Context Navigation

← Previous Changeset
Next Changeset →

Changeset 215753 in webkit

Timestamp:

Apr 25, 2017 1:26:13 PM (7 years ago)

Author:

dbates@webkit.org

Message:

[Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
https://bugs.webkit.org/show_bug.cgi?id=136452
<rdar://problem/23412620>

Reviewed by Brent Fulgham.

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

Source/cmake/OptionsMac.cmake:
Source/cmake/OptionsWin.cmake:

LayoutTests/imported/w3c:

Update expected results now we support X-Content-Type-Options: nosniff.

web-platform-tests/fetch/nosniff/parsing-nosniff-expected.txt:
web-platform-tests/fetch/nosniff/script-expected.txt:
web-platform-tests/fetch/nosniff/stylesheet-expected.txt:

Source/JavaScriptCore:

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

Configurations/FeatureDefines.xcconfig:

Source/WebCore:

Enable support for X-Content-Type-Options: nosniff on Mac, iOS and Windows.

Additionally, honor X-Content-Type-Options: nosniff header for stylesheets as per
<https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff%3F> (30 March 2017).

Test: http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html

Configurations/FeatureDefines.xcconfig:
css/StyleSheetContents.cpp:

(WebCore::StyleSheetContents::parseAuthorStyleSheet): Log an error if the stylesheet
has the nosniff header and does not have a valid MIME type. Also update code for
renaming of MIMETypeCheck to MIMETypeCheckHint.
(WebCore::StyleSheetContents::notifyLoadedSheet): If the stylesheet is blocked by
nosniff then consider it analogous to a load error so that we dispatch a DOM error
event at the <style>/<link> element.

dom/LoadableClassicScript.cpp:

(WebCore::LoadableClassicScript::notifyFinished): Modified the wording of the error
message when a script is disallowed by nosniff so as to more closely match the
wording used when a stylesheet is disallowed by nonsniff.

loader/cache/CachedCSSStyleSheet.cpp:

(WebCore::CachedCSSStyleSheet::sheetText): Update for renaming of MIMETypeCheck
to MIMETypeCheckHint.
(WebCore::CachedCSSStyleSheet::responseMIMEType): Added.
(WebCore::CachedCSSStyleSheet::mimeTypeAllowedByNosniff): Added.
(WebCore::CachedCSSStyleSheet::canUseSheet): Modified to check if the X-Content-Type-Options: nosniff
header is in the HTTP response for the stylesheet. If it is then we can only use the stylesheet
if its content-type is "text/css". Otherwise, apply the existing criterion for determining whether
to to use the stylesheet.

loader/cache/CachedCSSStyleSheet.h: Rename MIMETypeCheck to MIMETypeCheckHint to better

describe its purpose as a hint as to whether to enforce MIME type checking for the stylesheet.
Processing of the HTTP header X-Content-Type-Options takes precedence over this hint.

loader/cache/CachedScript.h: Make mimeType() private.

Source/WebCore/PAL:

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

Configurations/FeatureDefines.xcconfig:

Source/WebKit/mac:

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

Configurations/FeatureDefines.xcconfig:

Source/WebKit2:

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

Configurations/FeatureDefines.xcconfig:

Tools:

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

Scripts/webkitperl/FeatureList.pm: Also do not enable nosniff on EFL

as the EFL port is no longer in the WebKit OpenSource repository.

TestWebKitAPI/Configurations/FeatureDefines.xcconfig:

LayoutTests:

Unskip nosniff tests on Mac, iOS and Windows and update expected results now that
we support X-Content-Type-Options: nosniff.

Merge Blink test from <https://src.chromium.org/viewvc/blink?revision=168570&view=revision>.

TestExpectations: Unskip all nosniff tests except imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html.

We need to fix <https://bugs.webkit.org/show_bug.cgi?id=171248> before we can unskip it.
When running the nosniff Web Platform Tests (WPT) dump console messages to standard error
to avoid a difference of console message ordering due to the non-determinism of the WPT
tests from affecting the matching of the expected result.

http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt: Added.
http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html: Copied from LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked.html.
http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt: Update expected result.
http/tests/security/contentTypeOptions/nosniff-script-blocked.html: Substitute the not executable

MIME type "text/xx-javascript" for "text/x-javascript" as the latter is an acceptable MIME type for
JavaScript scripts as per the Fetch standard, <https://html.spec.whatwg.org/multipage/scripting.html#javascript-mime-type> (30 March 2017).

http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt: Update

expected result.

platform/gtk/TestExpectations: Skip the nosniff tests as GTK does not enable ENABLE(NOSNIFF).
platform/ios/TestExpectations: Unskip nosniff tests.
platform/mac/TestExpectations: Ditto.
platform/win/TestExpectations: Ditto.
platform/wk2/TestExpectations: Ditto.

