Diff
Modified: branches/safari-611.4.2.0-branch/LayoutTests/ChangeLog (283384 => 283385)
--- branches/safari-611.4.2.0-branch/LayoutTests/ChangeLog 2021-10-01 18:18:05 UTC (rev 283384)
+++ branches/safari-611.4.2.0-branch/LayoutTests/ChangeLog 2021-10-01 18:31:47 UTC (rev 283385)
@@ -1,3 +1,76 @@
+2021-10-01 Russell Epstein <[email protected]>
+
+ Cherry-pick r281431. rdar://problem/81175635
+
+ Report correct blocked URI in CSP violation report
+ https://bugs.webkit.org/show_bug.cgi?id=226316
+ <rdar://problem/78552912>
+
+ Reviewed by Alex Christensen.
+
+ Source/WebCore:
+
+ Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html
+ http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html
+
+ Currently for a blocked redirection we report the blocked URI as the
+ target URL. This is not up to spec and we should actually report the
+ requested URL.
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::redirectReceived):
+ (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+ * loader/DocumentThreadableLoader.h:
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowConnectToSource const):
+ (WebCore::ContentSecurityPolicy::reportViolation const):
+ * page/csp/ContentSecurityPolicy.h:
+
+ Source/WebKit:
+
+ Currently for a blocked redirection we report the blocked URI as the
+ target URL. This is not up to spec and we should actually report the
+ requested URL.
+
+ * NetworkProcess/NetworkLoadChecker.cpp:
+ (WebKit::NetworkLoadChecker::check):
+ (WebKit::NetworkLoadChecker::checkRedirection):
+ (WebKit::NetworkLoadChecker::checkRequest):
+ (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
+ * NetworkProcess/NetworkLoadChecker.h:
+
+ LayoutTests:
+
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ WebKitLegacy and Win have different console logging.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281431 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-08-22 Kate Cheney <[email protected]>
+
+ Report correct blocked URI in CSP violation report
+ https://bugs.webkit.org/show_bug.cgi?id=226316
+ <rdar://problem/78552912>
+
+ Reviewed by Alex Christensen.
+
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ WebKitLegacy and Win have different console logging.
+
2021-09-30 Russell Epstein <[email protected]>
Cherry-pick r281613. rdar://problem/83369963
Added: branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (0 => 283385)
--- branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (rev 0)
+++ branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-10-01 18:31:47 UTC (rev 283385)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py due to access control checks.
+PASS XMLHttpRequest.send() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Added: branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html (0 => 283385)
--- branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html (rev 0)
+++ branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html 2021-10-01 18:31:47 UTC (rev 283385)
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py">
+ <script src=""
+</head>
+<body>
+ <script>
+ window.jsTestIsAsync = true;
+
+ var haveReportedXhrError = false;
+ var haveReportedBlockedURI = false;
+
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ haveReportedBlockedURI = true;
+ if (haveReportedXhrError)
+ finishJSTest();
+ });
+
+ var xhr = new XMLHttpRequest;
+ try {
+ xhr.open("GET", "resources/redir.py?url="" true);
+ } catch(e) {
+ testFailed("XMLHttpRequest.open() should not throw an exception.");
+ }
+
+ xhr._onload_ = function () {
+ testFailed("XMLHttpRequest.send() should fail to follow the disallowed redirect.");
+ finishJSTest();
+ };
+
+ xhr._onerror_ = function () {
+ testPassed("XMLHttpRequest.send() did not follow the disallowed redirect.");
+ haveReportedXhrError = true;
+ if (haveReportedBlockedURI)
+ finishJSTest();
+ };
+
+ xhr.send();
+ </script>
+</script>
+<script src=""
+</body>
+</html>
Added: branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (0 => 283385)
--- branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (rev 0)
+++ branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-10-01 18:31:47 UTC (rev 283385)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: Fetch API cannot load http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py due to access control checks.
+PASS fetch was successfully blocked.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Added: branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html (0 => 283385)
--- branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html (rev 0)
+++ branches/safari-611.4.2.0-branch/LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html 2021-10-01 18:31:47 UTC (rev 283385)
@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py">
+ <script src=""
+
+</head>
+<body>
+ <script>
+ window.jsTestIsAsync = true;
+
+ var haveReportedFetchError = false;
+ var haveReportedBlockedURI = false;
+
+ // Expect the blocked URI to be the requested origin, not the redirect target.
