Modified: trunk/LayoutTests/ChangeLog (209820 => 209821)
--- trunk/LayoutTests/ChangeLog 2016-12-14 19:58:27 UTC (rev 209820)
+++ trunk/LayoutTests/ChangeLog 2016-12-14 20:17:28 UTC (rev 209821)
@@ -1,3 +1,16 @@
+2016-12-14 Daniel Bates <[email protected]>
+
+ CSP: Allow HTTPS URL to match HTTP source _expression_
+ https://bugs.webkit.org/show_bug.cgi?id=159520
+ <rdar://problem/27287177>
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number.html: Added.
+ * platform/wk2/TestExpectations: Skip the test on WebKit2 because it makes use of Internals.registerDefaultPortForProtocol(),
+ which does not work with NetworkProcess.
+
2016-12-14 Ryan Haddad <[email protected]>
Add mac-elcapitan baseline for js/dom/global-constructors-attributes.html.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number-expected.txt (0 => 209821)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number-expected.txt 2016-12-14 20:17:28 UTC (rev 209821)
@@ -0,0 +1,28 @@
+Tests script-src source _expression_ matching with implicit and explicit default port numbers.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame3-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame4-->-->'
+--------
+PASS
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number.html (0 => 209821)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number.html 2016-12-14 20:17:28 UTC (rev 209821)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script>
+if (window.internals) {
+ internals.registerDefaultPortForProtocol(8000, "http");
+ internals.registerDefaultPortForProtocol(8443, "https");
+}
+
+var tests = [
+ // Tests that HTTP URL with explicit default port number matches HTTP source _expression_ with implicit and explicit default port number.
+ ["yes", "script-src http://127.0.0.1", "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js"],
+ ["yes", "script-src http://127.0.0.1:8000", "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js"],
+
+ // Tests that HTTPS URL with explicit default port number matches HTTP source _expression_ with implicit and explicit default port number.
+ ["yes", "script-src http://127.0.0.1", "https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js"],
+ ["yes", "script-src http://127.0.0.1:8000", "https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js"],
+
+ // Tests that HTTPS URL with explicit default port number matches 'self'.
+ ["yes", "script-src 'self'", "https://127.0.0.1:8443/security/contentSecurityPolicy/resources/script.js"],
+];
+</script>
+</head>
+<body _onload_="test()">
+<p>Tests script-src source _expression_ matching with implicit and explicit default port numbers.</p>
+</body>
+</html>
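Review bot: Every entry in `tests` expects "yes", so the test never checks that the new leniency is one-directional: an `https:` source expression must still reject an `http:` URL, and an https URL on a non-default port must still fail an `http://host` expression. One blocked case would pin the first of these, e.g. `["no", "script-src https://127.0.0.1", "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js"],`, assuming the harness accepts a "no" expectation — the `<script src>` include at the top and the `test()` handler it presumably provides are not visible in this rendering, so the tuple format is inferred from the existing entries. Adding it also needs a sixth frame in the -expected.txt.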
Modified: trunk/LayoutTests/platform/wk2/TestExpectations (209820 => 209821)
--- trunk/LayoutTests/platform/wk2/TestExpectations 2016-12-14 19:58:27 UTC (rev 209820)
+++ trunk/LayoutTests/platform/wk2/TestExpectations 2016-12-14 20:17:28 UTC (rev 209821)
@@ -550,6 +550,7 @@
# Internals.registerDefaultPortForProtocol() does not affect NetworkProcess. We should
# look to remove it and write these test to make use of an HTTP server running on port 80.
+http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number.html
http/tests/security/http-0.9/default-port-plugin-blocked.html
http/tests/security/http-0.9/default-port-script-blocked.html
http/tests/security/http-0.9/image-default-port-allowed.html
Modified: trunk/Source/WebCore/ChangeLog (209820 => 209821)
--- trunk/Source/WebCore/ChangeLog 2016-12-14 19:58:27 UTC (rev 209820)
+++ trunk/Source/WebCore/ChangeLog 2016-12-14 20:17:28 UTC (rev 209821)
@@ -1,3 +1,17 @@
+2016-12-14 Daniel Bates <[email protected]>
+
+ CSP: Allow HTTPS URL to match HTTP source _expression_
+ https://bugs.webkit.org/show_bug.cgi?id=159520
+ <rdar://problem/27287177>
+
+ Reviewed by Brent Fulgham.
+
+ Test: http/tests/security/contentSecurityPolicy/script-src-parsing-implicit-and-explicit-port-number.html
+
+ * page/csp/ContentSecurityPolicySource.cpp:
+ (WebCore::ContentSecurityPolicySource::schemeMatches):
+ (WebCore::ContentSecurityPolicySource::portMatches):
+
2016-12-14 Alex Christensen <[email protected]>
REGRESSION (r209776): [ios-simulator] LayoutTest http/tests/xmlhttprequest/on-network-timeout-error-during-preflight.html is timing out
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp (209820 => 209821)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp 2016-12-14 19:58:27 UTC (rev 209820)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp 2016-12-14 20:17:28 UTC (rev 209821)
@@ -56,6 +56,8 @@
{
if (m_scheme.isEmpty())
return m_policy.protocolMatchesSelf(url);
+ if (equalLettersIgnoringASCIICase(m_scheme, "http"))
+ return url.protocolIsInHTTPFamily();
return equalIgnoringASCIICase(url.protocol(), m_scheme);
}
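Review bot: The new `http` branch in schemeMatches widens an http source expression to also match https URLs without a comment saying why, so a later reader can easily mistake it for an accidental loosening of the policy. A one-line why-comment above the check would settle that, e.g. `// CSP3 scheme-part matching: an http source expression also matches https URLs (https is strictly stronger); an https expression must still fail for http URLs and falls through to the exact compare below.` The asymmetry itself looks right: `m_scheme` equal to "https" is not special-cased and reaches `equalIgnoringASCIICase`. schemeMatches begins before this hunk, and the companion portMatches hunk is cut off in this view, but its new condition `(!port && url.protocolIs("https")) || isDefaultPortForProtocol(port.value(), "https")` evaluates `port.value()` when `port` is empty and the URL is not https (an http URL with no explicit port against an `http://host:80` expression), which looks like it can read a disengaged optional — worth confirming before landing.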
@@ -91,6 +93,9 @@
if (port == m_port)
return true;
+ if (isDefaultPortForProtocol(m_port.value(), "http") && ((!port && url.protocolIs("https")) || isDefaultPortForProtocol(port.value(), "https")))
+ return true;
+
if (!port)
return isDefaultPortForProtocol(m_port.value(), url.protocol());