Title: [283057] branches/safari-612-branch
Revision: 283057
Author: [email protected]
Date: 2021-09-24 14:25:45 -0700 (Fri, 24 Sep 2021)

Log Message

Cherry-pick r282084. rdar://problem/83429618

    [wpt-improvement] Improve CSP support for window reuse
    https://bugs.webkit.org/show_bug.cgi?id=229882
    <rdar://78416553>

    Reviewed by Chris Dumez.

    LayoutTests/imported/w3c:

    Rebaseline a test that now passes.

    * web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt:

    Source/WebCore:

    If window.open is used to host content with a CSP sandbox header, we should always
    create a new window, rather than reusing the existing one, unless the header
    includes 'allow-same-site'.

    This improves our WPT score.

    Tested by: imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed.html

    * loader/DocumentLoader.cpp:
    (WebCore::DocumentLoader::responseReceived): Parse the HTTP headers earlier so we can
    make decisions based on their state.
    * loader/DocumentWriter.cpp:
    (WebCore::DocumentWriter::begin): Don't reuse the current window if 'allow-same-site'
    is not allowed.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282084 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-612-branch/LayoutTests/imported/w3c/ChangeLog (283056 => 283057)


--- branches/safari-612-branch/LayoutTests/imported/w3c/ChangeLog	2021-09-24 21:25:41 UTC (rev 283056)
+++ branches/safari-612-branch/LayoutTests/imported/w3c/ChangeLog	2021-09-24 21:25:45 UTC (rev 283057)
@@ -1,5 +1,52 @@
 2021-09-24  Russell Epstein  <[email protected]>
 
+        Cherry-pick r282084. rdar://problem/83429618
+
+    [wpt-improvement] Improve CSP support for window reuse
+    https://bugs.webkit.org/show_bug.cgi?id=229882
+    <rdar://78416553>
+    
+    Reviewed by Chris Dumez.
+    
+    LayoutTests/imported/w3c:
+    
+    Rebaseline a test that now passes.
+    
+    * web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt:
+    
+    Source/WebCore:
+    
+    If window.open is used to host content with a CSP sandbox header, we should always
+    create a new window, rather than reusing the existing one, unless the header
+    includes 'allow-same-site'.
+    
+    This improves our WPT score.
+    
+    Tested by: imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed.html
+    
+    * loader/DocumentLoader.cpp:
+    (WebCore::DocumentLoader::responseReceived): Parse the HTTP headers earlier so we can
+    make decisions based on their state.
+    * loader/DocumentWriter.cpp:
+    (WebCore::DocumentWriter::begin): Don't reuse the current window if 'allow-same-site'
+    is not allowed.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282084 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-09-07  Brent Fulgham  <[email protected]>
+
+            [wpt-improvement] Improve CSP support for window reuse
+            https://bugs.webkit.org/show_bug.cgi?id=229882
+            <rdar://78416553>
+
+            Reviewed by Chris Dumez.
+
+            Rebaseline a test that now passes.
+
+            * web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt:
+
+2021-09-24  Russell Epstein  <[email protected]>
+
         Cherry-pick r281941. rdar://problem/83429618
 
     [COOP] html/cross-origin-opener-policy/coop-navigate-same-origin-csp-sandbox.html WPT test is failing

Modified: branches/safari-612-branch/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt (283056 => 283057)


--- branches/safari-612-branch/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt	2021-09-24 21:25:41 UTC (rev 283056)
+++ branches/safari-612-branch/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt	2021-09-24 21:25:45 UTC (rev 283057)
@@ -1,3 +1,3 @@
 
-FAIL Window object should not be reused assert_equals: expected (undefined) undefined but got (string) "test"
+PASS Window object should not be reused
 
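Review bot: this rebaseline covers only the case where reuse must be refused ("Window object should not be reused"), and the commit lists window-reuse-sandboxed.html as its sole test. The new branch in DocumentWriter::begin also has a path that keeps reuse when the sandbox flags do not include SandboxOrigin; if no existing test exercises a sandbox header that still permits reuse, add one so a later change cannot silently turn the check into "never reuse when any CSP header is present".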

Modified: branches/safari-612-branch/Source/WebCore/ChangeLog (283056 => 283057)


--- branches/safari-612-branch/Source/WebCore/ChangeLog	2021-09-24 21:25:41 UTC (rev 283056)
+++ branches/safari-612-branch/Source/WebCore/ChangeLog	2021-09-24 21:25:45 UTC (rev 283057)
@@ -1,5 +1,63 @@
 2021-09-24  Russell Epstein  <[email protected]>
 
+        Cherry-pick r282084. rdar://problem/83429618
+
+    [wpt-improvement] Improve CSP support for window reuse
+    https://bugs.webkit.org/show_bug.cgi?id=229882
+    <rdar://78416553>
+    
+    Reviewed by Chris Dumez.
+    
+    LayoutTests/imported/w3c:
+    
+    Rebaseline a test that now passes.
+    
+    * web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed-expected.txt:
+    
+    Source/WebCore:
+    
+    If window.open is used to host content with a CSP sandbox header, we should always
+    create a new window, rather than reusing the existing one, unless the header
+    includes 'allow-same-site'.
+    
+    This improves our WPT score.
+    
+    Tested by: imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed.html
+    
+    * loader/DocumentLoader.cpp:
+    (WebCore::DocumentLoader::responseReceived): Parse the HTTP headers earlier so we can
+    make decisions based on their state.
+    * loader/DocumentWriter.cpp:
+    (WebCore::DocumentWriter::begin): Don't reuse the current window if 'allow-same-site'
+    is not allowed.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282084 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-09-07  Brent Fulgham  <[email protected]>
+
+            [wpt-improvement] Improve CSP support for window reuse
+            https://bugs.webkit.org/show_bug.cgi?id=229882
+            <rdar://78416553>
+
+            Reviewed by Chris Dumez.
+
+            If window.open is used to host content with a CSP sandbox header, we should always
+            create a new window, rather than reusing the existing one, unless the header
+            includes 'allow-same-site'.
+
+            This improves our WPT score.
+
+            Tested by: imported/w3c/web-platform-tests/content-security-policy/sandbox/window-reuse-sandboxed.html
+
+            * loader/DocumentLoader.cpp:
+            (WebCore::DocumentLoader::responseReceived): Parse the HTTP headers earlier so we can
+            make decisions based on their state.
+            * loader/DocumentWriter.cpp:
+            (WebCore::DocumentWriter::begin): Don't reuse the current window if 'allow-same-site'
+            is not allowed.
+
+2021-09-24  Russell Epstein  <[email protected]>
+
         Cherry-pick r281941. rdar://problem/83429618
 
     [COOP] html/cross-origin-opener-policy/coop-navigate-same-origin-csp-sandbox.html WPT test is failing
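Review bot: the description in this entry says the window may be reused when the header "includes 'allow-same-site'", and the DocumentWriter::begin bullet repeats that name, but the sandbox keyword is allow-same-origin and the code in this commit tests the SandboxOrigin flag. Please correct the keyword in both places (the same text is copied into the LayoutTests ChangeLog entry), since the ChangeLog is what people search when they audit this behaviour. The bullet "Don't reuse the current window if 'allow-same-site' is not allowed" would also read more clearly as "if the sandbox policy does not include allow-same-origin".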

Modified: branches/safari-612-branch/Source/WebCore/loader/DocumentLoader.cpp (283056 => 283057)


--- branches/safari-612-branch/Source/WebCore/loader/DocumentLoader.cpp	2021-09-24 21:25:41 UTC (rev 283056)
+++ branches/safari-612-branch/Source/WebCore/loader/DocumentLoader.cpp	2021-09-24 21:25:45 UTC (rev 283057)
@@ -919,6 +919,12 @@
 {
     ASSERT_UNUSED(resource, m_mainResource == &resource);
 
+    if (!response.httpHeaderField(HTTPHeaderName::ContentSecurityPolicy).isNull()) {
+        m_contentSecurityPolicy = makeUnique<ContentSecurityPolicy>(URL { response.url() }, nullptr);
+        m_contentSecurityPolicy->didReceiveHeaders(ContentSecurityPolicyResponseHeaders { response }, m_request.httpReferrer(), ContentSecurityPolicy::ReportParsingErrors::No);
+    } else
+        m_contentSecurityPolicy = nullptr;
+
 #if ENABLE(RESOURCE_LOAD_STATISTICS)
     // FIXME(218779): Remove this quirk once microsoft.com completes their login flow redesign.
     if (m_frame && m_frame->document()) {
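Review bot: the block added at the top of responseReceived builds the policy with a bare nullptr as the second constructor argument and with ReportParsingErrors::No, and carries no comment explaining either choice. A one- or two-line comment saying that this is an early parse used for load decisions (per the ChangeLog, "so we can make decisions based on their state"), what the nullptr stands for, and that error reporting is off deliberately would stop a later reader from treating m_contentSecurityPolicy as the document's enforced policy or from turning reporting on here. The else branch that resets the member to nullptr should stay, since it keeps a policy from an earlier response from being consulted for a later one.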

Modified: branches/safari-612-branch/Source/WebCore/loader/DocumentWriter.cpp (283056 => 283057)


--- branches/safari-612-branch/Source/WebCore/loader/DocumentWriter.cpp	2021-09-24 21:25:41 UTC (rev 283056)
+++ branches/safari-612-branch/Source/WebCore/loader/DocumentWriter.cpp	2021-09-24 21:25:45 UTC (rev 283057)
@@ -142,6 +142,12 @@
         && m_frame->document()->isSecureTransitionTo(url)
         && (m_frame->window() && !m_frame->window()->wasWrappedWithoutInitializedSecurityOrigin() && m_frame->window()->mayReuseForNavigation());
 
+    if (shouldReuseDefaultView) {
+        ASSERT(m_frame->loader().documentLoader());
+        if (auto* contentSecurityPolicy = m_frame->loader().documentLoader()->contentSecurityPolicy())
+            shouldReuseDefaultView = !(contentSecurityPolicy->sandboxFlags() & SandboxOrigin);
+    }
+
     // Temporarily extend the lifetime of the existing document so that FrameLoader::clear() doesn't destroy it as
     // we need to retain its ongoing set of upgraded requests in new navigation contexts per <http://www.w3.org/TR/upgrade-insecure-requests/>
     // and we may also need to inherit its Content Security Policy below.
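Review bot: the added ASSERT(m_frame->loader().documentLoader()) guards debug builds only, while the following line calls documentLoader()->contentSecurityPolicy() unconditionally, so a null loader in a release build is a null dereference on the navigation path. Either fold the null check into the condition (for example, take documentLoader() into a local and test it before asking for the policy) and decide explicitly whether a missing loader should mean "reuse" or "do not reuse", or state in a comment why the loader cannot be null at this point. A short comment on the polarity would also help: shouldReuseDefaultView is cleared when SandboxOrigin is set, that is, when the sandbox policy does not grant allow-same-origin.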