+ document.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ haveReportedBlockedURI = true;
+ if (haveReportedFetchError)
+ finishJSTest();
+ });
+
+ var url = ""
+
+async function loadURL() {
+ try {
+ await fetch(url);
+ testFailed("fetch should not have succeeded.");
+ } catch (e) {
+ haveReportedFetchError = true;
+ testPassed("fetch was successfully blocked.");
+ if (haveReportedBlockedURI)
+ finishJSTest();
+ }
+}
+loadURL();
+ </script>
+</script>
+<script src=""
+</body>
+</html>
Added: branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (0 => 283385)
--- branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (rev 0)
+++ branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-10-01 18:31:47 UTC (rev 283385)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
+PASS XMLHttpRequest.send() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Added: branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (0 => 283385)
--- branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (rev 0)
+++ branches/safari-611.4.2.0-branch/LayoutTests/platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-10-01 18:31:47 UTC (rev 283385)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
+PASS fetch was successfully blocked.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Added: branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (0 => 283385)
--- branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt (rev 0)
+++ branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt 2021-10-01 18:31:47 UTC (rev 283385)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
+PASS XMLHttpRequest.send() did not follow the disallowed redirect.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Added: branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (0 => 283385)
--- branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt (rev 0)
+++ branches/safari-611.4.2.0-branch/LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt 2021-10-01 18:31:47 UTC (rev 283385)
@@ -0,0 +1,10 @@
+CONSOLE MESSAGE: Refused to connect to http://localhost:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.py because it does not appear in the connect-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Blocked by Content Security Policy.
+CONSOLE MESSAGE: Fetch API cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" due to access control checks.
+PASS fetch was successfully blocked.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+blockedURI = http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url=""
+
+
Modified: branches/safari-611.4.2.0-branch/Source/WebCore/ChangeLog (283384 => 283385)
--- branches/safari-611.4.2.0-branch/Source/WebCore/ChangeLog 2021-10-01 18:18:05 UTC (rev 283384)
+++ branches/safari-611.4.2.0-branch/Source/WebCore/ChangeLog 2021-10-01 18:31:47 UTC (rev 283385)
@@ -1,3 +1,82 @@
+2021-10-01 Russell Epstein <[email protected]>
+
+ Cherry-pick r281431. rdar://problem/81175635
+
+ Report correct blocked URI in CSP violation report
+ https://bugs.webkit.org/show_bug.cgi?id=226316
+ <rdar://problem/78552912>
+
+ Reviewed by Alex Christensen.
+
+ Source/WebCore:
+
+ Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html
+ http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html
+
+ Currently for a blocked redirection we report the blocked URI as the
+ target URL. This is not up to spec and we should actually report the
+ requested URL.
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::redirectReceived):
+ (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+ * loader/DocumentThreadableLoader.h:
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowConnectToSource const):
+ (WebCore::ContentSecurityPolicy::reportViolation const):
+ * page/csp/ContentSecurityPolicy.h:
+
+ Source/WebKit:
+
+ Currently for a blocked redirection we report the blocked URI as the
+ target URL. This is not up to spec and we should actually report the
+ requested URL.
+
+ * NetworkProcess/NetworkLoadChecker.cpp:
+ (WebKit::NetworkLoadChecker::check):
+ (WebKit::NetworkLoadChecker::checkRedirection):
+ (WebKit::NetworkLoadChecker::checkRequest):
+ (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
+ * NetworkProcess/NetworkLoadChecker.h:
+
+ LayoutTests:
+
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ WebKitLegacy and Win have different console logging.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281431 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-08-22 Kate Cheney <[email protected]>
+
+ Report correct blocked URI in CSP violation report
+ https://bugs.webkit.org/show_bug.cgi?id=226316
+ <rdar://problem/78552912>
+
+ Reviewed by Alex Christensen.
+
+ Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html
+ http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html
+
+ Currently for a blocked redirection we report the blocked URI as the
+ target URL. This is not up to spec and we should actually report the
+ requested URL.
