Changeset 201679 in webkit

Timestamp:

Jun 4, 2016 12:20:17 AM (8 years ago)

Author:

Brent Fulgham

Message:

CSP: Content Security Policy directive, upgrade-insecure-requests (UIR)
​https://bugs.webkit.org/show_bug.cgi?id=143653
<rdar://problem/23032067>

Reviewed by Andy Estes.

Source/WebCore:

Modify our loading logic so that we recognize and upgrade insecure requests to secure
requests if the Content Security Policy directive 'upgrade-insecure-requests' is
present.

Add a static helper function to ContentSecurityPolicy to upgrade insecure URLs so
that we don't have to sprinkle the same code all over the loader system.

Tests: http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php

http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-simple-ws.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html
http/tests/ssl/iframe-upgrade.https.html
http/tests/ssl/upgrade-origin-usage.html
http/tests/websocket/tests/hybi/upgrade-simple-ws.html

• Modules/websockets/WebSocket.cpp:

(WebCore::WebSocket::connect): Upgrade insecure requests if the CSP
indicates we should.

• dom/Document.cpp:

(WebCore::Document::initSecurityContext): Populate new document CSP with sets of upgrade host and port combinations.

• dom/ScriptElement.cpp:

(WebCore::ScriptElement::requestScript): Upgrade insecure requests if
the CSP indicates we should.

• html/HTMLMediaElement.cpp:

(WebCore::HTMLMediaElement::loadResource): Ditto.

• loader/DocumentWriter.cpp:

(WebCore::DocumentWriter::begin): Ditto.

• loader/FormSubmission.cpp:

(WebCore::FormSubmission::create): Ditto.
(WebCore::FormSubmission::populateFrameLoadRequest): Add "Upgrade-Insecure-Requests"
header to frame load requests.

• loader/FrameLoader.cpp:

(WebCore::FrameLoader::addExtraFieldsToMainResourceRequest): Add the
'Update-Insecure-Requests' header field if necessary.
(WebCore::FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded): Added helper function.
(WebCore::FrameLoader::loadPostRequest): Upgrade insecure requests if the CSP
indicates we should.
(WebCore::FrameLoader::loadResourceSynchronously): Ditto.
(WebCore::FrameLoader::loadDifferentDocumentItem): If loading a form, add the
'Update-Insecure-Requests' header field if necessary.
(WebCore::createWindow): Upgrade insecure requests if the CSP
indicates we should.

• loader/FrameLoader.h:
• loader/PingLoader.cpp:

(WebCore::PingLoader::loadImage): Upgrade insecure requests if the CSP
indicates we should.
(WebCore::PingLoader::sendPing): Ditto.
(WebCore::PingLoader::sendViolationReport): Ditto.

• loader/ResourceLoader.cpp:

(WebCore::ResourceLoader::willSendRequestInternal): Ditto.

• loader/SubframeLoader.cpp:

(WebCore::SubframeLoader::requestFrame): Ditto.
(WebCore::SubframeLoader::requestObject): Ditto.

• loader/appcache/ApplicationCacheHost.cpp:

(WebCore::ApplicationCacheHost::shouldLoadResourceFromApplicationCache): Ditto.

• loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::requestImage): Ditto.
(WebCore::CachedResourceLoader::requestResource): Ditto.

• page/DOMWindow.cpp:

(WebCore::DOMWindow::createWindow): Add the 'Update-Insecure-Requests' header
field if necessary.

• page/csp/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::copyStateFrom): Populate upgraded resource set
from other context.
(WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Added helper function
to upgrade requests when the upgrade-insecure-requests CSP policy is present, or if
the host and port combination have previously been upgraded.
(WebCore::ContentSecurityPolicy::upgradeInsecureNavigationRequestIfNeeded): Added
helper function to upgrade requests that have been previously upgraded. Cross-site
navigations only get upgraded when they have been previously upgraded.
(WebCore::ContentSecurityPolicy::addInsecureNavigationRequestsToUpgrade): Added.
(WebCore::ContentSecurityPolicy::populateInsecureNavigationRequestsToUpgradeFromOther): Added.

• page/csp/ContentSecurityPolicy.h:

(WebCore::ContentSecurityPolicy::setUpgradeInsecureRequests): Added.
(WebCore::ContentSecurityPolicy::upgradeInsecureRequests): Added.

• page/csp/ContentSecurityPolicyDirectiveList.cpp:

(WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList): Use
more C++11 initializations.
(WebCore::ContentSecurityPolicyDirectiveList::setUpgradeInsecureRequests): Added.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Teach this function to
recognize the new directive.

