Diff
Modified: trunk/LayoutTests/ChangeLog (197696 => 197697)
--- trunk/LayoutTests/ChangeLog 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/ChangeLog 2016-03-07 20:21:17 UTC (rev 197697)
@@ -1,3 +1,35 @@
+2016-03-07 Daniel Bates <[email protected]>
+
+ CSP: object-src directive should prohibit creation of nested browsing context
+ https://bugs.webkit.org/show_bug.cgi?id=153153
+ <rdar://problem/24383209>
+
+ Reviewed by Brent Fulgham.
+
+ Add test to ensure that we enforce the Content Security Policy object-src directive
+ for HTML object and HTML embed elements that behave like an HTML iframe element.
+
+ * TestExpectations: Remove entries for tests that pass.
+ * http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html: Added.
+
+ * http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html:
+ * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html:
+ * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html: Added.
+ * http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt:
+ * http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html:
+ Simplify the code used in the above tests and update incorrect expected results.
+
+ * http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html: Added.
+ * http/tests/security/contentSecurityPolicy/resources/object-src-param.js: Removed.
+
2016-03-07 Ryan Haddad <[email protected]>
Marking js/arraybuffer-wrappers.html as a flaky timeout on Mac
Modified: trunk/LayoutTests/TestExpectations (197696 => 197697)
--- trunk/LayoutTests/TestExpectations 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/TestExpectations 2016-03-07 20:21:17 UTC (rev 197697)
@@ -845,10 +845,6 @@
webkit.org/b/153151 http/tests/security/contentSecurityPolicy/icon-blocked.html [ Failure ]
webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-allowed.html # Needs testRunner.getManifestThen()
webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-blocked.html # Needs testRunner.getManifestThen()
-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html
-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html
-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html
-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html
webkit.org/b/153154 http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html
webkit.org/b/153155 http/tests/security/contentSecurityPolicy/style-src-blocked-error-event.html
webkit.org/b/153159 http/tests/security/contentSecurityPolicy/image-document-default-src-none.html [ Failure ]
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt (0 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt 2016-03-07 20:21:17 UTC (rev 197697)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' because it violates the following Content Security Policy directive: "object-src 'none'".
+
+This test passes if there is a console message saying the plugin was blocked.
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html (0 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html 2016-03-07 20:21:17 UTC (rev 197697)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+</head>
+<body>
+This test passes if there is a console message saying the plugin was blocked.
+<embed src=""
+</body>
+</html>
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt (0 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt 2016-03-07 20:21:17 UTC (rev 197697)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "object-src 'none'".
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html (0 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html 2016-03-07 20:21:17 UTC (rev 197697)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+</head>
+<body>
+<embed src="" type="text/html">
+</body>
+</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt (197696 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt 2016-03-07 20:21:17 UTC (rev 197697)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?code' because it violates the following Content Security Policy directive: "object-src http://localhost:8080".
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?code' because it violates the following Content Security Policy directive: "object-src http://localhost:8000".
-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
This test passes if there is a console message saying the plugin was blocked.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html (197696 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html 2016-03-07 20:21:17 UTC (rev 197697)
@@ -1,13 +1,18 @@
<!DOCTYPE html>
<html>
<head>
-<script src=""
-<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8080">
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8000">
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText()
+</script>
</head>
<body>
This test passes if there is a console message saying the plugin was blocked.
-<script>
- appendObjectElement('code');
-</script>
+<object type="application/x-webkit-test-netscape">
+ <param name="code" value="http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?code">
+</object>
+<script>runAfterPluginLoad(null, NotifyDone);</script>
</body>
</html>
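Review bot: The added inline script calls `testRunner.dumpAsText()` without a trailing semicolon, while the same call in object-src-param-movie-blocked.html, object-src-param-src-blocked.html and object-src-param-url-blocked.html in this commit ends with one; write `testRunner.dumpAsText();` so the four tests stay textually parallel. Since the expected result is now only the CSP console message, a short comment above `runAfterPluginLoad(null, NotifyDone)` saying why the test still waits on that helper when the load is expected to be refused would help the next reader; the helper's definition is not visible in this diff.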
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt (197696 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt 2016-03-07 20:21:17 UTC (rev 197697)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?movie' because it violates the following Content Security Policy directive: "object-src http://localhost:8080".
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?movie' because it violates the following Content Security Policy directive: "object-src http://localhost:8000".
-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
This test passes if there is a console message saying the plugin was blocked.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html (197696 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html 2016-03-07 20:21:17 UTC (rev 197697)
@@ -1,13 +1,18 @@
<!DOCTYPE html>
<html>
<head>
-<script src=""
-<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8080">
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8000">
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
</head>
<body>
This test passes if there is a console message saying the plugin was blocked.
-<script>
- appendObjectElement('movie');
-</script>
+<object type="application/x-webkit-test-netscape">
+ <param name="movie" value="http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?movie">
+</object>
+<script>runAfterPluginLoad(null, NotifyDone);</script>
</body>
</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt (197696 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt 2016-03-07 20:21:17 UTC (rev 197697)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?src' because it violates the following Content Security Policy directive: "object-src http://localhost:8080".
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?src' because it violates the following Content Security Policy directive: "object-src http://localhost:8000".
-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
This test passes if there is a console message saying the plugin was blocked.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html (197696 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html 2016-03-07 20:21:17 UTC (rev 197697)
@@ -1,13 +1,18 @@
<!DOCTYPE html>
<html>
<head>
-<script src=""
-<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8080">
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8000">
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
</head>
<body>
This test passes if there is a console message saying the plugin was blocked.
-<script>
- appendObjectElement('src');
-</script>
+<object type="application/x-webkit-test-netscape">
+ <param name="src" value="http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?src">
+</object>
+<script>runAfterPluginLoad(null, NotifyDone);</script>
</body>
</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt (0 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt 2016-03-07 20:21:17 UTC (rev 197697)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "object-src 'none'".
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html (0 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html 2016-03-07 20:21:17 UTC (rev 197697)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<object type="application/x-non-existent-plugin">
+ <param name="src" value="resources/alert-fail.html">
+</object>
+</body>
+</html>
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt (197696 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt 2016-03-07 20:21:17 UTC (rev 197697)
@@ -1,4 +1,3 @@
-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?url' because it violates the following Content Security Policy directive: "object-src http://localhost:8080".
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?url' because it violates the following Content Security Policy directive: "object-src http://localhost:8000".
-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
This test passes if there is a console message saying the plugin was blocked.
Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html (197696 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html 2016-03-07 20:21:17 UTC (rev 197697)
@@ -1,13 +1,18 @@
<!DOCTYPE html>
<html>
<head>
-<script src=""
-<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8080">
+<script src=""
+<meta http-equiv="Content-Security-Policy" content="object-src http://localhost:8000">
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
</head>
<body>
This test passes if there is a console message saying the plugin was blocked.
-<script>
- appendObjectElement('url');
-</script>
+<object type="application/x-webkit-test-netscape">
+ <param name="url" value="http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?url">
+</object>
+<script>runAfterPluginLoad(null, NotifyDone);</script>
</body>
</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt (0 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt 2016-03-07 20:21:17 UTC (rev 197697)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: "object-src 'none'".
+
+
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html (0 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html 2016-03-07 20:21:17 UTC (rev 197697)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+</head>
+<body>
+<object data="" type="text/html"></object>
+</body>
+</html>
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/object-src-param.js (197696 => 197697)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/object-src-param.js 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/object-src-param.js 2016-03-07 20:21:17 UTC (rev 197697)
@@ -1,29 +0,0 @@
-if (window.testRunner) {
- testRunner.dumpAsText();
- testRunner.waitUntilDone();
-}
-
-function appendObjectElement(type) {
- window._onload_ = function () {
- var o = document.createElement('object');
- o.setAttribute('type', 'application/x-webkit-test-netscape');
- o.addEventListener('load', function () {
- console.log('FAIL: The object should have been blocked.');
- if (window.testRunner)
- testRunner.notifyDone();
- });
- o.addEventListener('error', function () {
- console.log('PASS: Error occurred, so load was correctly blocked.');
- if (window.testRunner)
- testRunner.notifyDone();
- });
-
- var p = document.createElement('param');
- p.setAttribute('value', 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?' + type);
- p.setAttribute('name', type);
-
- o.appendChild(p);
-
- document.body.appendChild(o);
- };
-}
Modified: trunk/Source/WebCore/ChangeLog (197696 => 197697)
--- trunk/Source/WebCore/ChangeLog 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/Source/WebCore/ChangeLog 2016-03-07 20:21:17 UTC (rev 197697)
@@ -1,3 +1,33 @@
+2016-03-07 Daniel Bates <[email protected]>
+
+ CSP: object-src directive should prohibit creation of nested browsing context
+ https://bugs.webkit.org/show_bug.cgi?id=153153
+ <rdar://problem/24383209>
+
+ Reviewed by Brent Fulgham.
+
+ Enforce the Content Security Policy object-src directive when fetching a URL for content
+ that will cause an HTML object or HTML embed element to act as a nested browsing context
+ (i.e. behave as if the content was loaded in an HTML iframe element). This makes our
+ enforcement of the object-src directive match the behavior of the object-src directive
+ in the Content Security Policy 2.0 spec., <http://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+ Tests: http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html
+ http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html
+ http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html
+ http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html
+
+ * loader/SubframeLoader.cpp:
+ (WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Extracted from SubframeLoader::pluginIsLoadable().
+ Checks if the plugin element is allowed by the Content Security Policy to load the URL and MIME type.
+ (WebCore::SubframeLoader::pluginIsLoadable): Extract out the logic for determining if
+ the plugin content is allowed to load by the Content Security Policy into SubframeLoader::isPluginContentAllowedByContentSecurityPolicy()
+ and make use of this function.
+ (WebCore::SubframeLoader::requestObject): Modified to call SubframeLoader::isPluginContentAllowedByContentSecurityPolicy()
+ before loading plugin content into a sub frame. If the plugin content is not allowed to load then we
+ mark the plugin as unavailable with the reason being that it was blocked by the Content Security Policy.
+ * loader/SubframeLoader.h:
+
2016-03-06 Gavin Barraclough <[email protected]>
Convert DOMTimer to std::chrono::milliseconds
Modified: trunk/Source/WebCore/loader/SubframeLoader.cpp (197696 => 197697)
--- trunk/Source/WebCore/loader/SubframeLoader.cpp 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/Source/WebCore/loader/SubframeLoader.cpp 2016-03-07 20:21:17 UTC (rev 197697)
@@ -104,6 +104,20 @@
return shouldUsePlugin(completedURL, mimeType, false, useFallback);
}
+bool SubframeLoader::isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType) const
+{
+ if (!document())
+ return true;
+
+ ASSERT(document()->contentSecurityPolicy());
+ const ContentSecurityPolicy& contentSecurityPolicy = *document()->contentSecurityPolicy();
+
+ String declaredMimeType = document()->isPluginDocument() && document()->ownerElement() ?
+ document()->ownerElement()->fastGetAttribute(HTMLNames::typeAttr) : pluginElement.fastGetAttribute(HTMLNames::typeAttr);
+ bool isInUserAgentShadowTree = pluginElement.isInUserAgentShadowTree();
+ return contentSecurityPolicy.allowObjectFromSource(url, isInUserAgentShadowTree) && contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, url, isInUserAgentShadowTree);
+}
+
bool SubframeLoader::pluginIsLoadable(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType)
{
if (MIMETypeRegistry::isJavaAppletMIMEType(mimeType)) {
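Review bot: The new `isPluginContentAllowedByContentSecurityPolicy()` fails open, because `if (!document()) return true;` gives the permissive answer to a policy check when there is no document to consult. If a null document can never reach an actual load, say so in a comment on that branch, for example `// Without a document nothing can be loaded, so there is no policy to enforce here.`; if that cannot be guaranteed, `return false;` is the safer default for an enforcement helper. Separately, `ASSERT(document()->contentSecurityPolicy())` is compiled out of release builds, so the dereference on the following line still relies on the policy object always existing. The removed code in pluginIsLoadable() made the same assumption, but it is worth stating now that a second caller depends on it. The hunk ends inside pluginIsLoadable(), whose body continues outside it.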
@@ -122,12 +136,7 @@
return false;
}
- String declaredMimeType = document()->isPluginDocument() && document()->ownerElement() ?
- document()->ownerElement()->fastGetAttribute(HTMLNames::typeAttr) :
- pluginElement.fastGetAttribute(HTMLNames::typeAttr);
- bool isInUserAgentShadowTree = pluginElement.isInUserAgentShadowTree();
- if (!document()->contentSecurityPolicy()->allowObjectFromSource(url, isInUserAgentShadowTree)
- || !document()->contentSecurityPolicy()->allowPluginType(mimeType, declaredMimeType, url, isInUserAgentShadowTree)) {
+ if (!isPluginContentAllowedByContentSecurityPolicy(pluginElement, url, mimeType)) {
RenderEmbeddedObject* renderer = pluginElement.renderEmbeddedObject();
renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
return false;
@@ -227,6 +236,12 @@
return success;
}
+ if (!isPluginContentAllowedByContentSecurityPolicy(ownerElement, completedURL, mimeType)) {
+ RenderEmbeddedObject* renderer = ownerElement.renderEmbeddedObject();
+ renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
+ return false;
+ }
+
// If the plug-in element already contains a subframe, loadOrRedirectSubframe will re-use it. Otherwise,
// it will create a new frame and set it as the RenderWidget's Widget, causing what was previously
// in the widget to be torn down.
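Review bot: `renderer` is dereferenced without a null check in the added block, and this call site differs from pluginIsLoadable(). It is reached for content that will load as a nested browsing context, where the owner element may not have an embedded-object renderer (for instance when it renders fallback content). That is inferred, since `renderEmbeddedObject()` is not shown in this diff. Guarding the call keeps the policy decision intact without risking a crash on the blocked path: `if (RenderEmbeddedObject* renderer = ownerElement.renderEmbeddedObject())` followed by `renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);`, then the unconditional `return false;`. The same check-mark-return sequence now appears in pluginIsLoadable() in the previous hunk, so a small private helper would keep the two enforcement points from drifting apart. requestObject's body starts and ends outside this hunk.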
Modified: trunk/Source/WebCore/loader/SubframeLoader.h (197696 => 197697)
--- trunk/Source/WebCore/loader/SubframeLoader.h 2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/Source/WebCore/loader/SubframeLoader.h 2016-03-07 20:21:17 UTC (rev 197697)
@@ -77,6 +77,8 @@
Frame* loadSubframe(HTMLFrameOwnerElement&, const URL&, const String& name, const String& referrer);
bool loadPlugin(HTMLPlugInImageElement&, const URL&, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues, bool useFallback);
+ bool isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement&, const URL&, const String& mimeType) const;
+
bool shouldUsePlugin(const URL&, const String& mimeType, bool hasFallback, bool& useFallback);
bool pluginIsLoadable(HTMLPlugInImageElement&, const URL&, const String& mimeType);