Title: [231461] trunk
Revision: 231461
Author: [email protected]
Date: 2018-05-07 16:21:10 -0700 (Mon, 07 May 2018)

Log Message

CSP referrer incorrect for document blocked due to violation of its frame-ancestors directive
https://bugs.webkit.org/show_bug.cgi?id=185380

Reviewed by Brent Fulgham.

Source/WebCore:

Similar to <https://bugs.webkit.org/show_bug.cgi?id=185366>, fixes an issue where the referrer
in the sent CSP report for an HTTP document blocked because its frame-ancestors directive was
violated would be the referrer of the previously loaded document in the frame.

Currently whenever we send a CSP report we ask the document's loader (Document::loader()) for
the referrer for the last request. Document::loader() returns the loader for the last committed
document in its frame. For a frame-ancestors violation, a CSP report is sent before the document
that had the frame-ancestors directive has been committed and after it has been associated with a
frame. As a result we are in a transient transition state for the frame and hence the last request
for the new document's loader (Document::loader()) is actually the last request of the previously
loaded document in the frame. Instead we need to take care to tell CSP about the referrer for the
request associated with the document the CSP came from.

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::responseReceived):

LayoutTests:

Update existing test results now that we send the referrer for the correct document.

* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:

Diff

Modified: trunk/LayoutTests/ChangeLog (231460 => 231461)


--- trunk/LayoutTests/ChangeLog	2018-05-07 22:44:28 UTC (rev 231460)
+++ trunk/LayoutTests/ChangeLog	2018-05-07 23:21:10 UTC (rev 231461)
@@ -1,3 +1,17 @@
+2018-05-07  Daniel Bates  <[email protected]>
+
+        CSP referrer incorrect for document blocked due to violation of its frame-ancestors directive
+        https://bugs.webkit.org/show_bug.cgi?id=185380
+
+        Reviewed by Brent Fulgham.
+
+        Update existing test results now that we send the referrer for the correct document.
+
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt:
+
 2018-05-07  Chris Dumez  <[email protected]>
 
         Stop using an iframe's id as fallback if its name attribute is not set

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt (231460 => 231461)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt	2018-05-07 22:44:28 UTC (rev 231460)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-expected.txt	2018-05-07 23:21:10 UTC (rev 231461)
@@ -5,4 +5,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html
 === POST DATA =""
-{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code&
 quot;:0}}
+{"csp-report":{"document-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin.html","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"http://localhost:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D
 /security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
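Review bot: The re-baselined report line only changes "referrer" from "" to the embedding test page, so this baseline cannot show the case the log message describes, where a non-empty referrer from an earlier document in the frame ends up in the report. Consider adding a test that navigates a frame that has already loaded a document with its own referrer to the frame-ancestors 'none' document, and checks that the earlier document's referrer does not appear in the saved report.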

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt (231460 => 231461)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt	2018-05-07 22:44:28 UTC (rev 231460)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https-expected.txt	2018-05-07 23:21:10 UTC (rev 231461)
@@ -5,4 +5,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html
 === POST DATA =""
-{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-cod
 e":0}}
+{"csp-report":{"document-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-cross-origin-https.html","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html","blocked-uri":"https://localhost:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3
 Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html&q=FAIL","status-code":0}}
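Review bot: In this https expectation the test= key in REQUEST_URI, and in the report-uri inside "original-policy", is /security/contentSecurityPolicy/1.1/report-frame-ancestors-cross-origin.html, the same key the non-https expectation uses, while the new "referrer" shows the report coming from report-frame-ancestors-cross-origin-https.html. If reports are stored per key, the two tests share a slot; giving the https variant its own test= value would keep them independent.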

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt (231460 => 231461)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt	2018-05-07 22:44:28 UTC (rev 231460)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-expected.txt	2018-05-07 23:21:10 UTC (rev 231461)
@@ -5,4 +5,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html
 === POST DATA =""
-{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code&quo
 t;:0}}
+{"csp-report":{"document-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin.html","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"http://127.0.0.1:8000/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/se
 curity/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt (231460 => 231461)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt	2018-05-07 22:44:28 UTC (rev 231460)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https-expected.txt	2018-05-07 23:21:10 UTC (rev 231461)
@@ -5,4 +5,4 @@
 REQUEST_METHOD: POST
 REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html
 === POST DATA =""
-{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code&q
 uot;:0}}
+{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Ftest%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/frame-ancestors/report-frame-ancestors-same-origin-https.html","violated-directive":"frame-ancestors 'none'","effective-directive":"frame-ancestors","original-policy":"frame-ancestors 'none'; report-uri save-report.php?test=/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html","blocked-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-intertag.pl?header=Content-Security-Policy%3A+frame-ancestors+%27none%27%3B+report-uri+save-report.php%3Fte
 st%3D/security/contentSecurityPolicy/1.1/report-frame-ancestors-same-origin.html&q=FAIL","status-code":0}}
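Review bot: The new "referrer" is http://127.0.0.1:8000/... while "document-uri" is https://127.0.0.1:8443/..., which differ in scheme and port, so the embedder and the framed document in this "same-origin" test share only a host. Either rename the test or state in its description that same-origin here means same host, so the baseline is not read as covering a true same-origin embed.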

Modified: trunk/Source/WebCore/ChangeLog (231460 => 231461)


--- trunk/Source/WebCore/ChangeLog	2018-05-07 22:44:28 UTC (rev 231460)
+++ trunk/Source/WebCore/ChangeLog	2018-05-07 23:21:10 UTC (rev 231461)
@@ -1,3 +1,26 @@
+2018-05-07  Daniel Bates  <[email protected]>
+
+        CSP referrer incorrect for document blocked due to violation of its frame-ancestors directive
+        https://bugs.webkit.org/show_bug.cgi?id=185380
+
+        Reviewed by Brent Fulgham.
+
+        Similar to <https://bugs.webkit.org/show_bug.cgi?id=185366>, fixes an issue where the referrer
+        in the sent CSP report for an HTTP document blocked because its frame-ancestors directive was
+        violated would be the referrer of the previously loaded document in the frame.
+
+        Currently whenever we send a CSP report we ask the document's loader (Document::loader()) for
+        the referrer for the last request. Document::loader() returns the loader for the last committed
+        document in its frame. For a frame-ancestors violation, a CSP report is sent before the document
+        that had the frame-ancestors directive has been committed and after it has been associate with a
+        frame. As a result we are in a transient transition state for the frame and hence the last request
+        for the new document's loader (Document::loader()) is actually the last request of the previously
+        loaded document in the frame. Instead we need to take care to tell CSP about the referrer for the
+        request associated with the document the CSP came from.
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::responseReceived):
+
 2018-05-07  Brent Fulgham  <[email protected]>
 
         Add experimental feature to prompt for Storage Access API use
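Review bot: Typo in the second paragraph of the added entry: "after it has been associate with a frame" should read "associated with a frame". The same paragraph opens with "Currently", which will read as describing the post-fix behaviour once this lands; "Before this change" would be unambiguous.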

Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (231460 => 231461)


--- trunk/Source/WebCore/loader/DocumentLoader.cpp	2018-05-07 22:44:28 UTC (rev 231460)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp	2018-05-07 23:21:10 UTC (rev 231461)
@@ -768,7 +768,7 @@
     auto url = ""
 
     ContentSecurityPolicy contentSecurityPolicy(SecurityOrigin::create(url), m_frame);
-    contentSecurityPolicy.didReceiveHeaders(ContentSecurityPolicyResponseHeaders(response), m_frame->loader().referrer());
+    contentSecurityPolicy.didReceiveHeaders(ContentSecurityPolicyResponseHeaders { response }, m_request.httpReferrer());
     if (!contentSecurityPolicy.allowFrameAncestors(*m_frame, url)) {
         stopLoadingAfterXFrameOptionsOrContentSecurityPolicyDenied(identifier, response);
         return;
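Review bot: The didReceiveHeaders call now passes m_request.httpReferrer(), but nothing at the call site says why m_frame->loader().referrer() is wrong here; a one-line comment noting that the frame's loader still reflects the previously loaded document until this one commits would keep the argument from being changed back later. It is also worth confirming that m_request is the request that produced response when the load went through a redirect, and covering that with a test, since the report's referrer now depends on it. The switch from ContentSecurityPolicyResponseHeaders(response) to brace initialization on the same line is unrelated to the fix and could land separately.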
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
