Revision: 196528
Author: [email protected]
Date: 2016-02-12 16:24:28 -0800 (Fri, 12 Feb 2016)
Log Message
CSP: 'blob:' URLs should not match 'self' in CSP source expression lists.
https://bugs.webkit.org/show_bug.cgi?id=153158
<rdar://problem/24383264>
Reviewed by Brent Fulgham.
Source/WebCore:
A blob URL should not match source 'self' by section Security Considerations for GUID URL schemes
of the Content Security Policy 2.0 spec, <https://www.w3.org/TR/CSP2/> (21 July 2015).
Tests: http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html
http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html
* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::matches): Do not make a distinction between URLs that
contain a nested URL (e.g. blob://http://www.example.com/...) and URLs that do not contain a nested
URL. The URL of the requested resource should be matched against the source list source expressions.
LayoutTests:
Add test http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html to ensure that a
blob URL matches source "blob:".
Replaced text-only test http/tests/security/contentSecurityPolicy/blob-urls-match-self.html with an
analogous reference test http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html
so as to ensure that we do not regress the behavior that source 'self' should not match a blob URL
without considering the Content Security Policy violation message as part of the expected result.
The Content Security Policy violation message will differ between test runs because it references
the blob URL that triggered the violation, which is cryptographically random.
* TestExpectations: Remove entry for test http/tests/security/contentSecurityPolicy/blob-urls-match-self.html as the analogous test
blob-url-does-not-match-source-self.html now passes.
* http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self-expected.html: Added.
* http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html: Added.
* http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html: Added.
* http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/blob-urls-match-self.html: Removed. See the analogous test blob-url-does-not-match-source-self.html.
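As an added illustration (not WebKit code): a constructed model of source-list matching that shows why extracting the nested URL let 'self' match a blob URL, why matching the outer URL does not, and why a `blob:` scheme source still does. The origins and URLs are made up for the example.

```cpp
#include <string>
#include <vector>
// Constructed model of CSP source-list matching; not WebCore's ContentSecurityPolicySourceList.
struct Origin { std::string scheme, host; int port; };

// Scheme and, when an authority is present, host/port of a URL. blob:http://www.example.com/<uuid> has scheme "blob" and no authority.
Origin originOf(const std::string& url) {
    Origin o{};
    size_t colon = url.find(':');
    if (colon == std::string::npos) return o;
    o.scheme = url.substr(0, colon);
    if (url.compare(colon + 1, 2, "//") != 0) return o;   // blob: and data: carry no "//"
    size_t start = colon + 3, end = url.find('/', start);
    std::string authority = url.substr(start, end == std::string::npos ? end : end - start);
    size_t sep = authority.find(':');
    o.host = authority.substr(0, sep);
    o.port = sep == std::string::npos ? (o.scheme == "https" ? 443 : 80) : std::stoi(authority.substr(sep + 1));
    return o;
}
// Pre-fix behaviour: the URL nested after "blob:" was matched instead of the blob URL itself.
std::string extractInnerUrl(const std::string& url) {
    return url.rfind("blob:", 0) == 0 ? url.substr(5) : url;
}

struct SourceList {
    Origin self{};                      // origin of the document the policy protects
    bool allowSelf = false;             // 'self' keyword present in the source list
    std::vector<std::string> schemes;   // scheme sources such as "blob:"

    bool matches(const std::string& requested, bool useInnerUrl) const {
        Origin o = originOf(useInnerUrl ? extractInnerUrl(requested) : requested);
        if (allowSelf && o.scheme == self.scheme && o.host == self.host && o.port == self.port)
            return true;
        for (const std::string& s : schemes)
            if (s == o.scheme + ":") return true;   // "blob:" matches the outer scheme only
        return false;
    }
};

// "script-src 'self'" for a page at http://127.0.0.1:8000 (constructed origin).
bool selfPolicyAllows(const std::string& url, bool preFixBehaviour) {
    SourceList list; list.self = {"http", "127.0.0.1", 8000}; list.allowSelf = true;
    return list.matches(url, preFixBehaviour);
}
// "script-src blob:" for the same page.
bool blobPolicyAllows(const std::string& url) {
    SourceList list; list.schemes = {"blob:"};
    return list.matches(url, false);
}
```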
Diff
Modified: trunk/LayoutTests/ChangeLog (196527 => 196528)
--- trunk/LayoutTests/ChangeLog 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/LayoutTests/ChangeLog 2016-02-13 00:24:28 UTC (rev 196528)
@@ -1,5 +1,32 @@
2016-02-12 Daniel Bates <[email protected]>
+ CSP: 'blob:' URLs should not match 'self' in CSP source _expression_ lists.
+ https://bugs.webkit.org/show_bug.cgi?id=153158
+ <rdar://problem/24383264>
+
+ Reviewed by Brent Fulgham.
+
+ Add test http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html to ensure that a
+ blob URL matches source "blob:".
+
+ Replaced text-only test http/tests/security/contentSecurityPolicy/blob-urls-match-self.html with an
+ analogous reference test http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html
+ so as ensure that we do not regress the behavior that source 'self' should not match a blob URL
+ without considering the Content Security Policy violation message as part of the expected result.
+ The Content Security Policy violation message will differ between test runs because it references
+ the blob URL that triggered the violation, which is cryptographically random.
+
+ * TestExpectations: Remove entry for test http/tests/security/contentSecurityPolicy/blob-urls-match-self.html as the analogous test
+ blob-url-does-not-match-source-self.htm now passes.
+ * http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self-expected.html: Added.
+ * http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html: Added.
+ * http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html: Added.
+ * http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/blob-urls-match-self.html: Removed. See the analogous test blob-url-does-not-match-source-self.html.
+
+2016-02-12 Daniel Bates <[email protected]>
+
CSP: Implement child-src directive
https://bugs.webkit.org/show_bug.cgi?id=153562
<rdar://problem/24610087>
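Review bot: Two typos in the new ChangeLog entry: "so as ensure" should read "so as to ensure", and the TestExpectations note refers to blob-url-does-not-match-source-self.htm although the file added in this revision is blob-url-does-not-match-source-self.html.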
Modified: trunk/LayoutTests/TestExpectations (196527 => 196528)
--- trunk/LayoutTests/TestExpectations 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/LayoutTests/TestExpectations 2016-02-13 00:24:28 UTC (rev 196528)
@@ -816,7 +816,6 @@
webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html
webkit.org/b/153154 http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html
webkit.org/b/153155 http/tests/security/contentSecurityPolicy/style-src-blocked-error-event.html
-webkit.org/b/153158 http/tests/security/contentSecurityPolicy/blob-urls-match-self.html [ Failure ]
webkit.org/b/153159 http/tests/security/contentSecurityPolicy/image-document-default-src-none.html [ Failure ]
webkit.org/b/153160 http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child.html [ Failure ]
webkit.org/b/153160 http/tests/security/contentSecurityPolicy/plugin-in-iframe-with-csp.html [ Failure ]
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self-expected.html (0 => 196528)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self-expected.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self-expected.html 2016-02-13 00:24:28 UTC (rev 196528)
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<body>
+<!-- This is an reference HTML document as opposed to a plain text file so as to avoid the need the include the text of
+the Content Security Policy console message when the blob-URL is blocked. The Content Security Policy console message
+will differ between test runs because it contains the uniquely generated blob-URL that triggered the violation. -->
+<p>This tests that a blob-URL _javascript_ script fails to load because it does not match Content Security Policy <code>script-src 'self'</code>.</p>
+<pre>PASS fired error event for blob-URL script.</pre>
+</body>
+</html>
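Review bot: The HTML comment explaining why this is a reference document rather than a text expectation has two slips: "This is an reference HTML document" should be "a reference HTML document", and "the need the include the text" should be "the need to include the text".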
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html (0 => 196528)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html 2016-02-13 00:24:28 UTC (rev 196528)
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'">
+<script>
+if (window.testRunner)
+ testRunner.waitUntilDone();
+</script>
+</head>
+<body>
+<p>This tests that a blob-URL _javascript_ script fails to load because it does not match Content Security Policy <code>script-src 'self'</code>.</p>
+<pre id="console"></pre>
+<script>
+function log(message)
+{
+ document.getElementById("console").appendChild(document.createTextNode(message + "\n"));
+}
+
+function done()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var script = document.createElement("script");
+script._onload_ = function () {
+ log("FAIL should not have fired load event for blob-URL script.");
+ done();
+}
+script._onerror_ = function () {
+ log("PASS fired error event for blob-URL script.");
+ done();
+}
+script.src = "" Blob(["log('FAIL should not have executed blob-URL script.');"]));
+document.head.appendChild(script);
+</script>
+</body>
+</html>
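Review bot: The policy on the <meta> line grants 'unsafe-eval' although nothing in this test evaluates strings; trimming it to script-src 'self' 'unsafe-inline' keeps the test focused on whether 'self' matches the blob URL. Consider also giving the Blob an explicit JavaScript MIME type, as the removed blob-urls-match-self.html did, so the script-load path does not depend on type sniffing.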
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob-expected.txt (0 => 196528)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob-expected.txt 2016-02-13 00:24:28 UTC (rev 196528)
@@ -0,0 +1,5 @@
+This tests that a blob-URL _javascript_ script loads with Content Security Policy script-src blob:.
+
+PASS executed blob-URL script.
+PASS fired load event for blob-URL script.
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html (0 => 196528)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html 2016-02-13 00:24:28 UTC (rev 196528)
@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src blob: 'unsafe-inline'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<p>This tests that a blob-URL _javascript_ script loads with Content Security Policy <code>script-src blob:</code>.</p>
+<pre id="console"></pre>
+<script>
+function log(message)
+{
+ document.getElementById("console").appendChild(document.createTextNode(message + "\n"));
+}
+
+function done()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var script = document.createElement("script");
+script._onload_ = function () {
+ log("PASS fired load event for blob-URL script.");
+ done();
+}
+script._onerror_ = function () {
+ log("FAIL should not have fired error event for blob-URL script.");
+ done();
+}
+script.src = "" Blob(["log('PASS executed blob-URL script.');"]));
+document.head.appendChild(script);
+</script>
+</html>
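Review bot: This document goes straight from </head> to <p> with no <body> element; the parser synthesizes one, but the sibling blob-url-does-not-match-source-self.html wraps its content in <body>...</body>, and matching that keeps the two tests identical apart from the policy under test.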
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt (196527 => 196528)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self-expected.txt 2016-02-13 00:24:28 UTC (rev 196528)
@@ -1,2 +0,0 @@
-ALERT: PASS (1/1)!
-blob: URLs are same-origin with the page in which they were created, and should therefore match the 'self' source in CSP directives.
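Review bot: The removed expectation stated the wrong invariant ("blob: URLs are same-origin with the page ... and should therefore match the 'self' source"). CSP2's Security Considerations for GUID URL schemes, cited in the ChangeLog, exclude blob: from 'self' precisely because the URL shares the creating document's origin, so deleting this file with its test rather than updating its text is the right call.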
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html (196527 => 196528)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html 2016-02-13 00:24:28 UTC (rev 196528)
@@ -1,30 +0,0 @@
-<!DOCTYPE html>
-<html>
- <head>
- <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'">
- <script src=""
- <script src=""
- <script>
- var t = async_test("blob: does not match 'self' (see step 2 of http://www.w3.org/TR/CSP2/#match-source-_expression_)");
-
- t.step(function () {
- var b = new Blob(['assert_unreached();'], { type: 'application/_javascript_' });
-
- var script = document.createElement('script');
-
- script.addEventListener('load', t.step_func(function () {
- assert_unreached();
- }));
-
- script.addEventListener('error', t.step_func(function () {
- t.done();
- }));
-
- script.src = ""
- document.head.appendChild(script);
- });
- </script>
- </head>
- <body>
- </body>
-</html>
Modified: trunk/Source/WebCore/ChangeLog (196527 => 196528)
--- trunk/Source/WebCore/ChangeLog 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/Source/WebCore/ChangeLog 2016-02-13 00:24:28 UTC (rev 196528)
@@ -1,5 +1,24 @@
2016-02-12 Daniel Bates <[email protected]>
+ CSP: 'blob:' URLs should not match 'self' in CSP source _expression_ lists.
+ https://bugs.webkit.org/show_bug.cgi?id=153158
+ <rdar://problem/24383264>
+
+ Reviewed by Brent Fulgham.
+
+ A blob URL should not match source 'self' by section Security Considerations for GUID URL schemes
+ of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/CSP2/> (21 July 2015).
+
+ Tests: http/tests/security/contentSecurityPolicy/blob-url-does-not-match-source-self.html
+ http/tests/security/contentSecurityPolicy/blob-url-matches-source-blob.html
+
+ * page/csp/ContentSecurityPolicySourceList.cpp:
+ (WebCore::ContentSecurityPolicySourceList::matches): Do not make a distinction between URLs that
+ contain a nested URL (e.g. blob://http://www.example.com/...) and URLs that do not contain a nested
+ URL. The URL of the requested resource should be matched against the source list source expressions.
+
+2016-02-12 Daniel Bates <[email protected]>
+
CSP: Implement child-src directive
https://bugs.webkit.org/show_bug.cgi?id=153562
<rdar://problem/24610087>
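Review bot: The nested-URL example blob://http://www.example.com/... in the ChangeLog uses a double slash after blob:, whereas blob URLs have the form blob:http://www.example.com/<uuid> with the origin following the scheme separator directly; worth correcting so the entry shows the form the code actually sees. Also "spec.," should be "spec,".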
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (196527 => 196528)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp 2016-02-13 00:22:53 UTC (rev 196527)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp 2016-02-13 00:24:28 UTC (rev 196528)
@@ -97,16 +97,17 @@
bool ContentSecurityPolicySourceList::matches(const URL& url)
{
- if (m_allowStar)
+ if (m_allowStar) {
+ // FIXME: Should only match for URLs whose scheme is not blob, data or filesystem.
+ // See <https://bugs.webkit.org/show_bug.cgi?id=154122> for more details.
return true;
+ }
- URL effectiveURL = SecurityOrigin::shouldUseInnerURL(url) ? SecurityOrigin::extractInnerURL(url) : url;
-
- if (m_allowSelf && m_policy.urlMatchesSelf(effectiveURL))
+ if (m_allowSelf && m_policy.urlMatchesSelf(url))
return true;
for (auto& entry : m_list) {
- if (entry.matches(effectiveURL))
+ if (entry.matches(url))
return true;
}
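Review bot: With the early return for m_allowStar kept ahead of the 'self' and list checks, script-src * still permits blob: (and data:, filesystem:) URLs after this change, so a page that loosens 'self' to * silently regains blob execution; the FIXME defers that to bug 154122, but a test pinned to that bug in TestExpectations would keep the gap visible. Also worth confirming that m_policy.urlMatchesSelf does not itself apply SecurityOrigin::shouldUseInnerURL/extractInnerURL when comparing origins, since the fix depends on the outer blob: scheme reaching that comparison.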