Location:

trunk

Files:

: 1 added
: 35 edited
: 1 copied

ChangeLog (modified) (1 diff)
LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/TestExpectations (modified) (3 diffs)
LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt (added)
LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html (copied) (copied from trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked.html) (1 diff)
LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt (modified) (1 diff)
LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked.html (modified) (1 diff)
LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt (modified) (1 diff)
LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
LayoutTests/imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff-expected.txt (modified) (1 diff)
LayoutTests/imported/w3c/web-platform-tests/fetch/nosniff/script-expected.txt (modified) (1 diff)
LayoutTests/imported/w3c/web-platform-tests/fetch/nosniff/stylesheet-expected.txt (modified) (1 diff)
LayoutTests/platform/gtk/TestExpectations (modified) (1 diff)
LayoutTests/platform/ios/TestExpectations (modified) (1 diff)
LayoutTests/platform/mac/TestExpectations (modified) (1 diff)
LayoutTests/platform/win/TestExpectations (modified) (2 diffs)
LayoutTests/platform/wk2/TestExpectations (modified) (1 diff)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/Configurations/FeatureDefines.xcconfig (modified) (2 diffs)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/Configurations/FeatureDefines.xcconfig (modified) (2 diffs)
Source/WebCore/PAL/ChangeLog (modified) (1 diff)
Source/WebCore/PAL/Configurations/FeatureDefines.xcconfig (modified) (2 diffs)
Source/WebCore/css/StyleSheetContents.cpp (modified) (3 diffs)
Source/WebCore/dom/LoadableClassicScript.cpp (modified) (1 diff)
Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp (modified) (3 diffs)
Source/WebCore/loader/cache/CachedCSSStyleSheet.h (modified) (1 diff)
Source/WebCore/loader/cache/CachedScript.h (modified) (2 diffs)
Source/WebKit/mac/ChangeLog (modified) (1 diff)
Source/WebKit/mac/Configurations/FeatureDefines.xcconfig (modified) (2 diffs)
Source/WebKit2/ChangeLog (modified) (1 diff)
Source/WebKit2/Configurations/FeatureDefines.xcconfig (modified) (2 diffs)
Source/cmake/OptionsMac.cmake (modified) (1 diff)
Source/cmake/OptionsWin.cmake (modified) (1 diff)
Tools/ChangeLog (modified) (1 diff)
Tools/Scripts/webkitperl/FeatureList.pm (modified) (1 diff)
Tools/TestWebKitAPI/Configurations/FeatureDefines.xcconfig (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/ChangeLog

-                      r215684
+                      r215753
+-04-25  Daniel Bates  <dabates@apple.com>
+        [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
+        https://bugs.webkit.org/show_bug.cgi?id=136452
+        <rdar://problem/23412620>
+        Reviewed by Brent Fulgham.
+        Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.
+        * Source/cmake/OptionsMac.cmake:
+        * Source/cmake/OptionsWin.cmake:
 -04-24  Zan Dobersek  <zdobersek@igalia.com>

trunk/LayoutTests/ChangeLog

-                      r215738
+                      r215753
+-04-25  Daniel Bates  <dabates@apple.com>
+        [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
+        https://bugs.webkit.org/show_bug.cgi?id=136452
+        <rdar://problem/23412620>
+        Reviewed by Brent Fulgham.
+        Unskip nosniff tests on Mac, iOS and Windows and update expected results now that
+        we support X-Content-Type-Options: nosniff.
+        Merge Blink test from <https://src.chromium.org/viewvc/blink?revision=168570&view=revision>.
+        * TestExpectations: Unskip all nosniff tests except imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html.
+        We need to fix <https://bugs.webkit.org/show_bug.cgi?id=171248> before we can unskip it.
+        When running the nosniff Web Platform Tests (WPT) dump console messages to standard error
+        to avoid a difference of console message ordering due to the non-determinism of the WPT
+        tests from affecting the matching of the expected result.
+        * http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt: Added.
+        * http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html: Copied from LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked.html.
+        * http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt: Update expected result.
+        * http/tests/security/contentTypeOptions/nosniff-script-blocked.html: Substitute the not executable
+        MIME type "text/xx-javascript" for "text/x-javascript" as the latter is an acceptable MIME type for
+        JavaScript scripts as per the Fetch standard, <https://html.spec.whatwg.org/multipage/scripting.html#javascript-mime-type> (30 March 2017).
+        * http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt: Update
+        expected result.
+        * platform/gtk/TestExpectations: Skip the nosniff tests as GTK does not enable ENABLE(NOSNIFF).
+        * platform/ios/TestExpectations: Unskip nosniff tests.
+        * platform/mac/TestExpectations: Ditto.
+        * platform/win/TestExpectations: Ditto.
+        * platform/wk2/TestExpectations: Ditto.
 -04-25  Ryan Haddad  <ryanhaddad@apple.com>

trunk/LayoutTests/TestExpectations

-                      r215726
+                      r215753
 imported/w3c/web-platform-tests/resource-timing/test_resource_timing.html [ Pass Failure ]
-webkit.org/b/157068 imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html [ Skip ]
-webkit.org/b/157145 imported/w3c/web-platform-tests/fetch/nosniff/stylesheet.html [ Failure Pass ]
 webkit.org/b/161312 imported/w3c/web-platform-tests/html/semantics/document-metadata/the-link-element/document-without-browsing-context.html [ Failure Pass ]
 …
 webkit.org/b/168238 imported/w3c/web-platform-tests/dom/events/EventListener-invoke-legacy.html [ Pass Failure ]
+# Ignore MIME type refused console messages when comparing nosniff tests results as their ordering is non-deterministic.
+imported/w3c/web-platform-tests/fetch/nosniff [ DumpJSConsoleLogInStdErr ]
 ########################################
 ### START OF -disabled tests
 …
 webkit.org/b/170701 webrtc/datachannel/bufferedAmountLowThreshold.html [ Pass Failure ]
+webkit.org/b/171248 imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html

trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html

-                      r215752
+                      r215753
         window.jsTestIsAsync = true;
-        var unscriptyMimeTypes = [
-            'application/json',
-            'image/png',
-            'text/html',
-            'text/vbs',
-            'text/vbscript',
-            'text/x-javascript',
-        ];
         window.scriptsSuccessfullyLoaded = 0;
         for (var i = 0; i < unscriptyMimeTypes.length; i++) {
             document.write('<script src="./resources/script-with-header.pl?mime=' + unscriptyMimeTypes[i] + '"><' + '/script>');
+        }
+        var s = document.createElement('script');
+        s.src = './resources/script-with-header.pl?mime=application/json';
+        document.querySelector('head').appendChild(s);
         window.onload = function () {

trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt

-                      r164848
+                      r215753
 CONSOLE MESSAGE: line 30: Refused to execute script from 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/json' because its MIME type ('application/json') is not executable, and strict MIME type checking is enabled.
 CONSOLE MESSAGE: line 30: Refused to execute script from 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=image/png' because its MIME type ('image/png') is not executable, and strict MIME type checking is enabled.
 CONSOLE MESSAGE: line 30: Refused to execute script from 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
 CONSOLE MESSAGE: line 30: Refused to execute script from 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbs' because its MIME type ('text/vbs') is not executable, and strict MIME type checking is enabled.
 CONSOLE MESSAGE: line 30: Refused to execute script from 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbscript' because its MIME type ('text/vbscript') is not executable, and strict MIME type checking is enabled.
 CONSOLE MESSAGE: line 30: Refused to execute script from 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/x-javascript' because its MIME type ('text/x-javascript') is not executable, and strict MIME type checking is enabled.
+CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/json' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
+CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=image/png' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
+CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
+CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbs' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
+CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/vbscript' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
+CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xx-javascript' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
 Check that script sent with an 'X-Content-Type-Options: nosniff' header is correctly blocked if the MIME type isn't scripty.

trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked.html

r142683	r215753
15	15	'text/vbs',
16	16	'text/vbscript',
17		'text/x-javascript',
	17	'text/xx-javascript',
18	18	];
19	19

trunk/LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt

r164848	r215753
1		CONSOLE MESSAGE: line 16: Refused to execute script from 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.
	1	CONSOLE MESSAGE: Did not load script at 'http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.
2	2	Check that script sent with an 'X-Content-Type-Options: nosniff' header is correctly blocked if no 'Content-Type' header is present.
3	3

trunk/LayoutTests/imported/w3c/ChangeLog

-                      r215726
+                      r215753
+-04-25  Daniel Bates  <dabates@apple.com>
+        [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
+        https://bugs.webkit.org/show_bug.cgi?id=136452
+        <rdar://problem/23412620>
+        Reviewed by Brent Fulgham.
+        Update expected results now we support X-Content-Type-Options: nosniff.
+        * web-platform-tests/fetch/nosniff/parsing-nosniff-expected.txt:
+        * web-platform-tests/fetch/nosniff/script-expected.txt:
+        * web-platform-tests/fetch/nosniff/stylesheet-expected.txt:
 -04-25  Frederic Wang  <fwang@igalia.com>

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff-expected.txt

r200195	r215753
1	1
2	2	FAIL URL query: first assert_unreached: Unexpected load event Reached unreachable code
3		FAIL URL query: uppercase assert_unreached: Unexpected load event Reached unreachable code
	3	PASS URL query: uppercase
4	4	PASS URL query: last
5	5	PASS URL query: quoted

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/nosniff/script-expected.txt

-                      r200195
+                      r215753
+FAIL URL query:  assert_unreached: Unexpected load event Reached unreachable code
+FAIL URL query: ?type= assert_unreached: Unexpected load event Reached unreachable code
+FAIL URL query: ?type=x assert_unreached: Unexpected load event Reached unreachable code
+FAIL URL query: ?type=x/x assert_unreached: Unexpected load event Reached unreachable code
+PASS URL query:
+PASS URL query: ?type=
+PASS URL query: ?type=x
+PASS URL query: ?type=x/x
 PASS URL query: ?type=text/javascript
 PASS URL query: ?type=text/ecmascript

trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/nosniff/stylesheet-expected.txt

-                      r204079
+                      r215753
+FAIL URL query:  assert_unreached: Unexpected load event Reached unreachable code
+FAIL URL query: ?type= assert_unreached: Unexpected load event Reached unreachable code
+FAIL URL query: ?type=x assert_unreached: Unexpected load event Reached unreachable code
+FAIL URL query: ?type=x/x assert_unreached: Unexpected load event Reached unreachable code
+PASS URL query:
+PASS URL query: ?type=
+PASS URL query: ?type=x
+PASS URL query: ?type=x/x
 PASS URL query: ?type=text/css
 PASS URL query: ?type=text/css;blah

trunk/LayoutTests/platform/gtk/TestExpectations

r215561	r215753
77	77	# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
78	78	webkit.org/b/71851 http/tests/security/contentTypeOptions [ Skip ]
	79	imported/w3c/web-platform-tests/fetch/nosniff [ Skip ]
79	80
80	81

trunk/LayoutTests/platform/ios/TestExpectations

-                      r215643
+                      r215753
 fast/history/page-cache-media-source-opened.html [ Skip ]
 fast/history/page-cache-removed-source-buffer.html [ Skip ]
-# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
-webkit.org/b/136452 http/tests/security/contentTypeOptions
 # IndexedDB tests have numerous unexpected failures on iOS

trunk/LayoutTests/platform/mac/TestExpectations

-                      r215652
+                      r215753
 fast/forms/time
 fast/forms/week
-# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
-webkit.org/b/136452 http/tests/security/contentTypeOptions
 # Media Stream API is not fully supported.

