Title: [284067] trunk
Revision
284067
Author
katherine_che...@apple.com
Date
2021-10-12 17:31:13 -0700 (Tue, 12 Oct 2021)

Log Message

CSP: Implement unsafe-hashes
https://bugs.webkit.org/show_bug.cgi?id=231313
<rdar://problem/83724376>

Reviewed by Brent Fulgham.

LayoutTests/imported/w3c:

Some unsafe-hashes tests still "fail" because we haven't implemented
some directives like script-src-elem/script-src-attr but will
still test correct behavior for unsafe-hashes because the reports are
received correctly. Tracking implementation of missing directives
in rdar://83332874.

* web-platform-tests/content-security-policy/navigation/to-_javascript_-parent-initiated-parent-csp-expected.txt:
* web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline-expected.txt:
Tests that have changed failures now that the blockedURI target is
correct.

* web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href-expected.txt:
* web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href_blank-expected.txt:
* web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-window_location-expected.txt:
* web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-window_open-expected.txt:
* web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed-expected.txt:
* web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed-expected.txt:
* web-platform-tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic-expected.txt:
* web-platform-tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module-expected.txt:

Source/WebCore:

No new tests. Existing imported web platform tests cover behavior.

unsafe-hashes allows specific event handlers and style attributes
while blocking all other inline script and style. To implement it,
we pass in the code source for event handlers when we check CSP for
inline style, event handlers and javascript: navigation targets.
Then we compare the hash of the source with the specified hashes in
the CSP policy.

* bindings/js/JSEventListener.cpp:
(WebCore::JSEventListener::handleEvent):
* bindings/js/JSEventListener.h:
(WebCore::JSEventListener::code const):
* bindings/js/JSLazyEventListener.cpp:
(WebCore::JSLazyEventListener::initializeJSFunction const):
* bindings/js/JSLazyEventListener.h:
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::executeJavaScriptURL):
* dom/InlineStyleSheetOwner.cpp:
(WebCore::InlineStyleSheetOwner::createSheet):
* dom/StyledElement.cpp:
(WebCore::StyledElement::styleAttributeChanged):
There are two types of inline style, either a style tag or the style
attribute. Style attributes are covered by unsafe-hashes and come from
StyledElement::styleAttributeChanged, so we specify that unsafe-hashes
should be checked.

* loader/FrameLoader.cpp:
(WebCore::createWindow):
* page/csp/ContentSecurityPolicy.cpp:
This patch updates blockedURL to be a string when reporting violations
now that we need to report "inline" as the blocked URI in many cases.
(WebCore::ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent):
(WebCore::ContentSecurityPolicy::checkHashAndReportViolation const):
Refactor to separate out code to search for known hashes now that it
is used in multiple places.

(WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
(WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
(WebCore::ContentSecurityPolicy::allowInlineScript const):
(WebCore::ContentSecurityPolicy::allowInlineStyle const):
(WebCore::ContentSecurityPolicy::allowEval const):
(WebCore::ContentSecurityPolicy::allowFrameAncestors const):
(WebCore::ContentSecurityPolicy::allowPluginType const):
(WebCore::ContentSecurityPolicy::allowObjectFromSource const):
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource const):
(WebCore::ContentSecurityPolicy::allowResourceFromSource const):
(WebCore::ContentSecurityPolicy::allowConnectToSource const):
(WebCore::ContentSecurityPolicy::allowBaseURI const):
(WebCore::ContentSecurityPolicy::reportViolation const):
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::checkUnsafeHashes):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript const):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle const):
* page/csp/ContentSecurityPolicyDirectiveList.h:
* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::parseSource):
* page/csp/ContentSecurityPolicySourceList.h:
(WebCore::ContentSecurityPolicySourceList::allowUnsafeHashes const):
* page/csp/ContentSecurityPolicySourceListDirective.cpp:
(WebCore::ContentSecurityPolicySourceListDirective::allowUnsafeHashes const):
* page/csp/ContentSecurityPolicySourceListDirective.h:

LayoutTests:

Mostly updating blockedURI to be "inline" in the case of inline script
or style violations to match the CSP3 spec.

* TestExpectations:
_javascript__src_allowed-href_blank.html times out because it can't find
opener.t1. This is unrelated to unsafe-hashes and seems to be another
bug in our DOM code.

* http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
* http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
* http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
* http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
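
The check the log message describes under Source/WebCore (hash the event-handler or style-attribute source and compare it with the hashes in the policy), as an added example that is not WebKit code: a simplified Node.js model of the CSP3 rule. `parseSourceList`, `checkInline` and the sample handler and policies are hypothetical names and constructed values; nonce matching, 'strict-dynamic' and javascript: URLs are left out.

```javascript
// Added example (not WebKit code): simplified model of how 'unsafe-hashes'
// gates hash matching for inline event handlers and style attributes.
const { createHash } = require('node:crypto');

// Base64 digest of the exact attribute or element text (whitespace included).
function digestOf(algo, source) {
  return createHash(algo).update(source, 'utf8').digest('base64');
}

// Parse the source list of one directive out of a serialized policy.
// Returns null when the directive is absent.
function parseSourceList(policy, directive) {
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name || name.toLowerCase() !== directive) continue;
    const list = { unsafeInline: false, unsafeHashes: false, hasNonce: false, hashes: [] };
    for (const src of sources) {
      const s = src.toLowerCase();
      const m = /^'(sha256|sha384|sha512)-([A-Za-z0-9+\/_-]+={0,2})'$/i.exec(src);
      if (s === "'unsafe-inline'") list.unsafeInline = true;
      else if (s === "'unsafe-hashes'") list.unsafeHashes = true;
      else if (s.startsWith("'nonce-")) list.hasNonce = true;
      else if (m) list.hashes.push({ algo: m[1].toLowerCase(), digest: m[2] });
    }
    return list; // the first occurrence of a directive is the one that counts
  }
  return null;
}

// kind: 'script-element' | 'event-handler' | 'style-element' | 'style-attribute'
function checkInline(policy, kind, source) {
  const effective = kind.startsWith('style') ? 'style-src' : 'script-src';
  let violated = effective;
  let list = parseSourceList(policy, effective);
  if (!list) {
    violated = 'default-src'; // fallback directive
    list = parseSourceList(policy, violated);
  }
  if (!list) return { allowed: true };

  // Hash sources always apply to <script>/<style> elements; for event handlers
  // and style attributes they apply only when 'unsafe-hashes' is also present.
  const hashesApply = kind.endsWith('-element') || list.unsafeHashes;
  const hashMatch = list.hashes.some((h) =>
    digestOf(h.algo, source) === h.digest.replace(/-/g, '+').replace(/_/g, '/'));
  if (hashesApply && hashMatch) return { allowed: true };

  // 'unsafe-inline' is ignored as soon as the list carries a hash or a nonce.
  if (list.unsafeInline && list.hashes.length === 0 && !list.hasNonce) {
    return { allowed: true };
  }

  // Report fields as in the updated expectations: blocked-uri is "inline".
  return { allowed: false, blockedURI: 'inline',
           violatedDirective: violated, effectiveDirective: effective };
}

// Constructed sample input.
const HANDLER = 'toggleMenu()';                  // value of an onclick attribute
const HASH = `'sha256-${digestOf('sha256', HANDLER)}'`;
const WITH_UNSAFE_HASHES = `script-src 'unsafe-hashes' ${HASH}`;
const HASH_ONLY = `script-src ${HASH}`;

console.log(checkInline(WITH_UNSAFE_HASHES, 'event-handler', HANDLER));
console.log(checkInline(HASH_ONLY, 'event-handler', HANDLER));
console.log(checkInline("default-src 'self'", 'script-element', HANDLER));
```
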

Diff

Modified: trunk/LayoutTests/ChangeLog (284066 => 284067)


--- trunk/LayoutTests/ChangeLog	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/ChangeLog	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,3 +1,37 @@
+2021-10-12  Kate Cheney  <katherine_che...@apple.com>
+
+        CSP: Implement unsafe-hashes
+        https://bugs.webkit.org/show_bug.cgi?id=231313
+        <rdar://problem/83724376>
+
+        Reviewed by Brent Fulgham.
+
+        Mostly updating blockedURI to be "inline" in the case of inline script
+        or style violations to match the CSP3 spec. 
+
+        * TestExpectations:
+        _javascript__src_allowed-href_blank.html times out because it can't find
+        opener.t1. This is unrelated to unsafe-hashes and seems to be another
+        bug in our DOM code.
+
+        * http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt:
+        * http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt:
+
 2021-10-12  Alan Bujtas  <za...@apple.com>
 
         [LFC][IFC] Do not collapse whitespace with zero-width space separator in-between
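Review bot: The TestExpectations paragraph in this entry justifies skipping _javascript__src_allowed-href_blank.html with "seems to be another bug in our DOM code" but cites no bug for it, so the skip has nothing to be tracked against. File the opener.t1 timeout separately and reference it here. The added line ending in "to match the CSP3 spec. " also carries trailing whitespace.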

Modified: trunk/LayoutTests/TestExpectations (284066 => 284067)


--- trunk/LayoutTests/TestExpectations	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/TestExpectations	2021-10-13 00:31:13 UTC (rev 284067)
@@ -946,16 +946,15 @@
 imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/script-sample.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/securitypolicyviolation-block-image-from-script.sub.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/targeting.html [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/frame-src/frame-src-cross-origin-load.sub.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/generic/304-response-should-update-csp.sub.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html [ Skip ]
+imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href_blank.html [ Skip ]
 
 # FIXME: Skip Content Security Policy tests whose output is non-deterministic
 imported/w3c/web-platform-tests/content-security-policy/reporting/multiple-report-policies.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/reporting/report-cross-origin-no-cookies.sub.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/style-src/style-src-multiple-policies-multiple-hashing-algorithms.html [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed.html [ Skip ]
 
 # Content Security Policy: Embedded Enforcement is not supported
 imported/w3c/web-platform-tests/content-security-policy/embedded-enforcement
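Review bot: style_attribute_allowed.html is removed from under the "FIXME: Skip Content Security Policy tests whose output is non-deterministic" comment, but the log message does not say its output is now stable. Confirm over repeated runs that it was skipped only for missing unsafe-hashes support. The new _javascript__src_allowed-href_blank.html skip is appended to the preceding block with no comment; give it its own comment or bug reference, since the ChangeLog attributes the timeout to an unrelated DOM issue.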

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -6,4 +6,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.py","referrer":"","violated-directive":"default-src","effective-directive":"script-src","original-policy":"default-src 'self'; report-uri ../resources/save-report.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/report-uri-effective-directive.py","referrer":"","violated-directive":"default-src","effective-directive":"script-src","original-policy":"default-src 'self'; report-uri ../resources/save-report.py","blocked-uri":"inline","status-code":200}}
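Review bot: The policy in this expectation is a plain default-src 'self' with no hash source, so the move to "blocked-uri":"inline" applies to every blocked inline script report, not only to pages that use unsafe-hashes. The LayoutTests entry covers this with "Mostly updating blockedURI"; state it in the Source/WebCore entry as a change to report contents, since a collector that keys on an empty blocked-uri for inline violations will see different data after this revision.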

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-allowed-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -15,4 +15,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'sha256-33badf00d3badf00d3badf00d3badf00d3badf00d33=' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scripthash-blocked-by-legacy-enforced-policy-and-blocked-by-report-policy2.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -16,4 +16,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'nonce-that-is-not-equal-to-dummy' 'nonce-dump-as-text'; report-uri ../resources/save-report.py?test=/security/contentSecurityPolicy/1.1/scriptnonce-blocked-by-enforced-policy-and-allowed-by-report-policy.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -8,4 +8,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-and-enforce.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -7,4 +7,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -7,4 +7,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-from-header.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -8,4 +8,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-status-code-zero-when-using-https-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -13,4 +13,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html
 === POST DATA =""
-{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"","status-code":0}}
+{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","referrer":"http://127.0.0.1:8000/","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-status-code-zero-when-using-https.html","blocked-uri":"inline","status-code":0}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -6,4 +6,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-from-child-frame-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -11,4 +11,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/generate-csp-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-from-child-frame.html","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri save-report.py?test=/security/contentSecurityPolicy/report-uri-from-child-frame.html","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt (284066 => 284067)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-uri-scheme-relative-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -6,4 +6,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.py
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.py","blocked-uri":"","status-code":200}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/report-uri-scheme-relative.py","referrer":"","violated-directive":"script-src","effective-directive":"script-src","original-policy":"script-src 'self'; report-uri //127.0.0.1:8080/security/contentSecurityPolicy/resources/save-report.py","blocked-uri":"inline","status-code":200}}

Modified: trunk/LayoutTests/imported/w3c/ChangeLog (284066 => 284067)


--- trunk/LayoutTests/imported/w3c/ChangeLog	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/imported/w3c/ChangeLog	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,3 +1,31 @@
+2021-10-12  Kate Cheney  <katherine_che...@apple.com>
+
+        CSP: Implement unsafe-hashes
+        https://bugs.webkit.org/show_bug.cgi?id=231313
+        <rdar://problem/83724376>
+
+        Reviewed by Brent Fulgham.
+
+        Some unsafe-hashes tests still "fail" because we haven't implemented 
+        some directives like script-src-elem/script-src-attr but will
+        still test correct behavior for unsafe-hashes because the reports are
+        received correctly. Tracking implementation of missing directives
+        in rdar://83332874.
+
+        * web-platform-tests/content-security-policy/navigation/to-_javascript_-parent-initiated-parent-csp-expected.txt:
+        * web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline-expected.txt:
+        Tests that have changed failures now that the blockedURI target is
+        correct.
+
+        * web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href-expected.txt:
+        * web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href_blank-expected.txt:
+        * web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-window_location-expected.txt:
+        * web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-window_open-expected.txt:
+        * web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed-expected.txt:
+        * web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed-expected.txt:
+        * web-platform-tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic-expected.txt:
+        * web-platform-tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module-expected.txt:
+
 2021-10-12  Myles C. Maxfield  <mmaxfi...@apple.com>
 
         WPT test gardening for font palettes

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-_javascript_-parent-initiated-parent-csp-expected.txt (284066 => 284067)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-_javascript_-parent-initiated-parent-csp-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-_javascript_-parent-initiated-parent-csp-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,4 +1,4 @@
 
 
-FAIL Should not have executed the _javascript_ url assert_equals: expected "inline" but got ""
+FAIL Should not have executed the _javascript_ url assert_equals: expected "script-src-attr" but got "script-src"
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline-expected.txt (284066 => 284067)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/blockeduri-inline-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,3 +1,3 @@
 
-FAIL Inline violations have a blockedURI of 'inline' assert_equals: expected "inline" but got ""
+FAIL Inline violations have a blockedURI of 'inline' assert_equals: expected 15 but got 0
 
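Review bot: the new expectation `expected 15 but got 0` is a different assertion failing, this time on a numeric value, and the ChangeLog only says these tests "have changed failures now that the blockedURI target is correct". Name the value that is still reported as 0 in the ChangeLog entry and point at a tracking bug, so this FAIL is not read as covered by the missing script-src-elem/script-src-attr work.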

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href-expected.txt (284066 => 284067)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,3 +1,3 @@
- 
-FAIL Test that the _javascript_: src is allowed to run assert_unreached: Should have not raised any event Reached unreachable code
 
+PASS Test that the _javascript_: src is allowed to run
+

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href_blank-expected.txt (284066 => 284067)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href_blank-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-href_blank-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,3 +1,2 @@
 
-FAIL Test that the _javascript_: src is allowed to run assert_unreached: Should have not raised any event Reached unreachable code
-
+PASS Test that the _javascript_: src is allowed to run

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-window_location-expected.txt (284066 => 284067)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-window_location-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-window_location-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,3 +1,3 @@
 
-FAIL Test that the _javascript_: src is allowed to run assert_equals: expected "pass" but got "fail"
+PASS Test that the _javascript_: src is allowed to run
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-window_open-expected.txt (284066 => 284067)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-window_open-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/_javascript__src_allowed-window_open-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,3 +1,3 @@
 
-FAIL Test that the _javascript_: src is allowed to run assert_unreached: Should have not raised any event Reached unreachable code
+PASS Test that the _javascript_: src is allowed to run
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed-expected.txt (284066 => 284067)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/script_event_handlers_allowed-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,3 +1,3 @@
 
-FAIL Test that the inline event handler is allowed to run assert_unreached: Should have not raised any event Reached unreachable code
+PASS Test that the inline event handler is allowed to run
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed-expected.txt (284066 => 284067)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/unsafe-hashes/style_attribute_allowed-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,3 +1,3 @@
 
-FAIL Test that the inline style attribute is loaded assert_equals: expected "" but got "green"
+PASS Test that the inline style attribute is loaded
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic-expected.txt (284066 => 284067)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-classic-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,12 +1,11 @@
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored.
 CONSOLE MESSAGE: Refused to load http://localhost:8800/html/semantics/scripting-1/the-script-element/module/imports-a.js?label=setTimeout because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8800/html/semantics/scripting-1/the-script-element/module/imports-a.js?label=reflected%20inline%20event%20handlers because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8800/html/semantics/scripting-1/the-script-element/module/imports-a.js?label=inline%20event%20handlers%20triggered%20via%20UA%20code because it does not appear in the script-src directive of the Content Security Policy.
 
 FAIL setTimeout must inherit the nonce from the triggering script, thus execute promise_test: Unhandled rejection with value: object "TypeError: Importing a module script failed."
 PASS direct eval must inherit the nonce from the triggering script, thus execute
 PASS indirect eval must inherit the nonce from the triggering script, thus execute
 PASS the Function constructor must inherit the nonce from the triggering script, thus execute
-FAIL reflected inline event handlers must not inherit the nonce from the triggering script, thus fail dummyDiv.onclick is not a function. (In 'dummyDiv.onclick()', 'dummyDiv.onclick' is null)
-FAIL inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail assert_equals: the browser must be able to parse a string containing the import() syntax into a function expected "function" but got "object"
+PASS reflected inline event handlers must not inherit the nonce from the triggering script, thus fail
+PASS inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module-expected.txt (284066 => 284067)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module-expected.txt	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/module/dynamic-import/string-compilation-nonce-module-expected.txt	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,12 +1,11 @@
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''unsafe-hashes''. It will be ignored.
 CONSOLE MESSAGE: Refused to load http://localhost:8800/html/semantics/scripting-1/the-script-element/module/imports-a.js?label=setTimeout because it does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script for an inline event handler because 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8800/html/semantics/scripting-1/the-script-element/module/imports-a.js?label=reflected%20inline%20event%20handlers because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://localhost:8800/html/semantics/scripting-1/the-script-element/module/imports-a.js?label=inline%20event%20handlers%20triggered%20via%20UA%20code because it does not appear in the script-src directive of the Content Security Policy.
 
 FAIL setTimeout must inherit the nonce from the triggering script, thus execute promise_test: Unhandled rejection with value: object "TypeError: Importing a module script failed."
 PASS direct eval must inherit the nonce from the triggering script, thus execute
 PASS indirect eval must inherit the nonce from the triggering script, thus execute
 PASS the Function constructor must inherit the nonce from the triggering script, thus execute
-FAIL reflected inline event handlers must not inherit the nonce from the triggering script, thus fail dummyDiv.onclick is not a function. (In 'dummyDiv.onclick()', 'dummyDiv.onclick' is null)
-FAIL inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail assert_equals: the browser must be able to parse a string containing the import() syntax into a function expected "function" but got "object"
+PASS reflected inline event handlers must not inherit the nonce from the triggering script, thus fail
+PASS inline event handlers triggered via UA code must not inherit the nonce from the triggering script, thus fail
 

Modified: trunk/Source/WebCore/ChangeLog (284066 => 284067)


--- trunk/Source/WebCore/ChangeLog	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/ChangeLog	2021-10-13 00:31:13 UTC (rev 284067)
@@ -1,3 +1,76 @@
+2021-10-12  Kate Cheney  <katherine_che...@apple.com>
+
+        CSP: Implement unsafe-hashes
+        https://bugs.webkit.org/show_bug.cgi?id=231313
+        <rdar://problem/83724376>
+
+        Reviewed by Brent Fulgham.
+
+        No new tests. Existing imported web platform tests cover behavior.
+
+        unsafe-hashes allows specific event handlers and style attributes
+        while blocking all other inline script and style. To implement it,
+        we pass in the code source for event handlers when we check CSP for
+        inline style, event handlers and _javascript_: navigation targets.
+        Then we compare the hash of the source with the specified hashes in 
+        the CSP policy.
+
+        * bindings/js/JSEventListener.cpp:
+        (WebCore::JSEventListener::handleEvent):
+        * bindings/js/JSEventListener.h:
+        (WebCore::JSEventListener::code const):
+        * bindings/js/JSLazyEventListener.cpp:
+        (WebCore::JSLazyEventListener::initializeJSFunction const):
+        * bindings/js/JSLazyEventListener.h:
+        * bindings/js/ScriptController.cpp:
+        (WebCore::ScriptController::executeJavaScriptURL):
+        * dom/InlineStyleSheetOwner.cpp:
+        (WebCore::InlineStyleSheetOwner::createSheet):
+        * dom/StyledElement.cpp:
+        (WebCore::StyledElement::styleAttributeChanged):
+        There are two types of inline style, either a style tag or the style
+        attribute. Style attributes are covered by unsafe-hashes and come from
+        StyledElement::styleAttributeChanged, so we specify that unsafe-hashes
+        should be checked.
+
+        * loader/FrameLoader.cpp:
+        (WebCore::createWindow):
+        * page/csp/ContentSecurityPolicy.cpp:
+        This patch updates blockedURL to be a string when reporting violations
+        now that we need to report "inline" as the blocked URI in many cases.
+        (WebCore::ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent):
+        (WebCore::ContentSecurityPolicy::checkHashAndReportViolation const):
+        Refactor to separate out code to search for known hashes now that it
+        is used in multiple places.
+
+        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
+        (WebCore::ContentSecurityPolicy::allowInlineEventHandlers const):
+        (WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
+        (WebCore::ContentSecurityPolicy::allowInlineScript const):
+        (WebCore::ContentSecurityPolicy::allowInlineStyle const):
+        (WebCore::ContentSecurityPolicy::allowEval const):
+        (WebCore::ContentSecurityPolicy::allowFrameAncestors const):
+        (WebCore::ContentSecurityPolicy::allowPluginType const):
+        (WebCore::ContentSecurityPolicy::allowObjectFromSource const):
+        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource const):
+        (WebCore::ContentSecurityPolicy::allowResourceFromSource const):
+        (WebCore::ContentSecurityPolicy::allowConnectToSource const):
+        (WebCore::ContentSecurityPolicy::allowBaseURI const):
+        (WebCore::ContentSecurityPolicy::reportViolation const):
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::checkUnsafeHashes):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript const):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle const):
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::parseSource):
+        * page/csp/ContentSecurityPolicySourceList.h:
+        (WebCore::ContentSecurityPolicySourceList::allowUnsafeHashes const):
+        * page/csp/ContentSecurityPolicySourceListDirective.cpp:
+        (WebCore::ContentSecurityPolicySourceListDirective::allowUnsafeHashes const):
+        * page/csp/ContentSecurityPolicySourceListDirective.h:
+
 2021-10-12  Simon Fraser  <simon.fra...@apple.com>
 
         Scrolling thread animations need to commit layers on the scrolling thread

Modified: trunk/Source/WebCore/bindings/js/JSEventListener.cpp (284066 => 284067)


--- trunk/Source/WebCore/bindings/js/JSEventListener.cpp	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/bindings/js/JSEventListener.cpp	2021-10-13 00:31:13 UTC (rev 284067)
@@ -126,7 +126,7 @@
         JSDOMWindow* window = jsCast<JSDOMWindow*>(globalObject);
         if (!window->wrapped().isCurrentlyDisplayedInFrame())
             return;
-        if (wasCreatedFromMarkup() && !scriptExecutionContext.contentSecurityPolicy()->allowInlineEventHandlers(sourceURL().string(), sourcePosition().m_line))
+        if (wasCreatedFromMarkup() && !scriptExecutionContext.contentSecurityPolicy()->allowInlineEventHandlers(sourceURL().string(), sourcePosition().m_line, code()))
             return;
         // FIXME: Is this check needed for other contexts?
         ScriptController& script = window->wrapped().frame()->script();

Modified: trunk/Source/WebCore/bindings/js/JSEventListener.h (284066 => 284067)


--- trunk/Source/WebCore/bindings/js/JSEventListener.h	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/bindings/js/JSEventListener.h	2021-10-13 00:31:13 UTC (rev 284067)
@@ -66,6 +66,7 @@
     template<typename Visitor> void visitJSFunctionImpl(Visitor&);
     void visitJSFunction(JSC::AbstractSlotVisitor&) final;
     void visitJSFunction(JSC::SlotVisitor&) final;
+    virtual String code() const { return String(); }
 
 protected:
     JSEventListener(JSC::JSObject* function, JSC::JSObject* wrapper, bool isAttribute, DOMWrapperWorld&);
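Review bot: the base-class `code()` returns an empty String with no comment, and JSEventListener::handleEvent now passes that value to allowInlineEventHandlers whenever wasCreatedFromMarkup() is true. If the handler check goes through findHashOfContentInPolicies, which returns { false, false } for empty content, a markup-created listener that does not override code() can never match a hash. Add a one-line comment on this declaration stating that an empty string means no attribute source is available and that hash matching will not succeed for it.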

Modified: trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp (284066 => 284067)


--- trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/bindings/js/JSLazyEventListener.cpp	2021-10-13 00:31:13 UTC (rev 284067)
@@ -130,7 +130,7 @@
     if (!document.frame())
         return nullptr;
 
-    if (!document.contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL.string(), m_sourcePosition.m_line))
+    if (!document.contentSecurityPolicy()->allowInlineEventHandlers(m_sourceURL.string(), m_sourcePosition.m_line, m_code))
         return nullptr;
 
     auto& script = document.frame()->script();

Modified: trunk/Source/WebCore/bindings/js/JSLazyEventListener.h (284066 => 284067)


--- trunk/Source/WebCore/bindings/js/JSLazyEventListener.h	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/bindings/js/JSLazyEventListener.h	2021-10-13 00:31:13 UTC (rev 284067)
@@ -46,6 +46,7 @@
     struct CreationArguments;
     static RefPtr<JSLazyEventListener> create(CreationArguments&&);
     JSLazyEventListener(CreationArguments&&, const URL& sourceURL, const TextPosition&);
+    String code() const final { return m_code; }
 
 #if ASSERT_ENABLED
     void checkValidityForEventTarget(EventTarget&) final;

Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (284066 => 284067)


--- trunk/Source/WebCore/bindings/js/ScriptController.cpp	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp	2021-10-13 00:31:13 UTC (rev 284067)
@@ -815,7 +815,7 @@
     if (requesterSecurityOrigin && !requesterSecurityOrigin->isSameOriginDomain(m_frame.document()->securityOrigin()))
         return;
 
-    if (!m_frame.page() || !m_frame.document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame.document()->url().string(), eventHandlerPosition().m_line))
+    if (!m_frame.page() || !m_frame.document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame.document()->url().string(), eventHandlerPosition().m_line, url.string()))
         return;
 
     // We need to hold onto the Frame here because executing script can
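Review bot: the content handed to the hash check here is `url.string()`, that is the whole _javascript_: URL including its scheme, not only the script body after the colon. Policy authors have to hash exactly the same string, so add a comment at this call (or on allowJavaScriptURLs in the header) saying which form is hashed. FrameLoader's createWindow passes the same form, which is good; a shared comment would keep the two call sites from drifting.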

Modified: trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp (284066 => 284067)


--- trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/dom/InlineStyleSheetOwner.cpp	2021-10-13 00:31:13 UTC (rev 284067)
@@ -169,7 +169,7 @@
     ASSERT(document.contentSecurityPolicy());
     const ContentSecurityPolicy& contentSecurityPolicy = *document.contentSecurityPolicy();
     bool hasKnownNonce = contentSecurityPolicy.allowStyleWithNonce(element.attributeWithoutSynchronization(HTMLNames::nonceAttr), element.isInUserAgentShadowTree());
-    if (!contentSecurityPolicy.allowInlineStyle(document.url().string(), m_startTextPosition.m_line, text, hasKnownNonce))
+    if (!contentSecurityPolicy.allowInlineStyle(document.url().string(), m_startTextPosition.m_line, text, CheckUnsafeHashes::No, hasKnownNonce))
         return;
 
     auto mediaQueries = MediaQuerySet::create(m_media, MediaQueryParserContext(document));

Modified: trunk/Source/WebCore/dom/StyledElement.cpp (284066 => 284067)


--- trunk/Source/WebCore/dom/StyledElement.cpp	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/dom/StyledElement.cpp	2021-10-13 00:31:13 UTC (rev 284067)
@@ -206,7 +206,7 @@
     if (document().scriptableDocumentParser() && !document().isInDocumentWrite())
         startLineNumber = document().scriptableDocumentParser()->textPosition().m_line;
 
-    if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url().string(), startLineNumber, { }, isInUserAgentShadowTree()))
+    if (reason == ModifiedByCloning || document().contentSecurityPolicy()->allowInlineStyle(document().url().string(), startLineNumber, newStyleString.string(), CheckUnsafeHashes::Yes, isInUserAgentShadowTree()))
         setInlineStyleFromString(newStyleString);
 
     elementData()->setStyleAttributeIsDirty(false);
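Review bot: `reason == ModifiedByCloning ||` still short-circuits before allowInlineStyle, so a cloned element's style attribute is applied without ever being hashed or reported now that this call checks CheckUnsafeHashes::Yes. That may well be intended (the original attribute was presumably checked when it was first set), but it is now the one path where style attribute content bypasses the hash comparison; add a comment next to the condition stating why cloning is exempt.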

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (284066 => 284067)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2021-10-13 00:31:13 UTC (rev 284067)
@@ -4101,7 +4101,7 @@
     created = false;
 
     // FIXME: Provide line number information with respect to the opener's document.
-    if (request.resourceRequest().url().protocolIsJavaScript() && !openerFrame.document()->contentSecurityPolicy()->allowJavaScriptURLs(openerFrame.document()->url().string(), { }))
+    if (request.resourceRequest().url().protocolIsJavaScript() && !openerFrame.document()->contentSecurityPolicy()->allowJavaScriptURLs(openerFrame.document()->url().string(), { }, request.resourceRequest().url().string()))
         return nullptr;
 
     if (!request.frameName().isEmpty() && !equalIgnoringASCIICase(request.frameName(), "_blank")) {
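Review bot: the condition now evaluates `request.resourceRequest().url()` twice on one already long line, once for protocolIsJavaScript() and once for the string passed as hash content. Hoist it into a local `const URL&` above the `if` so it is clear that the URL that was tested is the URL that is hashed. The existing FIXME also means these violations are reported with an empty position (`{ }`), which is worth keeping in mind when reading "inline" reports from window.open.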

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (284066 => 284067)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2021-10-13 00:31:13 UTC (rev 284067)
@@ -130,7 +130,7 @@
         auto message = makeString(isReportOnly ? "[Report Only] " : "", "Blocked mixed content ",
             url.stringCenterEllipsizedToLength(), " because 'block-all-mixed-content' appears in the Content Security Policy.");
         reportViolation(ContentSecurityPolicyDirectiveNames::blockAllMixedContent,
-            ContentSecurityPolicyDirectiveNames::blockAllMixedContent, *policy, url, message);
+            ContentSecurityPolicyDirectiveNames::blockAllMixedContent, *policy, url.string(), message);
         if (!isReportOnly)
             allow = false;
     }
@@ -355,7 +355,7 @@
 }
 
 template<typename Predicate>
-ContentSecurityPolicy::HashInEnforcedAndReportOnlyPoliciesPair ContentSecurityPolicy::findHashOfContentInPolicies(Predicate&& predicate, StringView content, OptionSet<ContentSecurityPolicyHashAlgorithm> algorithms) const
+ContentSecurityPolicy::HashInEnforcedAndReportOnlyPoliciesPair ContentSecurityPolicy::findHashOfContentInPolicies(const Predicate& predicate, StringView content, OptionSet<ContentSecurityPolicyHashAlgorithm> algorithms) const
 {
     if (algorithms.isEmpty() || content.isEmpty())
         return { false, false };
@@ -373,9 +373,9 @@
     bool foundHashInReportOnlyPolicies = false;
     for (auto algorithm : algorithms) {
         ContentSecurityPolicyHash hash = cryptographicDigestForBytes(algorithm, encodedContent.data(), encodedContent.size());
-        if (!foundHashInEnforcedPolicies && allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::Enforce, std::forward<Predicate>(predicate), hash))
+        if (!foundHashInEnforcedPolicies && allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::Enforce, predicate, hash))
             foundHashInEnforcedPolicies = true;
-        if (!foundHashInReportOnlyPolicies && allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::ReportOnly, std::forward<Predicate>(predicate), hash))
+        if (!foundHashInReportOnlyPolicies && allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::ReportOnly, predicate, hash))
             foundHashInReportOnlyPolicies = true;
         if (foundHashInEnforcedPolicies && foundHashInReportOnlyPolicies)
             break;
@@ -383,8 +383,21 @@
     return { foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies };
 }
 
-bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy) const
+template<typename ViolatedDirective, typename HashSearchPolicy>
+bool ContentSecurityPolicy::checkHashAndReportViolation(const String& source, const ViolatedDirective& violatedDirective, const HashSearchPolicy& searchPolicy, OptionSet<ContentSecurityPolicyHashAlgorithm> hashAlgorithms, ContentSecurityPolicy::ViolatedDirectiveCallback&& callback) const
 {
+    auto [foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies] = findHashOfContentInPolicies(searchPolicy, source, hashAlgorithms);
+    if (foundHashInEnforcedPolicies && foundHashInReportOnlyPolicies)
+        return true;
+
+    if (!foundHashInReportOnlyPolicies)
+        allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::ReportOnly, std::forward<ViolatedDirectiveCallback>(callback), violatedDirective);
+
+    return foundHashInEnforcedPolicies || allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::Enforce, WTFMove(callback), violatedDirective);
+}
+
+bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& source, bool overrideContentSecurityPolicy) const
+{
     if (overrideContentSecurityPolicy)
         return true;
     bool didNotifyInspector = false;
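Review bot: In checkHashAndReportViolation the same callback is cast to an rvalue twice: std::forward<ViolatedDirectiveCallback>(callback) for the ReportOnly pass and WTFMove(callback) for the Enforce pass. If allPoliciesWithDispositionAllow ever takes ownership of its callback, the Enforce pass runs with a moved-from callable and enforced violations are no longer reported. Pass callback as an lvalue to the first call and move only at the last use, or take the callback by const reference as this patch already does for the predicate in findHashOfContentInPolicies.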
@@ -391,16 +404,17 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
         // FIXME (rdar://83332874) implement scriptSrcElem properly.
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
+        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
         if (!didNotifyInspector && violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
             didNotifyInspector = true;
         }
     };
-    return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript);
+
+    return checkHashAndReportViolation(source, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
 }
 
-bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy) const
+bool ContentSecurityPolicy::allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& source, bool overrideContentSecurityPolicy) const
 {
     if (overrideContentSecurityPolicy)
         return true;
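Review bot: The inspector condition in the handleViolatedDirective lambda of allowJavaScriptURLs reads "!didNotifyInspector && violatedDirective.directiveList().isReportOnly()", without the negation that the otherwise identical lambdas in allowInlineEventHandlers and allowInlineScript have. Since this hunk already edits the lambda, please confirm that notifying the inspector only for report-only policies is intended here, and add the missing "!" if it is not.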
@@ -407,13 +421,14 @@
     bool didNotifyInspector = false;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script for an inline event handler", "'unsafe-inline'");
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
+        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
         if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
             didNotifyInspector = true;
         }
     };
-    return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript);
+
+    return checkHashAndReportViolation(source, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
 }
 
 bool ContentSecurityPolicy::allowScriptWithNonce(const String& nonce, bool overrideContentSecurityPolicy) const
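Review bot: The console message in allowInlineEventHandlers still names only 'unsafe-inline' as the way to permit the handler, although the return statement now also accepts a hash matched through violatedDirectiveForUnsafeHashScript. Extend the last argument of consoleMessageForViolation to mention a hash together with 'unsafe-hashes', otherwise the message steers developers toward the broader allowance only.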
@@ -458,7 +473,7 @@
         TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, url, "Refused to load");
         // FIXME: (rdar://83332874) implement scriptSrcElem properly.
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, url, consoleMessage, String(), sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, url.string(), consoleMessage, String(), sourcePosition);
     };
 
     return allScriptPoliciesAllow(handleViolatedDirective, url, nonce, scriptContent, parserInserted);
@@ -469,12 +484,9 @@
     if (overrideContentSecurityPolicy || shouldPerformEarlyCSPCheck())
         return true;
     bool didNotifyInspector = false;
-    auto [foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies] = findHashOfContentInPolicies(&ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash, scriptContent, m_hashAlgorithmsForInlineScripts);
-    if (foundHashInEnforcedPolicies && foundHashInReportOnlyPolicies)
-        return true;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "its hash, its nonce, or 'unsafe-inline'");
-        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
+        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
         if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
             didNotifyInspector = true;
@@ -482,29 +494,25 @@
     };
     // FIXME: We should not report that the inline script violated a policy when its hash matched a source
     // _expression_ in the policy and the page has more than one policy. See <https://bugs.webkit.org/show_bug.cgi?id=159832>.
-    if (!foundHashInReportOnlyPolicies)
-        allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::ReportOnly, handleViolatedDirective, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript);
-    return foundHashInEnforcedPolicies || allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::Enforce, handleViolatedDirective, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript);
+    return checkHashAndReportViolation(scriptContent.toString(), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript, &ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash, m_hashAlgorithmsForInlineScripts, handleViolatedDirective);
 }
 
-bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, StringView styleContent, bool overrideContentSecurityPolicy) const
+bool ContentSecurityPolicy::allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes shouldCheckUnsafeHashes, bool overrideContentSecurityPolicy) const
 {
     if (overrideContentSecurityPolicy)
         return true;
     if (m_overrideInlineStyleAllowed)
         return true;
-    auto [foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies] = findHashOfContentInPolicies(&ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash, styleContent, m_hashAlgorithmsForInlineStylesheets);
-    if (foundHashInEnforcedPolicies && foundHashInReportOnlyPolicies)
-        return true;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, URL(), "Refused to apply a stylesheet", "its hash, its nonce, or 'unsafe-inline'");
-        reportViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, URL(), consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
+        reportViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, "inline"_s, consoleMessage, contextURL, TextPosition(contextLine, WTF::OrdinalNumber()));
     };
+
+    auto searchPolicy = shouldCheckUnsafeHashes == CheckUnsafeHashes::Yes ? &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle : &ContentSecurityPolicyDirectiveList::violatedDirectiveForStyleHash;
+
     // FIXME: We should not report that the inline stylesheet violated a policy when its hash matched a source
     // _expression_ in the policy and the page has more than one policy. See <https://bugs.webkit.org/show_bug.cgi?id=159832>.
-    if (!foundHashInReportOnlyPolicies)
-        allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::ReportOnly, handleViolatedDirective, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyle);
-    return foundHashInEnforcedPolicies || allPoliciesWithDispositionAllow(ContentSecurityPolicy::Disposition::Enforce, handleViolatedDirective, &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyle);
+    return checkHashAndReportViolation(styleContent.toString(), &ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineStyle, searchPolicy, m_hashAlgorithmsForInlineStylesheets, handleViolatedDirective);
 }
 
 bool ContentSecurityPolicy::allowEval(JSC::JSGlobalObject* state, LogToConsole shouldLogToConsole, bool overrideContentSecurityPolicy) const
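Review bot: allowInlineScript and allowInlineStyle now call scriptContent.toString() and styleContent.toString() only to satisfy the const String& parameter of checkHashAndReportViolation, which passes the value straight on to findHashOfContentInPolicies as a StringView. Declaring the helper's first parameter as StringView avoids building a String for every inline script and style check, and the callers that hold a String (allowJavaScriptURLs, allowInlineEventHandlers) still convert implicitly.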
@@ -513,7 +521,7 @@
         return true;
     bool didNotifyInspector = false;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
-        String consoleMessage = shouldLogToConsole == LogToConsole::Yes ?consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "'unsafe-eval'") : String();
+        String consoleMessage = shouldLogToConsole == LogToConsole::Yes ? consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, URL(), "Refused to execute a script", "'unsafe-eval'") : String();
         reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, "eval", consoleMessage, state);
         if (!didNotifyInspector && !violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
@@ -534,7 +542,7 @@
     TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrameAncestor, frame);
 }
@@ -562,7 +570,7 @@
     TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::frameAncestors, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrameAncestorOrigins, ancestorOrigins);
 }
@@ -575,7 +583,7 @@
     TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::pluginTypes, violatedDirective, url, "Refused to load", "its MIME type");
-        reportViolation(ContentSecurityPolicyDirectiveNames::pluginTypes, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::pluginTypes, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForPluginType, type, typeAttribute);
 }
@@ -591,7 +599,7 @@
     TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::objectSrc, violatedDirective, url, "Refused to load");
-        reportViolation(ContentSecurityPolicyDirectiveNames::objectSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::objectSrc, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes);
 }
@@ -605,7 +613,7 @@
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         const char* effectiveViolatedDirective = violatedDirective.name() == ContentSecurityPolicyDirectiveNames::frameSrc ? ContentSecurityPolicyDirectiveNames::frameSrc : ContentSecurityPolicyDirectiveNames::childSrc;
         String consoleMessage = consoleMessageForViolation(effectiveViolatedDirective, violatedDirective, url, "Refused to load");
-        reportViolation(effectiveViolatedDirective, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
+        reportViolation(effectiveViolatedDirective, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url, redirectResponseReceived == RedirectResponseReceived::Yes);
 }
@@ -618,7 +626,7 @@
     TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(name, violatedDirective, url, "Refused to load");
-        reportViolation(name, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
+        reportViolation(name, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), resourcePredicate, url, redirectResponseReceived == RedirectResponseReceived::Yes);
 }
@@ -671,7 +679,7 @@
     TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, "Refused to connect to");
-        reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition, preRedirectURL);
+        reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition, preRedirectURL);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
 }
@@ -691,7 +699,7 @@
     TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::baseURI, violatedDirective, url, "Refused to change the document base URL to");
-        reportViolation(ContentSecurityPolicyDirectiveNames::baseURI, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
+        reportViolation(ContentSecurityPolicyDirectiveNames::baseURI, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
     };
     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForBaseURI, url);
 }
@@ -716,15 +724,15 @@
     return reportViolation(violatedDirective, effectiveViolatedDirective.name().convertToASCIILowercase(), effectiveViolatedDirective.directiveList(), blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
 }
 
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* state) const
 {
     // FIXME: Extract source file and source position from JSC::ExecState.
-    return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL.string(), consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
+    return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
 }
 
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state) const
 {
-    return reportViolation(effectiveViolatedDirective, violatedDirective.name().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL.string(), consoleMessage, sourceURL, sourcePosition, state, preRedirectURL);
+    return reportViolation(effectiveViolatedDirective, violatedDirective.name().convertToASCIILowercase(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state, preRedirectURL);
 }
 
 void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURLString, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL) const
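Review bot: The two reportViolation overloads changed here keep the parameter name blockedURL even though it is now a String that may carry the keyword "inline" instead of a URL. Rename it to blockedURLString, as the final overload shown in the trailing context already does, so the signature reflects what callers are allowed to pass.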
@@ -764,7 +772,7 @@
     ASSERT(m_client || is<Document>(m_scriptExecutionContext));
 
     String blockedURI;
-    if (blockedURLString == "eval")
+    if (blockedURLString == "eval" || blockedURLString == "inline")
         blockedURI = blockedURLString;
     else if (preRedirectURL.isNull())
         blockedURI = deprecatedURLForReporting(blockedURL);
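Review bot: The test "blockedURLString == "eval" || blockedURLString == "inline"" relies on every caller spelling the same literals ("inline"_s in the allow* lambdas, "eval" in allowEval). Define the two keywords once as named constants and use them on both sides, so a misspelled literal cannot fall through to the deprecatedURLForReporting branch and be reported as if it were a URL.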

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (284066 => 284067)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h	2021-10-13 00:31:13 UTC (rev 284067)
@@ -61,6 +61,7 @@
 
 enum class ParserInserted : bool { No, Yes };
 enum class LogToConsole : bool { No, Yes };
+enum class CheckUnsafeHashes : bool { No, Yes };
 
 typedef Vector<std::unique_ptr<ContentSecurityPolicyDirectiveList>> CSPDirectiveListVector;
 
@@ -93,11 +94,11 @@
     bool allowScriptWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
     bool allowStyleWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
 
-    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false) const;
-    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false) const;
+    bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& code, bool overrideContentSecurityPolicy = false) const;
+    bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, const String& code, bool overrideContentSecurityPolicy = false) const;
     bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, StringView scriptContent, bool overrideContentSecurityPolicy = false) const;
     bool allowNonParserInsertedScripts(const URL&, const String&, const StringView&, ParserInserted) const;
-    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, StringView styleContent, bool overrideContentSecurityPolicy = false) const;
+    bool allowInlineStyle(const String& contextURL, const WTF::OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes, bool overrideContentSecurityPolicy = false) const;
 
     bool allowEval(JSC::JSGlobalObject*, LogToConsole, bool overrideContentSecurityPolicy = false) const;
 
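Review bot: The declarations of allowJavaScriptURLs and allowInlineEventHandlers name the new parameter code, while the definitions in ContentSecurityPolicy.cpp name it source. Use one name in both places. The new CheckUnsafeHashes parameter of allowInlineStyle is unnamed and has no default, so a short comment saying when callers should pass Yes and when No would also help.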
@@ -215,14 +216,16 @@
     bool allowResourceFromSource(const URL&, RedirectResponseReceived, const char*, ResourcePredicate) const;
 
     using HashInEnforcedAndReportOnlyPoliciesPair = std::pair<bool, bool>;
-    template<typename Predicate> HashInEnforcedAndReportOnlyPoliciesPair findHashOfContentInPolicies(Predicate&&, StringView content, OptionSet<ContentSecurityPolicyHashAlgorithm>) const WARN_UNUSED_RETURN;
+    template<typename Predicate> HashInEnforcedAndReportOnlyPoliciesPair findHashOfContentInPolicies(const Predicate&, StringView content, OptionSet<ContentSecurityPolicyHashAlgorithm>) const WARN_UNUSED_RETURN;
 
     void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*) const;
-    void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList&, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
-    void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr) const;
+    void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList&, const String& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
+    void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr) const;
     void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const String& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL()) const;
     void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
 
+    template<typename ViolatedDirective, typename HashSearchPolicy> bool checkHashAndReportViolation(const String&, const ViolatedDirective&, const HashSearchPolicy&, OptionSet<ContentSecurityPolicyHashAlgorithm>, ContentSecurityPolicy::ViolatedDirectiveCallback&&) const;
+
     // We can never have both a script execution context and a ContentSecurityPolicyClient.
     ScriptExecutionContext* m_scriptExecutionContext { nullptr };
     ContentSecurityPolicyClient* m_client { nullptr };
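Review bot: The checkHashAndReportViolation declaration omits WARN_UNUSED_RETURN, which findHashOfContentInPolicies a few lines above carries, and leaves its first const String& parameter unnamed. The return value is the allow or block decision, so mark it WARN_UNUSED_RETURN and name the parameter so the header states what is being hashed.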

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (284066 => 284067)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp	2021-10-13 00:31:13 UTC (rev 284067)
@@ -56,6 +56,11 @@
     return !directive || directive->allowInline();
 }
 
+static inline bool checkUnsafeHashes(ContentSecurityPolicySourceListDirective* directive, const ContentSecurityPolicyHash& hash)
+{
+    return !directive || directive->allowUnsafeHashes(hash);
+}
+
 static inline bool checkNonParserInsertedScripts(ContentSecurityPolicySourceListDirective* directive, ParserInserted parserInserted)
 {
     if (!directive)
@@ -159,6 +164,22 @@
     return operativeDirective;
 }
 
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashScript(const ContentSecurityPolicyHash& hash) const
+{
+    auto* operativeDirective = this->operativeDirective(m_scriptSrc.get());
+    if (checkUnsafeHashes(operativeDirective, hash))
+        return nullptr;
+    return operativeDirective;
+}
+
+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeHashStyle(const ContentSecurityPolicyHash& hash) const
+{
+    auto* operativeDirective = this->operativeDirective(m_styleSrc.get());
+    if (checkUnsafeHashes(operativeDirective, hash))
+        return nullptr;
+    return operativeDirective;
+}
+
 const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForUnsafeInlineScript() const
 {
     ContentSecurityPolicySourceListDirective* operativeDirective = this->operativeDirective(m_scriptSrc.get());
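Review bot: violatedDirectiveForUnsafeHashScript and violatedDirectiveForUnsafeHashStyle resolve the operative directive from m_scriptSrc and m_styleSrc only. Add a FIXME referencing rdar://83332874, as the scriptSrcElem call sites in ContentSecurityPolicy.cpp do, so these lookups are revisited when script-src-attr is implemented. The two bodies differ only in the member they read and could share one helper.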

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (284066 => 284067)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h	2021-10-13 00:31:13 UTC (rev 284067)
@@ -52,6 +52,8 @@
 
     const ContentSecurityPolicyDirective* violatedDirectiveForScriptHash(const ContentSecurityPolicyHash&) const;
     const ContentSecurityPolicyDirective* violatedDirectiveForStyleHash(const ContentSecurityPolicyHash&) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeHashScript(const ContentSecurityPolicyHash&) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForUnsafeHashStyle(const ContentSecurityPolicyHash&) const;
 
     const ContentSecurityPolicyDirective* violatedDirectiveForScriptNonce(const String&) const;
     const ContentSecurityPolicyDirective* violatedDirectiveForStyleNonce(const String&) const;

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (284066 => 284067)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp	2021-10-13 00:31:13 UTC (rev 284067)
@@ -237,6 +237,11 @@
         m_allowEval = true;
         return source;
     }
+    
+    if (skipExactlyIgnoringASCIICase(buffer, "'unsafe-hashes'")) {
+        m_allowUnsafeHashes = true;
+        return source;
+    }
 
     auto begin = buffer.position();
     auto beginHost = begin;
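Review bot: The first added line consists only of four spaces; drop the trailing whitespace. On the logic, this branch sets m_allowUnsafeHashes for any source list that contains the keyword, with no check of which directive is being parsed, the same way m_allowEval is set just above. That is fine as long as only the script and style checks read the flag, so it is worth confirming that no other directive consults it.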

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h (284066 => 284067)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h	2021-10-13 00:31:13 UTC (rev 284067)
@@ -54,6 +54,7 @@
     bool allowSelf() const { return m_allowSelf; }
     bool isNone() const { return m_isNone; }
     bool allowNonParserInsertedScripts() const { return m_allowNonParserInsertedScripts; }
+    bool allowUnsafeHashes() const { return m_allowUnsafeHashes; }
 
 private:
     struct Host {
@@ -94,6 +95,7 @@
     bool m_allowEval { false };
     bool m_isNone { false };
     bool m_allowNonParserInsertedScripts { false };
+    bool m_allowUnsafeHashes { false };
 };
 
 } // namespace WebCore

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp (284066 => 284067)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp	2021-10-13 00:31:13 UTC (rev 284067)
@@ -57,4 +57,9 @@
     return m_sourceList.matches(hash);
 }
 
+bool ContentSecurityPolicySourceListDirective::allowUnsafeHashes(const ContentSecurityPolicyHash& hash) const
+{
+    return m_sourceList.allowUnsafeHashes() && allows(hash);
+}
+
 } // namespace WebCore
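Review bot: allowUnsafeHashes(hash) shares its name with the flag getter m_sourceList.allowUnsafeHashes() that it calls, but it also requires allows(hash), so a reader can mistake it for a pure keyword check. Consider a name that says a hash is being matched, or add a comment stating that a listed hash authorizes the content only when 'unsafe-hashes' is present in the same source list.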

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h (284066 => 284067)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h	2021-10-13 00:24:27 UTC (rev 284066)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h	2021-10-13 00:31:13 UTC (rev 284067)
@@ -40,6 +40,7 @@
     enum class ShouldAllowEmptyURLIfSourceListIsNotNone { No, Yes };
     bool allows(const URL&, bool didReceiveRedirectResponse, ShouldAllowEmptyURLIfSourceListIsNotNone);
     bool allows(const ContentSecurityPolicyHash&) const;
+    bool allowUnsafeHashes(const ContentSecurityPolicyHash&) const;
     bool allows(const String& nonce) const;
     bool allowInline() const { return m_sourceList.allowInline(); }
     bool allowEval() const { return m_sourceList.allowEval(); }
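Review bot: The new declaration is inserted between the allows(const ContentSecurityPolicyHash&) and allows(const String& nonce) overloads, which splits the overload group. Placing it after the nonce overload, next to allowInline() and allowEval(), keeps the allows overloads together.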
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
