Diff
Modified: trunk/LayoutTests/ChangeLog (285319 => 285320)
--- trunk/LayoutTests/ChangeLog 2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/LayoutTests/ChangeLog 2021-11-04 23:46:28 UTC (rev 285320)
@@ -1,3 +1,16 @@
+2021-11-04 Kate Cheney <[email protected]>
+
+ Form action with a redirect should report correct blocked URI
+ https://bugs.webkit.org/show_bug.cgi?id=232660
+ <rdar://problem/84969024>
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt:
+ Update console logging to report the correct URL.
+
2021-11-04 Lauro Moura <[email protected]>
[GLIB] Gardening some timeouts
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt (285319 => 285320)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt 2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt 2021-11-04 23:46:28 UTC (rev 285320)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/navigation/resources/form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/redirection-response.py?host=localhost:8000&status=302&target=form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
Tests that blocking form redirect works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt (0 => 285320)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt 2021-11-04 23:46:28 UTC (rev 285320)
@@ -0,0 +1,7 @@
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/redirection-response.py?host=localhost:8000&status=302&target=form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
+
+Tests that blocking form redirect reports the correct blockedURI.
+
+blockedURI = http://127.0.0.1:8000/navigation/resources/redirection-response.py?host=localhost:8000&status=302&target=form-target.pl
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html (0 => 285320)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html 2021-11-04 23:46:28 UTC (rev 285320)
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="form-action 127.0.0.1:8000">
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+ window.addEventListener('load', function() {
+ setTimeout(function() {
+ document.getElementById('submit').click();
+ }, 0);
+ });
+
+ window.addEventListener('securitypolicyviolation', e => {
+ document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+ testRunner.notifyDone();
+ });
+
+</script>
+</head>
+<body>
+ <form id="form1" action="" method="post">
+ <input type='text' name='fieldname' value='fieldvalue'>
+ <input type='submit' id='submit' value='submit'>
+ </form>
+
+ <p>
+ Tests that blocking form redirect reports the correct blockedURI.
+ </p>
+</body>
+</html>
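Review bot: The `securitypolicyviolation` handler writes `e.blockedURI` into the page with `document.body.innerHTML +=`, so the reported URL is parsed as markup (the `&status` and `&target` in its query string go through entity parsing) and the whole body is re-serialised on each event. Appending it as text, e.g. `document.body.append('blockedURI = ' + e.blockedURI);`, keeps the dumped value exactly what the event carried, though the expected file would need regenerating. The same handler calls `testRunner.notifyDone()` without the `window.testRunner` guard used at the top of the script; `if (window.testRunner) testRunner.notifyDone();` would match it and let the test be opened by hand. The form is shown here with `action=""`, which does not match the redirector URL in the expected output, so the attribute may have been lost in this rendering and is worth checking against the committed file.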
Modified: trunk/Source/WebCore/ChangeLog (285319 => 285320)
--- trunk/Source/WebCore/ChangeLog 2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/ChangeLog 2021-11-04 23:46:28 UTC (rev 285320)
@@ -1,3 +1,26 @@
+2021-11-04 Kate Cheney <[email protected]>
+
+ Form action with a redirect should report correct blocked URI
+ https://bugs.webkit.org/show_bug.cgi?id=232660
+ <rdar://problem/84969024>
+
+ Reviewed by Brent Fulgham.
+
+ We currently report the blocked URI as the target of a redirect, per
+ the spec it should actually be the initiating url.
+
+ Test: http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html
+
+ * loader/DocumentLoader.cpp:
+ (WebCore::DocumentLoader::willSendRequest):
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::checkIfFormActionAllowedByCSP const):
+ * loader/FrameLoader.h:
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowResourceFromSource const):
+ (WebCore::ContentSecurityPolicy::allowFormAction const):
+ * page/csp/ContentSecurityPolicy.h:
+
2021-11-04 Myles C. Maxfield <[email protected]>
[Cocoa] Migrate from CTFontCopyVariationAxes() to CTFontCopyVariationAxesInternal() if possible
Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (285319 => 285320)
--- trunk/Source/WebCore/loader/DocumentLoader.cpp 2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp 2021-11-04 23:46:28 UTC (rev 285320)
@@ -639,7 +639,7 @@
reportingEndpointsCache->addEndpointsFromResponse(redirectResponse);
}
- if (!frameLoader()->checkIfFormActionAllowedByCSP(newRequest.url(), didReceiveRedirectResponse)) {
+ if (!frameLoader()->checkIfFormActionAllowedByCSP(newRequest.url(), didReceiveRedirectResponse, redirectResponse.url())) {
DOCUMENTLOADER_RELEASE_LOG("willSendRequest: canceling - form action not allowed by CSP");
cancelMainResourceLoad(frameLoader()->cancelledError(newRequest));
return completionHandler(WTFMove(newRequest));
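Review bot: The new third argument `redirectResponse.url()` is presumably the URL of the response that issued this particular redirect, so for a chain of redirects it would be the previous hop rather than the URL the form was originally submitted to. The ChangeLog says the report should carry the initiating URL, and the reason CSP wants that is so the page cannot learn redirect targets it could not otherwise see; with two or more hops an intermediate, possibly cross-origin, URL could still end up in `blockedURI` and the console message. Consider passing the original submission URL instead (`FrameLoader` holds `m_submittedFormURL`, which may be the value wanted) and adding a layout test with a two-hop redirect. A comment above the call such as `// Report the pre-redirect URL so CSP violations do not expose redirect targets.` would record why the argument exists; the body of `willSendRequest` starts and ends outside this hunk.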
Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (285319 => 285320)
--- trunk/Source/WebCore/loader/FrameLoader.cpp 2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2021-11-04 23:46:28 UTC (rev 285320)
@@ -1021,13 +1021,13 @@
return m_frame.document()->securityOrigin().toString();
}
-bool FrameLoader::checkIfFormActionAllowedByCSP(const URL& url, bool didReceiveRedirectResponse) const
+bool FrameLoader::checkIfFormActionAllowedByCSP(const URL& url, bool didReceiveRedirectResponse, const URL& preRedirectURL) const
{
if (m_submittedFormURL.isEmpty())
return true;
auto redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
- return m_frame.document()->contentSecurityPolicy()->allowFormAction(url, redirectResponseReceived);
+ return m_frame.document()->contentSecurityPolicy()->allowFormAction(url, redirectResponseReceived, preRedirectURL);
}
void FrameLoader::setOpener(Frame* opener)
Modified: trunk/Source/WebCore/loader/FrameLoader.h (285319 => 285320)
--- trunk/Source/WebCore/loader/FrameLoader.h 2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/loader/FrameLoader.h 2021-11-04 23:46:28 UTC (rev 285320)
@@ -241,7 +241,7 @@
void forceSandboxFlags(SandboxFlags flags) { m_forcedSandboxFlags |= flags; }
WEBCORE_EXPORT SandboxFlags effectiveSandboxFlags() const;
- bool checkIfFormActionAllowedByCSP(const URL&, bool didReceiveRedirectResponse) const;
+ bool checkIfFormActionAllowedByCSP(const URL&, bool didReceiveRedirectResponse, const URL& preRedirectURL) const;
WEBCORE_EXPORT Frame* opener();
WEBCORE_EXPORT const Frame* opener() const;
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (285319 => 285320)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2021-11-04 23:46:28 UTC (rev 285320)
@@ -620,15 +620,16 @@
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
-bool ContentSecurityPolicy::allowResourceFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const char* name, ResourcePredicate resourcePredicate) const
+bool ContentSecurityPolicy::allowResourceFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const char* name, ResourcePredicate resourcePredicate, const URL& preRedirectURL) const
{
if (LegacySchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol().toStringWithoutCopying()))
return true;
String sourceURL;
+ const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- String consoleMessage = consoleMessageForViolation(name, violatedDirective, url, "Refused to load");
- reportViolation(name, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
+ String consoleMessage = consoleMessageForViolation(name, violatedDirective, blockedURL, "Refused to load");
+ reportViolation(name, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, sourcePosition);
};
return allPoliciesAllow(WTFMove(handleViolatedDirective), resourcePredicate, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
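Review bot: The fallback `!preRedirectURL.isNull() ? preRedirectURL : url` only covers a null URL, so a non-null but empty or invalid `preRedirectURL` would be reported as the blocked URI while the policy decision is still made on `url`. Checking validity instead, `const auto& blockedURL = preRedirectURL.isValid() ? preRedirectURL : url;`, avoids that and drops the double negative. The split between the URL that is enforced (`url`, passed to `allPoliciesAllow`) and the URL that is reported (`blockedURL`) also deserves a comment at the declaration, for example `// Enforce against url, but report the pre-redirect URL so the redirect target is not exposed to the page.`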
@@ -686,9 +687,9 @@
return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
}
-bool ContentSecurityPolicy::allowFormAction(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowFormAction(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
{
- return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::formAction, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction);
+ return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::formAction, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction, preRedirectURL);
}
bool ContentSecurityPolicy::allowBaseURI(const URL& url, bool overrideContentSecurityPolicy) const
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (285319 => 285320)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2021-11-04 23:46:28 UTC (rev 285320)
@@ -121,7 +121,7 @@
bool allowChildFrameFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
WEBCORE_EXPORT bool allowChildContextFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
WEBCORE_EXPORT bool allowConnectToSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& requestedURL = URL()) const;
- bool allowFormAction(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+ bool allowFormAction(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
bool allowObjectFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false) const;
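Review bot: `allowConnectToSource` on the line above already takes a trailing `const URL& requestedURL = URL()`, and the new `preRedirectURL` parameter on `allowFormAction` (and on `allowResourceFromSource` in the second hunk of this file) appears to play the same role under a different name. Using one name for both, or a short comment on the declarations such as `// preRedirectURL: URL to report in violations when the check runs after a redirect; a null URL means report the checked URL.`, would make the contract visible in the header. Because the parameter is defaulted, any other caller that checks after a redirect keeps compiling without it and keeps reporting the redirect target, so the remaining `RedirectResponseReceived::Yes` call sites are worth auditing.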
@@ -213,7 +213,7 @@
bool shouldPerformEarlyCSPCheck() const;
using ResourcePredicate = const ContentSecurityPolicyDirective *(ContentSecurityPolicyDirectiveList::*)(const URL &, bool) const;
- bool allowResourceFromSource(const URL&, RedirectResponseReceived, const char*, ResourcePredicate) const;
+ bool allowResourceFromSource(const URL&, RedirectResponseReceived, const char*, ResourcePredicate, const URL& preRedirectURL = URL()) const;
using HashInEnforcedAndReportOnlyPoliciesPair = std::pair<bool, bool>;
template<typename Predicate> HashInEnforcedAndReportOnlyPoliciesPair findHashOfContentInPolicies(const Predicate&, StringView content, OptionSet<ContentSecurityPolicyHashAlgorithm>) const WARN_UNUSED_RETURN;