[webkit-changes] [WebKit/WebKit] c5a368: Adhere to policy inheritance according to policy c...
Ryan Reno
noreply at github.com
Tue Sep 20 09:32:19 PDT 2022
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c5a36846f1963ea20839faf2d9b0c70e6ecde564
https://github.com/WebKit/WebKit/commit/c5a36846f1963ea20839faf2d9b0c70e6ecde564
Author: Ryan Reno <rreno at apple.com>
Date: 2022-09-20 (Tue, 20 Sep 2022)
Changed paths:
M LayoutTests/TestExpectations
M LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt
M LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.http-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/gen/top.meta/script-src-wildcard/script-tag.http-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/gen/top.meta/script-src-wildcard/script-tag.https-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-inherits-from-initiator.sub-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/history-iframe.sub-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/history.sub-expected.txt
M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inheritance-from-initiator.sub-expected.txt
R LayoutTests/platform/glib/imported/w3c/web-platform-tests/content-security-policy/inheritance/inheritance-from-initiator.sub-expected.txt
A LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/content-security-policy/inheritance/inheritance-from-initiator.sub-expected.txt
A LayoutTests/platform/mac/imported/w3c/web-platform-tests/content-security-policy/inheritance/inheritance-from-initiator.sub-expected.txt
M Source/WebCore/dom/Document.cpp
M Source/WebCore/dom/Document.h
M Source/WebCore/dom/SecurityContext.cpp
M Source/WebCore/dom/SecurityContext.h
M Source/WebCore/history/HistoryItem.h
M Source/WebCore/loader/CrossOriginOpenerPolicy.cpp
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/DocumentWriter.cpp
M Source/WebCore/loader/DocumentWriter.h
M Source/WebCore/loader/NavigationRequester.cpp
M Source/WebCore/loader/NavigationRequester.h
M Source/WebCore/loader/PolicyContainer.h
M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
M Source/WebCore/page/csp/ContentSecurityPolicy.h
M Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h
Log Message:
-----------
Adhere to policy inheritance according to policy container
https://bugs.webkit.org/show_bug.cgi?id=224745
rdar://96067238
Reviewed by Chris Dumez.
This modifies our implementation of CSP inheritance when navigating to local schemes by using the PolicyContainer[1].
We now keep track of the initiating document's policies and store the policies in history, if applicable.
[1] https://html.spec.whatwg.org/multipage/origin.html#policy-containers
* LayoutTests/TestExpectations:
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.http-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/gen/top.http-rp/script-src-wildcard/script-tag.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/gen/top.meta/script-src-wildcard/script-tag.http-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/gen/top.meta/script-src-wildcard/script-tag.https-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/blob-url-inherits-from-initiator.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/history-iframe.sub-expected.txt:
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/history.sub-expected.txt:
* LayoutTests/platform/glib/imported/w3c/web-platform-tests/content-security-policy/inheritance/inheritance-from-initiator.sub-expected.txt: Removed.
* LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url-expected.txt:
* LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-expected.txt:
* LayoutTests/platform/ios-wk2/imported/w3c/web-platform-tests/content-security-policy/inheritance/inheritance-from-initiator.sub-expected.txt: Copied from LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inheritance-from-initiator.sub-expected.txt.
* LayoutTests/platform/mac/imported/w3c/web-platform-tests/content-security-policy/inheritance/inheritance-from-initiator.sub-expected.txt: Copied from LayoutTests/imported/w3c/web-platform-tests/content-security-policy/inheritance/inheritance-from-initiator.sub-expected.txt.
Rebaselined tests. New platform-specific expectations are because Apple platforms fail tests that gtk-wk2 passes.
* Source/WebCore/dom/Document.cpp:
(WebCore::Document::inheritPolicyContainerFrom):
(WebCore::Document::crossOriginOpenerPolicy const):
(WebCore::Document::setReferrerPolicy): Deleted.
(WebCore::Document::setCrossOriginOpenerPolicy): Deleted.
* Source/WebCore/dom/Document.h:
* Source/WebCore/dom/SecurityContext.cpp:
(WebCore::SecurityContext::setReferrerPolicy):
(WebCore::SecurityContext::policyContainer const):
(WebCore::SecurityContext::inheritPolicyContainerFrom):
* Source/WebCore/dom/SecurityContext.h:
(WebCore::SecurityContext::setCrossOriginOpenerPolicy):
(WebCore::SecurityContext::referrerPolicy const):
(WebCore::SecurityContext::inheritPolicyContainerFrom):
These changes reorganize the security policies to be
owned by the SecurityContext. This moves the getters/setters
and adds an inheritance API.
* Source/WebCore/history/HistoryItem.h:
(WebCore::HistoryItem::policyContainer const):
(WebCore::HistoryItem::setPolicyContainer):
These changes support adding policy container to history,
if applicable.
* Source/WebCore/loader/CrossOriginOpenerPolicy.cpp:
(WebCore::computeResponseOriginAndCOOP):
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::commitData):
* Source/WebCore/loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin):
* Source/WebCore/loader/DocumentWriter.h:
(WebCore::DocumentWriter::begin):
Optionally pass the NavigationAction which
triggered the load into the DocumentWriter so
policies can be inherited if needed.
* Source/WebCore/loader/NavigationRequester.cpp:
(WebCore::NavigationRequester::from):
* Source/WebCore/loader/NavigationRequester.h:
(WebCore::NavigationRequester::encode const):
(WebCore::NavigationRequester::decode):
* Source/WebCore/loader/PolicyContainer.h:
(WebCore::PolicyContainer::isolatedCopy const):
(WebCore::PolicyContainer::isolatedCopy):
(WebCore::PolicyContainer::encode const):
(WebCore::PolicyContainer::decode):
These changes support the addition of CSP to the
PolicyContainer and add the PolicyContainer to the
NavigationRequester so it can be inherited, if needed.
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::inheritHeadersFrom):
* Source/WebCore/page/csp/ContentSecurityPolicy.h:
(WebCore::ContentSecurityPolicy::referrer const):
Since we store just the CSP List in the PolicyContainer
this adds an API for parsing the list into usable objects
when inheriting CSP.
* Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h:
(WebCore::operator==):
Changes to support addition to PolicyContainer.
Canonical link: https://commits.webkit.org/254679@main
More information about the webkit-changes
mailing list