• page/csp/ContentSecurityPolicyDirectiveList.h:
• page/csp/ContentSecurityPolicyDirectiveNames.cpp:
• page/csp/ContentSecurityPolicyDirectiveNames.h:
• platform/network/HTTPHeaderNames.in: Add new 'Upgrade-Insecure-Requests' header field.
• xml/XMLHttpRequest.cpp:

(WebCore::XMLHttpRequest::open): Upgrade insecure requests if the CSP if needed.

LayoutTests:

Some of these tests are based on a set of Blink patches by Mike West <​mkwst@chromium.org>.
<​https://src.chromium.org/viewvc/blink?revision=192607&view=revision>,
<​https://codereview.chromium.org/1178093002>, <​https://codereview.chromium.org/1964303003>

The rest of them are based on our own mixedContent tests, revised for upgraded requests.

Note that WebSockets are not part of this testing at present due to ​https://bugs.webkit.org/show_bug.cgi?id=157884.

• http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html: Added.
• http/tests/security/resources/post-origin-to-parent.html: Added.
• http/tests/ssl/iframe-upgrade.https-expected.txt: Added.
• http/tests/ssl/iframe-upgrade.https.html: Added.
• http/tests/ssl/upgrade-origin-usage-expected.txt: Added.
• http/tests/ssl/upgrade-origin-usage.html: Added.
• http/tests/ssl/resources/origin-usage-iframe-1.html: Added.
• http/tests/ssl/resources/origin-usage-iframe-1.manifest: Added.
• http/tests/ssl/resources/origin-usage-iframe-2.html: Added.
• http/tests/ssl/resources/origin-usage-iframe-2.manifest: Added.
• http/tests/websocket/tests/hybi/upgrade-simple-ws-expected.txt: Added.
• http/tests/websocket/tests/hybi/upgrade-simple-ws.html: Added.
• TestExpectations: Skip http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-simple-ws.html since the

WebSocket server does not currently support wss sockets.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-frame.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-frame.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-window.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-window.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html (added)
• LayoutTests/http/tests/security/resources/post-origin-to-parent.html (added)
• LayoutTests/http/tests/ssl/iframe-upgrade.https-expected.txt (added)
• LayoutTests/http/tests/ssl/iframe-upgrade.https.html (added)
• LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.html (added)
• LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.manifest (added)
• LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.html (added)
• LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.manifest (added)
• LayoutTests/http/tests/ssl/upgrade-origin-usage-expected.txt (added)
• LayoutTests/http/tests/ssl/upgrade-origin-usage.html (added)
• LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws-expected.txt (added)
• LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws.html (added)
• LayoutTests/platform/mac/TestExpectations (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/websockets/WebSocket.cpp (modified) (2 diffs)
• Source/WebCore/dom/Document.cpp (modified) (2 diffs)
• Source/WebCore/dom/ScriptElement.cpp (modified) (2 diffs)
• Source/WebCore/loader/DocumentWriter.cpp (modified) (3 diffs)
• Source/WebCore/loader/FormSubmission.cpp (modified) (4 diffs)
• Source/WebCore/loader/FrameLoader.cpp (modified) (7 diffs)
• Source/WebCore/loader/FrameLoader.h (modified) (1 diff)
• Source/WebCore/loader/PingLoader.cpp (modified) (5 diffs)
• Source/WebCore/loader/SubframeLoader.cpp (modified) (3 diffs)
• Source/WebCore/loader/appcache/ApplicationCacheHost.cpp (modified) (4 diffs)
• Source/WebCore/loader/cache/CachedResourceLoader.cpp (modified) (3 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicy.cpp (modified) (3 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicy.h (modified) (4 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (modified) (3 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (modified) (2 diffs)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp (modified) (1 diff)
• Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h (modified) (1 diff)
• Source/WebCore/platform/network/HTTPHeaderNames.in (modified) (1 diff)
• Source/WebCore/xml/XMLHttpRequest.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2016-06-04  Brent Fulgham  <bfulgham@apple.com>
+
+        CSP: Content Security Policy directive, upgrade-insecure-requests (UIR)
+        https://bugs.webkit.org/show_bug.cgi?id=143653
+        <rdar://problem/23032067>
+
+        Reviewed by Andy Estes.
+
+        Some of these tests are based on a set of Blink patches by Mike West <mkwst@chromium.org>.
+        <https://src.chromium.org/viewvc/blink?revision=192607&view=revision>,
+        <https://codereview.chromium.org/1178093002>, <https://codereview.chromium.org/1964303003>
+
+        The rest of them are based on our own mixedContent tests, revised for upgraded requests.
+
+        Note that WebSockets are not part of this testing at present due to https://bugs.webkit.org/show_bug.cgi?id=157884.
+
+        * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html: Added.
+        * http/tests/security/resources/post-origin-to-parent.html: Added.
+        * http/tests/ssl/iframe-upgrade.https-expected.txt: Added.
+        * http/tests/ssl/iframe-upgrade.https.html: Added.
+        * http/tests/ssl/upgrade-origin-usage-expected.txt: Added.
+        * http/tests/ssl/upgrade-origin-usage.html: Added.
+        * http/tests/ssl/resources/origin-usage-iframe-1.html: Added.
+        * http/tests/ssl/resources/origin-usage-iframe-1.manifest: Added.
+        * http/tests/ssl/resources/origin-usage-iframe-2.html: Added.
+        * http/tests/ssl/resources/origin-usage-iframe-2.manifest: Added.
+        * http/tests/websocket/tests/hybi/upgrade-simple-ws-expected.txt: Added.
+        * http/tests/websocket/tests/hybi/upgrade-simple-ws.html: Added.
+        * TestExpectations: Skip http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-simple-ws.html since the
+        WebSocket server does not currently support wss sockets.
+
 2016-06-03  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/LayoutTests/platform/mac/TestExpectations

