- Revision: 187359
- Author: [email protected]
- Date: 2015-07-24 13:41:25 -0700 (Fri, 24 Jul 2015)
Log Message
Fix fallout from merging changes for
<rdar://problem/21707887> CSP doesn't prevent image loading of <object> when page contains <video controls> and ENABLE(MEDIA_CONTROLS_SCRIPT) is enabled
Reviewed by Alexey Proskuryakov.
Source/WebCore:
Tweaked http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp.html so that
it will test allowing evals in non-main worlds.
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::initScript):
Due to ContentSecurityPolicy::allowEval being modified on ToT, we'd always end up passing true for
the overrideContentSecurityPolicy parameter (since the ContentSecurityPolicy::SuppressReport parameter
was incorrectly treated as a boolean).
Fix this by merging part of the fix for bug 141316.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::defaultCachedResourceOptions):
The correct ContentSecurityPolicyImposition should be DoPolicyCheck. This was the case on ToT but for
some reason it was changed to SkipPolicyCheck when the patch was merged.
* page/DOMSecurityPolicy.cpp:
(WebCore::DOMSecurityPolicy::allowsEval):
Pass false for overrideContentSecurityPolicy.
LayoutTests:
* http/tests/security/contentSecurityPolicy/resources/track.vtt:
Replace this with a track.vtt from ToT which is actually a valid .vtt file that will parse properly.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object.html:
Tweak this test so it will work on the branch - setting object.data in order to force an object's URL to be loaded
when it's already got a renderer only works on ToT, so do it before appending the object element.
* http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt:
Copy the test result from ToT and get rid of the merge conflict.
* http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp.html:
Copy the test from ToT which also gives us a test for allowing eval in non-main script worlds.
Diff
Modified: branches/safari-600.8-branch/LayoutTests/ChangeLog (187358 => 187359)
--- branches/safari-600.8-branch/LayoutTests/ChangeLog 2015-07-24 20:31:59 UTC (rev 187358)
+++ branches/safari-600.8-branch/LayoutTests/ChangeLog 2015-07-24 20:41:25 UTC (rev 187359)
@@ -1,3 +1,23 @@
+2015-07-24 Anders Carlsson <[email protected]>
+
+ Fix fallout from merging changes for
+ <rdar://problem/21707887> CSP doesn't prevent image loading of <object> when page contains <video controls> and ENABLE(MEDIA_CONTROLS_SCRIPT) is enabled
+
+ Reviewed by Alexey Proskuryakov.
+
+ * http/tests/security/contentSecurityPolicy/resources/track.vtt:
+ Replace this with a track.vtt from ToT which is actually a valid .vtt file that will parse properly.
+
+ * http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object.html:
+ Tweak this test so it will work on the branch - setting object.data in order to force an object's URL to be loaded
+ when it's already got a renderer only works on ToT, so do it before appending the object element.
+
+ * http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt:
+ Copy the test result from ToT and get rid of the merge conflict.
+
+ * http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp.html:
+ Copy the test from ToT which also gives us a test for allowing eval in non-main script worlds.
+
2015-07-23 Babak Shafiei <[email protected]>
Merge r187248.
Modified: branches/safari-600.8-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/track.vtt (187358 => 187359)
--- branches/safari-600.8-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/track.vtt 2015-07-24 20:31:59 UTC (rev 187358)
+++ branches/safari-600.8-branch/LayoutTests/http/tests/security/contentSecurityPolicy/resources/track.vtt 2015-07-24 20:41:25 UTC (rev 187359)
@@ -1 +1,5 @@
-Subtitles!
+WEBVTT
+
+1
+00:00:00.000 --> 00:00:01.000
+Sample
Modified: branches/safari-600.8-branch/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object.html (187358 => 187359)
--- branches/safari-600.8-branch/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object.html 2015-07-24 20:31:59 UTC (rev 187358)
+++ branches/safari-600.8-branch/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object.html 2015-07-24 20:41:25 UTC (rev 187359)
@@ -20,7 +20,6 @@
var userAgentShadowRoot = internals.ensureUserAgentShadowRoot(document.getElementById("shadow-host"));
var object = document.createElement("object");
- userAgentShadowRoot.appendChild(object);
object.type = "text/html";
object._onload_ = function () {
@@ -28,6 +27,8 @@
// The content document of the HTML object will call testRunner.notifyDone().
}
object.data = ""
+
+ userAgentShadowRoot.appendChild(object);
}
runTest();
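Review bot: the unchanged context line `object.data = ""` directly above the moved `appendChild` has no terminating semicolon; since the hunk already edits the surrounding lines, add it while here. Moving `userAgentShadowRoot.appendChild(object);` below the `data` assignment matches the ChangeLog rationale (on this branch, setting `data` on an object that already has a renderer does not trigger a load), but a one-line comment at the `appendChild` saying so would stop the next merge from "fixing" the order back.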
Modified: branches/safari-600.8-branch/LayoutTests/http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt (187358 => 187359)
--- branches/safari-600.8-branch/LayoutTests/http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt 2015-07-24 20:31:59 UTC (rev 187358)
+++ branches/safari-600.8-branch/LayoutTests/http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt 2015-07-24 20:41:25 UTC (rev 187359)
@@ -1,10 +1,6 @@
CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
ALERT: BLOCKED in main world
-<<<<<<< HEAD:LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt
-ALERT: LOADED in isolated world
-This test ensures that scripts run in isolated worlds aren't affected by the page's content security policy. Extensions, for example, should be able to load any resource they like.
-=======
CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
ALERT: BLOCKED in isolated world
@@ -13,6 +9,5 @@
ALERT: BLOCKED eval() in main world
ALERT: Called eval() in isolated world
This test ensures that scripts run in isolated worlds are affected by the page's content security policy. Extensions, for example, should not be able to load any resource they like.
->>>>>>> 264add7... Isolated worlds should respect Content Security Policy; User Agent Shadow DOM:LayoutTests/http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt
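Review bot: with the trailing `>>>>>>>` marker gone, the expectation pins the intended asymmetry, `BLOCKED eval() in main world` next to `Called eval() in isolated world`, yet the description line that follows says isolated-world scripts "are affected by the page's content security policy" without qualification. Extend that sentence to say that eval() is deliberately exempted for non-main worlds, so the expected file itself explains why the two eval lines differ.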
Modified: branches/safari-600.8-branch/LayoutTests/http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp.html (187358 => 187359)
--- branches/safari-600.8-branch/LayoutTests/http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp.html 2015-07-24 20:31:59 UTC (rev 187358)
+++ branches/safari-600.8-branch/LayoutTests/http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp.html 2015-07-24 20:41:25 UTC (rev 187359)
@@ -1,14 +1,14 @@
<!DOCTYPE html>
<html>
<head>
-<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'unsafe-inline'">
<script>
if (window.testRunner) {
testRunner.dumpAsText();
testRunner.waitUntilDone();
}
- tests = 2;
+ tests = 4;
window.addEventListener("message", function(message) {
tests -= 1;
test();
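Review bot: the added `script-src 'unsafe-inline'` is what the new eval cases depend on: a `script-src` directive that omits `'unsafe-eval'` disables eval() in the main world, while `'unsafe-inline'` keeps the test's own inline `<script>` running. A short comment on the `<meta>` line stating that the directive is there to block eval, not to permit inline script, would make that dependency visible to whoever next edits the policy.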
@@ -29,12 +29,30 @@
img.src = ""
}
+ function callEval(isolated) {
+ try {
+ eval("true");
+ alert('Called eval() in ' + (isolated ? "isolated world" : "main world"));
+ window.postMessage("next", "*");
+ } catch (error) {
+ console.log(error);
+ alert('BLOCKED eval() in ' + (isolated ? "isolated world" : "main world"));
+ window.postMessage("next", "*");
+ }
+ }
+
switch (tests) {
- case 2:
+ case 4:
setImgSrc(false);
break;
+ case 3:
+ testRunner.evaluateScriptInIsolatedWorld(1, String(setImgSrc) + "\nsetImgSrc(true);");
+ break;
+ case 2:
+ callEval(false);
+ break;
case 1:
- testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(true);");
+ testRunner.evaluateScriptInIsolatedWorld(1, String(callEval) + "\ncallEval(true);");
break;
case 0:
testRunner.notifyDone();
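Review bot: `case 1` correctly replaces `String(eval("setImgSrc"))` with `String(callEval)`; under the new `script-src` policy the old `eval("setImgSrc")` form would itself have thrown in the main world before the isolated-world case ran, and `case 3` likewise uses `String(setImgSrc)` without eval. In `callEval` both branches post `"next"`, so the countdown from `tests = 4` advances whatever the outcome and the result is carried entirely by the alert text; the `console.log(error)` in the catch branch will also emit a CONSOLE MESSAGE line in the text dump, so keep it in step with the expected.txt.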
Modified: branches/safari-600.8-branch/Source/WebCore/ChangeLog (187358 => 187359)
--- branches/safari-600.8-branch/Source/WebCore/ChangeLog 2015-07-24 20:31:59 UTC (rev 187358)
+++ branches/safari-600.8-branch/Source/WebCore/ChangeLog 2015-07-24 20:41:25 UTC (rev 187359)
@@ -1,3 +1,30 @@
+2015-07-24 Anders Carlsson <[email protected]>
+
+ Fix fallout from merging changes for
+ <rdar://problem/21707887> CSP doesn't prevent image loading of <object> when page contains <video controls> and ENABLE(MEDIA_CONTROLS_SCRIPT) is enabled
+
+ Reviewed by Alexey Proskuryakov.
+
+ Tweaked http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp.html so that
+ it will test allowing evals in non-main worlds.
+
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::initScript):
+ Due to ContentSecurityPolicy::allowEval being modified on ToT, we'd always end up passing true for
+ the overrideContentSecurityPolicy parameter (since the ContentSecurityPolicy::SuppressReport parameter
+ was incorrectly treated as a boolean).
+ Fix this by merging part of the fix for bug 141316.
+
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::CachedResourceLoader::defaultCachedResourceOptions):
+ The correct ContentSecurityPolicyImposition should be DoPolicyCheck. This was the case on ToT but for
+ some reason it was changed to SkipPolicyCheck when the patch was merged.
+
+ * page/DOMSecurityPolicy.cpp:
+ (WebCore::DOMSecurityPolicy::allowsEval):
+ Pass false for overrideContentSecurityPolicy.
+
+
2015-07-23 Babak Shafiei <[email protected]>
Roll out r185838.
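Review bot: two consecutive blank `+` lines precede the 2015-07-23 entry; ChangeLog entries are separated by a single blank line, so drop one of them.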
Modified: branches/safari-600.8-branch/Source/WebCore/bindings/js/ScriptController.cpp (187358 => 187359)
--- branches/safari-600.8-branch/Source/WebCore/bindings/js/ScriptController.cpp 2015-07-24 20:31:59 UTC (rev 187358)
+++ branches/safari-600.8-branch/Source/WebCore/bindings/js/ScriptController.cpp 2015-07-24 20:41:25 UTC (rev 187359)
@@ -241,9 +241,14 @@
windowShell->window()->updateDocument();
- if (m_frame.document())
- windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
-
+ if (m_frame.document()) {
+ bool shouldBypassMainWorldContentSecurityPolicy = !world.isNormal();
+ if (shouldBypassMainWorldContentSecurityPolicy)
+ windowShell->window()->setEvalEnabled(true);
+ else
+ windowShell->window()->setEvalEnabled(m_frame.document()->contentSecurityPolicy()->allowEval(0, shouldBypassMainWorldContentSecurityPolicy, ContentSecurityPolicy::SuppressReport), m_frame.document()->contentSecurityPolicy()->evalDisabledErrorMessage());
+ }
+
if (Page* page = m_frame.page()) {
attachDebugger(windowShell, page->debugger());
windowShell->window()->setProfileGroup(page->group().identifier());
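Review bot: in the `else` branch `shouldBypassMainWorldContentSecurityPolicy` is known to be `false`, so the middle argument to `allowEval` is a constant dressed as a variable; pass `false` explicitly, as DOMSecurityPolicy.cpp does in this same patch, or collapse the branch to a single call. The bug being fixed was an enum (`SuppressReport`) landing in the bool slot, so keeping the three arguments visibly distinct (source line, bypass flag, reporting policy) is the main defence against a repeat. Unconditionally enabling eval for `!world.isNormal()` is the intended isolated-world exemption from bug 141316 and matches the new layout test expectation.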
Modified: branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp (187358 => 187359)
--- branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2015-07-24 20:31:59 UTC (rev 187358)
+++ branches/safari-600.8-branch/Source/WebCore/loader/cache/CachedResourceLoader.cpp 2015-07-24 20:41:25 UTC (rev 187359)
@@ -975,7 +975,7 @@
const ResourceLoaderOptions& CachedResourceLoader::defaultCachedResourceOptions()
{
- static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, ContentSecurityPolicyImposition::SkipPolicyCheck);
+ static ResourceLoaderOptions options(SendCallbacks, SniffContent, BufferData, AllowStoredCredentials, AskClientForAllCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, ContentSecurityPolicyImposition::DoPolicyCheck);
return options;
}
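Review bot: the default flipped here governs every load that takes `defaultCachedResourceOptions()`, so `SkipPolicyCheck` as the default meant CSP was silently not applied to those loads, which is the regression the ChangeLog describes. Since the diff only changes the default, confirm that no branch-only caller relied on the skipped check, and that the allow-object test fails on the parent revision and passes with this change.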
Modified: branches/safari-600.8-branch/Source/WebCore/page/DOMSecurityPolicy.cpp (187358 => 187359)
--- branches/safari-600.8-branch/Source/WebCore/page/DOMSecurityPolicy.cpp 2015-07-24 20:31:59 UTC (rev 187358)
+++ branches/safari-600.8-branch/Source/WebCore/page/DOMSecurityPolicy.cpp 2015-07-24 20:41:25 UTC (rev 187359)
@@ -122,7 +122,7 @@
if (!isActive())
return true;
- return scriptExecutionContext()->contentSecurityPolicy()->allowEval(0, ContentSecurityPolicy::SuppressReport);
+ return scriptExecutionContext()->contentSecurityPolicy()->allowEval(0, false, ContentSecurityPolicy::SuppressReport);
}
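Review bot: `false` is correct for `allowsEval`, which reports the main-world policy to the page; with the previous argument order the ChangeLog says `SuppressReport` was treated as the bool, so this accessor would have reported eval as allowed under any policy. That is cheap to pin with a layout test against the `allowsEval` accessor when `script-src` lacks `'unsafe-eval'`, if one does not already exist on the branch.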