Diff
Modified: trunk/LayoutTests/ChangeLog (196525 => 196526)
--- trunk/LayoutTests/ChangeLog 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/ChangeLog 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,3 +1,76 @@
+2016-02-12 Daniel Bates <[email protected]>
+
+ CSP: Implement child-src directive
+ https://bugs.webkit.org/show_bug.cgi?id=153562
+ <rdar://problem/24610087>
+
+ Reviewed by Brent Fulgham.
+
+ Add new tests, un-skip now passing tests and update incorrect expected result for test http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html.
+
+ * TestExpectations: Remove entry for test http/tests/security/contentSecurityPolicy/worker-script-src.html as it now passes.
+ Mark all tests in http/tests/security/contentSecurityPolicy/1.1/child-src as PASS so that we run them except for tests
+ frame-fires-load-event-when-blocked.html and frame-fires-load-event-when-redirect-blocked.html (formerly named frame-blocked.html
+ and frame-redirect-blocked.html, respectively) as they depend on the fix for <https://bugs.webkit.org/show_bug.cgi?id=153150>.
+ Skip all other CSP 1.1 tests until we fix <https://bugs.webkit.org/show_bug.cgi?id=85558>. Group some CSP 1.1 entries together.
+ * fast/workers/worker-inherits-csp-blocks-eval-expected.txt: Update expected result based on change to worker-inherits-csp-blocks-eval.html.
+ * fast/workers/worker-inherits-csp-blocks-eval.html: Remove source 'self' from script-src directive. This was needed as
+ a workaround for <https://bugs.webkit.org/show_bug.cgi?id=153158> when the script URL for a worker was checked against the
+ script-src directive. Now that the script URL is checked against the child-src directive we do not need this workaround.
+ * fast/workers/worker-inherits-csp-blocks-xhr.html: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-about-blank-allowed.html: Use js-test-{pre, post}.js as opposed to
+ js-test.js to avoid duplicate "TEST COMPLETE" output.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-allowed.html: Ditto.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt: Update expected result based on changes to frame-blocked.html.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html: Update test to work without the fix for <https://bugs.webkit.org/show_bug.cgi?id=153150>.
+
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html.
+ Keep a copy of the original test for when we fix <https://bugs.webkit.org/show_bug.cgi?id=153150>.
+
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html.
+ Keep a copy of the original test for when we fix <https://bugs.webkit.org/show_bug.cgi?id=153150>.
+
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt: Update expected result based on changes to frame-redirect-blocked.html.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html: Update test to work without the fix for <https://bugs.webkit.org/show_bug.cgi?id=153150>.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed.html: Use js-test-{pre, post}.js as opposed to
+ js-test.js to avoid duplicate "TEST COMPLETE" output.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt: Update incorrect expected result to
+ reflect WebKit error message. The current result reflects the error message used by Blink.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html: Use js-test-{pre, post}.js as opposed to
+ js-test.js to avoid duplicate "TEST COMPLETE" output.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed-expected.txt: Removed; WebKit does not support shared Web Workers.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed.html: Removed; WebKit does not support shared Web Workers.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt: Removed; WebKit does not support shared Web Workers.
+ * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked.html: Removed; WebKit does not support shared Web Workers.
+ * http/tests/security/contentSecurityPolicy/resources/child-src-test.js: Remove logic for testing shared Web Workers as WebKit does not support such workers.
+ (window.onload): Deleted.
+ (injectSharedWorker): Deleted.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt: Update expected result based on change to worker-blob-inherits-csp-blocks-eval.html.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html: Remove source 'self' from script-src directive.
+ This was needed as a workaround for <https://bugs.webkit.org/show_bug.cgi?id=153158> when the script URL for a worker was checked
+ against the script-src directive. Now that the script URL is checked against the child-src directive we do not need this workaround.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt: Update
+ expected result based on change to worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html:
+ Remove source 'self' from script-src directive. This was needed as a workaround for <https://bugs.webkit.org/show_bug.cgi?id=153158> when
+ the script URL for a worker was checked against the script-src directive. Now that the script URL is checked against the child-src directive
+ we do not need this workaround.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html: Ditto.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html: Add child-src 'none' and remove FIXME comment.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html: Added.
+ * platform/ios-simulator/TestExpectations: Remove skip entry for tests in http/tests/security/contentSecurityPolicy/1.1 from this file.
+ Instead we will skip these tests from LayoutTests/TestExpectations since they fail for all ports.
+ * platform/mac/TestExpectations: Ditto.
+ * platform/win/TestExpectations: Ditto.
+ * platform/wk2/TestExpectations: Ditto.
+
2016-02-11 Ryan Haddad <[email protected]>
Re-enable skipped animations tests on ios-simulator
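Review bot: the TestExpectations entry describes frame-fires-load-event-when-blocked.html and frame-fires-load-event-when-redirect-blocked.html as "formerly named frame-blocked.html and frame-redirect-blocked.html", but the entries further down say those files were "Copied from" the originals, and frame-blocked.html and frame-redirect-blocked.html are still listed as modified tests. Suggest rewording to something like "copies of the original frame-blocked.html and frame-redirect-blocked.html", so nobody reads this as a rename and goes looking for missing files.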
Modified: trunk/LayoutTests/TestExpectations (196525 => 196526)
--- trunk/LayoutTests/TestExpectations 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/TestExpectations 2016-02-13 00:18:40 UTC (rev 196526)
@@ -792,6 +792,11 @@
webkit.org/b/52185 fast/css/vertical-align-baseline-rowspan-010.html [ ImageOnlyFailure ]
# Content Security Policy failures
+webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1
+http/tests/security/contentSecurityPolicy/1.1/child-src [ Pass ]
+webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
+webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
+webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html
webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html
webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ]
webkit.org/b/115702 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html [ Failure ]
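Review bot: the new directory entry "webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1" carries no expectation keyword, while the ChangeLog says the intent is to skip these tests, and the "[ Pass ]" line for 1.1/child-src directly below it only works because the more specific path overrides the directory entry. Suggest writing the expectation out explicitly (for example "[ Skip ]") and adding a one-line comment above the pair explaining that child-src is carved out of the skipped directory. The three b/154203 entries also lose the "# Needs expected file." remark that the removed lines carried, so the reason they are not run is now only discoverable through the bug.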
@@ -799,6 +804,8 @@
webkit.org/b/115707 http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.html [ Failure ]
webkit.org/b/153148 http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html
webkit.org/b/153150 http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html
+webkit.org/b/153150 http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html
+webkit.org/b/153150 http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html
webkit.org/b/153151 http/tests/security/contentSecurityPolicy/icon-allowed.html [ Failure ]
webkit.org/b/153151 http/tests/security/contentSecurityPolicy/icon-blocked.html [ Failure ]
webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-allowed.html # Needs testRunner.getManifestThen()
@@ -830,11 +837,7 @@
webkit.org/b/153167 http/tests/security/contentSecurityPolicy/sandbox-report-only.html [ Failure ]
webkit.org/b/153168 http/tests/security/contentSecurityPolicy/source-list-parsing-07.html [ Failure ]
webkit.org/b/153170 http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html [ Failure ]
-webkit.org/b/153562 http/tests/security/contentSecurityPolicy/worker-script-src.html [ Failure ]
http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
-http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html # Needs expected file.
-http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html # Needs expected file.
-http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html # Needs expected file.
# These state object tests purposefully stress a resource limit, and take multiple seconds to run.
loader/stateobjects/pushstate-size-iframe.html [ Slow ]
Modified: trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval-expected.txt (196525 => 196526)
--- trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval-expected.txt 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,4 +1,4 @@
This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a file-URL Web Worker from using eval() because the parent's CSP does not list unsafe-eval in script-src.
-PASS threw exception EvalError: Refused to evaluate a string as _javascript_ because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
+PASS threw exception EvalError: Refused to evaluate a string as _javascript_ because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
.
Modified: trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval.html (196525 => 196526)
--- trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,7 +1,7 @@
<!DOCTYPE html>
<html>
<head>
-<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
<script>
if (window.testRunner) {
testRunner.dumpAsText();
Modified: trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr.html (196525 => 196526)
--- trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,7 +1,7 @@
<!DOCTYPE html>
<html>
<head>
-<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'; connect-src 'none'">
<script>
if (window.testRunner) {
testRunner.dumpAsText();
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-about-blank-allowed.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-about-blank-allowed.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-about-blank-allowed.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,7 +1,7 @@
<!DOCTYPE html>
<html>
<head>
- <script src=""
+ <script src=""
<script src=""
<meta http-equiv="Content-Security-Policy" content="child-src 'none';">
</head>
@@ -10,5 +10,6 @@
description("'about:blank' should not be blocked by CSP.");
injectFrame("about:blank", EXPECT_LOAD);
</script>
+ <script src=""
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-allowed.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-allowed.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-allowed.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,7 +1,7 @@
<!DOCTYPE html>
<html>
<head>
- <script src=""
+ <script src=""
<script src=""
<meta http-equiv="Content-Security-Policy" content="child-src 'self';">
</head>
@@ -10,6 +10,7 @@
description("Frames should be governed by 'child-src'.");
injectFrame("/security/contentSecurityPolicy/resources/alert-pass.html", EXPECT_LOAD);
</script>
+ <script src=""
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,13 +1,5 @@
-CONSOLE MESSAGE: Refused to frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "child-src 'none'".
+CONSOLE MESSAGE: Refused to load frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "child-src 'none'".
-Frames should be governed by 'child-src'.
+This tests that an <iframe> load is blocked when using Content Security Policy child-src 'none'. This test PASSED if there is no _javascript_ alert.
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,14 +1,14 @@
<!DOCTYPE html>
<html>
<head>
- <script src=""
- <script src=""
- <meta http-equiv="Content-Security-Policy" content="child-src 'none';">
+<meta http-equiv="Content-Security-Policy" content="child-src 'none'">
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
</head>
<body>
- <script>
- description("Frames should be governed by 'child-src'.");
- injectFrame("/security/contentSecurityPolicy/resources/alert-fail.html", EXPECT_BLOCK);
- </script>
+<p>This tests that an <iframe> load is blocked when using Content Security Policy <code>child-src 'none'</code>. This test PASSED if there is no _javascript_ alert.</p>
+<iframe src=""
</body>
</html>
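Review bot: after this rewrite the test body contains no assertion; the only pass signal is the absence of an alert plus the console message in the expected file, and nothing in the file says this is a temporary form. Since the ChangeLog describes this as a way "to work without the fix for" bug 153150, suggest an HTML comment next to the <iframe> that names that bug and points at frame-fires-load-event-when-blocked.html, so the two tests can be reconciled once the load-event behaviour is fixed.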
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked-expected.txt (from rev 196525, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt) (0 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: Refused to load frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "child-src 'none'".
+
+Frames should be governed by 'child-src'.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+IFrame load event fired: the IFrame is cross-origin (or was blocked).
+PASS The IFrame should have been blocked (or cross-origin). It was.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html (from rev 196525, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html) (0 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src=""
+ <script src=""
+ <meta http-equiv="Content-Security-Policy" content="child-src 'none';">
+</head>
+<body>
+ <script>
+ description("Frames should be governed by 'child-src'.");
+ injectFrame("/security/contentSecurityPolicy/resources/alert-fail.html", EXPECT_BLOCK);
+ </script>
+ <script src=""
+</body>
+</html>
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked-expected.txt (from rev 196525, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt) (0 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: Refused to load frame 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "child-src 'self'".
+
+Frames should be governed by 'child-src'. Redirects should be covered.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+IFrame load event fired: the IFrame is cross-origin (or was blocked).
+PASS The IFrame should have been blocked (or cross-origin). It was.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html (from rev 196525, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html) (0 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <script src=""
+ <script src=""
+ <meta http-equiv="Content-Security-Policy" content="child-src 'self';">
+</head>
+<body>
+ <script>
+ description("Frames should be governed by 'child-src'. Redirects should be covered.");
+ injectFrameRedirectingTo("http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html", EXPECT_BLOCK);
+ </script>
+ <script src=""
+</body>
+</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,13 +1,5 @@
-CONSOLE MESSAGE: Refused to frame 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "child-src 'self'".
+CONSOLE MESSAGE: Refused to load frame 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php".
-Frames should be governed by 'child-src'. Redirects should be covered.
+This tests that the Content Security Policy of the page blocks an <iframe> from loading a document of a different origin through a redirect. This test PASSED if there is no _javascript_ alert.
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,14 +1,14 @@
<!DOCTYPE html>
<html>
<head>
- <script src=""
- <script src=""
- <meta http-equiv="Content-Security-Policy" content="child-src 'self';">
+<meta http-equiv="Content-Security-Policy" content="child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php">
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
</head>
<body>
- <script>
- description("Frames should be governed by 'child-src'. Redirects should be covered.");
- injectFrameRedirectingTo("http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html", EXPECT_BLOCK);
- </script>
+<p>This tests that the Content Security Policy of the page blocks an <iframe> from loading a document of a different origin through a redirect. This test PASSED if there is no _javascript_ alert.</p>
+<iframe src=""
</body>
</html>
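Review bot: the meta tag changes the policy from "child-src 'self'" to a single URL source for redir.php, which is a different policy from the one kept in frame-fires-load-event-when-redirect-blocked.html, and neither the test text nor the ChangeLog entry says why the source expression had to change. If the narrower source is needed to make the redirect case observable without the load event, please say so in a comment in the test; otherwise keeping 'self' would leave both variants exercising the same policy and make the expected console messages directly comparable.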
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt (0 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Refused to load frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "frame-src 'none'".
+
+This tests that an <iframe> load is blocked when using Content Security Policy frame-src 'none'; child-src 'self' because the deprecated directive frame-src takes precedence over the directive child-src. This test PASSED if there is no _javascript_ alert.
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html (0 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'; child-src 'self'">
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<p>This tests that an <iframe> load is blocked when using Content Security Policy <code>frame-src 'none'; child-src 'self'</code> because the deprecated directive frame-src takes precedence over the directive child-src. This test PASSED if there is no _javascript_ alert.</p>
+<iframe src=""
+</body>
+</html>
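Review bot: the only policy exercised here is "frame-src 'none'; child-src 'self'", and a blocked frame under that policy is also what an implementation would produce if it enforced both directives rather than giving frame-src precedence. Suggest adding the converse case, "frame-src 'self'; child-src 'none'" with a same-origin frame that is expected to load, so the pair of tests actually pins down precedence and not just that frame-src is consulted.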
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,7 +1,7 @@
<!DOCTYPE html>
<html>
<head>
- <script src=""
+ <script src=""
<script src=""
<meta http-equiv="Content-Security-Policy" content="child-src 'self';">
</head>
@@ -10,5 +10,6 @@
description("Workers should be governed by 'child-src'.");
injectWorker("/security/contentSecurityPolicy/resources/alert-pass.js", EXPECT_LOAD);
</script>
+ <script src=""
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -5,7 +5,7 @@
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-PASS var w = new Worker('/security/contentSecurityPolicy/resources/alert-fail.js'); threw exception SecurityError: Failed to construct 'Worker': Access to the script at 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' is denied by the document's Content Security Policy..
+PASS var w = new Worker('/security/contentSecurityPolicy/resources/alert-fail.js'); threw exception Error: SecurityError: DOM Exception 18.
PASS successfullyParsed is true
TEST COMPLETE
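Review bot: the new expected line, "threw exception Error: SecurityError: DOM Exception 18.", no longer names the blocked script URL or the Content Security Policy, so on its own it would match a SecurityError raised for any reason. The lines above this hunk are not shown; it is worth confirming that the expected output also records the CSP console message for child-src 'none', so the result ties the exception to the directive under test.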
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,7 +1,7 @@
<!DOCTYPE html>
<html>
<head>
- <script src=""
+ <script src=""
<script src=""
<meta http-equiv="Content-Security-Policy" content="child-src 'none';">
</head>
@@ -10,5 +10,6 @@
description("Workers should be governed by 'child-src'.");
injectWorker("/security/contentSecurityPolicy/resources/alert-fail.js", EXPECT_BLOCK);
</script>
+ <script src=""
</body>
</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (0 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -0,0 +1,13 @@
+CONSOLE MESSAGE: Refused to create a child context containing 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php".
+
+This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url="" did not throw exception.
+PASS error event dispatched
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html (0 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php">
+<script src=""
+</head>
+<body>
+<script>
+window.jsTestIsAsync = true;
+
+description("This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.");
+
+var worker;
+shouldNotThrow('worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=""
+worker._onerror_ = function () {
+ testPassed("error event dispatched");
+ finishJSTest();
+};
+</script>
+<script src=""
+</body>
+</html>
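Review bot: the script sets window.jsTestIsAsync and calls finishJSTest() only from the error handler, so if the policy check regresses and the redirected worker script is allowed to load, the test ends in a timeout instead of an explicit failure. Suggest also installing a message (or equivalent success-path) handler on the worker that calls testFailed() and finishJSTest(), so a bypass of child-src through the redirect is reported as a clear FAIL with a message.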
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed-expected.txt (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed-expected.txt 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,10 +0,0 @@
-SharedWorkers should be governed by 'child-src'.
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS var w = new SharedWorker('/security/contentSecurityPolicy/resources/alert-pass.js'); did not throw exception.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <script src=""
- <script src=""
- <meta http-equiv="Content-Security-Policy" content="child-src 'self';">
-</head>
-<body>
- <script>
- description("SharedWorkers should be governed by 'child-src'.");
- injectSharedWorker("/security/contentSecurityPolicy/resources/alert-pass.js", EXPECT_LOAD);
- </script>
-</body>
-</html>
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,12 +0,0 @@
-CONSOLE MESSAGE: Refused to create a child context containing 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "child-src 'none'".
-
-SharedWorkers should be governed by 'child-src'.
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-PASS var w = new SharedWorker('/security/contentSecurityPolicy/resources/alert-fail.js'); threw exception SecurityError: Failed to construct 'SharedWorker': Access to the script at 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' is denied by the document's Content Security Policy..
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,14 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
- <script src=""
- <script src=""
- <meta http-equiv="Content-Security-Policy" content="child-src 'none';">
-</head>
-<body>
- <script>
- description("SharedWorkers should be governed by 'child-src'.");
- injectSharedWorker("/security/contentSecurityPolicy/resources/alert-fail.js", EXPECT_BLOCK);
- </script>
-</body>
-</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-src-test.js (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-src-test.js 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-src-test.js 2016-02-13 00:18:40 UTC (rev 196526)
@@ -53,13 +53,3 @@
finishJSTest();
};
}
-
-function injectSharedWorker(url, expectBlock) {
- window._onload_ = function() {
- if (expectBlock == EXPECT_BLOCK)
- shouldThrow("var w = new SharedWorker('" + url + "');");
- else
- shouldNotThrow("var w = new SharedWorker('" + url + "');");
- finishJSTest();
- };
-}
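Review bot: Removing injectSharedWorker() together with worker-shared-allowed.html and worker-shared-blocked.html leaves no child-src coverage for SharedWorker, and nothing in this hunk or in the deleted tests says why. If the reason is that these tests cannot pass in this port, a line to that effect in the LayoutTests ChangeLog (if it is not there already) would stop a later reader from taking the deletion for an accidental loss of coverage.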
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,4 +1,4 @@
This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a blob-URL Web Worker from using eval() because the parent's CSP does not list unsafe-eval in script-src.
-PASS threw exception EvalError: Refused to evaluate a string as _javascript_ because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
+PASS threw exception EvalError: Refused to evaluate a string as _javascript_ because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,8 +1,7 @@
<!DOCTYPE html>
<html>
<head>
-<!-- FIXME: Remove 'self' from script-src once we fix <https://bugs.webkit.org/show_bug.cgi?id=153158>. -->
-<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
<script>
if (window.testRunner) {
testRunner.dumpAsText();
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,4 +1,4 @@
-CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/workers/resources/worker-importScripts-source1.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/workers/resources/worker-importScripts-source1.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline'".
This tests that when calling WorkerGlobalScope.importScripts() will two script URLs that the second script is not loaded if the first script URL was blocked by the Content Security Policy of the worker (inherited from this page).
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,8 +1,7 @@
<!DOCTYPE html>
<html>
<head>
-<!-- FIXME: Change 'self' to 'blob:' once we fix <https://bugs.webkit.org/show_bug.cgi?id=153158>. -->
-<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
<script>
if (window.testRunner) {
testRunner.dumpAsText();
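Review bot: The removed FIXME in this meta tag asked to change 'self' to 'blob:' once bug 153158 was fixed, but the new policy drops 'self' without adding 'blob:'. That looks intentional, since the worker's script URL is now matched against child-src rather than script-src and this policy declares no child-src, but the intent is no longer written anywhere in the file. A short comment stating that the blob-URL worker is allowed because the page sets no child-src (and no default-src) would make the test's precondition explicit. The same applies to the identical change in worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html.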
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,8 +1,7 @@
<!DOCTYPE html>
<html>
<head>
-<!-- FIXME: Change 'self' to 'blob:' once we fix <https://bugs.webkit.org/show_bug.cgi?id=153158>. -->
-<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php 'unsafe-inline'">
<script>
if (window.testRunner) {
testRunner.dumpAsText();
Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt (0 => 196526)
--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt 2016-02-13 00:18:40 UTC (rev 196526)
@@ -0,0 +1,3 @@
+This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin).
+
+PASS worker failed to load script URL.
Copied: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html (from rev 196525, trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html) (0 => 196526)
--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'; child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin).</p>
+<pre id="result"></pre>
+<script>
+window._onmessage_ = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function runTest()
+{
+ var worker;
+ try {
+ worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=""
+ worker._onerror_ = function () {
+ window.postMessage("PASS worker failed to load script URL.", "*");
+ }
+ } catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+ }
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();");
+</script>
+</body>
+</html>
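Review bot: In runTest(), the only outcomes that post a message are the worker's error handler (PASS) and the catch block (FAIL), so a worker that loads successfully produces no output and the test times out. Since the description says the test passes only if the redirect fails, add an explicit FAIL message for the case where the worker starts. Separately, the description sentence reads "This tests that in an isolated world that the Content Security Policy ..."; the second "that" should go, here and in the expected result file.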
Modified: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html (196525 => 196526)
--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,8 +1,7 @@
<!DOCTYPE html>
<html>
<head>
-<!-- FIXME: Add child-src 'none' once we implement the child-src directive. -->
-<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'; child-src 'none'">
<script>
if (window.testRunner) {
testRunner.dumpAsText();
Modified: trunk/LayoutTests/platform/ios-simulator/TestExpectations (196525 => 196526)
--- trunk/LayoutTests/platform/ios-simulator/TestExpectations 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/platform/ios-simulator/TestExpectations 2016-02-13 00:18:40 UTC (rev 196526)
@@ -92,9 +92,6 @@
fast/history/page-cache-media-source-opened.html [ Skip ]
fast/history/page-cache-removed-source-buffer.html [ Skip ]
-# Content Security Policy 1.1 (ENABLE_CSP_NEXT) is not enabled
-webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1
-
# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
webkit.org/b/136452 http/tests/security/contentTypeOptions
Modified: trunk/LayoutTests/platform/mac/TestExpectations (196525 => 196526)
--- trunk/LayoutTests/platform/mac/TestExpectations 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/platform/mac/TestExpectations 2016-02-13 00:18:40 UTC (rev 196526)
@@ -188,9 +188,6 @@
# webkit.org/b/61138, webkit.org/b/84893, webkit.org/b/133321
http/tests/w3c/webperf [ Skip ]
-# Content Security Policy 1.1 (ENABLE_CSP_NEXT) is not enabled
-webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1
-
# Perf tests are very flaky, because they run in parallel with other tests.
perf
Modified: trunk/LayoutTests/platform/win/TestExpectations (196525 => 196526)
--- trunk/LayoutTests/platform/win/TestExpectations 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/platform/win/TestExpectations 2016-02-13 00:18:40 UTC (rev 196526)
@@ -374,9 +374,6 @@
webkit.org/b/42435 http/tests/misc/webtiming-two-redirects.php [ Skip ]
webkit.org/b/42435 http/tests/w3c/webperf [ Skip ]
-# Content Security Policy 1.1 (ENABLE_CSP_NEXT) is not enabled
-webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1 [ Skip ]
-
# TODO Application Cache Quotas
webkit.org/b/43458 http/tests/appcache/origin-quota.html [ Skip ]
webkit.org/b/43458 http/tests/appcache/origin-quota-continued-download.html [ Skip ]
Modified: trunk/LayoutTests/platform/wk2/TestExpectations (196525 => 196526)
--- trunk/LayoutTests/platform/wk2/TestExpectations 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/platform/wk2/TestExpectations 2016-02-13 00:18:40 UTC (rev 196526)
@@ -378,10 +378,6 @@
# No CORS support for media elements is implemented yet.
http/tests/security/video-cross-origin-readback.html
-# Content Security Policy 1.1 (ENABLE_CSP_NEXT) is not enabled
-# https://bugs.webkit.org/show_bug.cgi?id=85558
-http/tests/security/contentSecurityPolicy/1.1
-
# X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
http/tests/security/contentTypeOptions
Modified: trunk/Source/WebCore/ChangeLog (196525 => 196526)
--- trunk/Source/WebCore/ChangeLog 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/ChangeLog 2016-02-13 00:18:40 UTC (rev 196526)
@@ -1,3 +1,45 @@
+2016-02-12 Daniel Bates <[email protected]>
+
+ CSP: Implement child-src directive
+ https://bugs.webkit.org/show_bug.cgi?id=153562
+ <rdar://problem/24610087>
+
+ Reviewed by Brent Fulgham.
+
+ Add support for the child-src directive, <https://w3c.github.io/webappsec-csp/2/#child_src> (29 August 2015),
+ which formally replaces the deprecated frame-src directive as of the Content Security Policy 2.0 spec. The
+ child-src directive was first introduced in the Content Security Policy 1.1 spec, <https://www.w3.org/TR/2014/WD-CSP11-20140211/>.
+
+ As a side effect of this change, the script URL for a Web Worker is checked against the child-src directive
+ as opposed to the script-src directive. This is a backward incompatible change from the CSP 1.0 spec.
+
+ Tests: http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html
+ http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html
+ http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html
+ http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html
+
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): Check child-src directive (if applicable).
+ * loader/ThreadableLoader.h: Add enum value EnforceChildSrcDirective to enum class ContentSecurityPolicyEnforcement to
+ enforce the child-src directive on redirect.
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowChildContextFromSource): Added.
+ * page/csp/ContentSecurityPolicy.h:
+ * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+ (WebCore::ContentSecurityPolicyDirectiveList::checkSourceAndReportViolation): Add message prefix for a child-src violation.
+ We use the same message prefix as used by Blink.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowChildContextFromSource): Added.
+ (WebCore::ContentSecurityPolicyDirectiveList::allowChildFrameFromSource): Modified to check the frame-src
+ directive (if specified) before checking the child-src directive by <https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested>.
+ (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Parse the child-src directive.
+ * page/csp/ContentSecurityPolicyDirectiveList.h:
+ * workers/AbstractWorker.cpp:
+ (WebCore::AbstractWorker::resolveURL): Check if the script URL for the worker is allowed by the child-src directive
+ as opposed to the script-src directive. This is a backwards incompatible change from the CSP 1.0 spec.
+ * workers/Worker.cpp:
+ (WebCore::Worker::create): Enforce the child-src directive on redirects (if applicable).
+
2016-02-12 Saam barati <[email protected]>
The parser doesn't properly protect against global variable references in builtins
Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (196525 => 196526)
--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-02-13 00:18:40 UTC (rev 196526)
@@ -443,6 +443,8 @@
switch (m_options.contentSecurityPolicyEnforcement) {
case ContentSecurityPolicyEnforcement::DoNotEnforce:
return true;
+ case ContentSecurityPolicyEnforcement::EnforceChildSrcDirective:
+ return contentSecurityPolicy().allowChildContextFromSource(url, false); // Do not override policy
case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective:
return contentSecurityPolicy().allowConnectToSource(url, false); // Do not override policy
case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
Modified: trunk/Source/WebCore/loader/ThreadableLoader.h (196525 => 196526)
--- trunk/Source/WebCore/loader/ThreadableLoader.h 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/loader/ThreadableLoader.h 2016-02-13 00:18:40 UTC (rev 196526)
@@ -61,6 +61,7 @@
enum class ContentSecurityPolicyEnforcement {
DoNotEnforce,
+ EnforceChildSrcDirective,
EnforceConnectSrcDirective,
EnforceScriptSrcDirective,
};
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (196525 => 196526)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-13 00:18:40 UTC (rev 196526)
@@ -257,6 +257,11 @@
return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowChildFrameFromSource>(m_policies, url, reportingStatus);
}
+bool ContentSecurityPolicy::allowChildContextFromSource(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+ return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowChildContextFromSource>(m_policies, url, reportingStatus);
+}
+
bool ContentSecurityPolicy::allowImageFromSource(const URL& url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
return overrideContentSecurityPolicy || isAllowedByAllWithURL<&ContentSecurityPolicyDirectiveList::allowImageFromSource>(m_policies, url, reportingStatus);
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (196525 => 196526)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-02-13 00:18:40 UTC (rev 196526)
@@ -84,6 +84,7 @@
bool allowScriptFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowObjectFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowChildFrameFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
+ bool allowChildContextFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowImageFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowStyleFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
bool allowFontFromSource(const URL&, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (196525 => 196526)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp 2016-02-13 00:18:40 UTC (rev 196526)
@@ -48,6 +48,7 @@
// CSP 1.1 Directives
static const char baseURI[] = "base-uri";
+static const char childSrc[] = "child-src";
static const char formAction[] = "form-action";
static const char pluginTypes[] = "plugin-types";
#if ENABLE(CSP_NEXT)
@@ -222,6 +223,8 @@
const char* prefix;
if (baseURI == effectiveDirective)
prefix = "Refused to set the document's base URI to '";
+ else if (childSrc == effectiveDirective)
+ prefix = "Refused to create a child context containing '";
else if (connectSrc == effectiveDirective)
prefix = "Refused to connect to '";
else if (fontSrc == effectiveDirective)
@@ -314,13 +317,24 @@
return m_reportOnly || checkSource(operativeDirective(m_objectSrc.get()), url);
}
+bool ContentSecurityPolicyDirectiveList::allowChildContextFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+ if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+ return checkSourceAndReportViolation(operativeDirective(m_childSrc.get()), url, childSrc);
+ return m_reportOnly || checkSource(operativeDirective(m_childSrc.get()), url);
+}
+
bool ContentSecurityPolicyDirectiveList::allowChildFrameFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
{
if (url.isBlankURL())
return true;
+
+ // We must enforce the frame-src directive (if specified) before enforcing the child-src directive for a nested browsing
+ // context by <https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested> (29 August 2015).
+ ContentSecurityPolicySourceListDirective* directiveToEnforce = operativeDirective(m_frameSrc ? m_frameSrc.get() : m_childSrc.get());
if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
- return checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, frameSrc);
- return m_reportOnly || checkSource(operativeDirective(m_frameSrc.get()), url);
+ return checkSourceAndReportViolation(directiveToEnforce, url, frameSrc);
+ return m_reportOnly || checkSource(directiveToEnforce, url);
}
bool ContentSecurityPolicyDirectiveList::allowImageFromSource(const URL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
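Review bot: In allowChildFrameFromSource(), the SendReport branch always passes frameSrc as the effective directive, even when directiveToEnforce was taken from m_childSrc because no frame-src was specified. With "checkSourceAndReportViolation(directiveToEnforce, url, frameSrc)", a frame blocked by child-src will never hit the new "childSrc == effectiveDirective" prefix added earlier in this file, and the violation will be attributed to frame-src. If that is deliberate, a comment saying so would help; otherwise pass childSrc when m_frameSrc is null. A test with only child-src set and a blocked frame, asserting on the console message, would pin the chosen behaviour down.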
@@ -569,6 +583,8 @@
setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_mediaSrc);
else if (equalLettersIgnoringASCIICase(name, connectSrc))
setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_connectSrc);
+ else if (equalLettersIgnoringASCIICase(name, childSrc))
+ setCSPDirective<ContentSecurityPolicySourceListDirective>(name, value, m_childSrc);
else if (equalLettersIgnoringASCIICase(name, sandbox))
applySandboxPolicy(name, value);
else if (equalLettersIgnoringASCIICase(name, reportURI))
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (196525 => 196526)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h 2016-02-13 00:18:40 UTC (rev 196526)
@@ -57,6 +57,7 @@
bool allowScriptFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
bool allowObjectFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
bool allowChildFrameFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
+ bool allowChildContextFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
bool allowImageFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
bool allowStyleFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
bool allowFontFromSource(const URL&, ContentSecurityPolicy::ReportingStatus) const;
@@ -114,6 +115,7 @@
std::unique_ptr<ContentSecurityPolicyMediaListDirective> m_pluginTypes;
std::unique_ptr<ContentSecurityPolicySourceListDirective> m_baseURI;
std::unique_ptr<ContentSecurityPolicySourceListDirective> m_connectSrc;
+ std::unique_ptr<ContentSecurityPolicySourceListDirective> m_childSrc;
std::unique_ptr<ContentSecurityPolicySourceListDirective> m_defaultSrc;
std::unique_ptr<ContentSecurityPolicySourceListDirective> m_fontSrc;
std::unique_ptr<ContentSecurityPolicySourceListDirective> m_formAction;
Modified: trunk/Source/WebCore/workers/AbstractWorker.cpp (196525 => 196526)
--- trunk/Source/WebCore/workers/AbstractWorker.cpp 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/workers/AbstractWorker.cpp 2016-02-13 00:18:40 UTC (rev 196526)
@@ -62,10 +62,8 @@
return URL();
}
- // FIXME: Enforce the child-src directive instead of script-src per <https://w3c.github.io/webappsec-csp/2/#directive-child-src-workers> (29 August 2015).
- // See <https://bugs.webkit.org/show_bug.cgi?id=153562>.
ASSERT(scriptExecutionContext()->contentSecurityPolicy());
- if (!scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(scriptURL, shouldBypassMainWorldContentSecurityPolicy)) {
+ if (!scriptExecutionContext()->contentSecurityPolicy()->allowChildContextFromSource(scriptURL, shouldBypassMainWorldContentSecurityPolicy)) {
ec = SECURITY_ERR;
return URL();
}
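Review bot: The replacement call to allowChildContextFromSource() in resolveURL() loses the spec reference that the removed FIXME carried (<https://w3c.github.io/webappsec-csp/2/#directive-child-src-workers>). The ChangeLog flags this as a backward incompatible change from CSP 1.0, so a page that restricts workers only through script-src is no longer restricted at this check. Keep a one-line comment at the call site citing that spec section and stating that script-src no longer governs the worker's script URL, so the behaviour is not mistaken for an oversight later.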
Modified: trunk/Source/WebCore/workers/Worker.cpp (196525 => 196526)
--- trunk/Source/WebCore/workers/Worker.cpp 2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/workers/Worker.cpp 2016-02-13 00:18:40 UTC (rev 196526)
@@ -94,8 +94,8 @@
worker->setPendingActivity(worker.ptr());
worker->m_scriptLoader = WorkerScriptLoader::create();
- // FIXME: Enforce Content Security Policy child-src directive when shouldBypassMainWorldContentSecurityPolicy is false. See <https://bugs.webkit.org/show_bug.cgi?id=153562>.
- worker->m_scriptLoader->loadAsynchronously(&context, scriptURL, DenyCrossOriginRequests, ContentSecurityPolicyEnforcement::DoNotEnforce, worker.ptr());
+ auto contentSecurityPolicyEnforcement = shouldBypassMainWorldContentSecurityPolicy ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceChildSrcDirective;
+ worker->m_scriptLoader->loadAsynchronously(&context, scriptURL, DenyCrossOriginRequests, contentSecurityPolicyEnforcement, worker.ptr());
return WTFMove(worker);
}