@@ -1348 +1348 @@
 
 webkit.org/b/158101 imported/blink/http/tests/plugins/get-url-notify-on-removal.html [ Pass Timeout ]
+
+webkit.org/b/143653 [ Yosemite ] http/tests/websocket/tests/hybi/upgrade-simple-ws.html [ Skip ] # Timeout

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-06-04  Brent Fulgham  <bfulgham@apple.com>
+
+        CSP: Content Security Policy directive, upgrade-insecure-requests (UIR)
+        https://bugs.webkit.org/show_bug.cgi?id=143653
+        <rdar://problem/23032067>
+
+        Reviewed by Andy Estes.
+
+        Modify our loading logic so that we recognize and upgrade insecure requests to secure
+        requests if the Content Security Policy directive 'upgrade-insecure-requests' is
+        present.
+        
+        Add a static helper function to ContentSecurityPolicy to upgrade insecure URLs so
+        that we don't have to sprinkle the same code all over the loader system.
+
+        Tests: http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-simple-ws.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html
+               http/tests/ssl/iframe-upgrade.https.html
+               http/tests/ssl/upgrade-origin-usage.html
+               http/tests/websocket/tests/hybi/upgrade-simple-ws.html
+
+        * Modules/websockets/WebSocket.cpp:
+        (WebCore::WebSocket::connect): Upgrade insecure requests if the CSP
+        indicates we should.
+        * dom/Document.cpp:
+        (WebCore::Document::initSecurityContext): Populate new document CSP with sets of upgrade host and port combinations.
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::requestScript): Upgrade insecure requests if
+        the CSP indicates we should.
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::loadResource): Ditto.
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::begin): Ditto.
+        * loader/FormSubmission.cpp:
+        (WebCore::FormSubmission::create): Ditto.
+        (WebCore::FormSubmission::populateFrameLoadRequest): Add "Upgrade-Insecure-Requests"
+        header to frame load requests.
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::addExtraFieldsToMainResourceRequest): Add the
+        'Update-Insecure-Requests' header field if necessary.
+        (WebCore::FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded): Added helper function.
+        (WebCore::FrameLoader::loadPostRequest): Upgrade insecure requests if the CSP
+        indicates we should.
+        (WebCore::FrameLoader::loadResourceSynchronously): Ditto.
+        (WebCore::FrameLoader::loadDifferentDocumentItem): If loading a form, add the
+        'Update-Insecure-Requests' header field if necessary.
+        (WebCore::createWindow): Upgrade insecure requests if the CSP
+        indicates we should.
+        * loader/FrameLoader.h:
+        * loader/PingLoader.cpp:
+        (WebCore::PingLoader::loadImage): Upgrade insecure requests if the CSP
+        indicates we should.
+        (WebCore::PingLoader::sendPing): Ditto.
+        (WebCore::PingLoader::sendViolationReport): Ditto.
+        * loader/ResourceLoader.cpp:
+        (WebCore::ResourceLoader::willSendRequestInternal): Ditto.
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::requestFrame): Ditto.
+        (WebCore::SubframeLoader::requestObject): Ditto.
+        * loader/appcache/ApplicationCacheHost.cpp:
+        (WebCore::ApplicationCacheHost::shouldLoadResourceFromApplicationCache): Ditto.
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::requestImage): Ditto.
+        (WebCore::CachedResourceLoader::requestResource): Ditto.
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::createWindow): Add the 'Update-Insecure-Requests' header
+        field if necessary.
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::copyStateFrom): Populate upgraded resource set
+        from other context.
+        (WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Added helper function
+        to upgrade requests when the upgrade-insecure-requests CSP policy is present, or if
+        the host and port combination have previously been upgraded.
+        (WebCore::ContentSecurityPolicy::upgradeInsecureNavigationRequestIfNeeded): Added
+        helper function to upgrade requests that have been previously upgraded. Cross-site
+        navigations only get upgraded when they have been previously upgraded.
+        (WebCore::ContentSecurityPolicy::addInsecureNavigationRequestsToUpgrade): Added.
+        (WebCore::ContentSecurityPolicy::populateInsecureNavigationRequestsToUpgradeFromOther): Added.
+        * page/csp/ContentSecurityPolicy.h:
+        (WebCore::ContentSecurityPolicy::setUpgradeInsecureRequests): Added.
+        (WebCore::ContentSecurityPolicy::upgradeInsecureRequests): Added.
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList): Use
+        more C++11 initializations.
+        (WebCore::ContentSecurityPolicyDirectiveList::setUpgradeInsecureRequests): Added.
+        (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Teach this function to
+        recognize the new directive.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        * page/csp/ContentSecurityPolicyDirectiveNames.cpp:
+        * page/csp/ContentSecurityPolicyDirectiveNames.h:
+        * platform/network/HTTPHeaderNames.in: Add new 'Upgrade-Insecure-Requests' header field.
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::open): Upgrade insecure requests if the CSP if needed.
+
 2016-06-03  Myles C. Maxfield  <mmaxfield@apple.com>
 

