Diff
Modified: trunk/Source/WebCore/ChangeLog (200129 => 200130)
--- trunk/Source/WebCore/ChangeLog 2016-04-27 16:47:13 UTC (rev 200129)
+++ trunk/Source/WebCore/ChangeLog 2016-04-27 16:48:59 UTC (rev 200130)
@@ -1,3 +1,23 @@
+2016-04-27 Daniel Bates <[email protected]>
+
+ CSP: Add app-specific workaround for Ecobee and Quora
+ https://bugs.webkit.org/show_bug.cgi?id=157005
+ <rdar://problem/25560776>
+
+ Reviewed by Brent Fulgham.
+
+ * page/Settings.in: Add setting allowContentSecurityPolicySourceStarToMatchAnyProtocol (disabled by default).
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::allowContentSecurityPolicySourceStarToMatchAnyProtocol): Added.
+ * page/csp/ContentSecurityPolicy.h:
+ * page/csp/ContentSecurityPolicySourceList.cpp:
+ (WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar): Modified to return true
+ if ContentSecurityPolicy::allowContentSecurityPolicySourceStarToMatchAnyProtocol() evaluates to true.
+ * platform/RuntimeApplicationChecks.h:
+ * platform/RuntimeApplicationChecks.mm:
+ (WebCore::IOSApplication::isEcobee): Added.
+ (WebCore::IOSApplication::isQuora): Added.
+
2016-04-27 Carlos Garcia Campos <[email protected]>
REGRESSION(r200094): [FreeType] Vertical text is broken after r200094
Modified: trunk/Source/WebCore/page/Settings.in (200129 => 200130)
--- trunk/Source/WebCore/page/Settings.in 2016-04-27 16:47:13 UTC (rev 200129)
+++ trunk/Source/WebCore/page/Settings.in 2016-04-27 16:48:59 UTC (rev 200130)
@@ -254,3 +254,5 @@
userInterfaceDirectionPolicy type=UserInterfaceDirectionPolicy, initial=UserInterfaceDirectionPolicy::Content
systemLayoutDirection type=TextDirection, initial=LTR
+
+allowContentSecurityPolicySourceStarToMatchAnyProtocol initial=false
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (200129 => 200130)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-04-27 16:47:13 UTC (rev 200129)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-04-27 16:48:59 UTC (rev 200130)
@@ -50,6 +50,7 @@
#include "SchemeRegistry.h"
#include "SecurityOrigin.h"
#include "SecurityPolicyViolationEvent.h"
+#include "Settings.h"
#include "TextEncoding.h"
#include <inspector/InspectorValues.h>
#include <inspector/ScriptCallStack.h>
@@ -204,6 +205,13 @@
return m_selfSource->matches(url);
}
+bool ContentSecurityPolicy::allowContentSecurityPolicySourceStarToMatchAnyProtocol() const
+{
+ if (Settings* settings = is<Document>(m_scriptExecutionContext) ? downcast<Document>(*m_scriptExecutionContext).settings() : nullptr)
+ return settings->allowContentSecurityPolicySourceStarToMatchAnyProtocol();
+ return false;
+}
+
bool ContentSecurityPolicy::protocolMatchesSelf(const URL& url) const
{
if (equalLettersIgnoringASCIICase(m_selfSourceProtocol, "http"))
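Review bot: The new `allowContentSecurityPolicySourceStarToMatchAnyProtocol()` has no comment saying that it is an app-compatibility quirk or why it falls back to `false`. When the context is not a `Document`, or the document has no `Settings`, the relaxation stays off, which is the safe default and worth one line such as `// App-specific quirk (webkit.org/b/157005); stays off when no Document settings are available.` Whether `m_scriptExecutionContext` can be null here is not visible in this hunk; if it can, `is<Document>()` needs a null guard in front of it. The hunk ends inside `protocolMatchesSelf`, which continues outside it.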
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (200129 => 200130)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-04-27 16:47:13 UTC (rev 200129)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-04-27 16:48:59 UTC (rev 200130)
@@ -125,6 +125,7 @@
void reportInvalidPathCharacter(const String& directiveName, const String& value, const char) const;
void reportInvalidSourceExpression(const String& directiveName, const String& source) const;
bool urlMatchesSelf(const URL&) const;
+ bool allowContentSecurityPolicySourceStarToMatchAnyProtocol() const;
// Used by ContentSecurityPolicyDirectiveList
void reportDuplicateDirective(const String&) const;
Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (200129 => 200130)
--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp 2016-04-27 16:47:13 UTC (rev 200129)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp 2016-04-27 16:48:59 UTC (rev 200130)
@@ -118,6 +118,9 @@
bool ContentSecurityPolicySourceList::isProtocolAllowedByStar(const URL& url) const
{
+ if (m_policy.allowContentSecurityPolicySourceStarToMatchAnyProtocol())
+ return true;
+
// Although not allowed by the Content Security Policy Level 3 spec., we allow a data URL to match
// "img-src *" and either a data URL or blob URL to match "media-src *" for web compatibility.
bool isAllowed = url.protocolIsInHTTPFamily();
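Review bot: The early `return true` in `isProtocolAllowedByStar` skips every scheme check below it, so with the setting on, a `*` source matches any protocol for every directive, not only the `img-src` and `media-src` cases the existing comment describes. That is a broad weakening of the policy and the code does not say so; add a comment above the check, e.g. `// Quirk for specific apps linked against older SDKs (webkit.org/b/157005): "*" matches any scheme for all directives.` No test for the setting is visible on this page; one test that enables it and one that confirms the default still rejects non-HTTP schemes would pin both sides. The function body continues outside the hunk.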
Modified: trunk/Source/WebCore/platform/RuntimeApplicationChecks.h (200129 => 200130)
--- trunk/Source/WebCore/platform/RuntimeApplicationChecks.h 2016-04-27 16:47:13 UTC (rev 200129)
+++ trunk/Source/WebCore/platform/RuntimeApplicationChecks.h 2016-04-27 16:48:59 UTC (rev 200130)
@@ -73,6 +73,8 @@
WEBCORE_EXPORT bool isTheEconomistOnIphone();
WEBCORE_EXPORT bool isWebProcess();
bool isIBooks();
+WEBCORE_EXPORT bool isEcobee();
+WEBCORE_EXPORT bool isQuora();
} // IOSApplication
Modified: trunk/Source/WebCore/platform/RuntimeApplicationChecks.mm (200129 => 200130)
--- trunk/Source/WebCore/platform/RuntimeApplicationChecks.mm 2016-04-27 16:47:13 UTC (rev 200129)
+++ trunk/Source/WebCore/platform/RuntimeApplicationChecks.mm 2016-04-27 16:48:59 UTC (rev 200130)
@@ -241,6 +241,18 @@
return isIBooks;
}
+bool IOSApplication::isEcobee()
+{
+ static bool isEcobee = applicationBundleIsEqualTo("com.ecobee.athenamobile");
+ return isEcobee;
+}
+
+bool IOSApplication::isQuora()
+{
+ static bool isQuora = applicationBundleIsEqualTo("com.quora.app.mobile");
+ return isQuora;
+}
+
#endif
} // namespace WebCore
Modified: trunk/Source/WebKit/mac/ChangeLog (200129 => 200130)
--- trunk/Source/WebKit/mac/ChangeLog 2016-04-27 16:47:13 UTC (rev 200129)
+++ trunk/Source/WebKit/mac/ChangeLog 2016-04-27 16:48:59 UTC (rev 200130)
@@ -1,3 +1,17 @@
+2016-04-27 Daniel Bates <[email protected]>
+
+ CSP: Add app-specific workaround for Ecobee and Quora
+ https://bugs.webkit.org/show_bug.cgi?id=157005
+ <rdar://problem/25560776>
+
+ Reviewed by Brent Fulgham.
+
+ * Misc/WebKitVersionChecks.h:
+ * WebView/WebView.mm:
+ (shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol): Added.
+ (-[WebView _preferencesChanged:]): Enable setting allowContentSecurityPolicySourceStarToMatchAnyProtocol
+ if applicable.
+
2016-04-26 Joseph Pecoraro <[email protected]>
Uncaught Exception: SecurityError: DOM Exception 18: An attempt was made to break through the security policy of the user agent.
Modified: trunk/Source/WebKit/mac/Misc/WebKitVersionChecks.h (200129 => 200130)
--- trunk/Source/WebKit/mac/Misc/WebKitVersionChecks.h 2016-04-27 16:47:13 UTC (rev 200129)
+++ trunk/Source/WebKit/mac/Misc/WebKitVersionChecks.h 2016-04-27 16:48:59 UTC (rev 200130)
@@ -75,6 +75,7 @@
#define WEBKIT_FIRST_VERSION_WITHOUT_LEGACY_BACKGROUNDSIZE_SHORTHAND_BEHAVIOR 2665 // iOS 7.0
#define WEBKIT_FIRST_VERSION_WITH_LOADING_DURING_COMMON_RUNLOOP_MODES 2665 // iOS 7.0
#define WEBKIT_FIRST_VERSION_WITH_INSECURE_CONTENT_BLOCKING 3454
+#define WEBKIT_FIRST_VERSION_WITH_CONTENT_SECURITY_POLICY_SOURCE_STAR_PROTOCOL_RESTRICTION 3555
#endif // PLATFORM(IOS)
#ifdef __cplusplus
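Review bot: The new `WEBKIT_FIRST_VERSION_WITH_CONTENT_SECURITY_POLICY_SOURCE_STAR_PROTOCOL_RESTRICTION` has no trailing comment naming the iOS release that 3555 corresponds to, unlike the `// iOS 7.0` entries two lines above it. This number decides which app builds keep the relaxed CSP matching, so the release should be recorded next to it, e.g. `... 3555 // iOS <release>`, with the placeholder replaced by the actual release.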
Modified: trunk/Source/WebKit/mac/WebView/WebView.mm (200129 => 200130)
--- trunk/Source/WebKit/mac/WebView/WebView.mm 2016-04-27 16:47:13 UTC (rev 200129)
+++ trunk/Source/WebKit/mac/WebView/WebView.mm 2016-04-27 16:48:59 UTC (rev 200130)
@@ -865,6 +865,16 @@
#endif
}
+static bool shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol()
+{
+#if PLATFORM(IOS)
+ static bool shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol = (IOSApplication::isEcobee() || IOSApplication::isQuora()) && !WebKitLinkedOnOrAfter(WEBKIT_FIRST_VERSION_WITH_CONTENT_SECURITY_POLICY_SOURCE_STAR_PROTOCOL_RESTRICTION);
+ return shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol;
+#else
+ return false;
+#endif
+}
+
#if ENABLE(GAMEPAD)
static void WebKitInitializeGamepadProviderIfNecessary()
{
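Review bot: The function-local static in `shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol()` has the same name as the function, so it shadows the function inside the body and makes the long initializer hard to read; a distinct name such as `static bool shouldAllow = ...;` followed by `return shouldAllow;` is clearer. The function also lacks a comment stating that it disables the scheme restriction on `*` only for the two named apps, and only when they are linked before `WEBKIT_FIRST_VERSION_WITH_CONTENT_SECURITY_POLICY_SOURCE_STAR_PROTOCOL_RESTRICTION`. That comment should reference the bug so the quirk can be removed once it is no longer needed. The trailing context of this hunk runs into `WebKitInitializeGamepadProviderIfNecessary`, whose body is outside it.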
@@ -2510,6 +2520,8 @@
#if ENABLE(ATTACHMENT_ELEMENT)
settings.setAttachmentElementEnabled([preferences attachmentElementEnabled]);
#endif
+
+ settings.setAllowContentSecurityPolicySourceStarToMatchAnyProtocol(shouldAllowContentSecurityPolicySourceStarToMatchAnyProtocol());
}
static inline IMP getMethod(id o, SEL s)