Diff
Modified: trunk/Source/WebCore/ChangeLog (206253 => 206254)
--- trunk/Source/WebCore/ChangeLog 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/ChangeLog 2016-09-22 08:28:37 UTC (rev 206254)
@@ -1,3 +1,65 @@
+2016-09-22 Youenn Fablet <you...@apple.com>
+
+ Refactor ContentSecurityPolicy::allow* methods
+ https://bugs.webkit.org/show_bug.cgi?id=162335
+
+ Reviewed by Darin Adler.
+
+ No change of behavior.
+
+ Removing the second parameter of ContentSecurityPolicy::allow* methods.
+ When true, this parameter makes the methods return true.
+ This patch updates the callers of allow* methods to check for the parameter before making the call.
+
+ Made some refactoring to share more code between the various allow* methods.
+
+ * Modules/fetch/FetchLoader.cpp:
+ (WebCore::FetchLoader::start):
+ * Modules/websockets/WebSocket.cpp:
+ (WebCore::WebSocket::connect):
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::isSafeToLoadURL):
+ (WebCore::HTMLMediaElement::outOfBandTrackSources):
+ * html/HTMLPlugInImageElement.cpp:
+ (WebCore::HTMLPlugInImageElement::allowedToLoadPluginContent):
+ * html/HTMLTrackElement.cpp:
+ (WebCore::HTMLTrackElement::canLoadURL):
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::DocumentThreadableLoader):
+ (WebCore::DocumentThreadableLoader::redirectReceived):
+ (WebCore::DocumentThreadableLoader::loadRequest):
+ (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+ * loader/DocumentThreadableLoader.h:
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::checkIfFormActionAllowedByCSP):
+ * loader/PolicyChecker.cpp:
+ (WebCore::isAllowedByContentSecurityPolicy):
+ * loader/SubframeLoader.cpp:
+ (WebCore::SubframeLoader::createJavaAppletWidget):
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy):
+ * page/EventSource.cpp:
+ (WebCore::EventSource::create):
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowObjectFromSource):
+ (WebCore::ContentSecurityPolicy::allowChildFrameFromSource):
+ (WebCore::ContentSecurityPolicy::allowResourceFromSource):
+ (WebCore::ContentSecurityPolicy::allowChildContextFromSource):
+ (WebCore::ContentSecurityPolicy::allowScriptFromSource):
+ (WebCore::ContentSecurityPolicy::allowImageFromSource):
+ (WebCore::ContentSecurityPolicy::allowStyleFromSource):
+ (WebCore::ContentSecurityPolicy::allowFontFromSource):
+ (WebCore::ContentSecurityPolicy::allowMediaFromSource):
+ (WebCore::ContentSecurityPolicy::allowConnectToSource):
+ (WebCore::ContentSecurityPolicy::allowFormAction):
+ * page/csp/ContentSecurityPolicy.h:
+ * workers/AbstractWorker.cpp:
+ (WebCore::AbstractWorker::resolveURL):
+ * workers/WorkerGlobalScope.cpp:
+ (WebCore::WorkerGlobalScope::importScripts):
+ * xml/XMLHttpRequest.cpp:
+ (WebCore::XMLHttpRequest::initSend):
+
2016-09-19 Sergio Villar Senin <svil...@igalia.com>
[css-grid] Remove the x2 computation of row sizes with indefinite heights
Modified: trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp (206253 => 206254)
--- trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -85,9 +85,11 @@
ResourceRequest fetchRequest = request.internalRequest();
ASSERT(context.contentSecurityPolicy());
- context.contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(fetchRequest, ContentSecurityPolicy::InsecureRequestType::Load);
+ auto& contentSecurityPolicy = *context.contentSecurityPolicy();
- if (!context.contentSecurityPolicy()->allowConnectToSource(fetchRequest.url(), context.shouldBypassMainWorldContentSecurityPolicy())) {
