Modified: trunk/LayoutTests/ChangeLog (129142 => 129143)
--- trunk/LayoutTests/ChangeLog 2012-09-20 18:00:18 UTC (rev 129142)
+++ trunk/LayoutTests/ChangeLog 2012-09-20 18:11:19 UTC (rev 129143)
@@ -1,3 +1,21 @@
+2012-09-20 Mike West <[email protected]>
+
+ Support paths in Content Security Policy directives.
+ https://bugs.webkit.org/show_bug.cgi?id=89750
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt:
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-05.html:
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt:
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-06.html:
+ The behavior of these tests changes based on the new functionality.
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html: Added.
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html: Added.
+ New tests for various path cases.
+
2012-09-20 Joshua Bell <[email protected]>
IndexedDB: Rewrite confusing call sequence layout tests
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt (129142 => 129143)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt 2012-09-20 18:00:18 UTC (rev 129142)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05-expected.txt 2012-09-20 18:11:19 UTC (rev 129143)
@@ -1,15 +1,25 @@
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:*/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/thisisa'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/thisisa' is being ignored. Be careful.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/path?query=string'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path?query=string".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/path#anchor'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/path#anchor".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:8000/path?query=string'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path?query=string".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:8000/path#anchor'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/path#anchor".
+
CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'pathwithasemicolon'.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source '127.0.0.1:8000/this'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/this' is being ignored. Be careful.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/thisisa".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/this is a path with spaces".
+
Paths should be ignored when evaluating sources. This test passes if FAIL does not appear in the output, and each of the tests generates a warning about the path component.
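Review bot: The closing description line `Paths should be ignored when evaluating sources. This test passes if FAIL does not appear in the output, and each of the tests generates a warning about the path component.` now contradicts the expectations above it, which show paths being enforced and no ignored-path warnings at all; the same stale line is kept unchanged in source-list-parsing-06-expected.txt. The sentence comes from the `<p>` in source-list-parsing-05.html, which this commit's hunk of that file does not touch, so both the page and its expected output need the update. Something like `Paths are enforced as directory prefixes when evaluating sources. This test passes if FAIL does not appear in the output.` would describe what the new expectations actually check.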
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05.html (129142 => 129143)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05.html 2012-09-20 18:00:18 UTC (rev 129142)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-05.html 2012-09-20 18:11:19 UTC (rev 129143)
@@ -5,15 +5,15 @@
<script>
var tests = [
['yes', 'script-src 127.0.0.1:*/', 'resources/script.js'],
- ['yes', 'script-src 127.0.0.1:*/path', 'resources/script.js'],
- ['yes', 'script-src 127.0.0.1:*/path?query=string', 'resources/script.js'],
- ['yes', 'script-src 127.0.0.1:*/path#anchor', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:*/path', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:*/path?query=string', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:*/path#anchor', 'resources/script.js'],
['yes', 'script-src 127.0.0.1:8000/', 'resources/script.js'],
- ['yes', 'script-src 127.0.0.1:8000/path', 'resources/script.js'],
- ['yes', 'script-src 127.0.0.1:8000/path?query=string', 'resources/script.js'],
- ['yes', 'script-src 127.0.0.1:8000/path#anchor', 'resources/script.js'],
- ['yes', 'script-src 127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
- ['yes', 'script-src 127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:8000/path', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:8000/path?query=string', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:8000/path#anchor', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
];
</script>
</head>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt (129142 => 129143)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt 2012-09-20 18:00:18 UTC (rev 129142)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06-expected.txt 2012-09-20 18:11:19 UTC (rev 129143)
@@ -1,15 +1,25 @@
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:*/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/path'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/path?query=string'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path?query=string' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/path#anchor'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/path#anchor' is being ignored. Be careful.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/thisisa'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/thisisa' is being ignored. Be careful.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:*/path?query=string'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path?query=string".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:*/path#anchor'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*/path#anchor".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:8000/path?query=string'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path?query=string".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: 'http://127.0.0.1:8000/path#anchor'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/path#anchor".
+
CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'pathwithasemicolon'.
-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains the source 'http://127.0.0.1:8000/this'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '/this' is being ignored. Be careful.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/thisisa".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/this is a path with spaces".
+
Paths should be ignored when evaluating sources. This test passes if FAIL does not appear in the output, and each of the tests generates a warning about the path component.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06.html (129142 => 129143)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06.html 2012-09-20 18:00:18 UTC (rev 129142)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-06.html 2012-09-20 18:11:19 UTC (rev 129143)
@@ -5,15 +5,15 @@
<script>
var tests = [
['yes', 'script-src http://127.0.0.1:*/', 'resources/script.js'],
- ['yes', 'script-src http://127.0.0.1:*/path', 'resources/script.js'],
- ['yes', 'script-src http://127.0.0.1:*/path?query=string', 'resources/script.js'],
- ['yes', 'script-src http://127.0.0.1:*/path#anchor', 'resources/script.js'],
+ ['no', 'script-src http://127.0.0.1:*/path', 'resources/script.js'],
+ ['no', 'script-src http://127.0.0.1:*/path?query=string', 'resources/script.js'],
+ ['no', 'script-src http://127.0.0.1:*/path#anchor', 'resources/script.js'],
['yes', 'script-src http://127.0.0.1:8000/', 'resources/script.js'],
- ['yes', 'script-src http://127.0.0.1:8000/path', 'resources/script.js'],
- ['yes', 'script-src http://127.0.0.1:8000/path?query=string', 'resources/script.js'],
- ['yes', 'script-src http://127.0.0.1:8000/path#anchor', 'resources/script.js'],
- ['yes', 'script-src http://127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
- ['yes', 'script-src http://127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
+ ['no', 'script-src http://127.0.0.1:8000/path', 'resources/script.js'],
+ ['no', 'script-src http://127.0.0.1:8000/path?query=string', 'resources/script.js'],
+ ['no', 'script-src http://127.0.0.1:8000/path#anchor', 'resources/script.js'],
+ ['no', 'script-src http://127.0.0.1:8000/thisisa;pathwithasemicolon', 'resources/script.js'],
+ ['no', 'script-src http://127.0.0.1:8000/this is a path with spaces', 'resources/script.js'],
];
</script>
</head>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt (0 => 129143)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt 2012-09-20 18:11:19 UTC (rev 129143)
@@ -0,0 +1,46 @@
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/sec".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/sec/".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/not-security".
+
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:8000/security%3bnot-contentSecurityPolicy".
+
+Resources should be rejected unless they match a whitelisted path.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame3-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame4-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame5-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame6-->-->'
+--------
+PASS
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html (0 => 129143)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html 2012-09-20 18:11:19 UTC (rev 129143)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=''></script>
+<script>
+var security = '%73%65%63%75%72%69%74%79';
+var resources = '%72%65%73%6f%75%72%63%65%73';
+var tests = [
+ ['no', 'script-src 127.0.0.1:*/sec', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:*/sec/', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:8000/not-security', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:8000/security%3bnot-contentSecurityPolicy', 'resources/script.js'],
+ ['yes', 'script-src 127.0.0.1:*/' + security, 'resources/script.js'],
+ ['yes', 'script-src 127.0.0.1:*/security', resources + '/script.js'],
+ ['yes', 'script-src 127.0.0.1:*/' + security, resources + '/script.js'],
+];
+</script>
+</head>
+<body _onload_="test()">
+ <p>
+ Resources should be rejected unless they match a whitelisted path.
+ </p>
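Review bot: The test matrix in source-list-parsing-paths-01.html never varies the case of the path (every row spells `security` in lower case, literally or percent-encoded), so it leaves open whether a source such as `script-src 127.0.0.1:*/Security` is meant to admit `/security/...`; one row with a case-changed source and whichever outcome is intended would pin that behaviour, and the same gap exists in source-list-parsing-paths-02.html. The `<script src=''>` in the head has an empty src — if that is how the file was committed rather than an artifact of how this page was captured, the `test()` invoked from the body's onload is never defined.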
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt (0 => 129143)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02-expected.txt 2012-09-20 18:11:19 UTC (rev 129143)
@@ -0,0 +1,41 @@
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/not-security#query=string'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security#query=string".
+
+CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: '127.0.0.1:*/not-security?query=string'. It will be ignored.
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 127.0.0.1:*/not-security?query=string".
+
+CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'not-contentSecurityPolicy'.
+
+Resources should be rejected unless they match a whitelisted path.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame3-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame4-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame5-->-->'
+--------
+PASS
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html (0 => 129143)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html 2012-09-20 18:11:19 UTC (rev 129143)
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=''></script>
+<script>
+var tests = [
+ ['no', 'script-src 127.0.0.1:*/not-security#query=string', 'resources/script.js'],
+ ['no', 'script-src 127.0.0.1:*/not-security?query=string', 'resources/script.js'],
+ ['yes', 'script-src 127.0.0.1:*/security', 'resources/script.js'],
+ ['yes', 'script-src 127.0.0.1:*/security/', 'resources/script.js'],
+ ['yes', 'script-src 127.0.0.1:*/security/contentSecurityPolicy', 'resources/script.js'],
+ ['yes', 'script-src 127.0.0.1:8000/security;not-contentSecurityPolicy', 'resources/script.js'],
+];
+</script>
+</head>
+<body _onload_="test()">
+ <p>
+ Resources should be rejected unless they match a whitelisted path.
+ </p>
Modified: trunk/Source/WebCore/ChangeLog (129142 => 129143)
--- trunk/Source/WebCore/ChangeLog 2012-09-20 18:00:18 UTC (rev 129142)
+++ trunk/Source/WebCore/ChangeLog 2012-09-20 18:11:19 UTC (rev 129143)
@@ -1,3 +1,53 @@
+2012-09-20 Mike West <[email protected]>
+
+ Support paths in Content Security Policy directives.
+ https://bugs.webkit.org/show_bug.cgi?id=89750
+
+ Reviewed by Adam Barth.
+
+ In CSP 1.0, paths are simply ignored: 'script-src
+ http://example.com/path/to/a/file' would allow script to be loaded from
+ http://example.com/path/to/a/file/_javascript_.js, but also from
+ http://example.com/_javascript_.js.
+
+ This patch is an experimental implementation of more granular path
+ support in CSP source lists as proposed in the current editor's draft of
+ CSP 1.1. Paths are treated as specifying directories in which resources
+ can be found, and are implicitly terminated with a '/': in other words,
+ 'script-src http://a.com/path' is the same as
+ 'script-src http://a.com/path/'. Moreover, paths cannot contain either
+ '?' or '#' characters.
+
+ This is implemented outside the CSP_NEXT flag. All ports will be
+ effected.
+
+ Spec: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#matching
+
+ Tests: http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html
+ http/tests/security/contentSecurityPolicy/source-list-parsing-paths-02.html
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::CSPSource::CSPSource):
+ Store a path along with each CSP source.
+ (WebCore::CSPSource::matches):
+ Check the path when comparing a URL to the source.
+ (WebCore::CSPSource::pathMatches):
+ Compare the URL-decoded version of the resource to validate against
+ the source's stored path. If the resource's path begins with the
+ stored path, then it matches! If not, it doesn't.
+ (CSPSource):
+ Store a path along with each CSP source.
+ (WebCore::CSPSourceList::parse):
+ Pass a 'path' in when creating CSPSource objects.
+ (WebCore::CSPSourceList::parsePath):
+ Actually parse the path, flagging errors if '?' or '#' are present,
+ URL-decoding the result, and ensuring that a terminal '/' is
+ added if necessary.
+ (WebCore::CSPSourceList::addSourceSelf):
+ Ensure that 'self' sources have an empty path.
+ * page/ContentSecurityPolicy.h:
+ Dropping the "ignored path component" console warning.
+
2012-09-20 Joanmarie Diggs <[email protected]>
[GTK] ControlsPanel string is not localized in LocalizedStringsGtk
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (129142 => 129143)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-09-20 18:00:18 UTC (rev 129142)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-09-20 18:11:19 UTC (rev 129143)
@@ -71,6 +71,11 @@
return !isASCIISpace(c);
}
+bool isPathComponentCharacter(UChar c)
+{
+ return c != '?' && c != '#';
+}
+
bool isHostCharacter(UChar c)
{
return isASCIIAlphanumeric(c) || c == '-';
@@ -132,10 +137,11 @@
class CSPSource {
public:
- CSPSource(const String& scheme, const String& host, int port, bool hostHasWildcard, bool portHasWildcard)
+ CSPSource(const String& scheme, const String& host, int port, const String& path, bool hostHasWildcard, bool portHasWildcard)
: m_scheme(scheme)
, m_host(host)
, m_port(port)
+ , m_path(path)
, m_hostHasWildcard(hostHasWildcard)
, m_portHasWildcard(portHasWildcard)
{
@@ -147,7 +153,7 @@
return false;
if (isSchemeOnly())
return true;
- return hostMatches(url) && portMatches(url);
+ return hostMatches(url) && portMatches(url) && pathMatches(url);
}
private:
@@ -165,6 +171,16 @@
}
+ bool pathMatches(const KURL& url) const
+ {
+ if (m_path.isEmpty())
+ return true;
+
+ String path = decodeURLEscapeSequences(url.path());
+
+ return path.startsWith(m_path, false);
+ }
+
bool portMatches(const KURL& url) const
{
if (m_portHasWildcard)
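Review bot: `return path.startsWith(m_path, false);` in pathMatches compares case-insensitively — in WTF::String the second argument is the caseSensitive flag — so a policy path of `/security/` also admits `/Security/...`, which is broader than the directory the author wrote and, as far as I can tell, broader than the component-wise comparison in the draft the ChangeLog cites; `return path.startsWith(m_path);` keeps the match exact. Separately, decoding the resource path with decodeURLEscapeSequences before the prefix compare means an encoded `%2F` in the request path is treated as a segment separator even though the server may treat the undecoded segment as one component; worth confirming against the spec's matching algorithm, and a comment above the decode stating that both sides are compared in decoded form would help the next reader. Neither behaviour is pinned by the added tests.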
@@ -189,6 +205,7 @@
String m_scheme;
String m_host;
int m_port;
+ String m_path;
bool m_hostHasWildcard;
bool m_portHasWildcard;
@@ -287,9 +304,7 @@
continue;
if (scheme.isEmpty())
scheme = m_policy->securityOrigin()->protocol();
- if (!path.isEmpty())
- m_policy->reportIgnoredPathComponent(m_directiveName, String(beginSource, position - beginSource), path);
- m_list.append(CSPSource(scheme, host, port, hostHasWildcard, portHasWildcard));
+ m_list.append(CSPSource(scheme, host, port, path, hostHasWildcard, portHasWildcard));
} else
m_policy->reportInvalidSourceExpression(m_directiveName, String(beginSource, position - beginSource));
@@ -474,16 +489,23 @@
return true;
}
-// FIXME: Deal with an actual path. This just sucks up everything to the end of the string.
bool CSPSourceList::parsePath(const UChar* begin, const UChar* end, String& path)
{
ASSERT(begin <= end);
ASSERT(path.isEmpty());
- if (begin == end)
+ const UChar* position = begin;
+ skipWhile<isPathComponentCharacter>(position, end);
+ // path/to/file.js?query=string || path/to/file.js#anchor
+ // ^ ^
+ if (position < end)
return false;
- path = String(begin, end - begin);
+ path = decodeURLEscapeSequences(String(begin, end - begin));
+ if (!path.endsWith('/'))
+ path = path + '/';
+
+ ASSERT(position == end && path.endsWith('/'));
return true;
}
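Review bot: The `?`/`#` rejection in parsePath runs on the raw text, before `decodeURLEscapeSequences`, so `%3F` and `%23` pass the check and are then decoded into `?` and `#` in the stored path, which is at odds with the rule stated in the ChangeLog; if that rule is the intent, test the decoded string instead (`if (path.contains('?') || path.contains('#')) return false;` placed after the decode), otherwise document that only literal delimiters are rejected. The ASSERT on the last line re-checks `position == end`, which the early return already guarantees; `ASSERT(path.endsWith('/'));` states the only new invariant. If parseSource (outside this hunk) can still call this with `begin == end` — the removed code returned false for that case — the new code now stores `/` and matches every path on the origin, which is harmless if so but deserves a comment such as `// An empty or bare '/' path matches the whole origin.`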
@@ -520,7 +542,7 @@
void CSPSourceList::addSourceSelf()
{
- m_list.append(CSPSource(m_policy->securityOrigin()->protocol(), m_policy->securityOrigin()->host(), m_policy->securityOrigin()->port(), false, false));
+ m_list.append(CSPSource(m_policy->securityOrigin()->protocol(), m_policy->securityOrigin()->host(), m_policy->securityOrigin()->port(), String(), false, false));
}
void CSPSourceList::addSourceStar()
@@ -1550,12 +1572,6 @@
logToConsole(message);
}
-void ContentSecurityPolicy::reportIgnoredPathComponent(const String& directiveName, const String& completeSource, const String& path) const
-{
- String message = makeString("The source list for Content Security Policy directive '", directiveName, "' contains the source '", completeSource, "'. Content Security Policy 1.0 supports only schemes, hosts, and ports. Paths might be supported in the future, but for now, '", path, "' is being ignored. Be careful.");
- logToConsole(message);
-}
-
void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiveName, const String& source) const
{
String message = makeString("The source list for Content Security Policy directive '", directiveName, "' contains an invalid source: '", source, "'. It will be ignored.");
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (129142 => 129143)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.h 2012-09-20 18:00:18 UTC (rev 129142)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h 2012-09-20 18:11:19 UTC (rev 129143)
@@ -100,7 +100,6 @@
void gatherReportURIs(DOMStringList&) const;
void reportDuplicateDirective(const String&) const;
- void reportIgnoredPathComponent(const String& directiveName, const String& completeSource, const String& path) const;
void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
void reportInvalidNonce(const String&) const;
void reportInvalidPluginTypes(const String&) const;