- Revision: 262870
- Author: [email protected]
- Date: 2020-06-10 16:11:41 -0700 (Wed, 10 Jun 2020)
Log Message
Improve CSP compliance under PSON
https://bugs.webkit.org/show_bug.cgi?id=212995
<rdar://problem/62996186>
Reviewed by Chris Dumez.
LayoutTests/imported/w3c:
Rebaseline an existing test, since CSP is now checked before any navigations performed by a form action.
* web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub-expected.txt:
Source/WebCore:
Tests: http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked.html
The form submission logic was only considering CSP if the form
action was a JavaScript URL. This is incorrect, as CSP might
apply to any URL.
This is also covered by the existing form-action CSP tests.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::submitForm): All URLs should be evaluated for
compliance with CSP.
LayoutTests:
Add a new test to confirm that CSP rules are honored for form-action operations during process swap.
This also rebaselines an existing test, since CSP is now checked before any navigations performed by
a form action.
* http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt: Rebaselined.
* http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt.
* http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (262869 => 262870)
--- trunk/LayoutTests/ChangeLog 2020-06-10 23:11:31 UTC (rev 262869)
+++ trunk/LayoutTests/ChangeLog 2020-06-10 23:11:41 UTC (rev 262870)
@@ -1,3 +1,19 @@
+2020-06-10 Brent Fulgham <[email protected]>
+
+ Improve CSP compliance under PSON
+ https://bugs.webkit.org/show_bug.cgi?id=212995
+ <rdar://problem/62996186>
+
+ Reviewed by Chris Dumez.
+
+ Add a new test to confirm that CSP rules are honored for form-action operations during process swap.
+ This also rebaselines an existing test, since CSP is now checked before any navigations performed by
+ a form action.
+
+ * http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt: Rebaselined.
+ * http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt.
+ * http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked.html: Added.
+
2020-06-10 Devin Rousso <[email protected]>
Web Inspector: XHR request with same URL as main resource will hide the main resource request
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt (262869 => 262870)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt 2020-06-10 23:11:31 UTC (rev 262869)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt 2020-06-10 23:11:41 UTC (rev 262870)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/form-target.pl?fieldname=fieldvalue because it does not appear in the form-action directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
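Review bot: The rebaselined console message drops the query string (?fieldname=fieldvalue), so for a blocked GET form the URL in the message is now the bare action rather than the URL that would have been requested. The ChangeLog only says the check now runs before any navigation; it should also state that the reported URL changes as a result, since anything matching on these console messages will see a different string.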
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked-expected.txt (from rev 262868, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked-expected.txt) (0 => 262870)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked-expected.txt 2020-06-10 23:11:41 UTC (rev 262870)
@@ -0,0 +1,7 @@
+CONSOLE MESSAGE: Refused to load http://localhost:8000/navigation/resources/form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
+
+Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
+
+============== Back Forward List ==============
+curr-> http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/form-action-src-self-blocked.html **nav target**
+===============================================
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked.html (0 => 262870)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked.html 2020-06-10 23:11:41 UTC (rev 262870)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="form-action 'self'">
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ testRunner.clearBackForwardList();
+ testRunner.dumpBackForwardList();
+ }
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ setTimeout(function () {
+ testRunner.notifyDone();
+ }, 0);
+ }, 0);
+ });
+</script>
+</head>
+<body>
+ <form action='' id='theform' method='post'>
+ <input type='text' name='fieldname' value='fieldvalue'>
+ <input type='submit' id='submit' value='submit'>
+ </form>
+
+ <p>Tests that blocking form actions works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.</p>
+</body>
+</html>
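Review bot: The form is declared with action='' while the policy is form-action 'self', and an empty action submits to the document's own URL, which 'self' allows; the expected output for this test instead names http://localhost:8000/navigation/resources/form-target.pl. As shown, the markup cannot produce that message, so the action should carry the cross-origin localhost URL the expectation refers to. Separately, the inner setTimeout calls testRunner.notifyDone() without the window.testRunner guard used at the top of the script, so the page throws when opened outside the test harness; wrap that call in the same guard.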
Modified: trunk/LayoutTests/imported/w3c/ChangeLog (262869 => 262870)
--- trunk/LayoutTests/imported/w3c/ChangeLog 2020-06-10 23:11:31 UTC (rev 262869)
+++ trunk/LayoutTests/imported/w3c/ChangeLog 2020-06-10 23:11:41 UTC (rev 262870)
@@ -1,3 +1,15 @@
+2020-06-10 Brent Fulgham <[email protected]>
+
+ Improve CSP compliance under PSON
+ https://bugs.webkit.org/show_bug.cgi?id=212995
+ <rdar://problem/62996186>
+
+ Reviewed by Chris Dumez.
+
+ Rebaseline an existing test, since CSP is now checked before any navigations performed by a form action.
+
+ * web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub-expected.txt:
+
2020-06-10 Ryan Haddad <[email protected]>
REGRESSION(r262809): [ macOS iOS ] imported/w3c/web-platform-tests/css/css-grid/grid-items/grid-items-minimum-height-orthogonal-001.html is a constant failure
Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub-expected.txt (262869 => 262870)
--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub-expected.txt 2020-06-10 23:11:31 UTC (rev 262869)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/form-action/form-action-src-blocked.sub-expected.txt 2020-06-10 23:11:41 UTC (rev 262870)
@@ -4,5 +4,4 @@
FAIL Expecting logs: ["violated-directive=form-action","TEST COMPLETE"] assert_unreached: Logging timeout, expected logs violated-directive=form-action not sent. Reached unreachable code
-FAIL form-action-src-blocked assert_unreached: FAIL Reached unreachable code
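Review bot: The baseline that remains after this change is still a FAIL: the "Logging timeout, expected logs violated-directive=form-action not sent" line stays as context, so the submission is now blocked but the test never observes the violation being reported. Confirm whether the early allowFormAction call in submitForm is expected to produce that report, and either fix it or note the remaining failure and a follow-up bug in the ChangeLog entry, which currently lists this file with no description.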
Modified: trunk/Source/WebCore/ChangeLog (262869 => 262870)
--- trunk/Source/WebCore/ChangeLog 2020-06-10 23:11:31 UTC (rev 262869)
+++ trunk/Source/WebCore/ChangeLog 2020-06-10 23:11:41 UTC (rev 262870)
@@ -1,3 +1,23 @@
+2020-06-10 Brent Fulgham <[email protected]>
+
+ Improve CSP compliance under PSON
+ https://bugs.webkit.org/show_bug.cgi?id=212995
+ <rdar://problem/62996186>
+
+ Reviewed by Chris Dumez.
+
+ Tests: http/tests/security/contentSecurityPolicy/1.1/form-action-src-self-blocked.html
+
+ The form submission logic was only considering CSP if the form
+ action was a _javascript_ URL. This is incorrect, as CSP might
+ apply to any URL.
+
+ This is also covered by the existing form-action CSP tests.
+
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::submitForm): All URLs should be evaluted for
+ compliance with CSP.
+
2020-06-10 Brian Burg <[email protected]>
WebDriver on non-iOS ports cannot perform ActionChain which has scrolling down to the element and click it
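Review bot: Typo in the submitForm entry: "evaluted" should be "evaluated". The entry would also be more useful if it said that the CSP check now happens before the JavaScript-URL branch and returns early for every scheme, since that ordering is what the rebaselined tests depend on.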
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (262869 => 262870)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2020-06-10 23:11:31 UTC (rev 262869)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2020-06-10 23:11:41 UTC (rev 262870)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2020 Apple Inc. All rights reserved.
* Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
* Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
* Copyright (C) 2008 Alp Toker <[email protected]>
@@ -468,9 +468,11 @@
return;
}
- if (submission->action().protocolIsJavaScript()) {
- if (!m_frame.document()->contentSecurityPolicy()->allowFormAction(URL(submission->action())))
- return;
+ URL formAction = submission->action();
+ if (!m_frame.document()->contentSecurityPolicy()->allowFormAction(formAction))
+ return;
+
+ if (formAction.protocolIsJavaScript()) {
m_isExecutingJavaScriptFormAction = true;
Ref<Frame> protect(m_frame);
m_frame.script().executeIfJavaScriptURL(submission->action(), nullptr, DoNotReplaceDocumentIfJavaScriptURL);
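Review bot: Inside the JavaScript branch, executeIfJavaScriptURL still takes submission->action() while the CSP check and the protocolIsJavaScript test use the new formAction local; pass formAction there too so the URL that was checked is visibly the URL that is executed. If the copy in "URL formAction = submission->action();" is deliberate (to keep the URL alive across script execution), a short comment saying so would help; otherwise a const reference avoids copying on every form submission. A one-line comment above the allowFormAction call noting that form-action applies to all schemes, not only javascript:, would also guard against the check being moved back inside the branch.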