+ contentSecurityPolicy.upgradeInsecureRequestIfNeeded(fetchRequest, ContentSecurityPolicy::InsecureRequestType::Load);
+
+ if (!context.shouldBypassMainWorldContentSecurityPolicy() && !contentSecurityPolicy.allowConnectToSource(fetchRequest.url())) {
m_client.didFail();
return;
}
Modified: trunk/Source/WebCore/Modules/websockets/WebSocket.cpp (206253 => 206254)
--- trunk/Source/WebCore/Modules/websockets/WebSocket.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/Modules/websockets/WebSocket.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -217,8 +217,11 @@
LOG(Network, "WebSocket %p connect() url=''", this, url.utf8().data());
m_url = URL(URL(), url);
+ ASSERT(scriptExecutionContext());
+ auto& context = *scriptExecutionContext();
+
if (!m_url.isValid()) {
- scriptExecutionContext()->addConsoleMessage(MessageSource::JS, MessageLevel::Error, "Invalid url for WebSocket " + m_url.stringCenterEllipsizedToLength());
+ context.addConsoleMessage(MessageSource::JS, MessageLevel::Error, "Invalid url for WebSocket " + m_url.stringCenterEllipsizedToLength());
m_state = CLOSED;
ec = SYNTAX_ERR;
return;
@@ -225,22 +228,25 @@
}
if (!m_url.protocolIs("ws") && !m_url.protocolIs("wss")) {
- scriptExecutionContext()->addConsoleMessage(MessageSource::JS, MessageLevel::Error, "Wrong url scheme for WebSocket " + m_url.stringCenterEllipsizedToLength());
+ context.addConsoleMessage(MessageSource::JS, MessageLevel::Error, "Wrong url scheme for WebSocket " + m_url.stringCenterEllipsizedToLength());
m_state = CLOSED;
ec = SYNTAX_ERR;
return;
}
if (m_url.hasFragmentIdentifier()) {
- scriptExecutionContext()->addConsoleMessage(MessageSource::JS, MessageLevel::Error, "URL has fragment component " + m_url.stringCenterEllipsizedToLength());
+ context.addConsoleMessage(MessageSource::JS, MessageLevel::Error, "URL has fragment component " + m_url.stringCenterEllipsizedToLength());
m_state = CLOSED;
ec = SYNTAX_ERR;
return;
}
- scriptExecutionContext()->contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(m_url, ContentSecurityPolicy::InsecureRequestType::Load);
-
+ ASSERT(context.contentSecurityPolicy());
+ auto& contentSecurityPolicy = *context.contentSecurityPolicy();
+
+ contentSecurityPolicy.upgradeInsecureRequestIfNeeded(m_url, ContentSecurityPolicy::InsecureRequestType::Load);
+
if (!portAllowed(m_url)) {
- scriptExecutionContext()->addConsoleMessage(MessageSource::JS, MessageLevel::Error, "WebSocket port " + String::number(m_url.port()) + " blocked");
+ context.addConsoleMessage(MessageSource::JS, MessageLevel::Error, "WebSocket port " + String::number(m_url.port()) + " blocked");
m_state = CLOSED;
ec = SECURITY_ERR;
return;
@@ -247,7 +253,7 @@
}
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
- if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(m_url, scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {
+ if (!context.shouldBypassMainWorldContentSecurityPolicy() && !contentSecurityPolicy.allowConnectToSource(m_url)) {
m_state = CLOSED;
// FIXME: Should this be throwing an exception?
@@ -255,7 +261,7 @@
return;
}
- if (auto* provider = scriptExecutionContext()->socketProvider())
+ if (auto* provider = context.socketProvider())
m_channel = ThreadableWebSocketChannel::create(*scriptExecutionContext(), *this, *provider);
// Every ScriptExecutionContext should have a SocketProvider.
