Changeset 211656 in webkit
Timestamp: Feb 3, 2017 3:14:53 PM (7 years ago)
Location: trunk
Files: 5 added, 21 edited
trunk/Source/WebCore/ChangeLog
r211654 r211656 1 2017-02-03 Daniel Bates <dabates@apple.com> 2 3 [Mac][WK2] Add SPI to override the Content Security Policy of a page 4 https://bugs.webkit.org/show_bug.cgi?id=167810 5 <rdar://problem/30102568> 6 7 Reviewed by Anders Carlsson. 8 9 * dom/Document.cpp: 10 (WebCore::Document::initSecurityContext): Apply the embedding client's override Content Security 11 Policy to the document if one exists. 12 * loader/FrameLoaderClient.h: Add function overrideContentSecurityPolicy() that a FrameLoaderClient 13 can override to provide a custom Content Security Policy for a document (defaults: null string - no policy). 14 As its name implies, the policy returned by overrideContentSecurityPolicy() will define the Content 15 Security Policy for the document, overriding any subsequently received Content Security Policy for 16 the document. 17 * page/csp/ContentSecurityPolicy.cpp: 18 (WebCore::ContentSecurityPolicy::copyStateFrom): Only copy policies from the specified ContentSecurityPolicy 19 object if our policy was not specified by the embedding client. 20 (WebCore::ContentSecurityPolicy::didReceiveHeader): Set ContentSecurityPolicy::m_hasAPIPolicy to true 21 when we receive an API policy from the embedding client (ContentSecurityPolicy::PolicyFrom::API). An 22 API policy must be defined before a policy received from a document. Do not process a received header 23 if we already have an API policy as the API policy overrides all other policies. 24 * page/csp/ContentSecurityPolicy.h: 25 1 26 2017-02-03 Chris Dumez <cdumez@apple.com> 2 27 -
trunk/Source/WebCore/dom/Document.cpp
r211649 r211656 5157 5157 setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(*this)); 5158 5158 5159 String overrideContentSecurityPolicy = m_frame->loader().client().overrideContentSecurityPolicy(); 5160 if (!overrideContentSecurityPolicy.isNull()) 5161 contentSecurityPolicy()->didReceiveHeader(overrideContentSecurityPolicy, ContentSecurityPolicyHeaderType::Enforce, ContentSecurityPolicy::PolicyFrom::API); 5162 5159 5163 #if USE(QUICK_LOOK) 5160 5164 if (shouldEnforceQuickLookSandbox()) -
trunk/Source/WebCore/loader/FrameLoaderClient.h
r211402 r211656 257 257 258 258 virtual String userAgent(const URL&) = 0; 259 260 virtual String overrideContentSecurityPolicy() const { return String(); } 259 261 260 262 virtual void savePlatformDataToCachedFrame(CachedFrame*) = 0; -
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp
r211027 r211656 111 111 void ContentSecurityPolicy::copyStateFrom(const ContentSecurityPolicy* other) 112 112 { 113 if (m_hasAPIPolicy) 114 return; 113 115 ASSERT(m_policies.isEmpty()); 114 116 for (auto& policy : other->m_policies) … … 178 180 void ContentSecurityPolicy::didReceiveHeader(const String& header, ContentSecurityPolicyHeaderType type, ContentSecurityPolicy::PolicyFrom policyFrom) 179 181 { 182 if (m_hasAPIPolicy) 183 return; 184 185 if (policyFrom == PolicyFrom::API) { 186 ASSERT(m_policies.isEmpty()); 187 m_hasAPIPolicy = true; 188 } 189 180 190 // RFC2616, section 4.2 specifies that headers appearing multiple times can 181 191 // be combined with a comma. Walk the header string, and parse each comma -
trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h
r210992 r211656 75 75 76 76 enum class PolicyFrom { 77 API, 77 78 HTTPEquivMeta, 78 79 HTTPHeader, … … 211 212 bool m_isReportingEnabled { true }; 212 213 bool m_upgradeInsecureRequests { false }; 214 bool m_hasAPIPolicy { false }; 213 215 OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineScripts; 214 216 OptionSet<ContentSecurityPolicyHashAlgorithm> m_hashAlgorithmsForInlineStylesheets; -
trunk/Source/WebKit2/ChangeLog
r211655 r211656 1 2017-02-03 Daniel Bates <dabates@apple.com> 2 3 [Mac][WK2] Add SPI to override the Content Security Policy of a page 4 https://bugs.webkit.org/show_bug.cgi?id=167810 5 <rdar://problem/30102568> 6 7 Reviewed by Anders Carlsson. 8 9 Add SPI to WKWebViewConfiguration so that an embedding client can define a custom Content Security 10 Policy that overrides the Content Security Policy of any page loaded in the web view. 11 12 * Shared/WebPageCreationParameters.cpp: 13 (WebKit::WebPageCreationParameters::encode): Encode instance variable overrideContentSecurityPolicy. 14 (WebKit::WebPageCreationParameters::decode): Decode instance variable overrideContentSecurityPolicy. 15 * Shared/WebPageCreationParameters.h: 16 * UIProcess/API/APIPageConfiguration.cpp: 17 (API::PageConfiguration::copy): Copy instance variable overrideContentSecurityPolicy. 18 * UIProcess/API/APIPageConfiguration.h: 19 (API::PageConfiguration::overrideContentSecurityPolicy): Added. 20 (API::PageConfiguration::setOverrideContentSecurityPolicy): Added. 21 * UIProcess/API/Cocoa/WKWebView.mm: 22 (-[WKWebView _initializeWithConfiguration:]): Copy overrideContentSecurityPolicy set on the WKWebViewConfiguration 23 object to the API::PageConfiguration object if non-nil. 24 * UIProcess/API/Cocoa/WKWebViewConfiguration.mm: 25 (-[WKWebViewConfiguration copyWithZone:]): Copy the instance variable overrideContentSecurityPolicy. 26 (-[WKWebViewConfiguration _overrideContentSecurityPolicy]): Added. 27 (-[WKWebViewConfiguration _setOverrideContentSecurityPolicy:]): Added. 28 * UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h: Define SPI property _overrideContentSecurityPolicy. 29 * UIProcess/WebPageProxy.cpp: 30 (WebKit::WebPageProxy::WebPageProxy): Initialize m_overrideContentSecurityPolicy from the passed 31 page configuration. 
32 (WebKit::WebPageProxy::creationParameters): Set WebPageCreationParameters::overrideContentSecurityPolicy 33 so that the WebPage object (in the WebProcess) will know the overridden Content Security Policy 34 to apply to the document. 35 * UIProcess/WebPageProxy.h: 36 * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp: 37 (WebKit::WebFrameLoaderClient::overrideContentSecurityPolicy): Added. Returns the custom Content 38 Security Policy to apply to a new document. 39 * WebProcess/WebCoreSupport/WebFrameLoaderClient.h: 40 * WebProcess/WebPage/WebPage.cpp: 41 * WebProcess/WebPage/WebPage.h: 42 (WebKit::WebPage::overrideContentSecurityPolicy): Added. 43 1 44 2017-02-03 Anders Carlsson <andersca@apple.com> 2 45 -
trunk/Source/WebKit2/Shared/WebPageCreationParameters.cpp
r208340 r211656 90 90 encoder.encodeEnum(userInterfaceLayoutDirection); 91 91 encoder.encodeEnum(observedLayoutMilestones); 92 encoder << overrideContentSecurityPolicy; 92 93 } 93 94 … … 205 206 return false; 206 207 208 if (!decoder.decode(parameters.overrideContentSecurityPolicy)) 209 return false; 210 207 211 return true; 208 212 } -
trunk/Source/WebKit2/Shared/WebPageCreationParameters.h
r211312 r211656 144 144 WebCore::UserInterfaceLayoutDirection userInterfaceLayoutDirection; 145 145 WebCore::LayoutMilestones observedLayoutMilestones; 146 147 String overrideContentSecurityPolicy; 146 148 }; 147 149 -
trunk/Source/WebKit2/UIProcess/API/APIPageConfiguration.cpp
r209067 r211656 70 70 copy->m_initialCapitalizationEnabled = this->m_initialCapitalizationEnabled; 71 71 copy->m_controlledByAutomation = this->m_controlledByAutomation; 72 copy->m_overrideContentSecurityPolicy = this->m_overrideContentSecurityPolicy; 72 73 73 74 return copy; -
trunk/Source/WebKit2/UIProcess/API/APIPageConfiguration.h
r210913 r211656 30 30 #include "WebPreferencesStore.h" 31 31 #include <WebCore/SessionID.h> 32 #include <wtf/Forward.h> 32 33 #include <wtf/GetPtr.h> 33 34 … … 99 100 void setControlledByAutomation(bool controlledByAutomation) { m_controlledByAutomation = controlledByAutomation; } 100 101 102 const WTF::String& overrideContentSecurityPolicy() const { return m_overrideContentSecurityPolicy; } 103 void setOverrideContentSecurityPolicy(const WTF::String& overrideContentSecurityPolicy) { m_overrideContentSecurityPolicy = overrideContentSecurityPolicy; } 104 101 105 private: 102 106 … … 121 125 bool m_waitsForPaintAfterViewDidMoveToWindow = true; 122 126 bool m_controlledByAutomation = false; 127 128 WTF::String m_overrideContentSecurityPolicy; 123 129 }; 124 130 -
trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm
r211628 r211656 414 414 pageConfiguration->setWebsiteDataStore([_configuration websiteDataStore]->_websiteDataStore.get()); 415 415 pageConfiguration->setTreatsSHA1SignedCertificatesAsInsecure([_configuration _treatsSHA1SignedCertificatesAsInsecure]); 416 417 if (NSString *overrideContentSecurityPolicy = configuration._overrideContentSecurityPolicy) 418 pageConfiguration->setOverrideContentSecurityPolicy(overrideContentSecurityPolicy); 416 419 417 420 RefPtr<WebKit::WebPageGroup> pageGroup; -
trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm
r210913 r211656 131 131 #endif 132 132 BOOL _needsStorageAccessFromFileURLsQuirk; 133 134 NSString *_overrideContentSecurityPolicy; 133 135 } 134 136 … … 319 321 #endif 320 322 configuration->_needsStorageAccessFromFileURLsQuirk = self->_needsStorageAccessFromFileURLsQuirk; 323 configuration->_overrideContentSecurityPolicy = self->_overrideContentSecurityPolicy; 321 324 322 325 return configuration; … … 753 756 } 754 757 758 - (NSString *)_overrideContentSecurityPolicy 759 { 760 return _overrideContentSecurityPolicy; 761 } 762 763 - (void)_setOverrideContentSecurityPolicy:(NSString *)overrideContentSecurityPolicy 764 { 765 _overrideContentSecurityPolicy = overrideContentSecurityPolicy; 766 } 767 755 768 @end 756 769 -
trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h
r210913 r211656 75 75 @property (nonatomic, setter=_setRequiresUserActionForVideoPlayback:) BOOL _requiresUserActionForVideoPlayback WK_API_DEPRECATED_WITH_REPLACEMENT("mediaTypesRequiringUserActionForPlayback", macosx(10.12, 10.12), ios(10.0, 10.0)); 76 76 77 @property (nonatomic, setter=_setOverrideContentSecurityPolicy:) NSString *_overrideContentSecurityPolicy WK_API_AVAILABLE(macosx(WK_MAC_TBA), ios(WK_IOS_TBA)); 78 77 79 @end 78 80 -
trunk/Source/WebKit2/UIProcess/WebPageProxy.cpp
r211652 r211656 344 344 , m_mainFrame(nullptr) 345 345 , m_userAgent(standardUserAgent()) 346 , m_overrideContentSecurityPolicy { m_configuration->overrideContentSecurityPolicy() } 346 347 , m_treatsSHA1CertificatesAsInsecure(m_configuration->treatsSHA1SignedCertificatesAsInsecure()) 347 348 #if ENABLE(FULLSCREEN_API) … … 5572 5573 parameters.userInterfaceLayoutDirection = m_pageClient.userInterfaceLayoutDirection(); 5573 5574 parameters.observedLayoutMilestones = m_observedLayoutMilestones; 5575 parameters.overrideContentSecurityPolicy = m_overrideContentSecurityPolicy; 5574 5576 5575 5577 return parameters; -
trunk/Source/WebKit2/UIProcess/WebPageProxy.h
r211597 r211656 1664 1664 String m_customUserAgent; 1665 1665 String m_customTextEncodingName; 1666 String m_overrideContentSecurityPolicy; 1666 1667 1667 1668 bool m_treatsSHA1CertificatesAsInsecure; -
trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
r211097 r211656 1298 1298 } 1299 1299 1300 String WebFrameLoaderClient::overrideContentSecurityPolicy() const 1301 { 1302 WebPage* webPage = m_frame->page(); 1303 if (!webPage) 1304 return String(); 1305 1306 return webPage->overrideContentSecurityPolicy(); 1307 } 1308 1300 1309 void WebFrameLoaderClient::savePlatformDataToCachedFrame(CachedFrame* cachedFrame) 1301 1310 { -
trunk/Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.h
r211402 r211656 180 180 181 181 String userAgent(const WebCore::URL&) final; 182 182 183 String overrideContentSecurityPolicy() const final; 184 183 185 void savePlatformDataToCachedFrame(WebCore::CachedFrame*) final; 184 186 void transitionToCommittedFromCachedFrame(WebCore::CachedFrame*) final; -
trunk/Source/WebKit2/WebProcess/WebPage/WebPage.cpp
r211441 r211656 363 363 , m_userActivityHysteresis([this](HysteresisState) { updateUserActivity(); }) 364 364 , m_userInterfaceLayoutDirection(parameters.userInterfaceLayoutDirection) 365 , m_overrideContentSecurityPolicy { parameters.overrideContentSecurityPolicy } 365 366 { 366 367 ASSERT(m_pageID); -
trunk/Source/WebKit2/WebProcess/WebPage/WebPage.h
r211356 r211656 294 294 WebCore::KeyboardUIMode keyboardUIMode(); 295 295 296 const String& overrideContentSecurityPolicy() const { return m_overrideContentSecurityPolicy; } 297 296 298 WebUndoStep* webUndoStep(uint64_t); 297 299 void addWebUndoStep(uint64_t, WebUndoStep*); … … 1543 1545 1544 1546 WebCore::UserInterfaceLayoutDirection m_userInterfaceLayoutDirection { WebCore::UserInterfaceLayoutDirection::LTR }; 1547 1548 const String m_overrideContentSecurityPolicy; 1545 1549 }; 1546 1550 -
trunk/Tools/ChangeLog
r211621 r211656 1 2017-02-03 Daniel Bates <dabates@apple.com> 2 3 [Mac][WK2] Add SPI to override the Content Security Policy of a page 4 https://bugs.webkit.org/show_bug.cgi?id=167810 5 <rdar://problem/30102568> 6 7 Reviewed by Anders Carlsson. 8 9 Add tests to ensure that we do not regress -[WKWebView _setOverrideContentSecurityPolicy:]. 10 11 * TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj: 12 * TestWebKitAPI/Tests/WebKit2Cocoa/OverrideContentSecurityPolicy.mm: Added. 13 (TEST): 14 * TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp-iframe.html: Added. 15 * TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp.html: Added. 16 * TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp-iframe.html: Added. 17 * TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp.html: Added. 18 1 19 2017-02-02 Alex Christensen <achristensen@webkit.org> 2 20 -
trunk/Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
r211539 r211656 540 540 CEA6CF2819CCF69D0064F5A7 /* open-and-close-window.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEA6CF2719CCF69D0064F5A7 /* open-and-close-window.html */; }; 541 541 CEBABD491B71687C0051210A /* should-open-external-schemes.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBABD481B71687C0051210A /* should-open-external-schemes.html */; }; 542 CEBCA12F1E3A660100C73293 /* OverrideContentSecurityPolicy.mm in Sources */ = {isa = PBXBuildFile; fileRef = CEBCA12E1E3A660100C73293 /* OverrideContentSecurityPolicy.mm */; }; 543 CEBCA1381E3A807A00C73293 /* page-with-csp.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBCA1351E3A803400C73293 /* page-with-csp.html */; }; 544 CEBCA1391E3A807A00C73293 /* page-with-csp-iframe.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBCA1341E3A803400C73293 /* page-with-csp-iframe.html */; }; 545 CEBCA13A1E3A807A00C73293 /* page-without-csp.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBCA1371E3A803400C73293 /* page-without-csp.html */; }; 546 CEBCA13B1E3A807A00C73293 /* page-without-csp-iframe.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = CEBCA1361E3A803400C73293 /* page-without-csp-iframe.html */; }; 542 547 E1220DCA155B28AA0013E2FC /* MemoryCacheDisableWithinResourceLoadDelegate.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = E1220DC9155B287D0013E2FC /* MemoryCacheDisableWithinResourceLoadDelegate.html */; }; 543 548 E194E1BD177E53C7009C4D4E /* StopLoadingFromDidReceiveResponse.html in Copy Resources */ = {isa = PBXBuildFile; fileRef = E194E1BC177E534A009C4D4E /* StopLoadingFromDidReceiveResponse.html */; }; … … 747 752 A1C4FB731BACD1CA003742D0 /* pages.pages in Copy Resources */, 748 753 A57A34F216AF6B2B00C2501F /* PageVisibilityStateWithWindowChanges.html in Copy Resources */, 754 CEBCA1381E3A807A00C73293 /* page-with-csp.html in Copy Resources */, 755 CEBCA1391E3A807A00C73293 /* page-with-csp-iframe.html in Copy Resources */, 
756 CEBCA13A1E3A807A00C73293 /* page-without-csp.html in Copy Resources */, 757 CEBCA13B1E3A807A00C73293 /* page-without-csp-iframe.html in Copy Resources */, 749 758 F6FDDDD614241C6F004F1729 /* push-state.html in Copy Resources */, 750 759 52B8CF9815868D9100281053 /* SetDocumentURI.html in Copy Resources */, … … 1332 1341 CEA6CF2719CCF69D0064F5A7 /* open-and-close-window.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "open-and-close-window.html"; sourceTree = "<group>"; }; 1333 1342 CEBABD481B71687C0051210A /* should-open-external-schemes.html */ = {isa = PBXFileReference; lastKnownFileType = text.html; path = "should-open-external-schemes.html"; sourceTree = "<group>"; }; 1343 CEBCA12E1E3A660100C73293 /* OverrideContentSecurityPolicy.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = OverrideContentSecurityPolicy.mm; sourceTree = "<group>"; }; 1344 CEBCA1341E3A803400C73293 /* page-with-csp-iframe.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "page-with-csp-iframe.html"; sourceTree = "<group>"; }; 1345 CEBCA1351E3A803400C73293 /* page-with-csp.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "page-with-csp.html"; sourceTree = "<group>"; }; 1346 CEBCA1361E3A803400C73293 /* page-without-csp-iframe.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "page-without-csp-iframe.html"; sourceTree = "<group>"; }; 1347 CEBCA1371E3A803400C73293 /* page-without-csp.html */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.html; path = "page-without-csp.html"; sourceTree = "<group>"; }; 1334 1348 DC69AA621CF77C6500C6272F /* ScopedLambda.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ScopedLambda.cpp; sourceTree = "<group>"; }; 1335 1349 E1220D9F155B25480013E2FC /* 
MemoryCacheDisableWithinResourceLoadDelegate.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = MemoryCacheDisableWithinResourceLoadDelegate.mm; sourceTree = "<group>"; }; … … 1546 1560 37A22AA51DCAA27200AFBFC4 /* ObservedRenderingProgressEventsAfterCrash.mm */, 1547 1561 CEA6CF2219CCF5BD0064F5A7 /* OpenAndCloseWindow.mm */, 1562 CEBCA12E1E3A660100C73293 /* OverrideContentSecurityPolicy.mm */, 1548 1563 C95501BE19AD2FAF0049BE3E /* Preferences.mm */, 1549 1564 5798E2AF1CAF5C2800C5CBA0 /* ProvisionalURLNotChange.mm */, … … 1729 1744 46C519E41D35629600DAA51A /* LocalStorageNullEntries.localstorage-shm */, 1730 1745 7CCB99221D3B44E7003922F6 /* open-multiple-external-url.html */, 1746 CEBCA1351E3A803400C73293 /* page-with-csp.html */, 1747 CEBCA1341E3A803400C73293 /* page-with-csp-iframe.html */, 1748 CEBCA1371E3A803400C73293 /* page-without-csp.html */, 1749 CEBCA1361E3A803400C73293 /* page-without-csp-iframe.html */, 1731 1750 F4F405BB1D4C0CF8007A9707 /* skinny-autoplaying-video-with-audio.html */, 1732 1751 515BE16E1D4288FF00DD7C68 /* StoreBlobToBeDeleted.html */, … … 2649 2668 7CCE7F051A411AE600447C4C /* NewFirstVisuallyNonEmptyLayoutFrames.cpp in Sources */, 2650 2669 7CCE7F251A411AF600447C4C /* OpenAndCloseWindow.mm in Sources */, 2670 CEBCA12F1E3A660100C73293 /* OverrideContentSecurityPolicy.mm in Sources */, 2651 2671 7CCB4DA91C83AE7300CC6918 /* PageGroup.cpp in Sources */, 2652 2672 5769C50B1D9B0002000847FB /* SerializedCryptoKeyWrap.mm in Sources */,
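Review bot: In Document::initSecurityContext (trunk/Source/WebCore/dom/Document.cpp) the guard is !overrideContentSecurityPolicy.isNull(), so an empty but non-null string is still handed to didReceiveHeader() as a PolicyFrom::API policy. didReceiveHeader() sets m_hasAPIPolicy before it parses anything, so an empty override is enough to make every later header and meta policy be ignored. If that is meant as the way for an embedding client to switch page policies off, state it in a comment on FrameLoaderClient::overrideContentSecurityPolicy() (the declaration in FrameLoaderClient.h has none; the behaviour is described only in the ChangeLog) and cover it with a test. Otherwise check isEmpty() here.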
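Review bot: In ContentSecurityPolicy::didReceiveHeader (trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp) the rule that an API policy must arrive before any document policy is checked only by ASSERT(m_policies.isEmpty()) inside the PolicyFrom::API branch, and an assertion does not protect a release build. If an API policy ever arrives after a header or meta policy, m_hasAPIPolicy is set and processing continues with the earlier policies still in m_policies, which is not an override. Handle that case explicitly, for example by clearing m_policies in that branch, and add a comment on m_hasAPIPolicy in ContentSecurityPolicy.h saying that once it is true both didReceiveHeader() and copyStateFrom() return without doing anything.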
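Review bot: In -[WKWebView _initializeWithConfiguration:] (trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm) the added lines read configuration._overrideContentSecurityPolicy, while the two context lines directly above them read their values from [_configuration ...]. Read the override from _configuration as well, so that every setting applied to pageConfiguration comes from the same object.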
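Review bot: In -[WKWebViewConfiguration _setOverrideContentSecurityPolicy:] (trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm) the setter stores the caller's pointer as is in a plain NSString * ivar (_overrideContentSecurityPolicy = overrideContentSecurityPolicy;), and copyWithZone: hands the same pointer to the copied configuration. Nothing copies the string, so a caller that passes an NSMutableString can change the policy after setting it, and if this file is built with manual reference counting the ivar does not keep the string alive. Store a copy of the argument, for example in a RetainPtr<NSString> holding [overrideContentSecurityPolicy copy], and declare the property with the copy attribute in WKWebViewConfigurationPrivate.h.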
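Review bot: The new _overrideContentSecurityPolicy property in trunk/Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h has no comment, and its behaviour cannot be guessed from the name. The value is read once in -[WKWebView _initializeWithConfiguration:], travels in WebPageCreationParameters, and ends up in a const String member of WebPage, so setting the property after the view exists has no effect. Please document that, together with the fact that nil means no override and that a non-nil value replaces the page's own policies instead of being enforced alongside them.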