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::redirectReceived):
+ (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+ * loader/DocumentThreadableLoader.h:
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowConnectToSource const):
+ (WebCore::ContentSecurityPolicy::reportViolation const):
+ * page/csp/ContentSecurityPolicy.h:
+
2021-09-30 Russell Epstein <[email protected]>
Cherry-pick r281613. rdar://problem/83369963
Modified: branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp (283384 => 283385)
--- branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp 2021-10-01 18:18:05 UTC (rev 283384)
+++ branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp 2021-10-01 18:31:47 UTC (rev 283385)
@@ -325,7 +325,7 @@
return;
}
- if (!isAllowedByContentSecurityPolicy(request.url(), redirectResponse.isNull() ? ContentSecurityPolicy::RedirectResponseReceived::No : ContentSecurityPolicy::RedirectResponseReceived::Yes)) {
+ if (!isAllowedByContentSecurityPolicy(request.url(), redirectResponse.isNull() ? ContentSecurityPolicy::RedirectResponseReceived::No : ContentSecurityPolicy::RedirectResponseReceived::Yes, redirectResponse.url())) {
reportContentSecurityPolicyError(redirectResponse.url());
clearResource();
return completionHandler(WTFMove(request));
@@ -668,7 +668,7 @@
didFinishLoading(identifier);
}
-bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url, ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived)
+bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url, ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL)
{
switch (m_options.contentSecurityPolicyEnforcement) {
case ContentSecurityPolicyEnforcement::DoNotEnforce:
@@ -676,7 +676,7 @@
case ContentSecurityPolicyEnforcement::EnforceChildSrcDirective:
return contentSecurityPolicy().allowChildContextFromSource(url, redirectResponseReceived);
case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective:
- return contentSecurityPolicy().allowConnectToSource(url, redirectResponseReceived);
+ return contentSecurityPolicy().allowConnectToSource(url, redirectResponseReceived, preRedirectURL);
case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
return contentSecurityPolicy().allowScriptFromSource(url, redirectResponseReceived);
}
Modified: branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.h (283384 => 283385)
--- branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.h 2021-10-01 18:18:05 UTC (rev 283384)
+++ branches/safari-611.4.2.0-branch/Source/WebCore/loader/DocumentThreadableLoader.h 2021-10-01 18:31:47 UTC (rev 283385)
@@ -103,7 +103,7 @@
void loadRequest(ResourceRequest&&, SecurityCheckPolicy);
bool isAllowedRedirect(const URL&);
- bool isAllowedByContentSecurityPolicy(const URL&, ContentSecurityPolicy::RedirectResponseReceived);
+ bool isAllowedByContentSecurityPolicy(const URL&, ContentSecurityPolicy::RedirectResponseReceived, const URL& preRedirectURL = URL());
SecurityOrigin& securityOrigin() const;
const ContentSecurityPolicy& contentSecurityPolicy() const;
Modified: branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (283384 => 283385)
--- branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2021-10-01 18:18:05 UTC (rev 283384)
+++ branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2021-10-01 18:31:47 UTC (rev 283385)
@@ -618,7 +618,7 @@
return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::mediaSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia);
}
-bool ContentSecurityPolicy::allowConnectToSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowConnectToSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
{
if (LegacySchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol().toStringWithoutCopying()))
return true;
@@ -626,7 +626,7 @@
TextPosition sourcePosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, "Refused to connect to");
- reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition);
+ reportViolation(ContentSecurityPolicyDirectiveNames::connectSrc, violatedDirective, url, consoleMessage, sourceURL, sourcePosition, preRedirectURL);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
@@ -677,12 +677,12 @@
return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
}
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL, JSC::JSGlobalObject* state) const
{
- return reportViolation(effectiveViolatedDirective, violatedDirective.text(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state);
+ return reportViolation(effectiveViolatedDirective, violatedDirective.text(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state, preRedirectURL);
}
-void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state) const
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* state, const URL& preRedirectURL) const
{
logToConsole(consoleMessage, sourceURL, sourcePosition.m_line, sourcePosition.m_column, state);
@@ -717,7 +717,12 @@
}
ASSERT(m_client || is<Document>(m_scriptExecutionContext));
- String blockedURI = deprecatedURLForReporting(blockedURL);
+ String blockedURI;
+ if (preRedirectURL.isNull())
+ blockedURI = deprecatedURLForReporting(blockedURL);
+ else
+ blockedURI = deprecatedURLForReporting(preRedirectURL);
+
// FIXME: Is it policy to not use the status code for HTTPS, or is that a bug?
unsigned short httpStatusCode = m_selfSourceProtocol == "http" ? m_httpStatusCode : 0;
Modified: branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.h (283384 => 283385)
--- branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.h 2021-10-01 18:18:05 UTC (rev 283384)
+++ branches/safari-611.4.2.0-branch/Source/WebCore/page/csp/ContentSecurityPolicy.h 2021-10-01 18:31:47 UTC (rev 283385)
@@ -114,7 +114,7 @@
bool allowChildFrameFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
WEBCORE_EXPORT bool allowChildContextFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
- WEBCORE_EXPORT bool allowConnectToSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ WEBCORE_EXPORT bool allowConnectToSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& requestedURL = URL()) const;
bool allowFormAction(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
bool allowObjectFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
@@ -210,8 +210,8 @@
void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject*) const;
void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList&, const URL& blockedURL, const String& consoleMessage, JSC::JSGlobalObject* = nullptr) const;
- void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject* = nullptr) const;
- void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*) const;
+ void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, const URL& preRedirectURL = URL(), JSC::JSGlobalObject* = nullptr) const;
+ void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::JSGlobalObject*, const URL& preRedirectURL = URL()) const;
void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
// We can never have both a script execution context and a ContentSecurityPolicyClient.