@@ -270,7 +276,7 @@
// comply with WebSocket API specification, but it seems to be the only reasonable way to handle this conflict.
for (auto& protocol : protocols) {
if (!isValidProtocolString(protocol)) {
- scriptExecutionContext()->addConsoleMessage(MessageSource::JS, MessageLevel::Error, "Wrong protocol for WebSocket '" + encodeProtocolString(protocol) + "'");
+ context.addConsoleMessage(MessageSource::JS, MessageLevel::Error, "Wrong protocol for WebSocket '" + encodeProtocolString(protocol) + "'");
m_state = CLOSED;
ec = SYNTAX_ERR;
return;
@@ -279,7 +285,7 @@
HashSet<String> visited;
for (auto& protocol : protocols) {
if (!visited.add(protocol).isNewEntry) {
- scriptExecutionContext()->addConsoleMessage(MessageSource::JS, MessageLevel::Error, "WebSocket protocols contain duplicates: '" + encodeProtocolString(protocol) + "'");
+ context.addConsoleMessage(MessageSource::JS, MessageLevel::Error, "WebSocket protocols contain duplicates: '" + encodeProtocolString(protocol) + "'");
m_state = CLOSED;
ec = SYNTAX_ERR;
return;
@@ -286,8 +292,8 @@
}
}
- if (is<Document>(*scriptExecutionContext())) {
- Document& document = downcast<Document>(*scriptExecutionContext());
+ if (is<Document>(context)) {
+ Document& document = downcast<Document>(context);
if (!document.frame()->loader().mixedContentChecker().canRunInsecureContent(document.securityOrigin(), m_url)) {
// Balanced by the call to ActiveDOMObject::unsetPendingActivity() in WebSocket::stop().
ActiveDOMObject::setPendingActivity(this);
Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (206253 => 206254)
--- trunk/Source/WebCore/html/HTMLMediaElement.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -1989,6 +1989,16 @@
#endif
+static inline bool isAllowedToLoadMediaURL(HTMLMediaElement& element, const URL& url, bool isInUserAgentShadowTree)
+{
+ // Elements in user agent show tree should load whatever the embedding document policy is.
+ if (isInUserAgentShadowTree)
+ return true;
+
+ ASSERT(element.document().contentSecurityPolicy());
+ return element.document().contentSecurityPolicy()->allowMediaFromSource(url);
+}
+
bool HTMLMediaElement::isSafeToLoadURL(const URL& url, InvalidURLAction actionIfInvalid)
{
if (!url.isValid()) {
@@ -2004,7 +2014,7 @@
return false;
}
- if (!document().contentSecurityPolicy()->allowMediaFromSource(url, isInUserAgentShadowTree())) {
+ if (!isAllowedToLoadMediaURL(*this, url, isInUserAgentShadowTree())) {
LOG(Media, "HTMLMediaElement::isSafeToLoadURL(%p) - %s -> rejected by Content Security Policy", this, urlForLoggingMedia(url).utf8().data());
return false;
}
@@ -6364,8 +6374,8 @@
URL url = ""
if (url.isEmpty())
continue;
-
- if (!document().contentSecurityPolicy()->allowMediaFromSource(url, trackElement.isInUserAgentShadowTree()))
+
+ if (!isAllowedToLoadMediaURL(*this, url, trackElement.isInUserAgentShadowTree()))
continue;
auto& track = *trackElement.track();
Modified: trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp (206253 => 206254)
--- trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -775,6 +775,10 @@
bool HTMLPlugInImageElement::allowedToLoadPluginContent(const String& url, const String& mimeType) const
{
+ // Elements in user agent show tree should load whatever the embedding document policy is.
+ if (isInUserAgentShadowTree())
+ return true;
+
URL completedURL;
if (!url.isEmpty())
completedURL = document().completeURL(url);
@@ -784,10 +788,12 @@
contentSecurityPolicy.upgradeInsecureRequestIfNeeded(completedURL, ContentSecurityPolicy::InsecureRequestType::Load);
- String declaredMimeType = document().isPluginDocument() && document().ownerElement() ?
