Modified: trunk/LayoutTests/ChangeLog (232848 => 232849)
--- trunk/LayoutTests/ChangeLog 2018-06-14 19:58:37 UTC (rev 232848)
+++ trunk/LayoutTests/ChangeLog 2018-06-14 19:59:47 UTC (rev 232849)
@@ -1,3 +1,15 @@
+2018-06-14 Youenn Fablet <[email protected]>
+
+ Apply CSP checks before Content blocker checks in NetworkLoadChecker as done by CachedResourceLoader
+ https://bugs.webkit.org/show_bug.cgi?id=186550
+
+ Reviewed by Alex Christensen.
+
+ * http/tests/contentextensions/fetch-redirect-blocked-expected.txt: Added.
+ * http/tests/contentextensions/fetch-redirect-blocked.html: Added.
+ * http/tests/contentextensions/fetch-redirect-blocked.html.json: Added.
+ * http/tests/contentextensions/resources/subresource-redirect.php:
+
2018-06-14 Timothy Hatcher <[email protected]>
Expose more semantic system colors.
Added: trunk/LayoutTests/http/tests/contentextensions/fetch-redirect-blocked-expected.txt (0 => 232849)
--- trunk/LayoutTests/http/tests/contentextensions/fetch-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/contentextensions/fetch-redirect-blocked-expected.txt 2018-06-14 19:59:47 UTC (rev 232849)
@@ -0,0 +1,6 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/resources/square128.png because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8000/resources/square128.png due to access control checks.
+
+PASS Ensure CSP happens before content blocker checks
+
Added: trunk/LayoutTests/http/tests/contentextensions/fetch-redirect-blocked.html (0 => 232849)
--- trunk/LayoutTests/http/tests/contentextensions/fetch-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/contentextensions/fetch-redirect-blocked.html 2018-06-14 19:59:47 UTC (rev 232849)
@@ -0,0 +1,13 @@
+<meta http-equiv="Content-Security-Policy" content="connect-src 'self';">
+<script src=""
+<script src=""
+<script>
+promise_test((test) => {
+
+ return fetch("resources/subresource-redirect.php", { mode : "no-cors" }).then(() => {
+ assert_not_reached("fetch should fail");
+ }, (e) => {
+ assert_equals(e.message, "Blocked by Content Security Policy.");
+ });
+}, "Ensure CSP happens before content blocker checks");
+</script>
Added: trunk/LayoutTests/http/tests/contentextensions/fetch-redirect-blocked.html.json (0 => 232849)
--- trunk/LayoutTests/http/tests/contentextensions/fetch-redirect-blocked.html.json (rev 0)
+++ trunk/LayoutTests/http/tests/contentextensions/fetch-redirect-blocked.html.json 2018-06-14 19:59:47 UTC (rev 232849)
@@ -0,0 +1,10 @@
+[
+ {
+ "action": {
+ "type": "block"
+ },
+ "trigger": {
+ "url-filter": ".*square"
+ }
+ }
+]
Modified: trunk/LayoutTests/http/tests/contentextensions/resources/subresource-redirect.php (232848 => 232849)
--- trunk/LayoutTests/http/tests/contentextensions/resources/subresource-redirect.php 2018-06-14 19:58:37 UTC (rev 232848)
+++ trunk/LayoutTests/http/tests/contentextensions/resources/subresource-redirect.php 2018-06-14 19:59:47 UTC (rev 232849)
@@ -1,4 +1,4 @@
<?php
- header('Location: http://127.0.0.1:8000/resources/square128.png');
+ header('Location: http://localhost:8000/resources/square128.png');
header('HTTP/1.0 302 Found');
?>
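Review bot: The switch from 127.0.0.1 to localhost on the Location header is what makes the redirect target cross-origin for the new fetch-redirect-blocked.html test (so `connect-src 'self'` rejects it before the `.*square` blocker rule fires), but nothing in the file says so, and this is a shared resource under contentextensions/resources that other tests in the directory may load expecting a same-origin redirect — worth checking their expectations still hold. A one-line comment above the header would keep the next editor from "fixing" it back: `// Redirect to localhost (not 127.0.0.1) so the target is cross-origin and trips connect-src 'self' in fetch-redirect-blocked.html.`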
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (232848 => 232849)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2018-06-14 19:58:37 UTC (rev 232848)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2018-06-14 19:59:47 UTC (rev 232849)
@@ -162,7 +162,7 @@
void setUpgradeInsecureRequests(bool);
bool upgradeInsecureRequests() const { return m_upgradeInsecureRequests; }
enum class InsecureRequestType { Load, FormSubmission, Navigation };
- void upgradeInsecureRequestIfNeeded(ResourceRequest&, InsecureRequestType) const;
+ WEBCORE_EXPORT void upgradeInsecureRequestIfNeeded(ResourceRequest&, InsecureRequestType) const;
WEBCORE_EXPORT void upgradeInsecureRequestIfNeeded(URL&, InsecureRequestType) const;
HashSet<SecurityOriginData> takeNavigationRequestsToUpgrade();
Modified: trunk/Source/WebKit/ChangeLog (232848 => 232849)
--- trunk/Source/WebKit/ChangeLog 2018-06-14 19:58:37 UTC (rev 232848)
+++ trunk/Source/WebKit/ChangeLog 2018-06-14 19:59:47 UTC (rev 232849)
@@ -1,3 +1,16 @@
+2018-06-14 Youenn Fablet <[email protected]>
+
+ Apply CSP checks before Content blocker checks in NetworkLoadChecker as done by CachedResourceLoader
+ https://bugs.webkit.org/show_bug.cgi?id=186550
+
+ Reviewed by Alex Christensen.
+
+ Do CSP checks and URL upgrade before content blocker checks.
+
+ * NetworkProcess/NetworkLoadChecker.cpp:
+ (WebKit::NetworkLoadChecker::checkRequest):
+ (WebKit::NetworkLoadChecker::continueCheckingRequest):
+
2018-06-14 Brent Fulgham <[email protected]>
Plug-in Process crashing on Mojave (affects Flash, others)
Modified: trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp (232848 => 232849)
--- trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2018-06-14 19:58:37 UTC (rev 232848)
+++ trunk/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp 2018-06-14 19:59:47 UTC (rev 232849)
@@ -193,6 +193,17 @@
void NetworkLoadChecker::checkRequest(ResourceRequest&& request, ValidationHandler&& handler)
{
+ if (auto* contentSecurityPolicy = this->contentSecurityPolicy()) {
+ if (isRedirected()) {
+ auto type = m_options.mode == FetchOptions::Mode::Navigate ? ContentSecurityPolicy::InsecureRequestType::Navigation : ContentSecurityPolicy::InsecureRequestType::Load;
+ contentSecurityPolicy->upgradeInsecureRequestIfNeeded(request, type);
+ }
+ if (!isAllowedByContentSecurityPolicy(request)) {
+ handler(accessControlErrorForValidationHandler(ASCIILiteral { "Blocked by Content Security Policy." }));
+ return;
+ }
+ }
+
#if ENABLE(CONTENT_EXTENSIONS)
processContentExtensionRulesForLoad(WTFMove(request), [this, handler = WTFMove(handler)](auto result) mutable {
if (!result.has_value()) {
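Review bot: Moving the block at the top of checkRequest ahead of processContentExtensionRulesForLoad changes which URL the content blocker evaluates on a redirect: upgradeInsecureRequestIfNeeded now rewrites the request (http→https, presumably, per the CSP upgrade-insecure-requests semantics) before the url-filter rules run, whereas the removed code in continueCheckingRequest ran the upgrade after the blocker had matched the original URL. A rule keyed on scheme or host would therefore see a different input than before; if that is intended (it is what CachedResourceLoader does, per the title), say so in place so the ordering is not reshuffled again, e.g. `// CSP and upgrade-insecure-requests run before content extensions, as in CachedResourceLoader: a CSP violation must be reported as such and the blocker must see the final (possibly upgraded) URL.` The CSP branch is also skipped entirely when contentSecurityPolicy() is null, which mirrors the old behaviour but is worth a short comment as well. checkRequest continues past the end of this hunk.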
@@ -248,20 +259,6 @@
void NetworkLoadChecker::continueCheckingRequest(ResourceRequest&& request, ValidationHandler&& handler)
{
- if (auto* contentSecurityPolicy = this->contentSecurityPolicy()) {
- if (isRedirected()) {
- URL url = ""
- auto type = m_options.mode == FetchOptions::Mode::Navigate ? ContentSecurityPolicy::InsecureRequestType::Navigation : ContentSecurityPolicy::InsecureRequestType::Load;
- contentSecurityPolicy->upgradeInsecureRequestIfNeeded(url, type);
- if (url != request.url())
- request.setURL(url);
- }
- if (!isAllowedByContentSecurityPolicy(request)) {
- handler(accessControlErrorForValidationHandler(ASCIILiteral { "Blocked by Content Security Policy." }));
- return;
- }
- }
-
if (m_options.credentials == FetchOptions::Credentials::SameOrigin)
m_storedCredentialsPolicy = m_isSameOriginRequest && m_origin->canRequest(request.url()) ? StoredCredentialsPolicy::Use : StoredCredentialsPolicy::DoNotUse;