trunk/Source/WebCore/Modules/websockets/WebSocket.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2011 Google Inc.  All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -231 +232 @@
         return;
     }
+
+    scriptExecutionContext()->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(m_url, ContentSecurityPolicy::InsecureRequestType::Load);
+    
     if (!portAllowed(m_url)) {
         scriptExecutionContext()->addConsoleMessage(MessageSource::JS, MessageLevel::Error, "WebSocket port " + String::number(m_url.port()) + " blocked");

trunk/Source/WebCore/dom/Document.cpp

@@ -5161 +5161 @@
     // If we do not obtain a meaningful origin from the URL, then we try to
     // find one via the frame hierarchy.
-
-    Frame* ownerFrame = m_frame->tree().parent();
+    Frame* parentFrame = m_frame->tree().parent();
+    Frame* openerFrame = m_frame->loader().opener();
+
+    Frame* ownerFrame = parentFrame;
     if (!ownerFrame)
-        ownerFrame = m_frame->loader().opener();
+        ownerFrame = openerFrame;
 
     if (!ownerFrame) {
@@ -5170 +5172 @@
         return;
     }
-
+    
+    Document* openerDocument = openerFrame ? openerFrame->document() : nullptr;
+
+    // Per <http://www.w3.org/TR/upgrade-insecure-requests/>, new browsing contexts must inherit from an
+    // ongoing set of upgraded requests. When opening a new browsing context, we need to capture its
+    // existing upgrade request. Nested browsing contexts are handled during DocumentWriter::begin.
+    if (openerDocument)
+        contentSecurityPolicy()->inheritInsecureNavigationRequestsToUpgradeFromOpener(*openerDocument->contentSecurityPolicy());
+    
     if (isSandboxed(SandboxOrigin)) {
         // If we're supposed to inherit our security origin from our owner,

trunk/Source/WebCore/dom/ScriptElement.cpp

@@ -3 +3 @@
  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
  *           (C) 2001 Dirk Mueller (mueller@kde.org)
- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nikolas Zimmermann <zimmermann@kde.org>
  *
@@ -265 +265 @@
         CachedResourceRequest request(ResourceRequest(m_element.document().completeURL(sourceUrl)), options);
 
+        m_element.document().contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request.mutableResourceRequest(), ContentSecurityPolicy::InsecureRequestType::Load);
+
         String crossOriginMode = m_element.fastGetAttribute(HTMLNames::crossoriginAttr);
         if (!crossOriginMode.isNull()) {

trunk/Source/WebCore/loader/DocumentWriter.cpp

@@ -30 +30 @@
 #include "DocumentWriter.h"
 
+#include "ContentSecurityPolicy.h"
 #include "DOMImplementation.h"
 #include "DOMWindow.h"
@@ -144 +145 @@
         document->createDOMWindow();
 