+ if (!contentSecurityPolicy.allowObjectFromSource(completedURL))
+ return false;
+
+ auto& declaredMimeType = document().isPluginDocument() && document().ownerElement() ?
document().ownerElement()->attributeWithoutSynchronization(HTMLNames::typeAttr) : attributeWithoutSynchronization(HTMLNames::typeAttr);
- bool isInUserAgentShadowTree = this->isInUserAgentShadowTree();
- return contentSecurityPolicy.allowObjectFromSource(completedURL, isInUserAgentShadowTree) && contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, completedURL, isInUserAgentShadowTree);
+ return contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, completedURL);
}
bool HTMLPlugInImageElement::requestObject(const String& url, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues)
Modified: trunk/Source/WebCore/html/HTMLTrackElement.cpp (206253 => 206254)
--- trunk/Source/WebCore/html/HTMLTrackElement.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/html/HTMLTrackElement.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -216,11 +216,13 @@
if (url.isEmpty())
return false;
- if (!document().contentSecurityPolicy()->allowMediaFromSource(url, isInUserAgentShadowTree())) {
+ ASSERT(document().contentSecurityPolicy());
+ // Elements in user agent show tree should load whatever the embedding document policy is.
+ if (!isInUserAgentShadowTree() && !document().contentSecurityPolicy()->allowMediaFromSource(url)) {
LOG(Media, "HTMLTrackElement::canLoadURL(%s) -> rejected by Content Security Policy", urlForLoggingTrack(url).utf8().data());
return false;
}
-
+
return dispatchBeforeLoadEvent(url.string());
}
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (206253 => 206254)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -35,7 +35,6 @@
#include "CachedResourceLoader.h"
#include "CachedResourceRequest.h"
#include "CachedResourceRequestInitiators.h"
-#include "ContentSecurityPolicy.h"
#include "CrossOriginAccessControl.h"
#include "CrossOriginPreflightChecker.h"
#include "CrossOriginPreflightResultCache.h"
@@ -98,7 +97,7 @@
// Referrer and Origin headers should be set after the preflight if any.
ASSERT(!request.hasHTTPReferrer() && !request.hasHTTPOrigin());
- ASSERT_WITH_SECURITY_IMPLICATION(isAllowedByContentSecurityPolicy(request.url()));
+ ASSERT_WITH_SECURITY_IMPLICATION(isAllowedByContentSecurityPolicy(request.url(), ContentSecurityPolicy::RedirectResponseReceived::No));
m_options.allowCredentials = (m_options.credentials == FetchOptions::Credentials::Include || (m_options.credentials == FetchOptions::Credentials::SameOrigin && m_sameOriginRequest)) ? AllowStoredCredentials : DoNotAllowStoredCredentials;
@@ -223,7 +222,7 @@
ASSERT_UNUSED(resource, resource == m_resource);
Ref<DocumentThreadableLoader> protectedThis(*this);
- if (!isAllowedByContentSecurityPolicy(request.url(), !redirectResponse.isNull())) {
+ if (!isAllowedByContentSecurityPolicy(request.url(), redirectResponse.isNull() ? ContentSecurityPolicy::RedirectResponseReceived::No : ContentSecurityPolicy::RedirectResponseReceived::Yes)) {
reportContentSecurityPolicyError(*m_client, redirectResponse.url());
clearResource();
return;
@@ -417,7 +416,7 @@
// requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
bool didRedirect = requestURL != response.url();
if (didRedirect) {
- if (!isAllowedByContentSecurityPolicy(response.url(), didRedirect)) {
+ if (!isAllowedByContentSecurityPolicy(response.url(), ContentSecurityPolicy::RedirectResponseReceived::Yes)) {
reportContentSecurityPolicyError(*m_client, requestURL);
return;
}
@@ -448,20 +447,17 @@
didFinishLoading(identifier, 0.0);
}
-bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url, bool didRedirect)
+bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url, ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived)
{
- bool overrideContentSecurityPolicy = false;
- ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived = didRedirect ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
-
switch (m_options.contentSecurityPolicyEnforcement) {
case ContentSecurityPolicyEnforcement::DoNotEnforce:
return true;