trunk/LayoutTests/platform/win/TestExpectations

-                      r215736
+                      r215753
 # ENABLE_GAMEPAD not enabled.
 gamepad/ [ Skip ]
-# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
-webkit.org/b/136452 http/tests/security/contentTypeOptions
 # TODO Userscripts stuff is not implemented
 …
 http/tests/navigation/restore-form-state-https.html [ Failure ]
 http/tests/navigation/target-blank-opener.html [ Skip ] # Timeout
-http/tests/security/contentTypeOptions/nosniff-script-blocked.html [ Failure ]
 http/tests/security/cross-frame-access-call.html [ Failure ]
 http/tests/security/cross-frame-access-get.html [ Failure ]

trunk/LayoutTests/platform/wk2/TestExpectations

-                      r215301
+                      r215753
 http/tests/security/canvas-remote-read-remote-video-allowed-with-credentials.html [ Failure ]
 http/tests/security/video-cross-origin-readback.html
-# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
-http/tests/security/contentTypeOptions
 # Unexpected redirection happens.

trunk/Source/JavaScriptCore/ChangeLog

-                      r215748
+                      r215753
+-04-25  Daniel Bates  <dabates@apple.com>
+        [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
+        https://bugs.webkit.org/show_bug.cgi?id=136452
+        <rdar://problem/23412620>
+        Reviewed by Brent Fulgham.
+        Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.
+        * Configurations/FeatureDefines.xcconfig:
 -04-25  Mark Lam  <mark.lam@apple.com>

trunk/Source/JavaScriptCore/Configurations/FeatureDefines.xcconfig

-                      r215548
+                      r215753
 ENABLE_NAVIGATOR_CONTENT_UTILS = ;
 ENABLE_NAVIGATOR_HWCONCURRENCY = ENABLE_NAVIGATOR_HWCONCURRENCY;
 ENABLE_NOSNIFF = ;
+ENABLE_NOSNIFF = ENABLE_NOSNIFF;
 ENABLE_NOTIFICATIONS[sdk=macosx*] = ENABLE_NOTIFICATIONS;
 ENABLE_PDFKIT_PLUGIN[sdk=macosx*] = ENABLE_PDFKIT_PLUGIN;
 …
 ENABLE_VARIATION_FONTS_IF_NOT_YES = ;
 FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);
+FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOSNIFF) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);

trunk/Source/WebCore/ChangeLog

-                      r215752
+                      r215753
+-04-25  Daniel Bates  <dabates@apple.com>
+        [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
+        https://bugs.webkit.org/show_bug.cgi?id=136452
+        <rdar://problem/23412620>
+        Reviewed by Brent Fulgham.
+        Enable support for X-Content-Type-Options: nosniff on Mac, iOS and Windows.
+        Additionally, honor X-Content-Type-Options: nosniff header for stylesheets as per
+        <https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff%3F> (30 March 2017).
+        Test: http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html
+        * Configurations/FeatureDefines.xcconfig:
+        * css/StyleSheetContents.cpp:
+        (WebCore::StyleSheetContents::parseAuthorStyleSheet): Log an error if the stylesheet
+        has the nosniff header and does not have a valid MIME type. Also update code for
+        renaming of MIMETypeCheck to MIMETypeCheckHint.
+        (WebCore::StyleSheetContents::notifyLoadedSheet): If the stylesheet is blocked by
+        nosniff then consider it analogous to a load error so that we dispatch a DOM error
+        event at the <style>/<link> element.
+        * dom/LoadableClassicScript.cpp:
+        (WebCore::LoadableClassicScript::notifyFinished): Modified the wording of the error
+        message when a script is disallowed by nosniff so as to more closely match the
+        wording used when a stylesheet is disallowed by nonsniff.
+        * loader/cache/CachedCSSStyleSheet.cpp:
+        (WebCore::CachedCSSStyleSheet::sheetText): Update for renaming of MIMETypeCheck
+        to MIMETypeCheckHint.
+        (WebCore::CachedCSSStyleSheet::responseMIMEType): Added.
+        (WebCore::CachedCSSStyleSheet::mimeTypeAllowedByNosniff): Added.
+        (WebCore::CachedCSSStyleSheet::canUseSheet): Modified to check if the X-Content-Type-Options: nosniff
+        header is in the HTTP response for the stylesheet. If it is then we can only use the stylesheet
+        if its content-type is "text/css". Otherwise, apply the existing criterion for determining whether
+        to to use the stylesheet.
+        * loader/cache/CachedCSSStyleSheet.h: Rename MIMETypeCheck to MIMETypeCheckHint to better
+        describe its purpose as a hint as to whether to enforce MIME type checking for the stylesheet.
+        Processing of the HTTP header X-Content-Type-Options takes precedence over this hint.
+        * loader/cache/CachedScript.h: Make mimeType() private.
+-04-25  Daniel Bates  <dabates@apple.com>
+        [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
+        https://bugs.webkit.org/show_bug.cgi?id=136452
+        <rdar://problem/23412620>
+        Reviewed by Brent Fulgham.
+        Part 1
+        Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.
+        * Configurations/FeatureDefines.xcconfig:
 -04-25  Myles C. Maxfield  <mmaxfield@apple.com>