+    // Per <http://www.w3.org/TR/upgrade-insecure-requests/>, we need to retain an ongoing set of upgraded
+    // requests in new navigation contexts. Although this information is present when we construct the
+    // Document object, it is discard in the subsequent 'clear' statements below. So, we must capture it
+    // so we can restore it.
+    HashSet<RefPtr<SecurityOrigin>> insecureNavigationRequestsToUpgrade;
+    bool upgradeInsecureRequests = false;
+    if (auto* existingDocument = m_frame->document()) {
+        upgradeInsecureRequests = existingDocument->contentSecurityPolicy()->upgradeInsecureRequests();
+        insecureNavigationRequestsToUpgrade = existingDocument->contentSecurityPolicy()->takeNavigationRequestsToUpgrade();
+    }
+    
     m_frame->loader().clear(document.ptr(), !shouldReuseDefaultView, !shouldReuseDefaultView);
     clear();
@@ -157 +169 @@
     m_frame->loader().setOutgoingReferrer(url);
     m_frame->setDocument(document.copyRef());
+
+    document->contentSecurityPolicy()->setUpgradeInsecureRequests(upgradeInsecureRequests);
+    document->contentSecurityPolicy()->setInsecureNavigationRequestsToUpgrade(WTFMove(insecureNavigationRequestsToUpgrade));
 
     if (m_decoder)

trunk/Source/WebCore/loader/FormSubmission.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2010 Google Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -32 +33 @@
 #include "FormSubmission.h"
 
+#include "ContentSecurityPolicy.h"
 #include "DOMFormData.h"
 #include "Document.h"
@@ -189 +191 @@
     String encodingType = copiedAttributes.encodingType();
 
+    document.contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(actionURL, ContentSecurityPolicy::InsecureRequestType::FormSubmission);
+
     if (copiedAttributes.method() == PostMethod) {
         isMultiPartForm = copiedAttributes.isMultiPartForm();
@@ -270 +274 @@
     frameRequest.resourceRequest().setURL(requestURL());
     FrameLoader::addHTTPOriginIfNeeded(frameRequest.resourceRequest(), m_origin);
-}
-
-}
+    FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded(frameRequest.resourceRequest());
+}
+
+}

trunk/Source/WebCore/loader/FrameLoader.cpp

@@ -370 +370 @@
 
     addHTTPOriginIfNeeded(frameRequest.resourceRequest(), outgoingOrigin());
+    m_frame.document()->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(frameRequest.resourceRequest(), ContentSecurityPolicy::InsecureRequestType::Navigation);
 
     loadFrameRequest(frameRequest, triggeringEvent, nullptr);
@@ -2548 +2549 @@
     // If we are only preparing to load the main resource, that is previous load's load type!
     addExtraFieldsToRequest(request, m_loadType, true);
+
+    // Upgrade-Insecure-Requests should only be added to main resource requests
+    addHTTPUpgradeInsecureRequestsIfNeeded(request);
 }
 
@@ -2654 +2658 @@
 }
 
+void FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded(ResourceRequest& request)
+{
+    if (request.url().protocolIs("https")) {
+        // FIXME: Identify HSTS cases and avoid adding the header. <https://bugs.webkit.org/show_bug.cgi?id=157885>
+        return;
+    }
+
+    request.setHTTPHeaderField(HTTPHeaderName::UpgradeInsecureRequests, ASCIILiteral("1"));
+}
+
 void FrameLoader::loadPostRequest(const FrameLoadRequest& request, const String& referrer, FrameLoadType loadType, Event* event, PassRefPtr<FormState> prpFormState)
 {
@@ -2677 +2691 @@
     workingResourceRequest.setHTTPContentType(contentType);
     addExtraFieldsToRequest(workingResourceRequest, loadType, true);
+
+    if (Document* document = m_frame.document())
+        document->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(workingResourceRequest, ContentSecurityPolicy::InsecureRequestType::Load);
 
     NavigationAction action(workingResourceRequest, loadType, true, event, request.shouldOpenExternalURLsPolicy(), request.downloadAttribute());
@@ -2736 +2753 @@
 #endif
 
+    m_frame.document()->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(newRequest, ContentSecurityPolicy::InsecureRequestType::Load);
+    
     if (error.isNull()) {
         ASSERT(!newRequest.isNull());
@@ -3319 +3338 @@
         RefPtr<SecurityOrigin> securityOrigin = SecurityOrigin::createFromString(item.referrer());
         addHTTPOriginIfNeeded(request, securityOrigin->toString());
+        addHTTPUpgradeInsecureRequestsIfNeeded(request);
 