case ContentSecurityPolicyEnforcement::EnforceChildSrcDirective:
- return contentSecurityPolicy().allowChildContextFromSource(url, overrideContentSecurityPolicy, redirectResponseReceived);
+ return contentSecurityPolicy().allowChildContextFromSource(url, redirectResponseReceived);
case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective:
- return contentSecurityPolicy().allowConnectToSource(url, overrideContentSecurityPolicy, redirectResponseReceived);
+ return contentSecurityPolicy().allowConnectToSource(url, redirectResponseReceived);
case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
- return contentSecurityPolicy().allowScriptFromSource(url, overrideContentSecurityPolicy, redirectResponseReceived);
+ return contentSecurityPolicy().allowScriptFromSource(url, redirectResponseReceived);
}
ASSERT_NOT_REACHED();
return false;
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.h (206253 => 206254)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2016-09-22 08:28:37 UTC (rev 206254)
@@ -31,6 +31,7 @@
#pragma once
+#include "ContentSecurityPolicy.h"
#include "CrossOriginPreflightChecker.h"
#include "ResourceResponse.h"
#include "SecurityOrigin.h"
@@ -94,7 +95,7 @@
void loadRequest(ResourceRequest&&, SecurityCheckPolicy);
bool isAllowedRedirect(const URL&);
- bool isAllowedByContentSecurityPolicy(const URL&, bool didRedirect = false);
+ bool isAllowedByContentSecurityPolicy(const URL&, ContentSecurityPolicy::RedirectResponseReceived);
bool isXMLHttpRequest() const final;
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (206253 => 206254)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -942,7 +942,7 @@
return true;
auto redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
- return m_frame.document()->contentSecurityPolicy()->allowFormAction(url, false /* overrideContentSecurityPolicy */, redirectResponseReceived);
+ return m_frame.document()->contentSecurityPolicy()->allowFormAction(url, redirectResponseReceived);
}
Frame* FrameLoader::opener()
Modified: trunk/Source/WebCore/loader/PolicyChecker.cpp (206253 => 206254)
--- trunk/Source/WebCore/loader/PolicyChecker.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/loader/PolicyChecker.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -55,10 +55,16 @@
{
if (!ownerElement)
return true;
+ // Elements in user agent show tree should load whatever the embedding document policy is.
+ if (ownerElement->isInUserAgentShadowTree())
+ return true;
+
auto redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
+
+ ASSERT(ownerElement->document().contentSecurityPolicy());
if (is<HTMLPlugInElement>(ownerElement))
- return ownerElement->document().contentSecurityPolicy()->allowObjectFromSource(url, ownerElement->isInUserAgentShadowTree(), redirectResponseReceived);
- return ownerElement->document().contentSecurityPolicy()->allowChildFrameFromSource(url, ownerElement->isInUserAgentShadowTree(), redirectResponseReceived);
+ return ownerElement->document().contentSecurityPolicy()->allowObjectFromSource(url, redirectResponseReceived);
+ return ownerElement->document().contentSecurityPolicy()->allowChildFrameFromSource(url, redirectResponseReceived);
}
PolicyChecker::PolicyChecker(Frame& frame)
Modified: trunk/Source/WebCore/loader/SubframeLoader.cpp (206253 => 206254)
--- trunk/Source/WebCore/loader/SubframeLoader.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/loader/SubframeLoader.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -248,9 +248,11 @@
}
const char javaAppletMimeType[] = "application/x-java-applet";
- bool isInUserAgentShadowTree = element.isInUserAgentShadowTree();
- if (!element.document().contentSecurityPolicy()->allowObjectFromSource(codeBaseURL, isInUserAgentShadowTree)
- || !element.document().contentSecurityPolicy()->allowPluginType(javaAppletMimeType, javaAppletMimeType, codeBaseURL, isInUserAgentShadowTree))
+ ASSERT(element.document().contentSecurityPolicy());
+ auto& contentSecurityPolicy = *element.document().contentSecurityPolicy();
+ // Elements in user agent show tree should load whatever the embedding document policy is.
