSecurityPolicy::updateSourceSelf() 29 to ensure that we have an up-to-date representation for 'self' and the protocol of 'self' which can 30 become out-of-date if the document inherited the origin of its owner document. 31 * page/csp/ContentSecurityPolicy.h: 32 1 33 2016-04-25 Youenn Fablet <youenn.fablet@crf.canon.fr> 2 34 -
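Review bot: typo in the description at line 16 of the WebCore ChangeLog hunk, "if its not otherwise allowed by the policy" should read "if it's not otherwise allowed by the policy". The description would also be more useful if it stated explicitly when the cached 'self' is now refreshed (at construction and again in applyPolicyToScriptExecutionContext()), since it describes the pre-r196012 behaviour of recomputing 'self' on every match but not the new refresh points.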
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
r199612 r200030 92 92 { 93 93 ASSERT(scriptExecutionContext.securityOrigin()); 94 auto& securityOrigin = *scriptExecutionContext.securityOrigin(); 95 m_selfSourceProtocol = securityOrigin.protocol(); 96 m_selfSource = std::make_unique<ContentSecurityPolicySource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false); 94 updateSourceSelf(*scriptExecutionContext.securityOrigin()); 97 95 } 98 96 … … 101 99 , m_sandboxFlags(SandboxNone) 102 100 { 103 m_selfSourceProtocol = securityOrigin.protocol(); 104 m_selfSource = std::make_unique<ContentSecurityPolicySource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false); 101 updateSourceSelf(securityOrigin); 105 102 } 106 103 … … 176 173 } 177 174 175 void ContentSecurityPolicy::updateSourceSelf(const SecurityOrigin& securityOrigin) 176 { 177 m_selfSourceProtocol = securityOrigin.protocol(); 178 m_selfSource = std::make_unique<ContentSecurityPolicySource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false); 179 } 180 178 181 void ContentSecurityPolicy::applyPolicyToScriptExecutionContext() 179 182 { 180 183 ASSERT(m_scriptExecutionContext); 184 185 // Update source self as the security origin may have changed between the time we were created and now. 186 // For instance, we may have been initially created for an about:blank iframe that later inherited the 187 // security origin of its owner document. 188 ASSERT(m_scriptExecutionContext->securityOrigin()); 189 updateSourceSelf(*m_scriptExecutionContext->securityOrigin()); 190 181 191 if (!m_lastPolicyEvalDisabledErrorMessage.isNull()) 182 192 m_scriptExecutionContext->disableEval(m_lastPolicyEvalDisabledErrorMessage); -
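Review bot: in the applyPolicyToScriptExecutionContext() hunk (lines 184 to 190), the cached m_selfSource and m_selfSourceProtocol are refreshed only at this point and in the two constructors, so they go stale again for any origin change that happens after the policy has been applied; the new comment should say that this is the last point at which the origin is expected to change, or 'self' should be recomputed from the current SecurityOrigin on demand, as the ChangeLog says was done before r196012. Also, the ASSERT(m_scriptExecutionContext->securityOrigin()) at line 188 only guards debug builds, and the unconditional dereference on line 189 means a null origin in a release build is a crash rather than a skipped update; this mirrors the constructor at lines 93 and 94, but a sentence in the comment stating that a non-null origin is an invariant here would make that intent clear.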
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h
r199642 r200030 150 150 private: 151 151 void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const; 152 void updateSourceSelf(const SecurityOrigin&); 152 153 void applyPolicyToScriptExecutionContext(); 153 154