Title: [290550] trunk
Revision
290550
Author
katherine_che...@apple.com
Date
2022-02-26 13:04:49 -0800 (Sat, 26 Feb 2022)

Log Message

Update CSP handling of _javascript_ URLs
https://bugs.webkit.org/show_bug.cgi?id=236351
<rdar://problem/88675827>

Reviewed by Brent Fulgham.

LayoutTests/imported/w3c:

* web-platform-tests/content-security-policy/navigation/to-_javascript_-parent-initiated-parent-csp-disallow-expected.txt:
* web-platform-tests/content-security-policy/navigation/to-_javascript_-url-script-src-expected.txt:

Source/WebCore:

* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::executeJavaScriptURL):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::continueLoadAfterNewWindowPolicy):
(WebCore::createWindow):
* loader/SubframeLoader.cpp:
(WebCore::FrameLoader::SubframeLoader::requestFrame):
* page/DOMWindow.cpp:
(WebCore::DOMWindow::setLocation):
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
* page/csp/ContentSecurityPolicy.h:

LayoutTests:

* TestExpectations:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt:
* http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-by-default-src-star-expected.txt:
* http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (290549 => 290550)


--- trunk/LayoutTests/ChangeLog	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/LayoutTests/ChangeLog	2022-02-26 21:04:49 UTC (rev 290550)
@@ -1,3 +1,16 @@
+2022-02-26  Kate Cheney  <katherine_che...@apple.com>
+
+        Update CSP handling of _javascript_ URLs
+        https://bugs.webkit.org/show_bug.cgi?id=236351
+        <rdar://problem/88675827>
+
+        Reviewed by Brent Fulgham.
+
+        * TestExpectations:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt:
+        * http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-by-default-src-star-expected.txt:
+        * http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt:
+
 2022-02-26  Alan Bujtas  <za...@apple.com>
 
         [RenderTreeBuilder] Clean up descendant floats when a block container becomes float

Modified: trunk/LayoutTests/TestExpectations (290549 => 290550)


--- trunk/LayoutTests/TestExpectations	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/LayoutTests/TestExpectations	2022-02-26 21:04:49 UTC (rev 290550)
@@ -928,7 +928,6 @@
 imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-header-allowed.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-blocked.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/prefetch-src/prefetch-allowed.html [ Skip ]
-imported/w3c/web-platform-tests/content-security-policy/navigation/to-_javascript_-url-script-src.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/navigate-to/spv-only-sent-to-initiator.sub.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-redirected-blocked.sub.html [ Skip ]
 imported/w3c/web-platform-tests/content-security-policy/navigate-to/meta-refresh-cross-origin-blocked.sub.html [ Skip ]

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt (290549 => 290550)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt	2022-02-26 21:04:49 UTC (rev 290550)
@@ -1,5 +1,5 @@
 CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
+CONSOLE MESSAGE: Refused to execute a script because its hash or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
 CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
-CONSOLE MESSAGE: Refused to execute a script because its hash or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 This test passes if it doesn't alert fail.
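Review bot: the only change in this hunk is the position of the 'Refused to execute a script' message, which now precedes the second 'options' warning instead of following the third; the same reordering appears in the two other expected files in this commit. That shift means the javascript: URL is now refused earlier, when the frame request is processed in the embedder, rather than when the script would have run, and since nothing else in the test output changed, the ChangeLog should state that this timing change is the intended effect.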

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-by-default-src-star-expected.txt (290549 => 290550)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-by-default-src-star-expected.txt	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-by-default-src-star-expected.txt	2022-02-26 21:04:49 UTC (rev 290550)
@@ -1,4 +1,4 @@
+CONSOLE MESSAGE: Refused to execute a script because its hash or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to load _javascript_:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to load _javascript_:alert('FAIL'); because it appears in neither the object-src directive nor the default-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because its hash or 'unsafe-inline' appears in neither the script-src directive nor the default-src directive of the Content Security Policy.
 

Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt (290549 => 290550)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt	2022-02-26 21:04:49 UTC (rev 290550)
@@ -1,5 +1,5 @@
 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: Refused to execute a script because its hash or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
 CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-CONSOLE MESSAGE: Refused to execute a script because its hash or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 

Modified: trunk/LayoutTests/imported/w3c/ChangeLog (290549 => 290550)


--- trunk/LayoutTests/imported/w3c/ChangeLog	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/LayoutTests/imported/w3c/ChangeLog	2022-02-26 21:04:49 UTC (rev 290550)
@@ -1,3 +1,14 @@
+2022-02-26  Kate Cheney  <katherine_che...@apple.com>
+
+        Update CSP handling of _javascript_ URLs
+        https://bugs.webkit.org/show_bug.cgi?id=236351
+        <rdar://problem/88675827>
+
+        Reviewed by Brent Fulgham.
+
+        * web-platform-tests/content-security-policy/navigation/to-_javascript_-parent-initiated-parent-csp-disallow-expected.txt:
+        * web-platform-tests/content-security-policy/navigation/to-_javascript_-url-script-src-expected.txt:
+
 2022-02-24  Oriol Brufau  <obru...@igalia.com>
 
         [css-cascade] Support 'revert' in @keyframes

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-_javascript_-parent-initiated-parent-csp-disallow-expected.txt (290549 => 290550)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-_javascript_-parent-initiated-parent-csp-disallow-expected.txt	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-_javascript_-parent-initiated-parent-csp-disallow-expected.txt	2022-02-26 21:04:49 UTC (rev 290550)
@@ -1,4 +1,4 @@
 
 
-FAIL Should not have executed the _javascript_ url assert_true: _javascript_ url executed expected true got false
+PASS Should not have executed the _javascript_ url
 

Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-_javascript_-url-script-src-expected.txt (290549 => 290550)


--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-_javascript_-url-script-src-expected.txt	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/navigation/to-_javascript_-url-script-src-expected.txt	2022-02-26 21:04:49 UTC (rev 290550)
@@ -1,12 +1,6 @@
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
 
+PASS <iframe src=''> blocked without 'unsafe-inline'.
+PASS <iframe> navigated to '_javascript_:' blocked without 'unsafe-inline'.
+PASS <iframe src=''> with 'unsafe-inline' navigated to '_javascript_:' blocked in this document
+PASS <iframe src=''> without 'unsafe-inline' navigated to '_javascript_:' blocked in this document.
 
-Harness Error (TIMEOUT), message = null
-
-TIMEOUT <iframe src=''> blocked without 'unsafe-inline'. Test timed out
-FAIL <iframe> navigated to '_javascript_:' blocked without 'unsafe-inline'. assert_unreached: The CSP event should be fired in the embedding document, not in the embedee. Reached unreachable code
-TIMEOUT <iframe src=''> with 'unsafe-inline' navigated to '_javascript_:' blocked in this document Test timed out
-FAIL <iframe src=''> without 'unsafe-inline' navigated to '_javascript_:' blocked in this document. assert_unreached: The CSP event should be fired in the embedding document, not in the embedee. Reached unreachable code
-
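Review bot: besides turning the four results from TIMEOUT/FAIL to PASS, this hunk drops the three 'Refused to execute a script' console messages from the expected output. Confirm that the refusal is intentionally no longer logged to the console (or is logged under a different message), rather than the report being lost, given that the new SubframeLoader.cpp path still calls allowJavaScriptURLs, which reports a violation on refusal.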

Modified: trunk/Source/WebCore/ChangeLog (290549 => 290550)


--- trunk/Source/WebCore/ChangeLog	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/Source/WebCore/ChangeLog	2022-02-26 21:04:49 UTC (rev 290550)
@@ -1,3 +1,24 @@
+2022-02-26  Kate Cheney  <katherine_che...@apple.com>
+
+        Update CSP handling of _javascript_ URLs
+        https://bugs.webkit.org/show_bug.cgi?id=236351
+        <rdar://problem/88675827>
+
+        Reviewed by Brent Fulgham.
+
+        * bindings/js/ScriptController.cpp:
+        (WebCore::ScriptController::executeJavaScriptURL):
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::continueLoadAfterNewWindowPolicy):
+        (WebCore::createWindow):
+        * loader/SubframeLoader.cpp:
+        (WebCore::FrameLoader::SubframeLoader::requestFrame):
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::setLocation):
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowJavaScriptURLs const):
+        * page/csp/ContentSecurityPolicy.h:
+
 2022-02-26  Alan Bujtas  <za...@apple.com>
 
         [RenderTreeBuilder] Clean up descendant floats when a block container becomes float
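Review bot: the ChangeLog entry lists the touched functions but gives no description of the behavioural change: that javascript: URLs loaded into a child frame are now checked against the embedder's CSP (in SubframeLoader::requestFrame and DOMWindow::setLocation), and that allowJavaScriptURLs now takes an Element* used for violation reporting in place of the removed overrideContentSecurityPolicy flag. WebKit ChangeLogs normally carry a short paragraph explaining the fix and why the test expectations changed; please add one.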

Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (290549 => 290550)


--- trunk/Source/WebCore/bindings/js/ScriptController.cpp	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp	2022-02-26 21:04:49 UTC (rev 290550)
@@ -794,7 +794,7 @@
     if (requesterSecurityOrigin && !requesterSecurityOrigin->isSameOriginDomain(m_frame.document()->securityOrigin()))
         return;
 
-    if (!m_frame.page() || !m_frame.document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame.document()->url().string(), eventHandlerPosition().m_line, url.string()))
+    if (!m_frame.page() || !m_frame.document()->contentSecurityPolicy()->allowJavaScriptURLs(m_frame.document()->url().string(), eventHandlerPosition().m_line, url.string(), nullptr))
         return;
 
     // We need to hold onto the Frame here because executing script can

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (290549 => 290550)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2022-02-26 21:04:49 UTC (rev 290550)
@@ -3564,7 +3564,7 @@
 
     Ref<Frame> frame(m_frame);
 
-    if (request.url().protocolIsJavaScript() && !frame->document()->contentSecurityPolicy()->allowJavaScriptURLs(frame->document()->url().string(), { }, request.url().string()))
+    if (request.url().protocolIsJavaScript() && !frame->document()->contentSecurityPolicy()->allowJavaScriptURLs(frame->document()->url().string(), { }, request.url().string(), nullptr))
         return;
 
     RefPtr<Frame> mainFrame = m_client->dispatchCreatePage(action, openerPolicy);
@@ -4104,7 +4104,7 @@
     created = false;
 
     // FIXME: Provide line number information with respect to the opener's document.
-    if (request.resourceRequest().url().protocolIsJavaScript() && !openerFrame.document()->contentSecurityPolicy()->allowJavaScriptURLs(openerFrame.document()->url().string(), { }, request.resourceRequest().url().string()))
+    if (request.resourceRequest().url().protocolIsJavaScript() && !openerFrame.document()->contentSecurityPolicy()->allowJavaScriptURLs(openerFrame.document()->url().string(), { }, request.resourceRequest().url().string(), nullptr))
         return nullptr;
 
     if (!request.frameName().isEmpty() && !isBlankTargetFrameName(request.frameName())) {

Modified: trunk/Source/WebCore/loader/SubframeLoader.cpp (290549 => 290550)


--- trunk/Source/WebCore/loader/SubframeLoader.cpp	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/Source/WebCore/loader/SubframeLoader.cpp	2022-02-26 21:04:49 UTC (rev 290550)
@@ -85,6 +85,10 @@
     if (shouldConvertInvalidURLsToBlank() && !url.isValid())
         url = ""
 
+    // Check the CSP of the embedder to determine if we allow execution of _javascript_: URLs via child frame navigation.
+    if (!scriptURL.isEmpty() && !ownerElement.document().contentSecurityPolicy()->allowJavaScriptURLs(aboutBlankURL().string(), { }, scriptURL.string(), &ownerElement))
+        scriptURL = URL();
+
     // If we will schedule a _javascript_ URL load, we need to delay the firing of the load event at least until we've run the _javascript_ in the URL.
     CompletionHandlerCallingScope stopDelayingLoadEvent;
     if (!scriptURL.isEmpty()) {
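Review bot: the new check passes aboutBlankURL().string() as contextURL and an empty OrdinalNumber as contextLine, so a violation report for a blocked child-frame javascript: URL will name about:blank as the offending document rather than the embedder; consider passing ownerElement.document().url().string() instead, since the policy being enforced is that document's. It is also worth saying in the comment that clearing scriptURL on refusal means the frame loads without running the URL and, apart from the violation report, no error is surfaced to the embedder.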

Modified: trunk/Source/WebCore/page/DOMWindow.cpp (290549 => 290550)


--- trunk/Source/WebCore/page/DOMWindow.cpp	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/Source/WebCore/page/DOMWindow.cpp	2022-02-26 21:04:49 UTC (rev 290550)
@@ -2419,6 +2419,10 @@
     if (isInsecureScriptAccess(activeWindow, completedURL.string()))
         return;
 
+    // Check the CSP of the embedder to determine if we allow execution of _javascript_: URLs via child frame navigation.
+    if (completedURL.protocolIsJavaScript() && frameElement() && !frameElement()->document().contentSecurityPolicy()->allowJavaScriptURLs(aboutBlankURL().string(), { }, completedURL.string(), frameElement()))
+        return;
+
     // We want a new history item if we are processing a user gesture.
     LockHistory lockHistory = (locking != LockHistoryBasedOnGestureState || !UserGestureIndicator::processingUserGesture()) ? LockHistory::Yes : LockHistory::No;
     LockBackForwardList lockBackForwardList = (locking != LockHistoryBasedOnGestureState) ? LockBackForwardList::Yes : LockBackForwardList::No;
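Review bot: this check is gated on frameElement() being non-null, so it only applies when the window being navigated has an owner element; confirm that frameElement() here is the unchecked owner-element accessor rather than the origin-restricted one exposed to script, otherwise a cross-origin embedder's policy would not be consulted. As in the SubframeLoader.cpp hunk, the contextURL passed is aboutBlankURL().string() rather than the embedder document's URL, which makes the resulting violation report less useful.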

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (290549 => 290550)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2022-02-26 21:04:49 UTC (rev 290550)
@@ -363,14 +363,12 @@
     return hashes;
 }
 
-bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const OrdinalNumber& contextLine, const String& source, bool overrideContentSecurityPolicy) const
+bool ContentSecurityPolicy::allowJavaScriptURLs(const String& contextURL, const OrdinalNumber& contextLine, const String& source, Element* element) const
 {
-    if (overrideContentSecurityPolicy)
-        return true;
     bool didNotifyInspector = false;
     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
         String consoleMessage = consoleMessageForViolation(violatedDirective, URL(), "Refused to execute a script", "its hash or 'unsafe-inline'");
-        reportViolation(violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()));
+        reportViolation(violatedDirective, "inline"_s, consoleMessage, contextURL, source, TextPosition(contextLine, OrdinalNumber()), URL(), nullptr, element);
         if (!didNotifyInspector && violatedDirective.directiveList().isReportOnly()) {
             reportBlockedScriptExecutionToInspector(violatedDirective.text());
             didNotifyInspector = true;

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (290549 => 290550)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h	2022-02-26 18:44:03 UTC (rev 290549)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h	2022-02-26 21:04:49 UTC (rev 290550)
@@ -98,7 +98,7 @@
     bool allowScriptWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
     bool allowStyleWithNonce(const String& nonce, bool overrideContentSecurityPolicy = false) const;
 
-    bool allowJavaScriptURLs(const String& contextURL, const OrdinalNumber& contextLine, const String& code, bool overrideContentSecurityPolicy = false) const;
+    bool allowJavaScriptURLs(const String& contextURL, const OrdinalNumber& contextLine, const String& code, Element*) const;
     bool allowInlineEventHandlers(const String& contextURL, const OrdinalNumber& contextLine, const String& code, Element*, bool overrideContentSecurityPolicy = false) const;
     bool allowInlineScript(const String& contextURL, const OrdinalNumber& contextLine, StringView scriptContent, Element&, const String& nonce, bool overrideContentSecurityPolicy = false) const;
     bool allowNonParserInsertedScripts(const URL& sourceURL, const URL& contextURL, const OrdinalNumber&, const String& nonce, const StringView&, ParserInserted) const;
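Review bot: the new Element* parameter of allowJavaScriptURLs is unnamed and, unlike allowInlineEventHandlers on the next line, has no default, so every caller must pass nullptr explicitly as the ScriptController.cpp and FrameLoader.cpp hunks do; naming it (for example `Element* element`) and adding a brief comment that it is the frame owner element in the embedder's document, used only for violation reporting, would make the intent clearer at the call sites.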