+ if (!element.isInUserAgentShadowTree()
+ && (!contentSecurityPolicy.allowObjectFromSource(codeBaseURL) || !contentSecurityPolicy.allowPluginType(javaAppletMimeType, javaAppletMimeType, codeBaseURL)))
return nullptr;
}
Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (206253 => 206254)
--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -399,16 +399,16 @@
case CachedResource::XSLStyleSheet:
#endif
case CachedResource::Script:
- if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, false, redirectResponseReceived))
+ if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, redirectResponseReceived))
return false;
break;
case CachedResource::CSSStyleSheet:
- if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, false, redirectResponseReceived))
+ if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, redirectResponseReceived))
return false;
break;
case CachedResource::SVGDocumentResource:
case CachedResource::ImageResource:
- if (!m_document->contentSecurityPolicy()->allowImageFromSource(url, false, redirectResponseReceived))
+ if (!m_document->contentSecurityPolicy()->allowImageFromSource(url, redirectResponseReceived))
return false;
break;
#if ENABLE(SVG_FONTS)
@@ -415,7 +415,7 @@
case CachedResource::SVGFontResource:
#endif
case CachedResource::FontResource:
- if (!m_document->contentSecurityPolicy()->allowFontFromSource(url, false, redirectResponseReceived))
+ if (!m_document->contentSecurityPolicy()->allowFontFromSource(url, redirectResponseReceived))
return false;
break;
case CachedResource::MediaResource:
@@ -422,7 +422,7 @@
#if ENABLE(VIDEO_TRACK)
case CachedResource::TextTrackResource:
#endif
- if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, false, redirectResponseReceived))
+ if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, redirectResponseReceived))
return false;
break;
case CachedResource::RawResource:
Modified: trunk/Source/WebCore/page/EventSource.cpp (206253 => 206254)
--- trunk/Source/WebCore/page/EventSource.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/page/EventSource.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -72,7 +72,7 @@
}
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
- if (!context.contentSecurityPolicy()->allowConnectToSource(fullURL, context.shouldBypassMainWorldContentSecurityPolicy())) {
+ if (!context.shouldBypassMainWorldContentSecurityPolicy() && !context.contentSecurityPolicy()->allowConnectToSource(fullURL)) {
// FIXME: Should this be throwing an exception?
ec = SECURITY_ERR;
return nullptr;
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (206253 => 206254)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -451,27 +451,10 @@
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForPluginType, type, typeAttribute);
}
-bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowObjectFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
{
- if (overrideContentSecurityPolicy)
- return true;
if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
return true;
- String sourceURL;
- TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
- auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, url, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
- };
- return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForScript, url, redirectResponseReceived == RedirectResponseReceived::Yes);
-}
-
-bool ContentSecurityPolicy::allowObjectFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
-{
- if (overrideContentSecurityPolicy)
- return true;
- if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
- return true;
// As per section object-src of the Content Security Policy Level 3 spec., <http://w3c.github.io/webappsec-csp> (Editor's Draft, 29 February 2016),
// "If plugin content is loaded without an associated URL (perhaps an object element lacks a data attribute, but loads some default plugin based
// on the specified type), it MUST be blocked if object-src's value is 'none', but will otherwise be allowed".
@@ -484,10 +467,8 @@
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes);
}
-bool ContentSecurityPolicy::allowChildFrameFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowChildFrameFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
{
- if (overrideContentSecurityPolicy)
- return true;
if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
return true;
String sourceURL;
@@ -500,85 +481,51 @@
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
-bool ContentSecurityPolicy::allowChildContextFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowResourceFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const char* name, ResourcePredicate resourcePredicate) const
{
- if (overrideContentSecurityPolicy)
- return true;
if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
return true;
String sourceURL;
TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::childSrc, violatedDirective, url, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::childSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
+ String consoleMessage = consoleMessageForViolation(name, violatedDirective, url, "Refused to load");
+ reportViolation(name, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
};
- return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext, url, redirectResponseReceived == RedirectResponseReceived::Yes);
+ return allPoliciesAllow(WTFMove(handleViolatedDirective), resourcePredicate, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
-bool ContentSecurityPolicy::allowImageFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowChildContextFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
{
- if (overrideContentSecurityPolicy)
- return true;
- if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
- return true;
- String sourceURL;
- TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
- auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::imgSrc, violatedDirective, url, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::imgSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
- };
- return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForImage, url, redirectResponseReceived == RedirectResponseReceived::Yes);
+ return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::childSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext);
}
-bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
{
- if (overrideContentSecurityPolicy)
- return true;
- if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
- return true;
- String sourceURL;
- TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
- auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, url, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::styleSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
- };
- return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle, url, redirectResponseReceived == RedirectResponseReceived::Yes);
+ return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::scriptSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForScript);
}
-bool ContentSecurityPolicy::allowFontFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowImageFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
{
- if (overrideContentSecurityPolicy)
- return true;
- if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
- return true;
- String sourceURL;
- TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
- auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::fontSrc, violatedDirective, url, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::fontSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
- };
- return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFont, url, redirectResponseReceived == RedirectResponseReceived::Yes);
+ return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::imgSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForImage);
}
-bool ContentSecurityPolicy::allowMediaFromSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
{
- if (overrideContentSecurityPolicy)
- return true;
- if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
- return true;
- String sourceURL;
- TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
- auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::mediaSrc, violatedDirective, url, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::mediaSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
- };
- return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia, url, redirectResponseReceived == RedirectResponseReceived::Yes);
+ return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::styleSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle);
}
-bool ContentSecurityPolicy::allowConnectToSource(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowFontFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
{
- if (overrideContentSecurityPolicy)
- return true;
+ return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::fontSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFont);
+}
+
+bool ContentSecurityPolicy::allowMediaFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+{
+ return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::mediaSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia);
+}
+
+bool ContentSecurityPolicy::allowConnectToSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+{
if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
return true;
String sourceURL;
@@ -590,19 +537,9 @@
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
-bool ContentSecurityPolicy::allowFormAction(const URL& url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowFormAction(const URL& url, RedirectResponseReceived redirectResponseReceived) const
{
- if (overrideContentSecurityPolicy)
- return true;
- if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
- return true;
- String sourceURL;
- TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
- auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::formAction, violatedDirective, url, "Refused to load");
- reportViolation(ContentSecurityPolicyDirectiveNames::formAction, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
- };
- return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction, url, redirectResponseReceived == RedirectResponseReceived::Yes);
+ return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::formAction, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction);
}
bool ContentSecurityPolicy::allowBaseURI(const URL& url, bool overrideContentSecurityPolicy) const
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (206253 => 206254)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-09-22 08:28:37 UTC (rev 206254)
@@ -98,17 +98,18 @@
bool allowFrameAncestors(const Frame&, const URL&, bool overrideContentSecurityPolicy = false) const;
enum class RedirectResponseReceived { No, Yes };
- bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
- bool allowChildFrameFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
- bool allowChildContextFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
- bool allowImageFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
- bool allowStyleFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
- bool allowFontFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
- bool allowMediaFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
- bool allowConnectToSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
- bool allowFormAction(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ bool allowScriptFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ bool allowImageFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ bool allowStyleFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ bool allowFontFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ bool allowMediaFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
- bool allowObjectFromSource(const URL&, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ bool allowChildFrameFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ bool allowChildContextFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ bool allowConnectToSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ bool allowFormAction(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+
+ bool allowObjectFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false) const;
void setOverrideAllowInlineStyle(bool);
@@ -188,6 +189,9 @@
template<typename Predicate, typename... Args>
bool allPoliciesAllow(ViolatedDirectiveCallback&&, Predicate&&, Args&&...) const WARN_UNUSED_RETURN;
+ using ResourcePredicate = const ContentSecurityPolicyDirective *(ContentSecurityPolicyDirectiveList::*)(const URL &, bool) const;
+ bool allowResourceFromSource(const URL&, RedirectResponseReceived, const char*, ResourcePredicate) const;
+
using HashInEnforcedAndReportOnlyPoliciesPair = std::pair<bool, bool>;
template<typename Predicate> HashInEnforcedAndReportOnlyPoliciesPair findHashOfContentInPolicies(Predicate&&, const String& content, OptionSet<ContentSecurityPolicyHashAlgorithm>) const WARN_UNUSED_RETURN;
Modified: trunk/Source/WebCore/workers/AbstractWorker.cpp (206253 => 206254)
--- trunk/Source/WebCore/workers/AbstractWorker.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/workers/AbstractWorker.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -63,7 +63,7 @@
}
ASSERT(scriptExecutionContext()->contentSecurityPolicy());
- if (!scriptExecutionContext()->contentSecurityPolicy()->allowChildContextFromSource(scriptURL, shouldBypassMainWorldContentSecurityPolicy)) {
+ if (!shouldBypassMainWorldContentSecurityPolicy && !scriptExecutionContext()->contentSecurityPolicy()->allowChildContextFromSource(scriptURL)) {
ec = SECURITY_ERR;
return URL();
}
Modified: trunk/Source/WebCore/workers/WorkerGlobalScope.cpp (206253 => 206254)
--- trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -216,11 +216,14 @@
void WorkerGlobalScope::importScripts(const Vector<String>& urls, ExceptionCode& ec)
{
+ ASSERT(scriptExecutionContext());
ASSERT(contentSecurityPolicy());
+
+ auto& context = *scriptExecutionContext();
ec = 0;
Vector<URL> completedURLs;
for (auto& entry : urls) {
- URL url = ""
+ URL url = ""
if (!url.isValid()) {
ec = SYNTAX_ERR;
return;
@@ -230,14 +233,14 @@
for (auto& url : completedURLs) {
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
- bool shouldBypassMainWorldContentSecurityPolicy = scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy();
- if (!scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(url, shouldBypassMainWorldContentSecurityPolicy)) {
+ bool shouldBypassMainWorldContentSecurityPolicy = context.shouldBypassMainWorldContentSecurityPolicy();
+ if (!shouldBypassMainWorldContentSecurityPolicy && !context.contentSecurityPolicy()->allowScriptFromSource(url)) {
ec = NETWORK_ERR;
return;
}
Ref<WorkerScriptLoader> scriptLoader = WorkerScriptLoader::create();
- scriptLoader->loadSynchronously(scriptExecutionContext(), url, FetchOptions::Mode::NoCors, shouldBypassMainWorldContentSecurityPolicy ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective);
+ scriptLoader->loadSynchronously(&context, url, FetchOptions::Mode::NoCors, shouldBypassMainWorldContentSecurityPolicy ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective);
// If the fetching attempt failed, throw a NETWORK_ERR exception and abort all these steps.
if (scriptLoader->failed()) {
@@ -245,7 +248,7 @@
return;
}
- InspectorInstrumentation::scriptImported(scriptExecutionContext(), scriptLoader->identifier(), scriptLoader->script());
+ InspectorInstrumentation::scriptImported(&context, scriptLoader->identifier(), scriptLoader->script());
NakedPtr<JSC::Exception> exception;
m_script->evaluate(ScriptSourceCode(scriptLoader->script(), scriptLoader->responseURL()), exception);
Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (206253 => 206254)
--- trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-09-22 07:57:32 UTC (rev 206253)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-09-22 08:28:37 UTC (rev 206254)
@@ -494,6 +494,8 @@
if (!scriptExecutionContext())
return false;
+ auto& context = *scriptExecutionContext();
+
if (m_state != OPENED || m_sendFlag) {
ec = INVALID_STATE_ERR;
return false;
@@ -501,7 +503,7 @@
ASSERT(!m_loader);
// FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
- if (!scriptExecutionContext()->contentSecurityPolicy()->allowConnectToSource(m_url, scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {
+ if (!context.shouldBypassMainWorldContentSecurityPolicy() && !context.contentSecurityPolicy()->allowConnectToSource(m_url)) {
if (m_async) {
setPendingActivity(this);
m_timeoutTimer.stop();
