Title: [246994] releases/WebKitGTK/webkit-2.24
- Revision
- 246994
- Author
- [email protected]
- Date
- 2019-07-01 04:03:47 -0700 (Mon, 01 Jul 2019)
Log Message
Merge r246129 - [CSP] Data URLs should inherit their CSP policy
https://bugs.webkit.org/show_bug.cgi?id=198572
<rdar://problem/50660927>
Reviewed by Brent Fulgham.
Source/WebCore:
As per <https://w3c.github.io/webappsec-csp/#security-inherit-csp> (Editor's Draft, 28 February 2019) data
URLs should inherit their CSP policy from their parent (if they have one).
Test: http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html
* dom/Document.cpp:
(WebCore::Document::shouldInheritContentSecurityPolicyFromOwner const):
LayoutTests:
Add a test to ensure that a framed data URL inherits its CSP policy from its parent document.
* http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog (246993 => 246994)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-07-01 11:03:41 UTC (rev 246993)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/ChangeLog 2019-07-01 11:03:47 UTC (rev 246994)
@@ -1,3 +1,16 @@
+2019-06-05 Daniel Bates <[email protected]>
+
+ [CSP] Data URLs should inherit their CSP policy
+ https://bugs.webkit.org/show_bug.cgi?id=198572
+ <rdar://problem/50660927>
+
+ Reviewed by Brent Fulgham.
+
+ Add a test to ensure that a framed data URL inherits its CSP policy from its parent document.
+
+ * http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html: Added.
+
2019-05-22 Antti Koivisto <[email protected]>
Subselectors not searched when determining property whitelist for selector
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance-expected.txt (0 => 246994)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance-expected.txt 2019-07-01 11:03:47 UTC (rev 246994)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: line 1: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+
Added: releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html (0 => 246994)
--- releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html (rev 0)
+++ releases/WebKitGTK/webkit-2.24/LayoutTests/http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html 2019-07-01 11:03:47 UTC (rev 246994)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'none'">
+</head>
+<body>
+<embed src=""
+L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5
+L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw
+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIkZhaWwgdXNp
+bmcgZGF0YSBVUkwgZW1iZWQiKTs8L3NjcmlwdD48L3N2Zz4=" type="image/svg+xml"></embed>
+<iframe src="" using data URL iframe/)</script>"></iframe>
+<object data="" using data URL object/)</script>"></object>
+</body>
+</html>
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog (246993 => 246994)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-07-01 11:03:41 UTC (rev 246993)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/ChangeLog 2019-07-01 11:03:47 UTC (rev 246994)
@@ -1,3 +1,19 @@
+2019-06-05 Daniel Bates <[email protected]>
+
+ [CSP] Data URLs should inherit their CSP policy
+ https://bugs.webkit.org/show_bug.cgi?id=198572
+ <rdar://problem/50660927>
+
+ Reviewed by Brent Fulgham.
+
+ As per <https://w3c.github.io/webappsec-csp/#security-inherit-csp> (Editor's Draft, 28 February 2019) data
+ URLs should inherit their CSP policy from their parent (if they have one).
+
+ Test: http/tests/security/contentSecurityPolicy/subframe-with-data-url-inheritance.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::shouldInheritContentSecurityPolicyFromOwner const):
+
2019-05-28 Brent Fulgham <[email protected]>
Protect frames during style and layout changes
Modified: releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/Document.cpp (246993 => 246994)
--- releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/Document.cpp 2019-07-01 11:03:41 UTC (rev 246993)
+++ releases/WebKitGTK/webkit-2.24/Source/WebCore/dom/Document.cpp 2019-07-01 11:03:47 UTC (rev 246994)
@@ -6009,6 +6009,8 @@
ASSERT(m_frame);
if (SecurityPolicy::shouldInheritSecurityOriginFromOwner(m_url))
return true;
+ if (m_url.protocolIsData())
+ return true;
if (!isPluginDocument())
return false;
if (m_frame->tree().parent())
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
