Title: [287791] branches/safari-612.4.9.1-branch
Revision: 287791
Author: [email protected]
Date: 2022-01-07 15:22:30 -0800 (Fri, 07 Jan 2022)

Log Message

Cherry-pick r286094. rdar://problem/87125111

    Report the initiating url instead of the redirected one
    https://bugs.webkit.org/show_bug.cgi?id=233037

    Patch by Carlos Garcia Campos <[email protected]> on 2021-11-20
    Reviewed by Brent Fulgham.

    LayoutTests/imported/w3c:

    * web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub-expected.txt:

    Source/WebCore:

    As per the spec, blockedURI should use the requested URL of original request instead of redirected location.

    * loader/DocumentThreadableLoader.cpp:
    (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
    * loader/SubresourceLoader.cpp:
    (WebCore::SubresourceLoader::willSendRequestInternal):
    * loader/cache/CachedResourceLoader.cpp:
    (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const):
    (WebCore::CachedResourceLoader::canRequestAfterRedirection const):
    (WebCore::CachedResourceLoader::updateRequestAfterRedirection):
    * loader/cache/CachedResourceLoader.h:
    * page/csp/ContentSecurityPolicy.cpp:
    (WebCore::ContentSecurityPolicy::allowChildContextFromSource const):
    (WebCore::ContentSecurityPolicy::allowScriptFromSource const):
    (WebCore::ContentSecurityPolicy::allowImageFromSource const):
    (WebCore::ContentSecurityPolicy::allowStyleFromSource const):
    (WebCore::ContentSecurityPolicy::allowFontFromSource const):
    (WebCore::ContentSecurityPolicy::allowManifestFromSource const):
    (WebCore::ContentSecurityPolicy::allowMediaFromSource const):
    * page/csp/ContentSecurityPolicy.h:

    Source/WebKit:

    Pass pre-redirect URL to allowChildContextFromSource() and allowScriptFromSource().

    * NetworkProcess/NetworkLoadChecker.cpp:
    (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):

    LayoutTests:

    * TestExpectations: Unskip imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html
    * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
    * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286094 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-612.4.9.1-branch/LayoutTests/ChangeLog (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/ChangeLog	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/ChangeLog	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,5 +1,90 @@
 2022-01-07  Russell Epstein  <[email protected]>
 
+        Cherry-pick r286094. rdar://problem/87125111
+
+    Report the initiating url instead of the redirected one
+    https://bugs.webkit.org/show_bug.cgi?id=233037
+    
+    Patch by Carlos Garcia Campos <[email protected]> on 2021-11-20
+    Reviewed by Brent Fulgham.
+    
+    LayoutTests/imported/w3c:
+    
+    * web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub-expected.txt:
+    
+    Source/WebCore:
+    
+    As per the spec, blockedURI should use the requested URL of original request instead of redirected location.
+    
+    * loader/DocumentThreadableLoader.cpp:
+    (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+    * loader/SubresourceLoader.cpp:
+    (WebCore::SubresourceLoader::willSendRequestInternal):
+    * loader/cache/CachedResourceLoader.cpp:
+    (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const):
+    (WebCore::CachedResourceLoader::canRequestAfterRedirection const):
+    (WebCore::CachedResourceLoader::updateRequestAfterRedirection):
+    * loader/cache/CachedResourceLoader.h:
+    * page/csp/ContentSecurityPolicy.cpp:
+    (WebCore::ContentSecurityPolicy::allowChildContextFromSource const):
+    (WebCore::ContentSecurityPolicy::allowScriptFromSource const):
+    (WebCore::ContentSecurityPolicy::allowImageFromSource const):
+    (WebCore::ContentSecurityPolicy::allowStyleFromSource const):
+    (WebCore::ContentSecurityPolicy::allowFontFromSource const):
+    (WebCore::ContentSecurityPolicy::allowManifestFromSource const):
+    (WebCore::ContentSecurityPolicy::allowMediaFromSource const):
+    * page/csp/ContentSecurityPolicy.h:
+    
+    Source/WebKit:
+    
+    Pass pre-redirect URL to allowChildContextFromSource() and allowScriptFromSource().
+    
+    * NetworkProcess/NetworkLoadChecker.cpp:
+    (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
+    
+    LayoutTests:
+    
+    * TestExpectations: Unskip imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html
+    * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt:
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286094 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-11-20  Carlos Garcia Campos  <[email protected]>
+
+            Report the initiating url instead of the redirected one
+            https://bugs.webkit.org/show_bug.cgi?id=233037
+
+            Reviewed by Brent Fulgham.
+
+            * TestExpectations: Unskip imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html
+            * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
+            * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt:
+
+2022-01-07  Russell Epstein  <[email protected]>
+
         Cherry-pick r287604. rdar://problem/85966622
 
     Protect frame from destruction in HTMLMediaElement::setupAndCallJS
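
Review bot: the cherry-pick entry added at the top of this hunk pastes the whole multi-directory commit message (the LayoutTests/imported/w3c, Source/WebCore and Source/WebKit sections) into LayoutTests/ChangeLog and then lists the same LayoutTests files a second time in the nested 2021-11-20 entry. The "Cherry-pick r286094" line is also indented eight spaces while the lines under it use four. Keeping only the nested original entry under the cherry-pick line would record the file list once and make the entry easier to scan.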

Modified: branches/safari-612.4.9.1-branch/LayoutTests/TestExpectations (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/TestExpectations	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/TestExpectations	2022-01-07 23:22:30 UTC (rev 287791)
@@ -504,7 +504,6 @@
 imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-blocked-by-default.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/reporting-api/report-to-directive-allowed-in-meta.https.sub.html [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/source-file-blob-scheme.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/source-file-data-scheme.html [ Skip ]
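
Review bot: the line removed in this hunk is script-src/script-src-strict_dynamic_double_policy_honor_source_expressions.sub.html, while securitypolicyviolation/img-src-redirect.sub.html [ Skip ] stays as unchanged context. The log message says this change unskips img-src-redirect.sub.html, so the cherry-pick appears to have dropped the wrong expectation: the test whose baseline is updated to PASS remains skipped on this branch, and an unrelated script-src test is enabled instead. Remove the img-src-redirect.sub.html line and restore the script-src one, or confirm that the script-src test is meant to run here.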

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js because it does not appear in the child-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" because it does not appear in the child-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Blocked by Content Security Policy.
 CONSOLE MESSAGE: Cannot load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js due to access control checks.
 This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.
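
Review bot: the two console lines in this baseline now disagree about which URL was blocked. The added "Refused to load" line names the pre-redirect redir.py URL on 127.0.0.1:8000, while the unchanged "Cannot load" line still names http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js, the redirect target. If the intent is to stop reporting the redirected location, the "Cannot load" message should be checked too; if the difference is deliberate, a sentence in the ChangeLog saying so would help.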

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/resources/balls-of-the-orient.aif because it does not appear in the media-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the media-src directive of the Content Security Policy.
 ALERT: PASS
 

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/resources/Ahem.woff because it does not appear in the font-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the font-src directive of the Content Security Policy.
 Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
 
 .

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/resources/abe.png because it does not appear in the img-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the img-src directive of the Content Security Policy.
 Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
 
 

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the script-src directive of the Content Security Policy.
 ALERT: PASS
 

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/blue.css because it does not appear in the style-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the style-src directive of the Content Security Policy.
 ALERT: PASS
 

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/ABCFont.svg because it does not appear in the font-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the font-src directive of the Content Security Policy.
 Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.
 
 

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/red-square.svg because it does not appear in the img-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the img-src directive of the Content Security Policy.
 Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
 
 

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt because it does not appear in the media-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the media-src directive of the Content Security Policy.
 ALERT: PASS
 

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/resources/test.mp4 because it does not appear in the media-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the media-src directive of the Content Security Policy.
 ALERT: PASS
 

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/script-set-value.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" because it does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Blocked by Content Security Policy.
 This tests that the Content Security Policy of the parent origin (this page) blocks a Web Worker from importing a script from a different origin, not listed in script-src, through a redirect.
 

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/script-set-value.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.py?url="" because it does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Blocked by Content Security Policy.
 This tests a Web Worker with Content Security Policy "script-src 'self'" blocks the import of a script from a different origin through a redirect.
 
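
Review bot: the added console line keeps the wording "because it does not appear in the script-src directive", but the URL it now prints is the redirector rather than the cross-origin script that the test description says is being blocked. With the policy given in the context line as script-src 'self', a reader of the console may conclude that the redir.py URL itself is disallowed. Consider wording that says the load was refused after a redirect, without printing the target.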

Modified: branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,2 +1,2 @@
-CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.xsl because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/resources/redirect.py?code=307&url="" because it does not appear in the script-src directive of the Content Security Policy.
 

Modified: branches/safari-612.4.9.1-branch/LayoutTests/imported/w3c/ChangeLog (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/imported/w3c/ChangeLog	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/imported/w3c/ChangeLog	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,3 +1,75 @@
+2022-01-07  Russell Epstein  <[email protected]>
+
+        Cherry-pick r286094. rdar://problem/87125111
+
+    Report the initiating url instead of the redirected one
+    https://bugs.webkit.org/show_bug.cgi?id=233037
+    
+    Patch by Carlos Garcia Campos <[email protected]> on 2021-11-20
+    Reviewed by Brent Fulgham.
+    
+    LayoutTests/imported/w3c:
+    
+    * web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub-expected.txt:
+    
+    Source/WebCore:
+    
+    As per the spec, blockedURI should use the requested URL of original request instead of redirected location.
+    
+    * loader/DocumentThreadableLoader.cpp:
+    (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+    * loader/SubresourceLoader.cpp:
+    (WebCore::SubresourceLoader::willSendRequestInternal):
+    * loader/cache/CachedResourceLoader.cpp:
+    (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const):
+    (WebCore::CachedResourceLoader::canRequestAfterRedirection const):
+    (WebCore::CachedResourceLoader::updateRequestAfterRedirection):
+    * loader/cache/CachedResourceLoader.h:
+    * page/csp/ContentSecurityPolicy.cpp:
+    (WebCore::ContentSecurityPolicy::allowChildContextFromSource const):
+    (WebCore::ContentSecurityPolicy::allowScriptFromSource const):
+    (WebCore::ContentSecurityPolicy::allowImageFromSource const):
+    (WebCore::ContentSecurityPolicy::allowStyleFromSource const):
+    (WebCore::ContentSecurityPolicy::allowFontFromSource const):
+    (WebCore::ContentSecurityPolicy::allowManifestFromSource const):
+    (WebCore::ContentSecurityPolicy::allowMediaFromSource const):
+    * page/csp/ContentSecurityPolicy.h:
+    
+    Source/WebKit:
+    
+    Pass pre-redirect URL to allowChildContextFromSource() and allowScriptFromSource().
+    
+    * NetworkProcess/NetworkLoadChecker.cpp:
+    (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
+    
+    LayoutTests:
+    
+    * TestExpectations: Unskip imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html
+    * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt:
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286094 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-11-20  Carlos Garcia Campos  <[email protected]>
+
+            Report the initiating url instead of the redirected one
+            https://bugs.webkit.org/show_bug.cgi?id=233037
+
+            Reviewed by Brent Fulgham.
+
+            * web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub-expected.txt:
+
 2022-01-05  Russell Epstein  <[email protected]>
 
         Cherry-pick r286940. rdar://problem/85388372

Modified: branches/safari-612.4.9.1-branch/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub-expected.txt (287790 => 287791)


--- branches/safari-612.4.9.1-branch/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub-expected.txt	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub-expected.txt	2022-01-07 23:22:30 UTC (rev 287791)
@@ -2,5 +2,5 @@
 
 Harness Error (TIMEOUT), message = null
 
-TIMEOUT The blocked URI in the security policy violation event should be the original URI before redirects. Test timed out
+PASS The blocked URI in the security policy violation event should be the original URI before redirects.
 
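
Review bot: the subtest result changes from TIMEOUT to PASS, but the unchanged context line "Harness Error (TIMEOUT), message = null" stays in the expected output, so this baseline still records the harness timing out. If the test now runs to completion, the harness line should be removed as well; if the harness really does still time out, that deserves a note in the ChangeLog, since the log message says the test is being unskipped.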

Modified: branches/safari-612.4.9.1-branch/Source/WebCore/ChangeLog (287790 => 287791)


--- branches/safari-612.4.9.1-branch/Source/WebCore/ChangeLog	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/Source/WebCore/ChangeLog	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,5 +1,96 @@
 2022-01-07  Russell Epstein  <[email protected]>
 
+        Cherry-pick r286094. rdar://problem/87125111
+
+    Report the initiating url instead of the redirected one
+    https://bugs.webkit.org/show_bug.cgi?id=233037
+    
+    Patch by Carlos Garcia Campos <[email protected]> on 2021-11-20
+    Reviewed by Brent Fulgham.
+    
+    LayoutTests/imported/w3c:
+    
+    * web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub-expected.txt:
+    
+    Source/WebCore:
+    
+    As per the spec, blockedURI should use the requested URL of original request instead of redirected location.
+    
+    * loader/DocumentThreadableLoader.cpp:
+    (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+    * loader/SubresourceLoader.cpp:
+    (WebCore::SubresourceLoader::willSendRequestInternal):
+    * loader/cache/CachedResourceLoader.cpp:
+    (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const):
+    (WebCore::CachedResourceLoader::canRequestAfterRedirection const):
+    (WebCore::CachedResourceLoader::updateRequestAfterRedirection):
+    * loader/cache/CachedResourceLoader.h:
+    * page/csp/ContentSecurityPolicy.cpp:
+    (WebCore::ContentSecurityPolicy::allowChildContextFromSource const):
+    (WebCore::ContentSecurityPolicy::allowScriptFromSource const):
+    (WebCore::ContentSecurityPolicy::allowImageFromSource const):
+    (WebCore::ContentSecurityPolicy::allowStyleFromSource const):
+    (WebCore::ContentSecurityPolicy::allowFontFromSource const):
+    (WebCore::ContentSecurityPolicy::allowManifestFromSource const):
+    (WebCore::ContentSecurityPolicy::allowMediaFromSource const):
+    * page/csp/ContentSecurityPolicy.h:
+    
+    Source/WebKit:
+    
+    Pass pre-redirect URL to allowChildContextFromSource() and allowScriptFromSource().
+    
+    * NetworkProcess/NetworkLoadChecker.cpp:
+    (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
+    
+    LayoutTests:
+    
+    * TestExpectations: Unskip imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html
+    * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt:
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286094 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-11-20  Carlos Garcia Campos  <[email protected]>
+
+            Report the initiating url instead of the redirected one
+            https://bugs.webkit.org/show_bug.cgi?id=233037
+
+            Reviewed by Brent Fulgham.
+
+            As per the spec, blockedURI should use the requested URL of original request instead of redirected location.
+
+            * loader/DocumentThreadableLoader.cpp:
+            (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+            * loader/SubresourceLoader.cpp:
+            (WebCore::SubresourceLoader::willSendRequestInternal):
+            * loader/cache/CachedResourceLoader.cpp:
+            (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const):
+            (WebCore::CachedResourceLoader::canRequestAfterRedirection const):
+            (WebCore::CachedResourceLoader::updateRequestAfterRedirection):
+            * loader/cache/CachedResourceLoader.h:
+            * page/csp/ContentSecurityPolicy.cpp:
+            (WebCore::ContentSecurityPolicy::allowChildContextFromSource const):
+            (WebCore::ContentSecurityPolicy::allowScriptFromSource const):
+            (WebCore::ContentSecurityPolicy::allowImageFromSource const):
+            (WebCore::ContentSecurityPolicy::allowStyleFromSource const):
+            (WebCore::ContentSecurityPolicy::allowFontFromSource const):
+            (WebCore::ContentSecurityPolicy::allowManifestFromSource const):
+            (WebCore::ContentSecurityPolicy::allowMediaFromSource const):
+            * page/csp/ContentSecurityPolicy.h:
+
+2022-01-07  Russell Epstein  <[email protected]>
+
         Cherry-pick r287604. rdar://problem/85966622
 
     Protect frame from destruction in HTMLMediaElement::setupAndCallJS

Modified: branches/safari-612.4.9.1-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp (287790 => 287791)


--- branches/safari-612.4.9.1-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/Source/WebCore/loader/DocumentThreadableLoader.cpp	2022-01-07 23:22:30 UTC (rev 287791)
@@ -691,11 +691,11 @@
     case ContentSecurityPolicyEnforcement::DoNotEnforce:
         return true;
     case ContentSecurityPolicyEnforcement::EnforceChildSrcDirective:
-        return contentSecurityPolicy().allowChildContextFromSource(url, redirectResponseReceived);
+        return contentSecurityPolicy().allowChildContextFromSource(url, redirectResponseReceived, preRedirectURL);
     case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective:
         return contentSecurityPolicy().allowConnectToSource(url, redirectResponseReceived, preRedirectURL);
     case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
-        return contentSecurityPolicy().allowScriptFromSource(url, redirectResponseReceived);
+        return contentSecurityPolicy().allowScriptFromSource(url, redirectResponseReceived, preRedirectURL);
     }
     ASSERT_NOT_REACHED();
     return false;

Modified: branches/safari-612.4.9.1-branch/Source/WebCore/loader/SubresourceLoader.cpp (287790 => 287791)


--- branches/safari-612.4.9.1-branch/Source/WebCore/loader/SubresourceLoader.cpp	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/Source/WebCore/loader/SubresourceLoader.cpp	2022-01-07 23:22:30 UTC (rev 287791)
@@ -277,7 +277,7 @@
                 m_frame->page()->diagnosticLoggingClient().logDiagnosticMessageWithResult(DiagnosticLoggingKeys::cachedResourceRevalidationKey(), emptyString(), DiagnosticLoggingResultFail, ShouldSample::Yes);
         }
 
-        if (!m_documentLoader->cachedResourceLoader().updateRequestAfterRedirection(m_resource->type(), newRequest, options())) {
+        if (!m_documentLoader->cachedResourceLoader().updateRequestAfterRedirection(m_resource->type(), newRequest, options(), redirectResponse.url())) {
             SUBRESOURCELOADER_RELEASE_LOG("willSendRequestInternal: resource load canceled because CachedResourceLoader::updateRequestAfterRedirection (really CachedResourceLoader::canRequestAfterRedirection) said no");
             cancel();
             return completionHandler(WTFMove(newRequest));
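Review bot: The new fourth argument at the updateRequestAfterRedirection() call is redirectResponse.url(), which is the URL of the hop that just answered, not necessarily the URL the document originally requested. For a chain A -> B -> C that is blocked at C, this would report B, while the log message says blockedURI should use the requested URL of the original request. If the original URL is what is wanted, pass the URL of the initial request instead, and either way add a test with two redirects to pin down which URL ends up in the report.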

Modified: branches/safari-612.4.9.1-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp (287790 => 287791)


--- branches/safari-612.4.9.1-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2022-01-07 23:22:30 UTC (rev 287791)
@@ -487,7 +487,7 @@
     return true;
 }
 
-bool CachedResourceLoader::allowedByContentSecurityPolicy(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived) const
+bool CachedResourceLoader::allowedByContentSecurityPolicy(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
     if (options.contentSecurityPolicyImposition == ContentSecurityPolicyImposition::SkipPolicyCheck)
         return true;
@@ -500,22 +500,22 @@
     case CachedResource::Type::XSLStyleSheet:
 #endif
     case CachedResource::Type::Script:
-        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, redirectResponseReceived))
+        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, redirectResponseReceived, preRedirectURL))
             return false;
         break;
     case CachedResource::Type::CSSStyleSheet:
-        if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, redirectResponseReceived))
+        if (!m_document->contentSecurityPolicy()->allowStyleFromSource(url, redirectResponseReceived, preRedirectURL))
             return false;
         break;
     case CachedResource::Type::SVGDocumentResource:
     case CachedResource::Type::Icon:
     case CachedResource::Type::ImageResource:
-        if (!m_document->contentSecurityPolicy()->allowImageFromSource(url, redirectResponseReceived))
+        if (!m_document->contentSecurityPolicy()->allowImageFromSource(url, redirectResponseReceived, preRedirectURL))
             return false;
         break;
     case CachedResource::Type::SVGFontResource:
     case CachedResource::Type::FontResource:
-        if (!m_document->contentSecurityPolicy()->allowFontFromSource(url, redirectResponseReceived))
+        if (!m_document->contentSecurityPolicy()->allowFontFromSource(url, redirectResponseReceived, preRedirectURL))
             return false;
         break;
     case CachedResource::Type::MediaResource:
@@ -522,7 +522,7 @@
 #if ENABLE(VIDEO)
     case CachedResource::Type::TextTrackResource:
 #endif
-        if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, redirectResponseReceived))
+        if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, redirectResponseReceived, preRedirectURL))
             return false;
         break;
     case CachedResource::Type::Beacon:
@@ -534,7 +534,7 @@
         return true;
 #if ENABLE(APPLICATION_MANIFEST)
     case CachedResource::Type::ApplicationManifest:
-        if (!m_document->contentSecurityPolicy()->allowManifestFromSource(url, redirectResponseReceived))
+        if (!m_document->contentSecurityPolicy()->allowManifestFromSource(url, redirectResponseReceived, preRedirectURL))
             return false;
         break;
 #endif
@@ -592,7 +592,7 @@
 }
 
 // FIXME: Should we find a way to know whether the redirection is for a preload request like we do for CachedResourceLoader::canRequest?
-bool CachedResourceLoader::canRequestAfterRedirection(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options) const
+bool CachedResourceLoader::canRequestAfterRedirection(CachedResource::Type type, const URL& url, const ResourceLoaderOptions& options, const URL& preRedirectURL) const
 {
     if (document() && !document()->securityOrigin().canDisplay(url)) {
         FrameLoader::reportLocalLoadFailed(frame(), url.stringCenterEllipsizedToLength());
@@ -610,7 +610,7 @@
         return false;
     }
 
-    if (!allowedByContentSecurityPolicy(type, url, options, ContentSecurityPolicy::RedirectResponseReceived::Yes)) {
+    if (!allowedByContentSecurityPolicy(type, url, options, ContentSecurityPolicy::RedirectResponseReceived::Yes, preRedirectURL)) {
         CACHEDRESOURCELOADER_RELEASE_LOG("canRequestAfterRedirection: URL was not allowed by content policy");
         return false;
     }
@@ -625,7 +625,7 @@
     return true;
 }
 
-bool CachedResourceLoader::updateRequestAfterRedirection(CachedResource::Type type, ResourceRequest& request, const ResourceLoaderOptions& options)
+bool CachedResourceLoader::updateRequestAfterRedirection(CachedResource::Type type, ResourceRequest& request, const ResourceLoaderOptions& options, const URL& preRedirectURL)
 {
     ASSERT(m_documentLoader);
     if (auto* document = m_documentLoader->cachedResourceLoader().document())
@@ -633,7 +633,7 @@
 
     // FIXME: We might want to align the checks done here with the ones done in CachedResourceLoader::requestResource, content extensions blocking in particular.
 
-    return canRequestAfterRedirection(type, request.url(), options);
+    return canRequestAfterRedirection(type, request.url(), options, preRedirectURL);
 }
 
 bool CachedResourceLoader::canRequestInContentDispositionAttachmentSandbox(CachedResource::Type type, const URL& url) const

Modified: branches/safari-612.4.9.1-branch/Source/WebCore/loader/cache/CachedResourceLoader.h (287790 => 287791)


--- branches/safari-612.4.9.1-branch/Source/WebCore/loader/cache/CachedResourceLoader.h	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/Source/WebCore/loader/cache/CachedResourceLoader.h	2022-01-07 23:22:30 UTC (rev 287791)
@@ -155,8 +155,8 @@
     void warnUnusedPreloads();
     void stopUnusedPreloadsTimer();
 
-    bool updateRequestAfterRedirection(CachedResource::Type, ResourceRequest&, const ResourceLoaderOptions&);
-    bool allowedByContentSecurityPolicy(CachedResource::Type, const URL&, const ResourceLoaderOptions&, ContentSecurityPolicy::RedirectResponseReceived) const;
+    bool updateRequestAfterRedirection(CachedResource::Type, ResourceRequest&, const ResourceLoaderOptions&, const URL& preRedirectURL);
+    bool allowedByContentSecurityPolicy(CachedResource::Type, const URL&, const ResourceLoaderOptions&, ContentSecurityPolicy::RedirectResponseReceived, const URL& preRedirectURL = URL()) const;
 
     static const ResourceLoaderOptions& defaultCachedResourceOptions();
 
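Review bot: allowedByContentSecurityPolicy() gets `const URL& preRedirectURL = URL()` as a default, while updateRequestAfterRedirection() in the same hunk takes the parameter as required. The default lets any existing caller that passes RedirectResponseReceived::Yes keep compiling with an empty URL, so a missed call site would go unnoticed at build time. Consider dropping the default, or asserting in the definition that preRedirectURL is not empty when redirectResponseReceived is Yes.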
@@ -196,7 +196,7 @@
     ImageLoading clientDefersImage(const URL&) const;
     void reloadImagesIfNotDeferred();
 
-    bool canRequestAfterRedirection(CachedResource::Type, const URL&, const ResourceLoaderOptions&) const;
+    bool canRequestAfterRedirection(CachedResource::Type, const URL&, const ResourceLoaderOptions&, const URL& preRedirectURL) const;
     bool canRequestInContentDispositionAttachmentSandbox(CachedResource::Type, const URL&) const;
 
     HashSet<String> m_validatedURLs;

Modified: branches/safari-612.4.9.1-branch/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (287790 => 287791)


--- branches/safari-612.4.9.1-branch/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2022-01-07 23:22:30 UTC (rev 287791)
@@ -575,41 +575,41 @@
     return allPoliciesAllow(WTFMove(handleViolatedDirective), resourcePredicate, url, redirectResponseReceived == RedirectResponseReceived::Yes);
 }
 
-bool ContentSecurityPolicy::allowChildContextFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowChildContextFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::childSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext);
+    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::childSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext, preRedirectURL);
 }
 
-bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::scriptSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForScript);
+    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::scriptSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForScript, preRedirectURL);
 }
 
-bool ContentSecurityPolicy::allowImageFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowImageFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::imgSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForImage);
+    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::imgSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForImage, preRedirectURL);
 }
 
-bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowStyleFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::styleSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle);
+    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::styleSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle, preRedirectURL);
 }
 
-bool ContentSecurityPolicy::allowFontFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowFontFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::fontSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFont);
+    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::fontSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFont, preRedirectURL);
 }
 
 #if ENABLE(APPLICATION_MANIFEST)
-bool ContentSecurityPolicy::allowManifestFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowManifestFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::manifestSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForManifest);
+    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::manifestSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForManifest, preRedirectURL);
 }
 #endif // ENABLE(APPLICATION_MANIFEST)
 
-bool ContentSecurityPolicy::allowMediaFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived) const
+bool ContentSecurityPolicy::allowMediaFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
 {
-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::mediaSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia);
+    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::mediaSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia, preRedirectURL);
 }
 
 bool ContentSecurityPolicy::allowConnectToSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
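Review bot: None of the seven wrappers changed here documents what preRedirectURL is for, and the context line at the top of the hunk still passes only `url` to allPoliciesAllow(), so from these lines it is not evident whether the new argument affects just the reported URL or source matching as well. A one-line comment on allowResourceFromSource() stating which it is, and what an empty preRedirectURL means for a load that was never redirected, would save the next reader a trip through the call chain.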

Modified: branches/safari-612.4.9.1-branch/Source/WebCore/page/csp/ContentSecurityPolicy.h (287790 => 287791)


--- branches/safari-612.4.9.1-branch/Source/WebCore/page/csp/ContentSecurityPolicy.h	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/Source/WebCore/page/csp/ContentSecurityPolicy.h	2022-01-07 23:22:30 UTC (rev 287791)
@@ -104,17 +104,17 @@
     WEBCORE_EXPORT bool overridesXFrameOptions() const;
 
     enum class RedirectResponseReceived { No, Yes };
-    WEBCORE_EXPORT bool allowScriptFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
-    bool allowImageFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
-    bool allowStyleFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
-    bool allowFontFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    WEBCORE_EXPORT bool allowScriptFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
+    bool allowImageFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
+    bool allowStyleFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
+    bool allowFontFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
 #if ENABLE(APPLICATION_MANIFEST)
-    bool allowManifestFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowManifestFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
 #endif
-    bool allowMediaFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowMediaFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
 
     bool allowChildFrameFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
-    WEBCORE_EXPORT bool allowChildContextFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    WEBCORE_EXPORT bool allowChildContextFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& requestedURL = URL()) const;
     WEBCORE_EXPORT bool allowConnectToSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& requestedURL = URL()) const;
     bool allowFormAction(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
 
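Review bot: allowChildFrameFromSource() is the one allow*FromSource() declaration in this block left without a pre-redirect URL parameter, so nothing here shows whether frame loads blocked after a redirect are meant to keep reporting the redirected URL. If that is deliberate, a short comment would help; if not, it should take the parameter like its neighbours. Separately, the new allowChildContextFromSource() parameter is named requestedURL here but preRedirectURL in the ContentSecurityPolicy.cpp definition and in the other six declarations changed in this hunk; one name throughout would be easier to follow.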

Modified: branches/safari-612.4.9.1-branch/Source/WebKit/ChangeLog (287790 => 287791)


--- branches/safari-612.4.9.1-branch/Source/WebKit/ChangeLog	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/Source/WebKit/ChangeLog	2022-01-07 23:22:30 UTC (rev 287791)
@@ -1,3 +1,78 @@
+2022-01-07  Russell Epstein  <[email protected]>
+
+        Cherry-pick r286094. rdar://problem/87125111
+
+    Report the initiating url instead of the redirected one
+    https://bugs.webkit.org/show_bug.cgi?id=233037
+    
+    Patch by Carlos Garcia Campos <[email protected]> on 2021-11-20
+    Reviewed by Brent Fulgham.
+    
+    LayoutTests/imported/w3c:
+    
+    * web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub-expected.txt:
+    
+    Source/WebCore:
+    
+    As per the spec, blockedURI should use the requested URL of original request instead of redirected location.
+    
+    * loader/DocumentThreadableLoader.cpp:
+    (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+    * loader/SubresourceLoader.cpp:
+    (WebCore::SubresourceLoader::willSendRequestInternal):
+    * loader/cache/CachedResourceLoader.cpp:
+    (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const):
+    (WebCore::CachedResourceLoader::canRequestAfterRedirection const):
+    (WebCore::CachedResourceLoader::updateRequestAfterRedirection):
+    * loader/cache/CachedResourceLoader.h:
+    * page/csp/ContentSecurityPolicy.cpp:
+    (WebCore::ContentSecurityPolicy::allowChildContextFromSource const):
+    (WebCore::ContentSecurityPolicy::allowScriptFromSource const):
+    (WebCore::ContentSecurityPolicy::allowImageFromSource const):
+    (WebCore::ContentSecurityPolicy::allowStyleFromSource const):
+    (WebCore::ContentSecurityPolicy::allowFontFromSource const):
+    (WebCore::ContentSecurityPolicy::allowManifestFromSource const):
+    (WebCore::ContentSecurityPolicy::allowMediaFromSource const):
+    * page/csp/ContentSecurityPolicy.h:
+    
+    Source/WebKit:
+    
+    Pass pre-redirect URL to allowChildContextFromSource() and allowScriptFromSource().
+    
+    * NetworkProcess/NetworkLoadChecker.cpp:
+    (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
+    
+    LayoutTests:
+    
+    * TestExpectations: Unskip imported/w3c/web-platform-tests/content-security-policy/securitypolicyviolation/img-src-redirect.sub.html
+    * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt:
+    * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt:
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286094 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-11-20  Carlos Garcia Campos  <[email protected]>
+
+            Report the initiating url instead of the redirected one
+            https://bugs.webkit.org/show_bug.cgi?id=233037
+
+            Reviewed by Brent Fulgham.
+
+            Pass pre-redirect URL to allowChildContextFromSource() and allowScriptFromSource().
+
+            * NetworkProcess/NetworkLoadChecker.cpp:
+            (WebKit::NetworkLoadChecker::isAllowedByContentSecurityPolicy):
+
 2022-01-06  Russell Epstein  <[email protected]>
 
         Cherry-pick r287651. rdar://problem/86338105

Modified: branches/safari-612.4.9.1-branch/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp (287790 => 287791)


--- branches/safari-612.4.9.1-branch/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp	2022-01-07 23:19:31 UTC (rev 287790)
+++ branches/safari-612.4.9.1-branch/Source/WebKit/NetworkProcess/NetworkLoadChecker.cpp	2022-01-07 23:22:30 UTC (rev 287791)
@@ -290,9 +290,9 @@
     case FetchOptions::Destination::Worker:
     case FetchOptions::Destination::Serviceworker:
     case FetchOptions::Destination::Sharedworker:
-        return contentSecurityPolicy->allowChildContextFromSource(request.url(), redirectResponseReceived);
+        return contentSecurityPolicy->allowChildContextFromSource(request.url(), redirectResponseReceived, preRedirectURL);
     case FetchOptions::Destination::Script:
-        if (request.requester() == ResourceRequest::Requester::ImportScripts && !contentSecurityPolicy->allowScriptFromSource(request.url(), redirectResponseReceived))
+        if (request.requester() == ResourceRequest::Requester::ImportScripts && !contentSecurityPolicy->allowScriptFromSource(request.url(), redirectResponseReceived, preRedirectURL))
             return false;
         // FIXME: Check CSP for non-importScripts() initiated loads.
         return true;