trunk/Source/WebCore/Configurations/FeatureDefines.xcconfig

-                      r215548
+                      r215753
 ENABLE_NAVIGATOR_CONTENT_UTILS = ;
 ENABLE_NAVIGATOR_HWCONCURRENCY = ENABLE_NAVIGATOR_HWCONCURRENCY;
 ENABLE_NOSNIFF = ;
+ENABLE_NOSNIFF = ENABLE_NOSNIFF;
 ENABLE_NOTIFICATIONS[sdk=macosx*] = ENABLE_NOTIFICATIONS;
 ENABLE_PDFKIT_PLUGIN[sdk=macosx*] = ENABLE_PDFKIT_PLUGIN;
 …
 ENABLE_VARIATION_FONTS_IF_NOT_YES = ;
 FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);
+FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOSNIFF) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);

trunk/Source/WebCore/PAL/ChangeLog

-                      r215548
+                      r215753
+-04-25  Daniel Bates  <dabates@apple.com>
+        [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
+        https://bugs.webkit.org/show_bug.cgi?id=136452
+        <rdar://problem/23412620>
+        Reviewed by Brent Fulgham.
+        Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.
+        * Configurations/FeatureDefines.xcconfig:
 -04-19  Youenn Fablet  <youenn@apple.com>

trunk/Source/WebCore/PAL/Configurations/FeatureDefines.xcconfig

-                      r215548
+                      r215753
 ENABLE_NAVIGATOR_CONTENT_UTILS = ;
 ENABLE_NAVIGATOR_HWCONCURRENCY = ENABLE_NAVIGATOR_HWCONCURRENCY;
 ENABLE_NOSNIFF = ;
+ENABLE_NOSNIFF = ENABLE_NOSNIFF;
 ENABLE_NOTIFICATIONS[sdk=macosx*] = ENABLE_NOTIFICATIONS;
 ENABLE_PDFKIT_PLUGIN[sdk=macosx*] = ENABLE_PDFKIT_PLUGIN;
 …
 ENABLE_VARIATION_FONTS_IF_NOT_YES = ;
 FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);
+FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOSNIFF) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);

trunk/Source/WebCore/css/StyleSheetContents.cpp

-                      r212614
+                      r215753
+{
     bool isSameOriginRequest = securityOrigin && securityOrigin->canRequest(baseURL());
     CachedCSSStyleSheet::MIMETypeCheck mimeTypeCheck = isStrictParserMode(m_parserContext.mode) || !isSameOriginRequest ? CachedCSSStyleSheet::MIMETypeCheck::Strict : CachedCSSStyleSheet::MIMETypeCheck::Lax;
+    CachedCSSStyleSheet::MIMETypeCheckHint mimeTypeCheckHint = isStrictParserMode(m_parserContext.mode) || !isSameOriginRequest ? CachedCSSStyleSheet::MIMETypeCheckHint::Strict : CachedCSSStyleSheet::MIMETypeCheckHint::Lax;
     bool hasValidMIMEType = true;
     String sheetText = cachedStyleSheet->sheetText(mimeTypeCheck, &hasValidMIMEType);
+    String sheetText = cachedStyleSheet->sheetText(mimeTypeCheckHint, &hasValidMIMEType);
     if (!hasValidMIMEType) {
 …
             if (auto* page = document->page()) {
                 if (isStrictParserMode(m_parserContext.mode))
+                    page->console().addMessage(MessageSource::Security, MessageLevel::Error, "Did not parse stylesheet at '" + cachedStyleSheet->url().stringCenterEllipsizedToLength() + "' because non CSS MIME types are not allowed in strict mode.");
+                    page->console().addMessage(MessageSource::Security, MessageLevel::Error, makeString("Did not parse stylesheet at '", cachedStyleSheet->url().stringCenterEllipsizedToLength(), "' because non CSS MIME types are not allowed in strict mode."));
+#if ENABLE(NOSNIFF)
+                else if (!cachedStyleSheet->mimeTypeAllowedByNosniff())
+                    page->console().addMessage(MessageSource::Security, MessageLevel::Error, makeString("Did not parse stylesheet at '", cachedStyleSheet->url().stringCenterEllipsizedToLength(), "' because non CSS MIME types are not allowed when 'X-Content-Type: nosniff' is given."));
+#endif
                 else
                     page->console().addMessage(MessageSource::Security, MessageLevel::Error, "Did not parse stylesheet at '" + cachedStyleSheet->url().stringCenterEllipsizedToLength() + "' because non CSS MIME types are not allowed for cross-origin stylesheets.");
+                    page->console().addMessage(MessageSource::Security, MessageLevel::Error, makeString("Did not parse stylesheet at '", cachedStyleSheet->url().stringCenterEllipsizedToLength(), "' because non CSS MIME types are not allowed for cross-origin stylesheets."));
+            }
+        }
 …
     ASSERT(sheet);
     m_didLoadErrorOccur |= sheet->errorOccurred();
+#if ENABLE(NOSNIFF)
+    m_didLoadErrorOccur |= !sheet->mimeTypeAllowedByNosniff();
+#endif
+}

trunk/Source/WebCore/dom/LoadableClassicScript.cpp

-                      r211280
+                      r215753
                 MessageSource::Security,
                 MessageLevel::Error,
+                makeString(
+                    "Refused to execute script from '", m_cachedScript->url().stringCenterEllipsizedToLength(),
+                    "' because its MIME type ('", m_cachedScript->mimeType(), "') is not executable, and strict MIME type checking is enabled.")
+                makeString("Did not load script at '", m_cachedScript->url().stringCenterEllipsizedToLength(), "' because non script MIME types are not allowed when 'X-Content-Type: nosniff' is given.")
+            }
         };

