Title: [199527] trunk
Revision: 199527
Author: [email protected]
Date: 2016-04-13 19:39:58 -0700 (Wed, 13 Apr 2016)

Log Message

CSP: Nested browsing context created for <object> or <embed> should respect object-src directive
https://bugs.webkit.org/show_bug.cgi?id=156563
<rdar://problem/25715713>

Reviewed by Darin Adler.

Source/WebCore:

As per section object-src of the Content Security Policy Level 2 spec.,
<https://w3c.github.io/webappsec-csp/2/> (Editor's Draft, 29 August 2015), a nested browsing
context created for an HTML object or HTML embed element should respect the object-src directive.

Currently a nested browsing context created for an HTML object or HTML embed element respects
the child-src directive or frame-src directive (in that order). Instead such nested browsing
contexts should respect the object-src directive.

Tests: http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src.html
       http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src.html
       http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src.html
       http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src.html
       http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src.html
       http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src.html
       http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src.html
       http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src.html

* loader/PolicyChecker.cpp:
(WebCore::isAllowedByContentSecurityPolicy): Added. Checks whether the specified URL is allowed by the
object-src or the child-src/frame-src directive for a plugin element and non-plugin element, respectively.
(WebCore::PolicyChecker::checkNavigationPolicy): Modified to call isAllowedByContentSecurityPolicy().

LayoutTests:

Add tests to ensure that nested browsing contexts created for <object> and <embed> respect
the object-src directive.

* http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src.html: Added.
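To make the behaviour change concrete, here is a small CSP directive-selection model (an added illustration, not WebKit code) that evaluates the eight policies from this commit's layout tests under the old fallback order (child-src, then frame-src) and under the corrected one (object-src for <object>/<embed>). Only the 'none', 'self' and '*' source expressions plus a plain scheme://host prefix are modelled; the origin comes from the commit's expected output, while the nested document URL is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed inputs: the test page's origin from the commit's expected.txt
# files, and a hypothetical same-origin nested document.
ORIGIN = "http://127.0.0.1:8000"
NESTED_URL = ORIGIN + "/security/contentSecurityPolicy/resources/nested.html"

# (test name from the commit, its <meta> policy, element, result after the fix)
CASES = [
    ("object-src-allows-embed-blocked-by-child-src", "object-src 'self'; child-src 'none'", "embed", True),
    ("object-src-allows-embed-blocked-by-frame-src", "object-src 'self'; frame-src 'none'", "embed", True),
    ("object-src-allows-object-blocked-by-child-src", "object-src 'self'; child-src 'none'", "object", True),
    ("object-src-allows-object-blocked-by-frame-src", "object-src 'self'; frame-src 'none'", "object", True),
    ("object-src-blocks-embed-allowed-by-child-src", "object-src 'none'; child-src 'self'", "embed", False),
    ("object-src-blocks-embed-allowed-by-frame-src", "object-src 'none'; frame-src 'self'", "embed", False),
    ("object-src-blocks-object-allowed-by-child-src", "object-src 'none'; child-src 'self'", "object", False),
    ("object-src-blocks-object-allowed-by-frame-src", "object-src 'none'; frame-src 'self'", "object", False),
]


def parse_policy(policy):
    """Split a serialized policy into {directive-name: [source expressions]}.
    The first occurrence of a directive wins, as CSP requires."""
    directives = {}
    for token_list in policy.split(";"):
        tokens = token_list.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def source_matches(expr, url, document_origin):
    """Minimal source-expression matcher: 'none', 'self', '*' and a plain
    scheme://host[:port] prefix. Host wildcards and paths are not modelled."""
    if expr == "'none'":
        return False
    if expr == "'self'":
        u, o = urlsplit(url), urlsplit(document_origin)
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if expr == "*":
        return True
    return url.startswith(expr)


def governing_directive(directives, element, fixed=True):
    """Return the directive name that governs a nested browsing context.
    fixed=True models WebKit after this change: <object>/<embed> use object-src.
    fixed=False models the old behaviour: child-src, then frame-src, for all."""
    if fixed and element in ("object", "embed"):
        chain = ("object-src", "default-src")
    else:
        chain = ("child-src", "frame-src", "default-src")
    return next((name for name in chain if name in directives), None)


def allows_nested_context(policy, element, url, document_origin, fixed=True):
    """True if the policy lets `element` load `url` as its nested context."""
    directives = parse_policy(policy)
    name = governing_directive(directives, element, fixed)
    if name is None:  # no applicable directive: nothing to enforce
        return True
    return any(source_matches(e, url, document_origin) for e in directives[name])


def run_cases(fixed=True):
    """Evaluate the commit's eight test policies under either behaviour."""
    return {name: allows_nested_context(policy, element, NESTED_URL, ORIGIN, fixed)
            for name, policy, element, _ in CASES}


if __name__ == "__main__":
    before, after = run_cases(False), run_cases(True)
    for name, _, _, expected in CASES:
        print(f"{name}: before={before[name]} after={after[name]} expected={expected}")
```

Under the old order every one of the eight cases comes out inverted, which is exactly why the tests are named "allows ... blocked by" and "blocks ... allowed by".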

Diff

Modified: trunk/LayoutTests/ChangeLog (199526 => 199527)


--- trunk/LayoutTests/ChangeLog	2016-04-14 02:35:40 UTC (rev 199526)
+++ trunk/LayoutTests/ChangeLog	2016-04-14 02:39:58 UTC (rev 199527)
@@ -1,5 +1,33 @@
 2016-04-13  Daniel Bates  <[email protected]>
 
+        CSP: Nested browsing context created for <object> or <embed> should respect object-src directive
+        https://bugs.webkit.org/show_bug.cgi?id=156563
+        <rdar://problem/25715713>
+
+        Reviewed by Darin Adler.
+
+        Add tests to ensure that nested browsing context created for <object> and <embed> respect
+        the object-src directive.
+
+        * http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src.html: Added.
+
+2016-04-13  Daniel Bates  <[email protected]>
+
         CSP: Remove duplicate test meta-outside-head.html
         https://bugs.webkit.org/show_bug.cgi?id=156556
 

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src-expected.txt (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src-expected.txt	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,2 @@
+ALERT: PASS
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src.html (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src.html	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'self'; child-src 'none'">
+</head>
+<body>
+<embed type="text/html" src=""
+</body>
+</html>
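Review bot: the `<embed type="text/html" src=""` start tag on the second-to-last added line is unterminated and has an empty `src` as it appears here, yet the expected output for this test is `ALERT: PASS`, which can only come from a same-origin document that actually loads and alerts. If this is the committed content rather than an artifact of how the page was captured, the test never attempts a load and cannot exercise object-src at all; please confirm the file reads `<embed type="text/html" src="...">` with a same-origin resource that alerts PASS and a closing `>`. The same check applies to the other seven test files in this change, which show the identical truncated tag.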

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src-expected.txt (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src-expected.txt	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,2 @@
+ALERT: PASS
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src.html (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src.html	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'self'; frame-src 'none'">
+</head>
+<body>
+<embed type="text/html" src=""
+</body>
+</html>

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src-expected.txt (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src-expected.txt	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,2 @@
+ALERT: PASS
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src.html (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src.html	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'self'; child-src 'none'">
+</head>
+<body>
+<object type="text/html" data=""
+</body>
+</html>

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src-expected.txt (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src-expected.txt	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,2 @@
+ALERT: PASS
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src.html (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src.html	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'self'; frame-src 'none'">
+</head>
+<body>
+<object type="text/html" data=""
+</body>
+</html>

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src-expected.txt (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src-expected.txt	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the object-src directive of the Content Security Policy.
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src.html (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src.html	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'; child-src 'self'">
+</head>
+<body>
+<embed type="text/html" src=""
+</body>
+</html>
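Review bot: the expected output for this test names `http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html` as the URL refused by object-src, but the `<embed>` tag as shown carries `src=""` and no closing `>`, so as written no request for that resource would ever be made and the console message would not appear. Please verify the committed `src` is that alert-fail.html URL; the test is otherwise well formed, since demanding the console message means a test that silently never loads anything fails rather than passes.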

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src-expected.txt (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src-expected.txt	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the object-src directive of the Content Security Policy.
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src.html (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src.html	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'; frame-src 'self'">
+</head>
+<body>
+<embed type="text/html" src=""
+</body>
+</html>

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src-expected.txt (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src-expected.txt	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the object-src directive of the Content Security Policy.
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src.html (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src.html	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'; child-src 'self'">
+</head>
+<body>
+<object type="text/html" data=""
+</body>
+</html>

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src-expected.txt (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src-expected.txt	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the object-src directive of the Content Security Policy.
+

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src.html (0 => 199527)


--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src.html	2016-04-14 02:39:58 UTC (rev 199527)
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'; frame-src 'self'">
+</head>
+<body>
+<object type="text/html" data=""
+</body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (199526 => 199527)


--- trunk/Source/WebCore/ChangeLog	2016-04-14 02:35:40 UTC (rev 199526)
+++ trunk/Source/WebCore/ChangeLog	2016-04-14 02:39:58 UTC (rev 199527)
@@ -1,5 +1,35 @@
 2016-04-13  Daniel Bates  <[email protected]>
 
+        CSP: Nested browsing context created for <object> or <embed> should respect object-src directive
+        https://bugs.webkit.org/show_bug.cgi?id=156563
+        <rdar://problem/25715713>
+
+        Reviewed by Darin Adler.
+
+        As per section object-src of the Content Security Policy Level 2 spec.,
+        <https://w3c.github.io/webappsec-csp/2/> (Editor's Draft, 29 August 2015), a nested browsing
+        context created for an HTML object or HTML embed element should respect the object-src directive.
+
+        Currently a nested browsing context created for an HTML object or HTML embed element respects
+        the child-src directive or frame-src directive (in that order). Instead such nested browsing
+        contexts should respect the object-src directive.
+
+        Tests: http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src.html
+               http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src.html
+               http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src.html
+               http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src.html
+               http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src.html
+               http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src.html
+               http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src.html
+               http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src.html
+
+        * loader/PolicyChecker.cpp:
+        (WebCore::isAllowedByContentSecurityPolicy): Added. Checks whether the specified URL is allowed by the
+        object-src or the child-src/frame-src directive for a plugin element and non-plugin element, respectively.
+        (WebCore::PolicyChecker::checkNavigationPolicy): Modified to call isAllowedByContentSecurityPolicy().
+
+2016-04-13  Daniel Bates  <[email protected]>
+
         CSP: Remove experimental directive reflected-xss
         https://bugs.webkit.org/show_bug.cgi?id=156554
 

Modified: trunk/Source/WebCore/loader/PolicyChecker.cpp (199526 => 199527)


--- trunk/Source/WebCore/loader/PolicyChecker.cpp	2016-04-14 02:35:40 UTC (rev 199526)
+++ trunk/Source/WebCore/loader/PolicyChecker.cpp	2016-04-14 02:39:58 UTC (rev 199527)
@@ -40,6 +40,7 @@
 #include "FrameLoaderClient.h"
 #include "HTMLFormElement.h"
 #include "HTMLFrameOwnerElement.h"
+#include "HTMLPlugInElement.h"
 #include "SecurityOrigin.h"
 
 #if USE(QUICK_LOOK)
@@ -48,6 +49,15 @@
 
 namespace WebCore {
 
+static bool isAllowedByContentSecurityPolicy(const URL& url, const Element* ownerElement)
+{
+    if (!ownerElement)
+        return true;
+    if (is<HTMLPlugInElement>(ownerElement))
+        return ownerElement->document().contentSecurityPolicy()->allowObjectFromSource(url, ownerElement->isInUserAgentShadowTree());
+    return ownerElement->document().contentSecurityPolicy()->allowChildFrameFromSource(url, ownerElement->isInUserAgentShadowTree());
+}
+
 PolicyChecker::PolicyChecker(Frame& frame)
     : m_frame(frame)
     , m_delegateIsDecidingNavigationPolicy(false)
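Review bot: `isAllowedByContentSecurityPolicy` takes a `const Element*`, but its only caller passes `m_frame.ownerElement()`, which is an `HTMLFrameOwnerElement*`; typing the parameter as `const HTMLFrameOwnerElement*` states the contract and keeps arbitrary elements out of a navigation-policy check. Both branches dereference `contentSecurityPolicy()` without a null check; the removed condition did the same, so this is not a regression, but a one-line comment that a Document always owns a policy object would help the next reader. The ChangeLog describes the non-plugin branch as "child-src/frame-src", so that fallback order must live inside `allowChildFrameFromSource()`; naming that in a comment beside the call would make the helper self-explanatory.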
@@ -86,7 +96,7 @@
         return;
     }
 
-    if (m_frame.ownerElement() && !m_frame.ownerElement()->document().contentSecurityPolicy()->allowChildFrameFromSource(request.url(), m_frame.ownerElement()->isInUserAgentShadowTree())) {
+    if (!isAllowedByContentSecurityPolicy(request.url(), m_frame.ownerElement())) {
         function(request, 0, false);
         return;
     }
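Review bot: the rewritten condition preserves the old semantics for non-plugin owners (no owner element still means allowed, and an iframe owner still goes through `allowChildFrameFromSource`), but all eight tests added here use `<object>` or `<embed>`; an `<iframe>` counterpart with a policy such as `object-src 'self'; child-src 'none'` would pin the unchanged path through the refactored helper and catch an accidental swap of the two branches. In the touched context, `function(request, 0, false)` passes a literal `0` for the form-state pointer where `nullptr` would be clearer; that line is unchanged by this patch, so a follow-up would do.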
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