Modified: branches/safari-611.4.2.0-branch/Source/WebKit/ChangeLog (283384 => 283385)
--- branches/safari-611.4.2.0-branch/Source/WebKit/ChangeLog 2021-10-01 18:18:05 UTC (rev 283384)
+++ branches/safari-611.4.2.0-branch/Source/WebKit/ChangeLog 2021-10-01 18:31:47 UTC (rev 283385)
@@ -1,3 +1,77 @@
+2021-10-01 Russell Epstein <[email protected]>
+
+ Cherry-pick r281431. rdar://problem/81175635
+
+ Report correct blocked URI in CSP violation report
+ https://bugs.webkit.org/show_bug.cgi?id=226316
+ <rdar://problem/78552912>
+
+ Reviewed by Alex Christensen.
+
+ Source/WebCore:
+
+ Tests: http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html
+ http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html
+
+ Currently for a blocked redirection we report the blocked URI as the
+ target URL. This is not up to spec and we should actually report the
+ requested URL.
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::redirectReceived):
+ (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+ * loader/DocumentThreadableLoader.h:
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowConnectToSource const):
+ (WebCore::ContentSecurityPolicy::reportViolation const):
+ * page/csp/ContentSecurityPolicy.h:
+
+ Source/WebKit:
+
+ Currently for a blocked redirection we report the blocked URI as the
+ target URL. This is not up to spec and we should actually report the
+ requested URL.
+
+ * NetworkProcess/NetworkLoadChecker.cpp:
+ (WebKit::NetworkLoadChecker::check):
+ (WebKit::NetworkLoadChecker::checkRedirection):
+ (WebKit::NetworkLoadChecker::checkRequest):
+ (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
+ * NetworkProcess/NetworkLoadChecker.h:
+
+ LayoutTests:
+
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect.html: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects.html: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ * platform/mac-wk1/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-blocked-redirect-expected.txt: Added.
+ * platform/win/http/tests/security/contentSecurityPolicy/report-blocked-uri-after-multiple-redirects-expected.txt: Added.
+ WebKitLegacy and Win have different console logging.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281431 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-08-22 Kate Cheney <[email protected]>
+
+ Report correct blocked URI in CSP violation report
+ https://bugs.webkit.org/show_bug.cgi?id=226316
+ <rdar://problem/78552912>
+
+ Reviewed by Alex Christensen.
+
+ Currently for a blocked redirection we report the blocked URI as the
+ target URL. This is not up to spec and we should actually report the
+ requested URL.
+
+ * NetworkProcess/NetworkLoadChecker.cpp:
+ (WebKit::NetworkLoadChecker::check):
+ (WebKit::NetworkLoadChecker::checkRedirection):
+ (WebKit::NetworkLoadChecker::checkRequest):
+ (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
+ * NetworkProcess/NetworkLoadChecker.h:
+
2021-08-10 Russell Epstein <[email protected]>
Apply patch. rdar://problem/79924198
Modified: branches/safari-611.4.2.0-branch/Source/WebKit/NetworkProcess/NetworkLoadChecker.h (283384 => 283385)
--- branches/safari-611.4.2.0-branch/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2021-10-01 18:18:05 UTC (rev 283384)
+++ branches/safari-611.4.2.0-branch/Source/WebKit/NetworkProcess/NetworkLoadChecker.h 2021-10-01 18:31:47 UTC (rev 283385)
@@ -103,9 +103,9 @@
bool isChecking() const { return !!m_corsPreflightChecker; }
bool isRedirected() const { return m_redirectCount; }
- void checkRequest(WebCore::ResourceRequest&&, WebCore::ContentSecurityPolicyClient*, ValidationHandler&&);
+ void checkRequest(WebCore::ResourceRequest&&, WebCore::ContentSecurityPolicyClient*, const URL&, ValidationHandler&&);
- bool isAllowedByContentSecurityPolicy(const WebCore::ResourceRequest&, WebCore::ContentSecurityPolicyClient*);
+ bool isAllowedByContentSecurityPolicy(const WebCore::ResourceRequest&, WebCore::ContentSecurityPolicyClient*, const URL& preRedirectURL = URL());
void continueCheckingRequest(WebCore::ResourceRequest&&, ValidationHandler&&);
void continueCheckingRequestOrDoSyntheticRedirect(WebCore::ResourceRequest&& originalRequest, WebCore::ResourceRequest&& currentRequest, ValidationHandler&&);
