[webkit-changes] [246129] trunk

Wed, 05 Jun 2019 15:10:08 -0700

Title: [246129] trunk
Revision
246129
Author
[email protected]
Date
2019-06-05 15:09:25 -0700 (Wed, 05 Jun 2019)

Log Message

[CSP] Data URLs should inherit their CSP policy
https://bugs.webkit.org/show_bug.cgi?id=198572
<rdar://problem/50660927>

Reviewed by Brent Fulgham.

Source/WebCore:

As per <https://w3c.github.io/webappsec-csp/#security-inherit-csp> (Editor's Draft, 28 February 2019) data
URLs should inherit their CSP policy from their parent (if they have one).

Test: http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html

* dom/Document.cpp:
(WebCore::Document::shouldInheritContentSecurityPolicyFromOwner const):

LayoutTests:

Add a test to ensure that a framed data URL inherits its CSP policy from its parent document.

* http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (246128 => 246129)


--- trunk/LayoutTests/ChangeLog	2019-06-05 21:28:01 UTC (rev 246128)
+++ trunk/LayoutTests/ChangeLog	2019-06-05 22:09:25 UTC (rev 246129)
@@ -1,3 +1,16 @@
+2019-06-05  Daniel Bates  <[email protected]>
+
+        [CSP] Data URLs should inherit their CSP policy
+        https://bugs.webkit.org/show_bug.cgi?id=198572
+        <rdar://problem/50660927>
+
+        Reviewed by Brent Fulgham.
+
+        Add a test to ensure that a framed data URL inherits its CSP policy from its parent document.
+
+        * http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html: Added.
+
 2019-06-05  Alex Christensen  <[email protected]>
 
         Re-enable safe browsing in WKWebView

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance-expected.txt (0 => 246129)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance-expected.txt	2019-06-05 22:09:25 UTC (rev 246129)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html (0 => 246129)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html	2019-06-05 22:09:25 UTC (rev 246129)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'none'">
+</head>
+<body>
+<embed src=""
+L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5
+L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIkZhaWwgdXNp
+bmcgZGF0YSBVUkwgZW1iZWQiKTs8L3NjcmlwdD48L3N2Zz4=" type="image/svg+xml"></embed>
+<iframe src="" using data URL iframe/)</script>"></iframe>
+<object data="" using data URL object/)</script>"></object>
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (246128 => 246129)


--- trunk/Source/WebCore/ChangeLog	2019-06-05 21:28:01 UTC (rev 246128)
+++ trunk/Source/WebCore/ChangeLog	2019-06-05 22:09:25 UTC (rev 246129)
@@ -1,3 +1,19 @@
+2019-06-05  Daniel Bates  <[email protected]>
+
+        [CSP] Data URLs should inherit their CSP policy
+        https://bugs.webkit.org/show_bug.cgi?id=198572
+        <rdar://problem/50660927>
+
+        Reviewed by Brent Fulgham.
+
+        As per <https://w3c.github.io/webappsec-csp/#security-inherit-csp> (Editor's Draft, 28 February 2019) data
+        URLs should inherit their CSP policy from their parent (if they have one).
+
+        Test: http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::shouldInheritContentSecurityPolicyFromOwner const):
+
 2019-06-05  Saam Barati  <[email protected]>
 
         Unreviewed. Follow up fix after r246115.

Modified: trunk/Source/WebCore/dom/Document.cpp (246128 => 246129)


--- trunk/Source/WebCore/dom/Document.cpp	2019-06-05 21:28:01 UTC (rev 246128)
+++ trunk/Source/WebCore/dom/Document.cpp	2019-06-05 22:09:25 UTC (rev 246129)
@@ -5903,6 +5903,8 @@
     ASSERT(m_frame);
     if (SecurityPolicy::shouldInheritSecurityOriginFromOwner(m_url))
         return true;
+    if (m_url.protocolIsData())
+        return true;
     if (!isPluginDocument())
         return false;
     if (m_frame->tree().parent())

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to