trunk/Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp

-                      r215229
+                      r215753
+}
 const String CachedCSSStyleSheet::sheetText(MIMETypeCheck mimeTypeCheck, bool* hasValidMIMEType) const
+{
     if (!m_data || m_data->isEmpty() || !canUseSheet(mimeTypeCheck, hasValidMIMEType))
+const String CachedCSSStyleSheet::sheetText(MIMETypeCheckHint mimeTypeCheckHint, bool* hasValidMIMEType) const
+{
+    if (!m_data || m_data->isEmpty() || !canUseSheet(mimeTypeCheckHint, hasValidMIMEType))
         return String();
 …
+}
+bool CachedCSSStyleSheet::canUseSheet(MIMETypeCheck mimeTypeCheck, bool* hasValidMIMEType) const
+String CachedCSSStyleSheet::responseMIMEType() const
+{
+    return extractMIMETypeFromMediaType(m_response.httpHeaderField(HTTPHeaderName::ContentType));
+}
+#if ENABLE(NOSNIFF)
+bool CachedCSSStyleSheet::mimeTypeAllowedByNosniff() const
+{
+    return parseContentTypeOptionsHeader(m_response.httpHeaderField(HTTPHeaderName::XContentTypeOptions)) != ContentTypeOptionsNosniff || equalLettersIgnoringASCIICase(responseMIMEType(), "text/css");
+}
+#endif
+bool CachedCSSStyleSheet::canUseSheet(MIMETypeCheckHint mimeTypeCheckHint, bool* hasValidMIMEType) const
+{
     if (errorOccurred())
         return false;
+    if (mimeTypeCheck == MIMETypeCheck::Lax)
+#if ENABLE(NOSNIFF)
+    if (!mimeTypeAllowedByNosniff()) {
+        if (hasValidMIMEType)
+            *hasValidMIMEType = false;
+        return false;
+    }
+#endif
+    if (mimeTypeCheckHint == MIMETypeCheckHint::Lax)
         return true;
 …
     // This code defaults to allowing the stylesheet for non-HTTP protocols so
     // folks can use standards mode for local HTML documents.
     String mimeType = extractMIMETypeFromMediaType(response().httpHeaderField(HTTPHeaderName::ContentType));
+    String mimeType = responseMIMEType();
     bool typeOK = mimeType.isEmpty() || equalLettersIgnoringASCIICase(mimeType, "text/css") || equalLettersIgnoringASCIICase(mimeType, "application/x-unknown-content-type");
     if (hasValidMIMEType)

trunk/Source/WebCore/loader/cache/CachedCSSStyleSheet.h

-                      r210845
+                      r215753
     virtual ~CachedCSSStyleSheet();
     enum class MIMETypeCheck { Strict, Lax };
     const String sheetText(MIMETypeCheck = MIMETypeCheck::Strict, bool* hasValidMIMEType = nullptr) const;
+    enum class MIMETypeCheckHint { Strict, Lax };
+    const String sheetText(MIMETypeCheckHint = MIMETypeCheckHint::Strict, bool* hasValidMIMEType = nullptr) const;
     RefPtr<StyleSheetContents> restoreParsedStyleSheet(const CSSParserContext&, CachePolicy);
     void saveParsedStyleSheet(Ref<StyleSheetContents>&&);
+#if ENABLE(NOSNIFF)
+    bool mimeTypeAllowedByNosniff() const;
+#endif
 private:
+    bool canUseSheet(MIMETypeCheck, bool* hasValidMIMEType) const;
+    String responseMIMEType() const;
+    bool canUseSheet(MIMETypeCheckHint, bool* hasValidMIMEType) const;
     bool mayTryReplaceEncodedData() const final { return true; }

trunk/Source/WebCore/loader/cache/CachedScript.h

-                      r208646
+                      r215753
     unsigned scriptHash();
-    String mimeType() const;
 #if ENABLE(NOSNIFF)
     bool mimeTypeAllowedByNosniff() const;
 …
 private:
+    String mimeType() const;
     bool mayTryReplaceEncodedData() const final { return true; }

trunk/Source/WebKit/mac/ChangeLog

-                      r215724
+                      r215753
+-04-25  Daniel Bates  <dabates@apple.com>
+        [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
+        https://bugs.webkit.org/show_bug.cgi?id=136452
+        <rdar://problem/23412620>
+        Reviewed by Brent Fulgham.
+        Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.
+        * Configurations/FeatureDefines.xcconfig:
 -04-25  Wenson Hsieh  <wenson_hsieh@apple.com>

trunk/Source/WebKit/mac/Configurations/FeatureDefines.xcconfig

-                      r215548
+                      r215753
 ENABLE_NAVIGATOR_CONTENT_UTILS = ;
 ENABLE_NAVIGATOR_HWCONCURRENCY = ENABLE_NAVIGATOR_HWCONCURRENCY;
 ENABLE_NOSNIFF = ;
+ENABLE_NOSNIFF = ENABLE_NOSNIFF;
 ENABLE_NOTIFICATIONS[sdk=macosx*] = ENABLE_NOTIFICATIONS;
 ENABLE_PDFKIT_PLUGIN[sdk=macosx*] = ENABLE_PDFKIT_PLUGIN;
 …
 ENABLE_VARIATION_FONTS_IF_NOT_YES = ;
 FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);
+FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOSNIFF) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);