         // Make sure to add extra fields to the request after the Origin header is added for the FormData case.
@@ -3609 +3629 @@
         requestWithReferrer.resourceRequest().setHTTPReferrer(referrer);
     FrameLoader::addHTTPOriginIfNeeded(requestWithReferrer.resourceRequest(), openerFrame.loader().outgoingOrigin());
+    FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded(requestWithReferrer.resourceRequest());
 
     Page* oldPage = openerFrame.page();

trunk/Source/WebCore/loader/FrameLoader.h

@@ -203 +203 @@
     
     static void addHTTPOriginIfNeeded(ResourceRequest&, const String& origin);
+    static void addHTTPUpgradeInsecureRequestsIfNeeded(ResourceRequest&);
 
     FrameLoaderClient& client() const { return m_client; }

trunk/Source/WebCore/loader/PingLoader.cpp

@@ -2 +2 @@
  * Copyright (C) 2010 Google Inc. All rights reserved.
  * Copyright (C) 2015 Roopesh Chander (roop@roopc.net)
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -34 +35 @@
 #include "PingLoader.h"
 
+#include "ContentSecurityPolicy.h"
 #include "Document.h"
 #include "FormData.h"
@@ -81 +83 @@
 #endif
 
+    if (Document* document = frame.document())
+        document->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request, ContentSecurityPolicy::InsecureRequestType::Load);
+
     request.setHTTPHeaderField(HTTPHeaderName::CacheControl, "max-age=0");
     String referrer = SecurityPolicy::generateReferrerHeader(frame.document()->referrerPolicy(), request.url(), frame.loader().outgoingReferrer());
@@ -102 +107 @@
         return;
 #endif
+
+    frame.document()->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request, ContentSecurityPolicy::InsecureRequestType::Load);
 
     request.setHTTPMethod("POST");
@@ -133 +140 @@
         return;
 #endif
+
+    if (Document* document = frame.document())
+        document->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request, ContentSecurityPolicy::InsecureRequestType::Load);
 
     request.setHTTPMethod(ASCIILiteral("POST"));

trunk/Source/WebCore/loader/SubframeLoader.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2016 Apple Inc. All rights reserved.
  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
@@ -232 +232 @@
         completedURL = completeURL(url);
 
+    document()->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(completedURL, ContentSecurityPolicy::InsecureRequestType::Load);
+
     bool hasFallbackContent = is<HTMLObjectElement>(ownerElement) && downcast<HTMLObjectElement>(ownerElement).hasFallbackContent();
 
@@ -301 +303 @@
 }
 
-Frame* SubframeLoader::loadOrRedirectSubframe(HTMLFrameOwnerElement& ownerElement, const URL& url, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
-{
+Frame* SubframeLoader::loadOrRedirectSubframe(HTMLFrameOwnerElement& ownerElement, const URL& requestUrl, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
+{
+    URL url = requestUrl;
+    ownerElement.document().contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(url, ContentSecurityPolicy::InsecureRequestType::Load);
+
     Frame* frame = ownerElement.contentFrame();
     if (frame)

trunk/Source/WebCore/loader/appcache/ApplicationCacheHost.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2008-2016 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30 +30 @@
 #include "ApplicationCacheGroup.h"
 #include "ApplicationCacheResource.h"
+#include "ContentSecurityPolicy.h"
 #include "DocumentLoader.h"
 #include "DOMApplicationCache.h"
@@ -371 +372 @@
 }
 
-bool ApplicationCacheHost::shouldLoadResourceFromApplicationCache(const ResourceRequest& request, ApplicationCacheResource*& resource)
+bool ApplicationCacheHost::shouldLoadResourceFromApplicationCache(const ResourceRequest& originalRequest, ApplicationCacheResource*& resource)
 {
     ApplicationCache* cache = applicationCache();
@@ -377 +378 @@
         return false;
 
+    ResourceRequest request(originalRequest);
+    if (Frame* loaderFrame = m_documentLoader.frame()) {
+        if (Document* document = loaderFrame->document())
+            document->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request, ContentSecurityPolicy::InsecureRequestType::Load);
+    }
+    
     // If the resource is not to be fetched using the HTTP GET mechanism or equivalent, or if its URL has a different
     // <scheme> component than the application cache's manifest, then fetch the resource normally.

trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

@@ -3 +3 @@
     Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
     Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
-    Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
+    Copyright (C) 2004-2016 Apple Inc. All rights reserved.
     Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
 
