Title: [290830] trunk
Revision
290830
Author
[email protected]
Date
2022-03-04 07:11:44 -0800 (Fri, 04 Mar 2022)

Log Message

CSP report does not get sent to the document in the case of a detached element
https://bugs.webkit.org/show_bug.cgi?id=237440
<rdar://problem/89081463>

Reviewed by Chris Dumez.

Source/WebCore:

Test: http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached.html

Only send a violation report to the element if it is connected. Check
right before dispatching in case the element gets detached after the
security policy violation has been created. If the element is not
connected in this case, we send the report to the document.

* dom/Element.cpp:
(WebCore::Element::enqueueSecurityPolicyViolationEvent):
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportViolation const):
Also sets the composed value on the violation event as per the spec.

LayoutTests:

* http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (290829 => 290830)


--- trunk/LayoutTests/ChangeLog	2022-03-04 13:22:09 UTC (rev 290829)
+++ trunk/LayoutTests/ChangeLog	2022-03-04 15:11:44 UTC (rev 290830)
@@ -1,3 +1,14 @@
+2022-03-04  Kate Cheney  <[email protected]>
+
+        CSP report does not get sent to the document in the case of a detached element
+        https://bugs.webkit.org/show_bug.cgi?id=237440
+        <rdar://problem/89081463>
+
+        Reviewed by Chris Dumez.
+
+        * http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached.html: Added.
+
 2022-03-04  Youenn Fablet  <[email protected]>
 
         webrtc/canvas-to-peer-connection.html is flakily failing a test assertion

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached-expected.txt (0 => 290830)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached-expected.txt	2022-03-04 15:11:44 UTC (rev 290830)
@@ -0,0 +1,11 @@
+CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+Tests that a detached element sends a CSP violation report to its document
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Successfully received violation event
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached.html (0 => 290830)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached.html	2022-03-04 15:11:44 UTC (rev 290830)
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-test' 'unsafe-eval'">
+    <script src=""
+</head>
+<body>
+    <script nonce="test">
+        jsTestIsAsync = true;
+
+        description("Tests that a detached element sends a CSP violation report to its document");
+
+        document.addEventListener('securitypolicyviolation', e => {
+            if (e.composed)
+                testPassed("Successfully received violation event");
+            else
+                testFailed("composed value not set on security policy violation");
+
+            finishJSTest();
+        });
+
+        let inlineScript = document.createElement("script");
+        inlineScript.append("alert(FAIL)");
+        (document.head || document.documentElement).appendChild(inlineScript);
+        inlineScript.remove();
+    </script>
+</body>
+</html>
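Review bot: The `securitypolicyviolation` listener only checks `e.composed`, so the test never asserts that the event was targeted at the document, which is the behaviour the change is about. Adding a check such as `e.target === document` would make that explicit instead of relying on the test timing out when no event arrives. Separately, `inlineScript.append("alert(FAIL)")` uses an unquoted `FAIL`: if the policy ever allowed the script to run, it would throw a ReferenceError rather than raise the alert, so `alert('FAIL')` would make an unexpected execution visible in the expected output.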

Modified: trunk/Source/WebCore/ChangeLog (290829 => 290830)


--- trunk/Source/WebCore/ChangeLog	2022-03-04 13:22:09 UTC (rev 290829)
+++ trunk/Source/WebCore/ChangeLog	2022-03-04 15:11:44 UTC (rev 290830)
@@ -1,3 +1,24 @@
+2022-03-04  Kate Cheney  <[email protected]>
+
+        CSP report does not get sent to the document in the case of a detached element
+        https://bugs.webkit.org/show_bug.cgi?id=237440
+        <rdar://problem/89081463>
+
+        Reviewed by Chris Dumez.
+
+        Test: http/tests/security/contentSecurityPolicy/report-violation-to-document-after-element-has-been-detached.html
+
+        Only send a violation report to the element if it is connected. Check
+        right before dispatching in case the element gets detached after the
+        security policy violation has been created. If the element is not
+        connected in this case, we send the report to the document.
+
+        * dom/Element.cpp:
+        (WebCore::Element::enqueueSecurityPolicyViolationEvent):
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reportViolation const):
+        Also sets the composed value on the violation event as per the spec.
+
 2022-03-04  Kimmo Kinnunen  <[email protected]>
 
         Iteration to search for least active WebGLRenderingContextBase could use min_element

Modified: trunk/Source/WebCore/dom/Element.cpp (290829 => 290830)


--- trunk/Source/WebCore/dom/Element.cpp	2022-03-04 13:22:09 UTC (rev 290829)
+++ trunk/Source/WebCore/dom/Element.cpp	2022-03-04 15:11:44 UTC (rev 290830)
@@ -3253,7 +3253,10 @@
 void Element::enqueueSecurityPolicyViolationEvent(SecurityPolicyViolationEventInit&& eventInit)
 {
     document().eventLoop().queueTask(TaskSource::DOMManipulation, [this, protectedThis = Ref { *this }, event = SecurityPolicyViolationEvent::create(eventNames().securitypolicyviolationEvent, WTFMove(eventInit), Event::IsTrusted::Yes)] {
-        dispatchEvent(event);
+        if (!isConnected())
+            document().dispatchEvent(event);
+        else
+            dispatchEvent(event);
     });
 }
 
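Review bot: The new `if (!isConnected())` branch inside the queued task carries no comment saying why connectedness is checked at dispatch time rather than at enqueue time; that rationale currently lives only in the ChangeLog. A one-line comment above the check would help, and putting the positive case first (`if (isConnected()) dispatchEvent(event); else document().dispatchEvent(event);`) reads more directly. Since `document()` is also evaluated when the task runs, please confirm it is the intended target if the element has been moved between enqueue and dispatch.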

Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (290829 => 290830)


--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2022-03-04 13:22:09 UTC (rev 290829)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp	2022-03-04 15:11:44 UTC (rev 290830)
@@ -816,6 +816,7 @@
     violationEventInit.columnNumber = info.columnNumber;
     violationEventInit.sample = info.sample;
     violationEventInit.bubbles = true;
+    violationEventInit.composed = true;
     if (m_client)
         m_client->enqueueSecurityPolicyViolationEvent(WTFMove(violationEventInit));
     else {
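Review bot: `violationEventInit.composed = true;` is covered only by the new test's `e.composed` check on an event dispatched at the document, which does not exercise what the flag changes. Consider adding a test where the violating element sits inside a shadow tree and the listener is registered on the document, so the event has to cross the shadow boundary to be observed.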