trunk/Source/WebKit2/ChangeLog

-                      r215741
+                      r215753
+-04-25  Daniel Bates  <dabates@apple.com>
+        [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
+        https://bugs.webkit.org/show_bug.cgi?id=136452
+        <rdar://problem/23412620>
+        Reviewed by Brent Fulgham.
+        Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.
+        * Configurations/FeatureDefines.xcconfig:
 -04-25  John Wilander  <wilander@apple.com>

trunk/Source/WebKit2/Configurations/FeatureDefines.xcconfig

-                      r215548
+                      r215753
 ENABLE_NAVIGATOR_CONTENT_UTILS = ;
 ENABLE_NAVIGATOR_HWCONCURRENCY = ENABLE_NAVIGATOR_HWCONCURRENCY;
 ENABLE_NOSNIFF = ;
+ENABLE_NOSNIFF = ENABLE_NOSNIFF;
 ENABLE_NOTIFICATIONS[sdk=macosx*] = ENABLE_NOTIFICATIONS;
 ENABLE_PDFKIT_PLUGIN[sdk=macosx*] = ENABLE_PDFKIT_PLUGIN;
 …
 ENABLE_VARIATION_FONTS_IF_NOT_YES = ;
 FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);
+FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOSNIFF) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);

trunk/Source/cmake/OptionsMac.cmake

r213450	r215753
67	67	WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_NAVIGATOR_CONTENT_UTILS PRIVATE OFF)
68	68	WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_NAVIGATOR_HWCONCURRENCY PRIVATE ON)
69		WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_NOSNIFF PRIVATE OFF)
	69	WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_NOSNIFF PRIVATE ON)
70	70	WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_NOTIFICATIONS PRIVATE ON)
71	71	WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_PDFKIT_PLUGIN PRIVATE ON)

trunk/Source/cmake/OptionsWin.cmake

r215429	r215753
47	47	WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_METER_ELEMENT PUBLIC ON)
48	48	WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_MOUSE_CURSOR_SCALE PUBLIC ON)
	49	WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_NOSNIFF PRIVATE ON)
49	50	WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_NOTIFICATIONS PUBLIC OFF)
50	51	WEBKIT_OPTION_DEFAULT_PORT_VALUE(ENABLE_PROXIMITY_EVENTS PUBLIC OFF)

trunk/Tools/ChangeLog

-                      r215744
+                      r215753
+-04-25  Daniel Bates  <dabates@apple.com>
+        [Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
+        https://bugs.webkit.org/show_bug.cgi?id=136452
+        <rdar://problem/23412620>
+        Reviewed by Brent Fulgham.
+        Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.
+        * Scripts/webkitperl/FeatureList.pm: Also do not enable nosniff on EFL
+        as the EFL port is no longer in the WebKit OpenSource repository.
+        * TestWebKitAPI/Configurations/FeatureDefines.xcconfig:
 -04-25  Zan Dobersek  <zdobersek@igalia.com>

trunk/Tools/Scripts/webkitperl/FeatureList.pm

r213450	r215753
328	328
329	329	{ option => "nosniff", desc => "Toggle support for 'X-Content-Type-Options: nosniff'",
330		define => "ENABLE_NOSNIFF", default => ~~isEfl(~~), value => \$nosniffSupport },
	330	define => "ENABLE_NOSNIFF", default => (isAppleCocoaWebKit() \|\| isAppleWinWebKit()), value => \$nosniffSupport },
331	331
332	332	{ option => "notifications", desc => "Toggle Notifications support",

