Modified: trunk/LayoutTests/ChangeLog (129571 => 129572)
--- trunk/LayoutTests/ChangeLog 2012-09-25 23:18:43 UTC (rev 129571)
+++ trunk/LayoutTests/ChangeLog 2012-09-25 23:20:22 UTC (rev 129572)
@@ -1,3 +1,15 @@
+2012-09-25 Mike West <[email protected]>
+
+ CSP logging: Be more developer-friendly when 'default-src' is violated.
+ https://bugs.webkit.org/show_bug.cgi?id=97597
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt:
+ * http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt:
+ Rebaselining these tests with the new warning string.
+
2012-09-24 Jeffrey Pfau <[email protected]>
Add WebKit1 SPI for storage blocking preference
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt (129571 => 129572)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt 2012-09-25 23:18:43 UTC (rev 129571)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt 2012-09-25 23:20:22 UTC (rev 129572)
@@ -1,3 +1,3 @@
-CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "default-src 'self'".
+CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
This page should neither alert "FAIL" nor generate any mixed content warnings in the console.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt (129571 => 129572)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt 2012-09-25 23:18:43 UTC (rev 129571)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked-expected.txt 2012-09-25 23:20:22 UTC (rev 129572)
@@ -1,5 +1,5 @@
-CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
+CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
-CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'".
+CONSOLE MESSAGE: Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
This test passes if it doesn't alert fail.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt (129571 => 129572)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt 2012-09-25 23:18:43 UTC (rev 129571)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt 2012-09-25 23:20:22 UTC (rev 129572)
@@ -1,6 +1,6 @@
CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "default-src 'self'".
+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
This script should not execute even through the second CSP header would allow it.
Modified: trunk/Source/WebCore/ChangeLog (129571 => 129572)
--- trunk/Source/WebCore/ChangeLog 2012-09-25 23:18:43 UTC (rev 129571)
+++ trunk/Source/WebCore/ChangeLog 2012-09-25 23:20:22 UTC (rev 129572)
@@ -1,3 +1,25 @@
+2012-09-25 Mike West <[email protected]>
+
+ CSP logging: Be more developer-friendly when 'default-src' is violated.
+ https://bugs.webkit.org/show_bug.cgi?id=97597
+
+ Reviewed by Adam Barth.
+
+ Developers unfamiliar with the details of Content Security Policy might
+ be confused when 'default-src' is used as a fallback for a directive
+ otherwise absent from the policy they've set. This patch adds an
+ explicit explanation to the permission warning in such a situation.
+
+ New warning string is covered by rebaselining existing tests.
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::CSPDirectiveList::checkEvalAndReportViolation):
+ (WebCore::CSPDirectiveList::checkInlineAndReportViolation):
+ (WebCore::CSPDirectiveList::checkSourceAndReportViolation):
+ If the operative directive is 'default-src', output a warning,
+ using the type information present in the report to specify which
+ directive is falling back to the default values.
+
2012-09-25 Beth Dakin <[email protected]>
https://bugs.webkit.org/show_bug.cgi?id=97615
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (129571 => 129572)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-09-25 23:18:43 UTC (rev 129571)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-09-25 23:20:22 UTC (rev 129572)
@@ -887,7 +887,12 @@
{
if (checkEval(directive))
return true;
- reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine, callStack);
+
+ String suffix = String();
+ if (directive == m_defaultSrc)
+ suffix = " Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.";
+
+ reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, callStack);
if (!m_reportOnly) {
m_policy->reportBlockedScriptExecutionToInspector(directive->text());
return false;
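Review bot: The fallback sentence is assembled three times with slightly different string building (`+` concatenation here and in checkSourceAndReportViolation, `makeString` in checkInlineAndReportViolation), and each copy opens with `String suffix = String();`, which is the same null String that `String suffix;` already gives. A small file-local helper taking the effective directive name would keep the wording in one place and make the three sites read alike; the same applies to the two following hunks. In the checkSourceAndReportViolation hunk the name is derived as `type + "-src"`, and that hunk's own `type == "form"` branch shows `type` is not always a directive-name stem, so a form-data violation that falls back to 'default-src' would be reported as `'form-src' was not explicitly set`; whether that path can reach the default-src fallback is not visible here, but passing the real directive name to the helper would avoid naming a directive that does not exist. The enclosing functions begin above each hunk.
```cpp
// Explains the 'default-src' fallback in a violation message; directiveName is
// the directive that was absent from the policy (e.g. "script-src").
static String defaultSrcFallbackNote(const String& directiveName)
{
    return makeString(" Note that '", directiveName, "' was not explicitly set, so 'default-src' is used as a fallback.");
}

// … unchanged: checkEvalAndReportViolation up to the checkEval() early return …
    String suffix;
    if (directive == m_defaultSrc)
        suffix = defaultSrcFallbackNote("script-src");

    reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine, callStack);
// … unchanged: report-only handling …
```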
@@ -920,8 +925,13 @@
{
if (checkInline(directive))
return true;
- reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\".\n", KURL(), contextURL, contextLine);
+ String suffix = String();
+ if (directive == m_defaultSrc)
+ suffix = makeString(" Note that '", (isScript ? "script" : "style"), "-src' was not explicitly set, so 'default-src' is used as a fallback.");
+
+ reportViolation(directive->text(), consoleMessage + "\"" + directive->text() + "\"." + suffix + "\n", KURL(), contextURL, contextLine);
+
if (!m_reportOnly) {
if (isScript)
m_policy->reportBlockedScriptExecutionToInspector(directive->text());
@@ -941,7 +951,11 @@
if (type == "form")
prefix = "Refused to send form data to '";
- reportViolation(directive->text(), makeString(prefix, url.string(), "' because it violates the following Content Security Policy directive: \"", directive->text(), "\".\n"), url);
+ String suffix = String();
+ if (directive == m_defaultSrc)
+ suffix = " Note that '" + type + "-src' was not explicitly set, so 'default-src' is used as a fallback.";
+
+ reportViolation(directive->text(), prefix + url.string() + "' because it violates the following Content Security Policy directive: \"" + directive->text() + "\"." + suffix + "\n", url);
return denyIfEnforcingPolicy();
}