Diff
Modified: trunk/LayoutTests/ChangeLog (287755 => 287756)
--- trunk/LayoutTests/ChangeLog 2022-01-07 17:44:46 UTC (rev 287755)
+++ trunk/LayoutTests/ChangeLog 2022-01-07 18:04:56 UTC (rev 287756)
@@ -1,3 +1,14 @@
+2022-01-07 Kate Cheney <[email protected]>
+
+ Implement CSP strict-dynamic for module scripts
+ https://bugs.webkit.org/show_bug.cgi?id=234934
+ <rdar://problem/83728374>
+
+ Reviewed by Brent Fulgham.
+
+ * http/tests/security/contentSecurityPolicy/strict-dynamic-module-script-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/strict-dynamic-module-script.html: Added.
+
2022-01-07 Aditya Keerthi <[email protected]>
Checkboxes on PurpleAir map controls are much smaller in Safari than other browsers
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic-module-script-expected.txt (0 => 287756)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic-module-script-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic-module-script-expected.txt 2022-01-07 18:04:56 UTC (rev 287756)
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/strict-dynamic-module-script.html because it does not appear in the script-src directive of the Content Security Policy.
+
+PASS All the expected CSP violation reports have been fired.
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic-module-script.html (0 => 287756)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic-module-script.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/strict-dynamic-module-script.html 2022-01-07 18:04:56 UTC (rev 287756)
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="script-src 'strict-dynamic' 'unsafe-inline' 'nonce-dummy'">
+ <script src="" nonce='dummy'></script>
+ <script src="" nonce='dummy'></script>
+</head>
+<body>
+ <script nonce='dummy'>
+ async_test(function(t) {
+ window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
+ assert_equals(e.effectiveDirective, 'script-src-elem');
+ }));
+ }, 'All the expected CSP violation reports have been fired.');
+ </script>
+ <script nonce='wrong' type='module'>
+ assert_unreached('Inline script with an incorrect nonce should not be executed.');
+ </script>
+</body>
+</html>
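Review bot: The listener asserts only `e.effectiveDirective`, so nothing in this test pins the `contextLine` value that the same commit starts passing into the violation report. Adding `assert_equals(e.lineNumber, EXPECTED_LINE_PLACEHOLDER);` inside the `securitypolicyviolation` handler would cover it, with the placeholder replaced by the line of the blocked module script. The test also exercises only the rejected case. A second `type='module'` script carrying `nonce='dummy'` that records that it ran would confirm the new early check does not block modules the policy allows.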
Modified: trunk/Source/WebCore/ChangeLog (287755 => 287756)
--- trunk/Source/WebCore/ChangeLog 2022-01-07 17:44:46 UTC (rev 287755)
+++ trunk/Source/WebCore/ChangeLog 2022-01-07 18:04:56 UTC (rev 287756)
@@ -1,3 +1,24 @@
+2022-01-07 Kate Cheney <[email protected]>
+
+ Implement CSP strict-dynamic for module scripts
+ https://bugs.webkit.org/show_bug.cgi?id=234934
+ <rdar://problem/83728374>
+
+ Reviewed by Brent Fulgham.
+
+ Test: http/tests/security/contentSecurityPolicy/strict-dynamic-module-script.html
+
+ This also adds the contextLine value instead of using the default
+ OrdinalNumber::beforeFirst() value.
+
+ * dom/ScriptElement.cpp:
+ (WebCore::ScriptElement::requestClassicScript):
+ (WebCore::ScriptElement::requestModuleScript):
+ (WebCore::ScriptElement::executeClassicScript):
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowNonParserInsertedScripts const):
+ * page/csp/ContentSecurityPolicy.h:
+
2022-01-07 Aditya Keerthi <[email protected]>
Checkboxes on PurpleAir map controls are much smaller in Safari than other browsers
Modified: trunk/Source/WebCore/dom/ScriptElement.cpp (287755 => 287756)
--- trunk/Source/WebCore/dom/ScriptElement.cpp 2022-01-07 17:44:46 UTC (rev 287755)
+++ trunk/Source/WebCore/dom/ScriptElement.cpp 2022-01-07 18:04:56 UTC (rev 287756)
@@ -304,7 +304,7 @@
m_element.document().willLoadScriptElement(scriptURL);
const auto& contentSecurityPolicy = *m_element.document().contentSecurityPolicy();
- if (!contentSecurityPolicy.allowNonParserInsertedScripts(scriptURL, m_element.nonce(), String(), m_parserInserted))
+ if (!contentSecurityPolicy.allowNonParserInsertedScripts(scriptURL, m_startLineNumber, m_element.nonce(), String(), m_parserInserted))
return false;
if (script->load(m_element.document(), scriptURL)) {
@@ -376,6 +376,9 @@
ASSERT(m_element.document().contentSecurityPolicy());
const auto& contentSecurityPolicy = *m_element.document().contentSecurityPolicy();
+ if (!contentSecurityPolicy.allowNonParserInsertedScripts(m_element.document().url(), m_startLineNumber, m_element.nonce(), sourceCode.source(), m_parserInserted))
+ return false;
+
bool hasKnownNonce = contentSecurityPolicy.allowScriptWithNonce(nonce, m_element.isInUserAgentShadowTree());
if (!contentSecurityPolicy.allowInlineScript(m_element.document().url().string(), m_startLineNumber, sourceCode.source(), m_element, hasKnownNonce))
return false;
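Review bot: The added check reads the nonce through `m_element.nonce()`, while the statement right after it passes `nonce` to `allowScriptWithNonce`. If `nonce` is a local holding the same value (its declaration is above this hunk, so this is inferred), passing `nonce` here would keep both checks visibly tied to one value. A short comment would also help readers see why two CSP checks run back to back, for example `// Early strict-dynamic check; the nonce and inline-script checks below still apply.` The enclosing function starts and ends outside the hunk.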
@@ -397,7 +400,7 @@
if (!m_isExternalScript) {
ASSERT(m_element.document().contentSecurityPolicy());
const ContentSecurityPolicy& contentSecurityPolicy = *m_element.document().contentSecurityPolicy();
- if (!contentSecurityPolicy.allowNonParserInsertedScripts(m_element.document().url(), m_element.nonce(), sourceCode.source(), m_parserInserted))
+ if (!contentSecurityPolicy.allowNonParserInsertedScripts(m_element.document().url(), m_startLineNumber, m_element.nonce(), sourceCode.source(), m_parserInserted))
return;
bool hasKnownNonce = contentSecurityPolicy.allowScriptWithNonce(m_element.nonce(), m_element.isInUserAgentShadowTree());
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (287755 => 287756)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2022-01-07 17:44:46 UTC (rev 287755)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2022-01-07 18:04:56 UTC (rev 287756)
@@ -459,13 +459,13 @@
return false;
}
-bool ContentSecurityPolicy::allowNonParserInsertedScripts(const URL& url, const String& nonce, const StringView& scriptContent, ParserInserted parserInserted) const
+bool ContentSecurityPolicy::allowNonParserInsertedScripts(const URL& url, const OrdinalNumber& contextLine, const String& nonce, const StringView& scriptContent, ParserInserted parserInserted) const
{
if (!shouldPerformEarlyCSPCheck())
return true;
auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
- TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
+ TextPosition sourcePosition(contextLine, OrdinalNumber());
String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, url, "Refused to load");
reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrcElem, violatedDirective, url.string(), consoleMessage, String(), scriptContent, sourcePosition);
};
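Review bot: In `handleViolatedDirective` the report still passes `url.string()` and the "Refused to load" prefix, even though the inline callers in ScriptElement.cpp now pass the document URL together with non-empty `scriptContent`. The new expected output shows the effect: the console names the page's own URL as the refused resource, which makes an inline violation look like a blocked fetch when reports are triaged. At minimum I would add a comment by the lambda such as `// For inline scripts, url is the document URL, not a fetched resource.` Whether the message and blocked URL should differ when `scriptContent` is non-empty depends on `reportViolation`, which is not visible here. The function body continues past the end of the hunk.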
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (287755 => 287756)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2022-01-07 17:44:46 UTC (rev 287755)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2022-01-07 18:04:56 UTC (rev 287756)
@@ -101,7 +101,7 @@
bool allowJavaScriptURLs(const String& contextURL, const OrdinalNumber& contextLine, const String& code, bool overrideContentSecurityPolicy = false) const;
bool allowInlineEventHandlers(const String& contextURL, const OrdinalNumber& contextLine, const String& code, Element*, bool overrideContentSecurityPolicy = false) const;
bool allowInlineScript(const String& contextURL, const OrdinalNumber& contextLine, StringView scriptContent, Element&, bool overrideContentSecurityPolicy = false) const;
- bool allowNonParserInsertedScripts(const URL&, const String&, const StringView&, ParserInserted) const;
+ bool allowNonParserInsertedScripts(const URL&, const OrdinalNumber&, const String&, const StringView&, ParserInserted) const;
bool allowInlineStyle(const String& contextURL, const OrdinalNumber& contextLine, StringView styleContent, CheckUnsafeHashes, Element&, bool overrideContentSecurityPolicy = false) const;
bool allowEval(JSC::JSGlobalObject*, LogToConsole, StringView codeContent, bool overrideContentSecurityPolicy = false) const;