Modified: trunk/LayoutTests/ChangeLog (133192 => 133193)
--- trunk/LayoutTests/ChangeLog 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/LayoutTests/ChangeLog 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,3 +1,23 @@
+2012-11-01 Mike West <[email protected]>
+
+ CSP 1.0: Warn when old-style directives encountered.
+ https://bugs.webkit.org/show_bug.cgi?id=100883
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt:
+ * http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt:
+ * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt:
+ * http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt:
+ * http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt:
+ * http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt:
+ * http/tests/security/contentSecurityPolicy/script-src-none-expected.txt:
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-deprecated-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/source-list-parsing-deprecated.html: Added.
+ * platform/chromium/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt:
+ * platform/chromium/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt:
+
2012-11-01 Tony Chang <[email protected]>
[Chromium] Unreviewed, marking http/tests/xmlhttprequest/xmlhttprequest-test-send-flag.html
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt (133192 => 133193)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-01-expected.txt 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'".
This script should not execute even though there are parse errors in the policy.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt (133192 => 133193)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/directive-parsing-multiple-headers-expected.txt 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
This script should not execute even through the second CSP header would allow it.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt (133192 => 133193)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy-expected.txt 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
-
+CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
CONSOLE MESSAGE: line 9: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
CONSOLE MESSAGE: line 7: Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt (133192 => 133193)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,9 +1,6 @@
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
-
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
-
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
-
+CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
+CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
+CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
CONSOLE MESSAGE: line 1: Refused to execute _javascript_ URL because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
This test passes if it doesn't alert fail.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt (133192 => 133193)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-allowed-expected.txt 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,12 +1,7 @@
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
ALERT: PASS
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
-
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt (133192 => 133193)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,13 +1,8 @@
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
CONSOLE MESSAGE: line 1: Refused to execute _javascript_ URL because it violates the following Content Security Policy directive: "script-src 'none'".
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
-
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt (133192 => 133193)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-in-iframe-expected.txt 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,7 +1,5 @@
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
Loads an iframe (a) which loads an iframe (b) which in turns tries to load an external script. The iframe (a) has a content security policy disabling external scripts. As this policy does not apply to (b), the script should be executed.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt (133192 => 133193)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-src-none-expected.txt 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,5 +1,4 @@
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
CONSOLE MESSAGE: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'none'".
Loads an iframe which in turns tries to load an external script. The iframe has a content security policy disabling external scripts. So the script should not get executed.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-deprecated-expected.txt (0 => 133193)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-deprecated-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-deprecated-expected.txt 2012-11-01 17:46:28 UTC (rev 133193)
@@ -0,0 +1,21 @@
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
+CONSOLE MESSAGE: The 'policy-uri' directive has been removed from the specification. Please specify a complete policy via the Content-Security-Policy header.
+Test that directives that predate the CSP 1.0 standard generate proper warnings to set developer expectations correctly.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+PASS
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-deprecated.html (0 => 133193)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-deprecated.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-deprecated.html 2012-11-01 17:46:28 UTC (rev 133193)
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=''></script>
+<script>
+var tests = [
+ ['yes', 'allow \'none\'', 'resources/script.js'],
+ ['yes', 'options \'inline-script\'', 'resources/script.js'],
+ ['yes', 'policy-uri http://example.com/policy', 'resources/script.js'],
+];
+</script>
+</head>
+<body _onload_="test()">
+<p>
+ Test that directives that predate the CSP 1.0 standard generate proper
+ warnings to set developer expectations correctly.
+</p>
+
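Review bot: All three cases use lowercase directive names, while the new reportUnsupportedDirective matches them with equalIgnoringCase, so the case-insensitive path that the warning depends on is not exercised; adding a row such as `['yes', 'Allow \'none\'', 'resources/script.js'],` with a matching expectation line would pin it. The `test()` called from the body onload is not defined in the visible script, and the harness include is rendered here as `<script src=''>` with an empty src, which looks like an extraction artifact of this page rather than the committed file; worth confirming the shared harness reference survived. The hunk count of 18 lines matches what is shown, so the document appears to end after the `<p>` element and relies on implied closing tags.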
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt (133192 => 133193)
--- trunk/LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/inline-script-blocked-_javascript_-url-expected.txt 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,9 +1,6 @@
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
-
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
-
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'options'.
-
+CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
+CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
+CONSOLE MESSAGE: The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.
CONSOLE MESSAGE: line 1: Refused to execute _javascript_ URL because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:*".
This test passes if it doesn't alert fail.
Modified: trunk/LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt (133192 => 133193)
--- trunk/LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/contentSecurityPolicy/_javascript_-url-blocked-expected.txt 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,13 +1,8 @@
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
CONSOLE MESSAGE: line 1: Refused to execute _javascript_ URL because it violates the following Content Security Policy directive: "script-src 'none'".
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
+CONSOLE MESSAGE: The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.
-CONSOLE MESSAGE: Unrecognized Content-Security-Policy directive 'allow'.
-
-
Modified: trunk/Source/WebCore/ChangeLog (133192 => 133193)
--- trunk/Source/WebCore/ChangeLog 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/Source/WebCore/ChangeLog 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1,3 +1,27 @@
+2012-11-01 Mike West <[email protected]>
+
+ CSP 1.0: Warn when old-style directives encountered.
+ https://bugs.webkit.org/show_bug.cgi?id=100883
+
+ Reviewed by Adam Barth.
+
+ In Mozilla's pre-W3C-spec implementation, a few directives are
+ implemented that were either renamed, reworked, or removed from CSP 1.0.
+ This patch adds special warning messages for three of those directives
+ to set developer expectations correctly.
+
+ Test: http/tests/security/contentSecurityPolicy/source-list-parsing-deprecated.html
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::CSPDirectiveList::parseDirective):
+ (WebCore::CSPDirectiveList::addDirective):
+ (WebCore::ContentSecurityPolicy::reportUnsupportedDirective):
+ * page/ContentSecurityPolicy.h:
+ Rename 'reportUnrecognizedDirectives' to
+ 'reportUnsupportedDirectives', and teach it to give more descriptive
+ error messages when encountering 'allow', 'options', and
+ 'policy-uri'.
+
2012-11-01 Pavel Feldman <[email protected]>
Web Inspector: Update CodeMirror to v3
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (133192 => 133193)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-11-01 17:46:28 UTC (rev 133193)
@@ -1191,7 +1191,7 @@
// The directive-name must be non-empty.
if (nameBegin == position) {
skipWhile<isNotASCIISpace>(position, end);
- m_policy->reportUnrecognizedDirective(String(nameBegin, position - nameBegin));
+ m_policy->reportUnsupportedDirective(String(nameBegin, position - nameBegin));
return false;
}
@@ -1202,7 +1202,7 @@
if (!skipExactly<isASCIISpace>(position, end)) {
skipWhile<isNotASCIISpace>(position, end);
- m_policy->reportUnrecognizedDirective(String(nameBegin, position - nameBegin));
+ m_policy->reportUnsupportedDirective(String(nameBegin, position - nameBegin));
return false;
}
@@ -1304,7 +1304,7 @@
}
#endif
else
- m_policy->reportUnrecognizedDirective(name);
+ m_policy->reportUnsupportedDirective(name);
}
ContentSecurityPolicy::ContentSecurityPolicy(ScriptExecutionContext* scriptExecutionContext)
@@ -1596,9 +1596,23 @@
PingLoader::reportContentSecurityPolicyViolation(frame, reportURIs[i], report);
}
-void ContentSecurityPolicy::reportUnrecognizedDirective(const String& name) const
+void ContentSecurityPolicy::reportUnsupportedDirective(const String& name) const
{
+ DEFINE_STATIC_LOCAL(String, allow, (ASCIILiteral("allow")));
+ DEFINE_STATIC_LOCAL(String, options, (ASCIILiteral("options")));
+ DEFINE_STATIC_LOCAL(String, policyURI, (ASCIILiteral("policy-uri")));
+ DEFINE_STATIC_LOCAL(String, allowMessage, (ASCIILiteral("The 'allow' directive has been replaced with 'default-src'. Please use that directive instead, as 'allow' has no effect.")));
+ DEFINE_STATIC_LOCAL(String, optionsMessage, (ASCIILiteral("The 'options' directive has been replaced with 'unsafe-inline' and 'unsafe-eval' source expressions for the 'script-src' and 'style-src' directives. Please use those directives instead, as 'options' has no effect.")));
+ DEFINE_STATIC_LOCAL(String, policyURIMessage, (ASCIILiteral("The 'policy-uri' directive has been removed from the specification. Please specify a complete policy via the Content-Security-Policy header.")));
+
String message = makeString("Unrecognized Content-Security-Policy directive '", name, "'.\n");
+ if (equalIgnoringCase(name, allow))
+ message = allowMessage;
+ else if (equalIgnoringCase(name, options))
+ message = optionsMessage;
+ else if (equalIgnoringCase(name, policyURI))
+ message = policyURIMessage;
+
logToConsole(message);
}
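Review bot: The generic "Unrecognized Content-Security-Policy directive" message is still built with makeString on every call, even on the three paths that immediately overwrite it, and it is the only message that keeps a trailing `\n` (which is presumably what produced the blank lines this commit removes from the expectation files). Declaring `String message;` up front and moving the generic case into a final `else message = makeString("Unrecognized Content-Security-Policy directive '", name, "'.");` after the policy-uri branch avoids the throwaway allocation and makes all four console messages consistently single-line, though dropping the newline would also require updating expectation files not touched here. Since `allow` and `options` are silently ignored by the parser, this warning is the only signal a developer gets that the policy they wrote is not being enforced, so a comment above the DEFINE_STATIC_LOCAL block such as `// Pre-1.0 (Mozilla-era) directive names are ignored by addDirective; matched case-insensitively like all directive names and given a targeted warning so authors notice the policy is not in effect.` would record why these three are special-cased.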
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.h (133192 => 133193)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.h 2012-11-01 17:45:01 UTC (rev 133192)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.h 2012-11-01 17:46:28 UTC (rev 133193)
@@ -108,7 +108,7 @@
void reportInvalidNonce(const String&) const;
void reportInvalidPluginTypes(const String&) const;
void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
- void reportUnrecognizedDirective(const String&) const;
+ void reportUnsupportedDirective(const String&) const;
void reportViolation(const String& directiveText, const String& consoleMessage, const KURL& blockedURL, const Vector<KURL>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), ScriptState* = 0) const;
void reportBlockedScriptExecutionToInspector(const String& directiveText) const;