Diff
Modified: trunk/LayoutTests/ChangeLog (227237 => 227238)
--- trunk/LayoutTests/ChangeLog 2018-01-19 22:33:51 UTC (rev 227237)
+++ trunk/LayoutTests/ChangeLog 2018-01-19 22:43:11 UTC (rev 227238)
@@ -1,3 +1,23 @@
+2018-01-19 Daniel Bates <[email protected]>
+
+ Update frame-ancestor directive to match Content Security Policy Level 3
+ https://bugs.webkit.org/show_bug.cgi?id=178891
+ <rdar://problem/35209458>
+
+ Reviewed by Alex Christensen.
+
+ Derived from Blink e667cc2e501fabab3605b838e4ee0d642a9c4a59:
+ <https://chromium.googlesource.com/chromium/src.git/+/e667cc2e501fabab3605b838e4ee0d642a9c4a59>
+
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-allow-same-origin-sandboxed-cross-url-allow-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-allow-same-origin-sandboxed-cross-url-allow.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html: Added.
+ * http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js:
+ (injectNestedIframe):
+ (window.onload):
+ (testNestedIFrame):
+
2018-01-19 Yoav Weiss <[email protected]>
Support for preconnect Link headers
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-allow-same-origin-sandboxed-cross-url-allow-expected.txt (0 => 227238)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-allow-same-origin-sandboxed-cross-url-allow-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-allow-same-origin-sandboxed-cross-url-allow-expected.txt 2018-01-19 22:43:11 UTC (rev 227238)
@@ -0,0 +1,21 @@
+A 'frame-ancestors' CSP directive with a URL value should compare against each frame's origin rather than URL, so a nested frame with a sandboxed parent frame with allow-same-origin should be allowed due to the parent opting out of the unique origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Testing a cross-origin child with a policy of "http://127.0.0.1:8000 http://localhost:8080" nested in a cross-origin parent.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
+--------
+This is an IFrame sending a Content Security Policy header containing "frame-ancestors http://127.0.0.1:8000 http://localhost:8080".
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-allow-same-origin-sandboxed-cross-url-allow.html (0 => 227238)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-allow-same-origin-sandboxed-cross-url-allow.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-allow-same-origin-sandboxed-cross-url-allow.html 2018-01-19 22:43:11 UTC (rev 227238)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+</head>
+<body>
+<script>
+description("A 'frame-ancestors' CSP directive with a URL value should compare against each frame's origin rather than URL, " +
+ "so a nested frame with a sandboxed parent frame with allow-same-origin should be allowed due to the parent opting " +
+ "out of the unique origin.");
+
+testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK, "allow-scripts allow-same-origin");
+</script>
+</body>
+</html>
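Review bot: The `testNestedIFrame(...)` call passes `EXPECT_BLOCK`, but the description directly above it says the nested frame "should be allowed", the file name ends in `-allow.html`, and the accompanying `-allow-expected.txt` shows the inner frame's content rendered with no "Refused to load" console message. Pass `EXPECT_LOAD` so the expectation argument matches the intended outcome; as written, the `allow-same-origin` case carries the same expectation as the `-block.html` test and differs from it only in the sandbox flags.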
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block-expected.txt (0 => 227238)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block-expected.txt 2018-01-19 22:43:11 UTC (rev 227238)
@@ -0,0 +1,22 @@
+CONSOLE MESSAGE: Refused to load http://localhost:8080/security/contentSecurityPolicy/resources/frame-ancestors.pl?policy=http://127.0.0.1:8000%20http://localhost:8080 because it does not appear in the frame-ancestors directive of the Content Security Policy.
+A 'frame-ancestors' CSP directive with a URL value should compare against each frame's origin rather than URL, so a nested frame with a sandboxed parent frame should be blocked due to the parent having a unique origin.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+Testing a cross-origin child with a policy of "http://127.0.0.1:8000 http://localhost:8080" nested in a cross-origin parent.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
+--------
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html (0 => 227238)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html 2018-01-19 22:43:11 UTC (rev 227238)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+</head>
+<body>
+<script>
+description("A 'frame-ancestors' CSP directive with a URL value should compare against each frame's origin rather than URL, " +
+ "so a nested frame with a sandboxed parent frame should be blocked due to the parent having a unique origin.");
+
+testNestedIFrame(SAMEORIGIN_ORIGIN + " " + CROSSORIGIN_ORIGIN, CROSS_ORIGIN, CROSS_ORIGIN, EXPECT_BLOCK, "allow-scripts");
+</script>
+</body>
+</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js (227237 => 227238)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js 2018-01-19 22:33:51 UTC (rev 227237)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/frame-ancestors-test.js 2018-01-19 22:43:11 UTC (rev 227238)
@@ -26,7 +26,7 @@
done();
});
-function injectNestedIframe(policy, parent, child, expectation) {
+function injectNestedIframe(policy, parent, child, expectation, sandboxPolicy) {
var iframe = document.createElement("iframe");
var url = ""
@@ -36,6 +36,9 @@
+ "&expectation=" + expectation;
url = "" == "same" ? SAMEORIGIN_ORIGIN : CROSSORIGIN_ORIGIN) + url;
+ if (sandboxPolicy !== undefined)
+ iframe.sandbox = sandboxPolicy;
+
iframe.src = ""
document.body.appendChild(iframe);
}
@@ -85,8 +88,8 @@
};
}
-function testNestedIFrame(policy, parent, child, expectation) {
+function testNestedIFrame(policy, parent, child, expectation, sandboxPolicy) {
window._onload_ = function () {
- injectNestedIframe(policy, parent == SAME_ORIGIN ? "same" : "cross", child == SAME_ORIGIN ? "same" : "cross", expectation == EXPECT_LOAD ? "Allowed" : "Blocked");
+ injectNestedIframe(policy, parent == SAME_ORIGIN ? "same" : "cross", child == SAME_ORIGIN ? "same" : "cross", expectation == EXPECT_LOAD ? "Allowed" : "Blocked", sandboxPolicy);
};
}
Modified: trunk/Source/WebCore/ChangeLog (227237 => 227238)
--- trunk/Source/WebCore/ChangeLog 2018-01-19 22:33:51 UTC (rev 227237)
+++ trunk/Source/WebCore/ChangeLog 2018-01-19 22:43:11 UTC (rev 227238)
@@ -1,3 +1,29 @@
+2018-01-19 Daniel Bates <[email protected]>
+
+ Update frame-ancestor directive to match Content Security Policy Level 3
+ https://bugs.webkit.org/show_bug.cgi?id=178891
+ <rdar://problem/35209458>
+
+ Reviewed by Alex Christensen.
+
+ Derived from Blink e667cc2e501fabab3605b838e4ee0d642a9c4a59:
+ <https://chromium.googlesource.com/chromium/src.git/+/e667cc2e501fabab3605b838e4ee0d642a9c4a59>
+
+ Update frame-ancestor directive to match against the origin of the ancestor document per the
+ Content Security Policy Level 3 spec.: <https://w3c.github.io/webappsec-csp/> (15 January 2018).
+ Specifically this change in behavior was made to CSP 3 in <https://github.com/w3c/webappsec/issues/311>.
+ In earlier versions of the spec, the frame-ancestor directive matched against the URL of the
+ ancestor document.
+
+ Disregarding allow-same-origin sandboxed iframes, a document with policy "frame-ancestor 'self'"
+ will be blocked from loading in a sandboxed iframe as a result of this change.
+
+ Tests: http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-allow-same-origin-sandboxed-cross-url-allow.html
+ http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-nested-cross-in-sandboxed-cross-url-block.html
+
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::checkFrameAncestors):
+
2018-01-19 Basuke Suzuki <[email protected]>
[Curl] Add timeout support to XMLHttpRequest
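Review bot: The entry's title and body spell the directive `frame-ancestor`, including the quoted policy "frame-ancestor 'self'", while the directive and the test directory are named `frame-ancestors`; the same title appears in the LayoutTests ChangeLog entry. Correct the spelling, drop the stray "." in "spec.:", and consider stating outright that the sandboxed-iframe block follows from such a frame having a unique origin, which the entry currently leaves the reader to infer from the test descriptions.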
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (227237 => 227238)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2018-01-19 22:33:51 UTC (rev 227237)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2018-01-19 22:43:11 UTC (rev 227238)
@@ -76,7 +76,8 @@
return true;
bool didReceiveRedirectResponse = false;
for (Frame* current = frame.tree().parent(); current; current = current->tree().parent()) {
- if (!directive->allows(current->document()->url(), didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No))
+ URL origin { URL { }, current->document()->securityOrigin().toString() };
+ if (!origin.isValid() || !directive->allows(origin, didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No))
return false;
}
return true;
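Review bot: In the ancestor loop, `!origin.isValid()` returns false before `directive->allows()` is consulted, so an ancestor whose security origin does not serialize to a parseable URL is rejected whatever the source list contains. Add a short comment above the `URL origin { ... }` line saying that this is how unique-origin (sandboxed) ancestors end up blocked, and add a test with a wildcard source list under a sandboxed parent to pin down that this is intended, since both new tests use only the policy "http://127.0.0.1:8000 http://localhost:8080".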