@@ -180 +180 @@
     if (Frame* frame = this->frame()) {
         if (frame->loader().pageDismissalEventBeingDispatched() != FrameLoader::PageDismissalType::None) {
+            if (Document* document = frame->document())
+                document->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request.mutableResourceRequest(), ContentSecurityPolicy::InsecureRequestType::Load);
             URL requestURL = request.resourceRequest().url();
             if (requestURL.isValid() && canRequest(CachedResource::ImageResource, requestURL, request.options(), request.forPreload()))
@@ -548 +550 @@
 CachedResourceHandle<CachedResource> CachedResourceLoader::requestResource(CachedResource::Type type, CachedResourceRequest& request)
 {
+    if (Document* document = this->document())
+        document->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(request.mutableResourceRequest(), ContentSecurityPolicy::InsecureRequestType::Load);
+    
     URL url = request.resourceRequest().url();
     

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp

@@ -47 +47 @@
 #include "ParsingUtilities.h"
 #include "PingLoader.h"
+#include "ResourceRequest.h"
 #include "RuntimeEnabledFeatures.h"
 #include "SchemeRegistry.h"
@@ -112 +113 @@
     for (auto& policy : other->m_policies)
         didReceiveHeader(policy->header(), policy->headerType(), ContentSecurityPolicy::PolicyFrom::Inherited);
+
+    m_upgradeInsecureRequests = other->m_upgradeInsecureRequests;
+    m_insecureNavigationRequestsToUpgrade.add(other->m_insecureNavigationRequestsToUpgrade.begin(), other->m_insecureNavigationRequestsToUpgrade.end());
 }
 
@@ -755 +759 @@
 #endif
 }
+
+void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(ResourceRequest& request, InsecureRequestType requestType)
+{
+    URL url = request.url();
+    upgradeInsecureRequestIfNeeded(url, requestType);
+    request.setURL(url);
+}
+
+void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(URL& url, InsecureRequestType requestType)
+{
+    if (!url.protocolIs("http") && !url.protocolIs("ws"))
+        return;
+
+    bool upgradeRequest = m_insecureNavigationRequestsToUpgrade.contains(SecurityOrigin::create(url));
+    if (requestType == InsecureRequestType::Load || requestType == InsecureRequestType::FormSubmission)
+        upgradeRequest |= m_upgradeInsecureRequests;
     
-}
+    if (!upgradeRequest)
+        return;
+
+    if (url.protocolIs("http"))
+        url.setProtocol("https");
+    else if (url.protocolIs("ws"))
+        url.setProtocol("wss");
+    else
+        return;
+    
+    if (url.port() == 80)
+        url.setPort(443);
+}
+
+void ContentSecurityPolicy::setUpgradeInsecureRequests(bool upgradeInsecureRequests)
+{
+    m_upgradeInsecureRequests = upgradeInsecureRequests;
+    if (!m_upgradeInsecureRequests)
+        return;
+
+    if (!m_scriptExecutionContext)
+        return;
+
+    // Store the upgrade domain as an 'insecure' protocol so we can quickly identify
+    // origins we should upgrade.
+    URL upgradeURL = m_scriptExecutionContext->url();
+    if (upgradeURL.protocolIs("https"))
+        upgradeURL.setProtocol("http");
+    else if (upgradeURL.protocolIs("wss"))
+        upgradeURL.setProtocol("ws");
+    
+    m_insecureNavigationRequestsToUpgrade.add(SecurityOrigin::create(upgradeURL));
+}
+
+void ContentSecurityPolicy::inheritInsecureNavigationRequestsToUpgradeFromOpener(const ContentSecurityPolicy& other)
+{
+    m_insecureNavigationRequestsToUpgrade.add(other.m_insecureNavigationRequestsToUpgrade.begin(), other.m_insecureNavigationRequestsToUpgrade.end());
+}
+
+HashSet<RefPtr<SecurityOrigin>>&& ContentSecurityPolicy::takeNavigationRequestsToUpgrade()
+{
+    return WTFMove(m_insecureNavigationRequestsToUpgrade);
+}
+
+void ContentSecurityPolicy::setInsecureNavigationRequestsToUpgrade(HashSet<RefPtr<SecurityOrigin>>&& insecureNavigationRequests)
+{
+    m_insecureNavigationRequestsToUpgrade = WTFMove(insecureNavigationRequests);
+}
+
+}

trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h

@@ -28 +28 @@
 
 #include "ContentSecurityPolicyResponseHeaders.h"
+#include "SecurityOrigin.h"
+#include "SecurityOriginHash.h"
+#include <wtf/HashSet.h>
 #include <wtf/OptionSet.h>
 #include <wtf/Vector.h>
@@ -48 +51 @@
 class Frame;
 class JSDOMWindowShell;
+class ResourceRequest;
 class ScriptExecutionContext;
 class SecurityOrigin;
@@ -149 +153 @@
     bool protocolMatchesSelf(const URL&) const;
 
+    void setUpgradeInsecureRequests(bool);
+    bool upgradeInsecureRequests() const { return m_upgradeInsecureRequests; }
+    enum class InsecureRequestType { Load, FormSubmission, Navigation };
+    void upgradeInsecureRequestIfNeeded(ResourceRequest&, InsecureRequestType);
+    void upgradeInsecureRequestIfNeeded(URL&, InsecureRequestType);
+
+    HashSet<RefPtr<SecurityOrigin>>&& takeNavigationRequestsToUpgrade();
+    void inheritInsecureNavigationRequestsToUpgradeFromOpener(const ContentSecurityPolicy&);
+    void setInsecureNavigationRequestsToUpgrade(HashSet<RefPtr<SecurityOrigin>>&&);
+
 private:
     void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
@@ -175 +189 @@
     bool m_overrideInlineStyleAllowed { false };
     bool m_isReportingEnabled { true };
+    bool m_upgradeInsecureRequests { false };
     OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineScripts;
     OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineStylesheets;
+    HashSet<RefPtr<SecurityOrigin>> m_insecureNavigationRequestsToUpgrade;
 };
 

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp

@@ -101 +101 @@
     : m_policy(policy)
     , m_headerType(type)
-    , m_reportOnly(false)
-    , m_haveSandboxPolicy(false)
 {
     m_reportOnly = (type == ContentSecurityPolicyHeaderType::Report || type == ContentSecurityPolicyHeaderType::PrefixedReport);
@@ -434 +432 @@
     if (!invalidTokens.isNull())
         m_policy.reportInvalidSandboxFlags(invalidTokens);
+}
+
+void ContentSecurityPolicyDirectiveList::setUpgradeInsecureRequests(const String& name)
+{
+    if (m_reportOnly) {
+        m_policy.reportInvalidDirectiveInReportOnlyMode(name);
+        return;
+    }
+    if (m_upgradeInsecureRequests) {
+        m_policy.reportDuplicateDirective(name);
+        return;
+    }
+    m_upgradeInsecureRequests = true;
+    m_policy.setUpgradeInsecureRequests(true);
 }
 
@@ -482 +494 @@
     else if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reportURI))
         parseReportURI(name, value);
+    else if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::upgradeInsecureRequests))
+        setUpgradeInsecureRequests(name);
     else
         m_policy.reportUnsupportedDirective(name);

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h

@@ -87 +87 @@
     void addDirective(const String& name, const String& value);
     void applySandboxPolicy(const String& name, const String& sandboxPolicy);
+    void setUpgradeInsecureRequests(const String& name);
 
     template <class CSPDirectiveType>
@@ -101 +102 @@
     ContentSecurityPolicyHeaderType m_headerType;
 
-    bool m_reportOnly;
-    bool m_haveSandboxPolicy;
+    bool m_reportOnly { false };
+    bool m_haveSandboxPolicy { false };
+    bool m_upgradeInsecureRequests { false };
 
     std::unique_ptr<ContentSecurityPolicyMediaListDirective> m_pluginTypes;

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp

@@ -47 +47 @@
 const char* const scriptSrc = "script-src";
 const char* const styleSrc = "style-src";
+const char* const upgradeInsecureRequests = "upgrade-insecure-requests";
     
 } // namespace ContentSecurityPolicyDirectiveNames

trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h

@@ -46 +46 @@
 extern const char* const scriptSrc;
 extern const char* const styleSrc;
+extern const char* const upgradeInsecureRequests;
 
 } // namespace ContentSecurityPolicyDirectiveNames

trunk/Source/WebCore/platform/network/HTTPHeaderNames.in

@@ -90 +90 @@
 Transfer-Encoding
 Upgrade
+Upgrade-Insecure-Requests
 User-Agent
 Vary

trunk/Source/WebCore/xml/XMLHttpRequest.cpp

@@ -1 +1 @@
 /*
- *  Copyright (C) 2004, 2006, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2004-2016 Apple Inc. All rights reserved.
  *  Copyright (C) 2005-2007 Alexey Proskuryakov <ap@webkit.org>
  *  Copyright (C) 2007, 2008 Julien Chaffraix <jchaffraix@webkit.org>
@@ -481 +481 @@
 
     m_url = url;
+    scriptExecutionContext()->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(m_url, ContentSecurityPolicy::InsecureRequestType::Load);
 
     m_async = async;