Context Navigation

← Previous Changeset
Next Changeset →

Changeset 204164 in webkit

Timestamp:

Aug 5, 2016 12:39:01 AM (8 years ago)

Author:

commit-queue@webkit.org

Message:

[Fetch API] Activate CSP checks
https://bugs.webkit.org/show_bug.cgi?id=160445

Patch by Youenn Fablet <youenn@apple.com> on 2016-08-05
Reviewed by Daniel Bates.

LayoutTests/imported/w3c:

web-platform-tests/fetch/api/policies/csp-blocked-expected.txt:
web-platform-tests/fetch/api/policies/csp-blocked-worker-expected.txt:

Source/WebCore:

Tests: http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html

http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html

Modules/fetch/FetchLoader.cpp:

(WebCore::FetchLoader::start): Adding CSP and URL upgrade checks.

LayoutTests:

http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-fetch-in-main-frame-window.html: Added.
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html:
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame-expected.txt: Added.
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html: Added.
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker-expected.txt: Added.
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html: Added.
http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt:
platform/mac-wk2/TestExpectations: Marking new worker test as failing at loading https resource from loader.

It gets a "The certificate for this server is invalid" error.

platform/wk2/TestExpectations: Marking new frame test as timing out for WK2 as fetch is not activated in the pop-up window.

Location:

trunk

Files:

: 5 added
: 10 edited

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r204163
+                      r204164
+-08-05  Youenn Fablet  <youenn@apple.com>
+        [Fetch API] Activate CSP checks
+        https://bugs.webkit.org/show_bug.cgi?id=160445
+        Reviewed by Daniel Bates.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-fetch-in-main-frame-window.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html:
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt:
+        * platform/mac-wk2/TestExpectations: Marking new worker test as failing at loading https resource from loader.
+        It gets a "The certificate for this server is invalid" error.
+        * platform/wk2/TestExpectations: Marking new frame test as timing out for WK2 as fetch is not activated in the pop-up window.
 -08-05  Youenn Fablet  <youenn@apple.com>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html

-                      r201753
+                      r204164
     xhr.onload = function() {
         alert("PASS: load was not blocked");
+    };
+    var testIsFinished = false;
+    xhr.onloadend = function() {
+        testIsFinished = true;
+        alert("PASS: onloadend called");
         if (window.testRunner)
             testRunner.notifyDone();
+    };
+    // When XHR is blocked due to mixed content blocking, it just appears as if the load stalls,
+    // see https://bugs.webkit.org/show_bug.cgi?id=145717.
+    setTimeout(function() {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 2000);
+    }
     try {
 …
+    }
+    // When running in normal environment, let's notify user if something went wrong
+    if (!window.testRunner) {
+        setTimeout(() => {
+            if (testIsFinished)
+                return;
+            alert("Test timed out");
+        }, 2000);
+    }
     xhr.send(null);
 };

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt

r201753	r204164
1	1	ALERT: PASS: load was not blocked
	2	ALERT: PASS: onloadend called
2	3	This test opens a HTTPS window that loads insecure data via XHR. We should upgrade this request and thereby avoid a mixed content callback.

trunk/LayoutTests/imported/w3c/ChangeLog

-                      r204163
+                      r204164
+-08-05  Youenn Fablet  <youenn@apple.com>
+        [Fetch API] Activate CSP checks
+        https://bugs.webkit.org/show_bug.cgi?id=160445
+        Reviewed by Daniel Bates.
+        * web-platform-tests/fetch/api/policies/csp-blocked-expected.txt:
+        * web-platform-tests/fetch/api/policies/csp-blocked-worker-expected.txt:
 -08-05  Youenn Fablet  <youenn@apple.com>

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/policies/csp-blocked-expected.txt

r200195	r204164
	1	CONSOLE MESSAGE: Refused to connect to http://localhost:8800/fetch/api/resources/top.txt because it does not appear in the connect-src directive of the Content Security Policy.
1	2
2		FAIL Fetch is blocked by CSP, got a TypeError assert_unreached: Should have rejected. Reached unreachable code
	3	PASS Fetch is blocked by CSP, got a TypeError
3	4

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/policies/csp-blocked-worker-expected.txt

r200195	r204164
	1	CONSOLE MESSAGE: Refused to connect to http://localhost:8800/fetch/api/resources/top.txt because it does not appear in the connect-src directive of the Content Security Policy.
1	2
2		FAIL Fetch is blocked by CSP, got a TypeError assert_unreached: Should have rejected. Reached unreachable code
	3	PASS Fetch is blocked by CSP, got a TypeError
3	4

trunk/LayoutTests/platform/mac-wk2/TestExpectations

-                      r204127
+                      r204164
 [ ElCapitan ] fast/mediastream/MediaStream-video-element-video-tracks-disabled.html [ Skip ]
+# Hitting "The certificate for this server is invalid" loading error (not happening in WK1)
+webkit.org/b/160445 http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html [ Failure Timeout ]
 ### END OF (3) Unclassified failures
 ########################################

trunk/LayoutTests/platform/wk2/TestExpectations

r202150	r204164
42	42	########################################
43	43	### START OF (1) Classified failures with bug reports
	44
	45	webkit.org/b/160445 http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html [ Timeout ]
44	46
45	47	webkit.org/b/156612 http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html [ Failure ]

trunk/Source/WebCore/ChangeLog

-                      r204163
+                      r204164
+-08-05  Youenn Fablet  <youenn@apple.com>
+        [Fetch API] Activate CSP checks
+        https://bugs.webkit.org/show_bug.cgi?id=160445
+        Reviewed by Daniel Bates.
+        Tests: http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html
+        * Modules/fetch/FetchLoader.cpp:
+        (WebCore::FetchLoader::start): Adding CSP and URL upgrade checks.
 -08-05  Youenn Fablet  <youenn@apple.com>

trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp

-                      r204019
+                      r204164
 #include "BlobURL.h"
 #include "CachedResourceRequestInitiators.h"
+#include "ContentSecurityPolicy.h"
 #include "FetchBody.h"
 #include "FetchLoaderClient.h"
 …
 void FetchLoader::start(ScriptExecutionContext& context, const FetchRequest& request)
+{
+    ThreadableLoaderOptions options(request.fetchOptions(), ConsiderPreflight, ContentSecurityPolicyEnforcement::DoNotEnforce, String(cachedResourceRequestInitiators().fetch));
+    ThreadableLoaderOptions options(request.fetchOptions(), ConsiderPreflight,
+        context.shouldBypassMainWorldContentSecurityPolicy() ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective,
+        String(cachedResourceRequestInitiators().fetch));
     options.sendLoadCallbacks = SendCallbacks;
     options.dataBufferingPolicy = DoNotBufferData;
+    m_loader = ThreadableLoader::create(context, *this, request.internalRequest(), options);
+    ResourceRequest fetchRequest = request.internalRequest();
+    ASSERT(context.contentSecurityPolicy());
+    context.contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(fetchRequest, ContentSecurityPolicy::InsecureRequestType::Load);
+    if (!context.contentSecurityPolicy()->allowConnectToSource(fetchRequest.url(), context.shouldBypassMainWorldContentSecurityPolicy())) {
+        m_client.didFail();
+        return;
+    }
+    m_loader = ThreadableLoader::create(context, *this, WTFMove(fetchRequest), options);
     m_isStarted = m_loader;
+}

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 204164 in webkit

Legend:

Download in other formats: