Modified: trunk/LayoutTests/ChangeLog (204163 => 204164)
--- trunk/LayoutTests/ChangeLog 2016-08-05 07:25:15 UTC (rev 204163)
+++ trunk/LayoutTests/ChangeLog 2016-08-05 07:39:01 UTC (rev 204164)
@@ -1,5 +1,23 @@
2016-08-05 Youenn Fablet <you...@apple.com>
+ [Fetch API] Activate CSP checks
+ https://bugs.webkit.org/show_bug.cgi?id=160445
+
+ Reviewed by Daniel Bates.
+
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-fetch-in-main-frame-window.html: Added.
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html:
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html: Added.
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html: Added.
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt:
+ * platform/mac-wk2/TestExpectations: Marking new worker test as failing at loading https resource from loader.
+ It gets a "The certificate for this server is invalid" error.
+ * platform/wk2/TestExpectations: Marking new frame test as timing out for WK2 as fetch is not activated in the pop-up window.
+
+2016-08-05 Youenn Fablet <you...@apple.com>
+
DocumentThreadableLoader should report an error when getting a null CachedResource
https://bugs.webkit.org/show_bug.cgi?id=160444
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-fetch-in-main-frame-window.html (0 => 204164)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-fetch-in-main-frame-window.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-fetch-in-main-frame-window.html 2016-08-05 07:39:01 UTC (rev 204164)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
+<body>
+<script>
+window._onload_ = () => {
+
+ var testIsFinished = false;
+ fetch("http://127.0.0.1:8443/", { mode: "no-cors" }).then(() => {
+ testIsFinished = true;
+ alert("PASS: load was not blocked");
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, () => {
+ testIsFinished = true;
+ alert("FAIL: load is not successful");
+ if (window.testRunner)
+ testRunner.notifyDone();
+ });
+
+ // When running in normal environment, let's notify user if something went wrong
+ if (!window.testRunner) {
+ setTimeout(() => {
+ if (testIsFinished)
+ return;
+ alert("Test timed out");
+ }, 2000);
+ }
+};
+</script>
+
+</body>
+</html>
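Review bot: A resolved promise does not show that the request was upgraded, because `mode: "no-cors"` yields an opaque response whose `url` and `status` are hidden, so the `PASS: load was not blocked` line only records that nothing rejected. After the upgrade the target `https://127.0.0.1:8443/` is same-origin with this window, so a default-mode fetch would return a readable response and the test could check the upgrade itself: `fetch("http://127.0.0.1:8443/").then((response) => { alert(response.url.startsWith("https:") ? "PASS: request was upgraded" : "FAIL: request was not upgraded: " + response.url); ...`. The expected output would change accordingly.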
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html (204163 => 204164)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html 2016-08-05 07:25:15 UTC (rev 204163)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html 2016-08-05 07:39:01 UTC (rev 204164)
@@ -7,16 +7,15 @@
var xhr = new XMLHttpRequest();
xhr._onload_ = function() {
alert("PASS: load was not blocked");
- if (window.testRunner)
- testRunner.notifyDone();
};
- // When XHR is blocked due to mixed content blocking, it just appears as if the load stalls,
- // see https://bugs.webkit.org/show_bug.cgi?id=145717.
- setTimeout(function() {
+ var testIsFinished = false;
+ xhr._onloadend_ = function() {
+ testIsFinished = true;
+ alert("PASS: onloadend called");
if (window.testRunner)
testRunner.notifyDone();
- }, 2000);
+ }
try {
xhr.open("GET", "http://127.0.0.1:8443/");
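Review bot: The new `onloadend` handler alerts `PASS: onloadend called` unconditionally, but loadend also fires after an error or abort, so a blocked or failed request would still print a PASS line and the outcome depends on a reader noticing that `PASS: load was not blocked` is missing. Make the message reflect the result, e.g. `alert(xhr.status === 200 ? "PASS: onloadend called" : "FAIL: onloadend called with status " + xhr.status);`. The enclosing onload handler starts before this hunk and its body continues into the next one.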
@@ -26,6 +25,15 @@
testRunner.notifyDone();
}
+ // When running in normal environment, let's notify user if something went wrong
+ if (!window.testRunner) {
+ setTimeout(() => {
+ if (testIsFinished)
+ return;
+ alert("Test timed out");
+ }, 2000);
+ }
+
xhr.send(null);
};
</script>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame-expected.txt (0 => 204164)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame-expected.txt 2016-08-05 07:39:01 UTC (rev 204164)
@@ -0,0 +1,2 @@
+ALERT: PASS: load was not blocked
+This test opens a HTTPS window that loads insecure data via the Fetch API. We should upgrade this request and thereby avoid a mixed content resource load.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html (0 => 204164)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html 2016-08-05 07:39:01 UTC (rev 204164)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+</script>
+<p>This test opens a HTTPS window that loads insecure data via the Fetch API.
+We should upgrade this request and thereby avoid a mixed content resource load.</p>
+<script>
+window.open("https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-fetch-in-main-frame-window.html");
+</script>
+</body>
+</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker-expected.txt (0 => 204164)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker-expected.txt 2016-08-05 07:39:01 UTC (rev 204164)
@@ -0,0 +1,2 @@
+ALERT: PASS: load was not blocked
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html (0 => 204164)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html 2016-08-05 07:39:01 UTC (rev 204164)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
+<body>
+<script>
+if (window.testRunner) {
+ testRunner.waitUntilDone();
+ testRunner.dumpAsText();
+ testRunner.setCanOpenWindows();
+ testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+var blob = new Blob([
+ "fetch('http://127.0.0.1:8443/', { mode: 'no-cors' }).then(() => {"
++ " postMessage('PASS: load was not blocked');"
++ "}, (e) => {"
++ " postMessage('FAIL: load is not successful: ' + e);"
++ "});"
+], { type: "text/_javascript_" });
+
+var testIsFinished = false;
+var worker = new Worker(window.URL.createObjectURL(blob));
+worker._onmessage_ = function(e) {
+ testIsFinished = true;
+ alert(e.data);
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+// When running in normal environment, let's notify user if something went wrong
+if (!window.testRunner) {
+ setTimeout(() => {
+ if (testIsFinished)
+ return;
+ alert("Test timed out");
+ }, 2000);
+}
+</script>
+
+</body>
+</html>
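Review bot: This page is served over plain http rather than opened through an https window as upgrade-insecure-fetch-in-main-frame.html is, so a request that is not upgraded is not mixed content and would not be blocked; with `mode: 'no-cors'` whatever `http://127.0.0.1:8443/` answers to a plaintext request is likely to surface as an opaque response, and the promise would resolve and print PASS without the upgrade having happened. Consider opening the worker page from an https window like the main-frame test and posting `response.url` back from the worker so the page can assert it starts with `https:` (the upgraded URL is then same-origin, so a default-mode fetch returns a readable response). Minor: the blob URL created for the worker is never released; `URL.revokeObjectURL` in the onmessage handler would be cheap to add.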
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt (204163 => 204164)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt 2016-08-05 07:25:15 UTC (rev 204163)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt 2016-08-05 07:39:01 UTC (rev 204164)
@@ -1,2 +1,3 @@
ALERT: PASS: load was not blocked
+ALERT: PASS: onloadend called
This test opens a HTTPS window that loads insecure data via XHR. We should upgrade this request and thereby avoid a mixed content callback.
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (204163 => 204164)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2016-08-05 07:25:15 UTC (rev 204163)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2016-08-05 07:39:01 UTC (rev 204164)
@@ -1,5 +1,15 @@
2016-08-05 Youenn Fablet <you...@apple.com>
+ [Fetch API] Activate CSP checks
+ https://bugs.webkit.org/show_bug.cgi?id=160445
+
+ Reviewed by Daniel Bates.
+
+ * web-platform-tests/fetch/api/policies/csp-blocked-expected.txt:
+ * web-platform-tests/fetch/api/policies/csp-blocked-worker-expected.txt:
+
+2016-08-05 Youenn Fablet <you...@apple.com>
+
DocumentThreadableLoader should report an error when getting a null CachedResource
https://bugs.webkit.org/show_bug.cgi?id=160444
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/policies/csp-blocked-expected.txt (204163 => 204164)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/policies/csp-blocked-expected.txt 2016-08-05 07:25:15 UTC (rev 204163)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/policies/csp-blocked-expected.txt 2016-08-05 07:39:01 UTC (rev 204164)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8800/fetch/api/resources/top.txt because it does not appear in the connect-src directive of the Content Security Policy.
-FAIL Fetch is blocked by CSP, got a TypeError assert_unreached: Should have rejected. Reached unreachable code
+PASS Fetch is blocked by CSP, got a TypeError
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/policies/csp-blocked-worker-expected.txt (204163 => 204164)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/policies/csp-blocked-worker-expected.txt 2016-08-05 07:25:15 UTC (rev 204163)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/fetch/api/policies/csp-blocked-worker-expected.txt 2016-08-05 07:39:01 UTC (rev 204164)
@@ -1,3 +1,4 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8800/fetch/api/resources/top.txt because it does not appear in the connect-src directive of the Content Security Policy.
-FAIL Fetch is blocked by CSP, got a TypeError assert_unreached: Should have rejected. Reached unreachable code
+PASS Fetch is blocked by CSP, got a TypeError
Modified: trunk/LayoutTests/platform/mac-wk2/TestExpectations (204163 => 204164)
--- trunk/LayoutTests/platform/mac-wk2/TestExpectations 2016-08-05 07:25:15 UTC (rev 204163)
+++ trunk/LayoutTests/platform/mac-wk2/TestExpectations 2016-08-05 07:39:01 UTC (rev 204164)
@@ -376,6 +376,9 @@
# This test fails every time on El Capitan
[ ElCapitan ] fast/mediastream/MediaStream-video-element-video-tracks-disabled.html [ Skip ]
+# Hitting "The certificate for this server is invalid" loading error (not happening in WK1)
+webkit.org/b/160445 http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html [ Failure Timeout ]
+
### END OF (3) Unclassified failures
########################################
Modified: trunk/LayoutTests/platform/wk2/TestExpectations (204163 => 204164)
--- trunk/LayoutTests/platform/wk2/TestExpectations 2016-08-05 07:25:15 UTC (rev 204163)
+++ trunk/LayoutTests/platform/wk2/TestExpectations 2016-08-05 07:39:01 UTC (rev 204164)
@@ -42,6 +42,8 @@
########################################
### START OF (1) Classified failures with bug reports
+webkit.org/b/160445 http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html [ Timeout ]
+
webkit.org/b/156612 http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html [ Failure ]
webkit.org/b/156612 http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html [ Failure ]
Modified: trunk/Source/WebCore/ChangeLog (204163 => 204164)
--- trunk/Source/WebCore/ChangeLog 2016-08-05 07:25:15 UTC (rev 204163)
+++ trunk/Source/WebCore/ChangeLog 2016-08-05 07:39:01 UTC (rev 204164)
@@ -1,5 +1,18 @@
2016-08-05 Youenn Fablet <you...@apple.com>
+ [Fetch API] Activate CSP checks
+ https://bugs.webkit.org/show_bug.cgi?id=160445
+
+ Reviewed by Daniel Bates.
+
+ Tests: http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-main-frame.html
+ http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-fetch-in-worker.html
+
+ * Modules/fetch/FetchLoader.cpp:
+ (WebCore::FetchLoader::start): Adding CSP and URL upgrade checks.
+
+2016-08-05 Youenn Fablet <you...@apple.com>
+
DocumentThreadableLoader should report an error when getting a null CachedResource
https://bugs.webkit.org/show_bug.cgi?id=160444
Modified: trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp (204163 => 204164)
--- trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp 2016-08-05 07:25:15 UTC (rev 204163)
+++ trunk/Source/WebCore/Modules/fetch/FetchLoader.cpp 2016-08-05 07:39:01 UTC (rev 204164)
@@ -33,6 +33,7 @@
#include "BlobURL.h"
#include "CachedResourceRequestInitiators.h"
+#include "ContentSecurityPolicy.h"
#include "FetchBody.h"
#include "FetchLoaderClient.h"
#include "FetchRequest.h"
@@ -73,11 +74,23 @@
void FetchLoader::start(ScriptExecutionContext& context, const FetchRequest& request)
{
- ThreadableLoaderOptions options(request.fetchOptions(), ConsiderPreflight, ContentSecurityPolicyEnforcement::DoNotEnforce, String(cachedResourceRequestInitiators().fetch));
+ ThreadableLoaderOptions options(request.fetchOptions(), ConsiderPreflight,
+ context.shouldBypassMainWorldContentSecurityPolicy() ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective,
+ String(cachedResourceRequestInitiators().fetch));
options.sendLoadCallbacks = SendCallbacks;
options.dataBufferingPolicy = DoNotBufferData;
- m_loader = ThreadableLoader::create(context, *this, request.internalRequest(), options);
+ ResourceRequest fetchRequest = request.internalRequest();
+
+ ASSERT(context.contentSecurityPolicy());
+ context.contentSecurityPolicy()->upgradeInsecureRequestIfNeeded(fetchRequest, ContentSecurityPolicy::InsecureRequestType::Load);
+
+ if (!context.contentSecurityPolicy()->allowConnectToSource(fetchRequest.url(), context.shouldBypassMainWorldContentSecurityPolicy())) {
+ m_client.didFail();
+ return;
+ }
+
+ m_loader = ThreadableLoader::create(context, *this, WTFMove(fetchRequest), options);
m_isStarted = m_loader;
}
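Review bot: `context.contentSecurityPolicy()` is only ASSERTed non-null and then dereferenced twice, so in a release build a context without a policy would crash rather than fail the load; a guarded form such as `auto* contentSecurityPolicy = context.contentSecurityPolicy(); if (!contentSecurityPolicy) { m_client.didFail(); return; }` keeps the ASSERT and degrades safely. The `allowConnectToSource` call checks only the initial URL; whether redirect targets are re-checked depends on ThreadableLoader honoring `EnforceConnectSrcDirective` from `options` in both document and worker contexts, which this hunk does not show, so a comment stating that reliance would help, e.g. `// Redirect targets are re-checked by ThreadableLoader via options.contentSecurityPolicyEnforcement.` Note also that `m_client.didFail()` is now invoked synchronously from start(), before `m_loader` exists, which callers of start() must tolerate.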