trunk/Tools/TestWebKitAPI/Configurations/FeatureDefines.xcconfig

-                      r215548
+                      r215753
 ENABLE_NAVIGATOR_CONTENT_UTILS = ;
 ENABLE_NAVIGATOR_HWCONCURRENCY = ENABLE_NAVIGATOR_HWCONCURRENCY;
 ENABLE_NOSNIFF = ;
+ENABLE_NOSNIFF = ENABLE_NOSNIFF;
 ENABLE_NOTIFICATIONS[sdk=macosx*] = ENABLE_NOTIFICATIONS;
 ENABLE_PDFKIT_PLUGIN[sdk=macosx*] = ENABLE_PDFKIT_PLUGIN;
 …
 ENABLE_VARIATION_FONTS_IF_NOT_YES = ;
 FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);
+FEATURE_DEFINES = $(ENABLE_3D_TRANSFORMS) $(ENABLE_ACCELERATED_2D_CANVAS) $(ENABLE_ACCELERATED_OVERFLOW_SCROLLING) $(ENABLE_APPLE_PAY) $(ENABLE_APPLE_PAY_DELEGATE) $(ENABLE_ATTACHMENT_ELEMENT) $(ENABLE_AVF_CAPTIONS) $(ENABLE_CACHE_PARTITIONING) $(ENABLE_CANVAS_PATH) $(ENABLE_CANVAS_PROXY) $(ENABLE_CHANNEL_MESSAGING) $(ENABLE_CONTENT_FILTERING) $(ENABLE_CSS_ANIMATIONS_LEVEL_2) $(ENABLE_CSS_BOX_DECORATION_BREAK) $(ENABLE_CSS_COMPOSITING) $(ENABLE_CSS_DEVICE_ADAPTATION) $(ENABLE_CSS_IMAGE_ORIENTATION) $(ENABLE_CSS_IMAGE_RESOLUTION) $(ENABLE_CSS_REGIONS) $(ENABLE_CSS_SCROLL_SNAP) $(ENABLE_CSS_SELECTORS_LEVEL4) $(ENABLE_CSS_TRAILING_WORD) $(ENABLE_CSS3_TEXT) $(ENABLE_CURSOR_VISIBILITY) $(ENABLE_CUSTOM_SCHEME_HANDLER) $(ENABLE_DASHBOARD_SUPPORT) $(ENABLE_DATA_TRANSFER_ITEMS) $(ENABLE_DATACUE_VALUE) $(ENABLE_DATALIST_ELEMENT) $(ENABLE_DEVICE_ORIENTATION) $(ENABLE_ENCRYPTED_MEDIA) $(ENABLE_FAST_JIT_PERMISSIONS) $(ENABLE_FETCH_API) $(ENABLE_FILTERS_LEVEL_2) $(ENABLE_FONT_LOAD_EVENTS) $(ENABLE_FTL_JIT) $(ENABLE_FULLSCREEN_API) $(ENABLE_GAMEPAD_DEPRECATED) $(ENABLE_GAMEPAD) $(ENABLE_GEOLOCATION) $(ENABLE_ICONDATABASE) $(ENABLE_INDEXED_DATABASE_IN_WORKERS) $(ENABLE_INDEXED_DATABASE) $(ENABLE_INPUT_TYPE_COLOR_POPOVER) $(ENABLE_INPUT_TYPE_COLOR) $(ENABLE_INPUT_TYPE_DATE) $(ENABLE_INPUT_TYPE_DATETIME_INCOMPLETE) $(ENABLE_INPUT_TYPE_DATETIMELOCAL) $(ENABLE_INPUT_TYPE_MONTH) $(ENABLE_INPUT_TYPE_TIME) $(ENABLE_INPUT_TYPE_WEEK) $(ENABLE_INTERSECTION_OBSERVER) $(ENABLE_INTL) $(ENABLE_IOS_GESTURE_EVENTS) $(ENABLE_IOS_TOUCH_EVENTS) $(ENABLE_JIT) $(ENABLE_KEYBOARD_KEY_ATTRIBUTE) $(ENABLE_KEYBOARD_CODE_ATTRIBUTE) $(ENABLE_LEGACY_CSS_VENDOR_PREFIXES) $(ENABLE_LEGACY_ENCRYPTED_MEDIA) $(ENABLE_LEGACY_NOTIFICATIONS) $(ENABLE_LEGACY_VENDOR_PREFIXES) $(ENABLE_LETTERPRESS) $(ENABLE_LINK_PREFETCH) $(ENABLE_MAC_GESTURE_EVENTS) $(ENABLE_MATHML) $(ENABLE_MEDIA_CAPTURE) $(ENABLE_MEDIA_CONTROLS_SCRIPT) $(ENABLE_MEDIA_SESSION) $(ENABLE_MEDIA_SOURCE) $(ENABLE_MEDIA_STATISTICS) $(ENABLE_MEDIA_STREAM) $(ENABLE_METER_ELEMENT) $(ENABLE_MHTML) $(ENABLE_MOUSE_CURSOR_SCALE) $(ENABLE_NAVIGATOR_CONTENT_UTILS) $(ENABLE_NAVIGATOR_HWCONCURRENCY) $(ENABLE_NOSNIFF) $(ENABLE_NOTIFICATIONS) $(ENABLE_PDFKIT_PLUGIN) $(ENABLE_POINTER_LOCK) $(ENABLE_PROXIMITY_EVENTS) $(ENABLE_PUBLIC_SUFFIX_LIST) $(ENABLE_QUOTA) $(ENABLE_REMOTE_INSPECTOR) $(ENABLE_REQUEST_AUTOCOMPLETE) $(ENABLE_RESOLUTION_MEDIA_QUERY) $(ENABLE_RESOURCE_USAGE) $(ENABLE_RUBBER_BANDING) $(ENABLE_SERVICE_CONTROLS) $(ENABLE_SPEECH_SYNTHESIS) $(ENABLE_STREAMS_API) $(ENABLE_SUBTLE_CRYPTO) $(ENABLE_SVG_FONTS) $(ENABLE_TELEPHONE_NUMBER_DETECTION) $(ENABLE_TEXT_AUTOSIZING) $(ENABLE_TOUCH_EVENTS) $(ENABLE_TOUCH_ICON_LOADING) $(ENABLE_USERSELECT_ALL) $(ENABLE_VARIATION_FONTS) $(ENABLE_VIDEO_PRESENTATION_MODE) $(ENABLE_MAC_VIDEO_TOOLBOX) $(ENABLE_VIDEO_TRACK) $(ENABLE_VIDEO) $(ENABLE_VIEW_MODE_CSS_MEDIA) $(ENABLE_WEB_ANIMATIONS) $(ENABLE_WEB_AUDIO) $(ENABLE_WEB_REPLAY) $(ENABLE_WEB_RTC) $(ENABLE_WEB_SOCKETS) $(ENABLE_WEB_TIMING) $(ENABLE_WEBASSEMBLY) $(ENABLE_WEBGL) $(ENABLE_WEBGL2) $(ENABLE_WEBGPU) $(ENABLE_WIRELESS_PLAYBACK_TARGET) $(ENABLE_XSLT);

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 215753 in webkit

Legend:

Download in other formats: