<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[195948] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/195948">195948</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-01-31 19:10:00 -0800 (Sun, 31 Jan 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>CSP: Use the served CSP header for dedicated workers
https://bugs.webkit.org/show_bug.cgi?id=153157
<rdar://problem/24383254>
And
https://bugs.webkit.org/show_bug.cgi?id=153156
<rdar://problem/24383246>
Patch by Daniel Bates <dabates@apple.com> on 2016-01-31
Reviewed by Brent Fulgham.
Source/WebCore:
Inspired by Blink commit:
<https://src.chromium.org/viewvc/blink?revision=194143&view=revision>
Implement support for respecting Content Security Policy (CSP) HTTP headers included in the
HTTP response for a Web Worker's script as per section Workers of the CSP 2.0 spec,
<https://w3c.github.io/webappsec-csp/2/#processing-model-workers> (29 August 2015).
Currently a Web Worker always inherits the CSP of its owner document. Instead a web worker
will inherit the CSP of its owner document only if its script is incapable of defining a
content security policy (i.e. its origin is a globally unique identifier). Otherwise, the
CSP HTTP headers delivered with the script will be used to define the CSP for the worker.
Tests: fast/workers/worker-inherits-csp-blocks-eval.html
fast/workers/worker-inherits-csp-blocks-xhr.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html
* CMakeLists.txt: Add file ContentSecurityPolicyResponseHeaders.cpp.
* WebCore.vcxproj/WebCore.vcxproj: Add files ContentSecurityPolicyResponseHeaders.{cpp, h}.
* WebCore.vcxproj/WebCore.vcxproj.filters: Ditto.
* WebCore.xcodeproj/project.pbxproj: Ditto.
* dom/Document.cpp:
(WebCore::Document::processHttpEquiv): Update code to use enum class ContentSecurityPolicyHeaderType.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument): Extract logic to collect Content Security Policy HTTP headers
into class ContentSecurityPolicyResponseHeaders and make use of it here.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::CSPDirectiveList::headerType): Modified to use enum class ContentSecurityPolicyHeaderType.
(WebCore::CSPDirectiveList::CSPDirectiveList): Ditto.
(WebCore::CSPDirectiveList::create): Ditto.
(WebCore::ContentSecurityPolicy::responseHeaders): Creates and returns a ContentSecurityPolicyResponseHeaders
object with the parsed CSP policy headers.
(WebCore::ContentSecurityPolicy::didReceiveHeaders): Processed the CSP policy headers represented by the
specified ContentSecurityPolicyResponseHeaders object.
(WebCore::ContentSecurityPolicy::deprecatedHeader): Deleted.
(WebCore::ContentSecurityPolicy::deprecatedHeaderType): Deleted.
* page/csp/ContentSecurityPolicy.h: Defines a class that represents a collection of CSP policy headers.
This class has two purposes:
- It extracts the CSP policy headers from a HTTP response (ResourceResponse object). We make use of
this functionality in both FrameLoader::didBeginDocument() and Worker::didReceiveResponse().
- It serves as a memento that externalizes the internal CSP policy details of an instance of
ContentSecurityPolicy. We make use of this memento functionality to support inheriting the
CSP policy of the worker's owner document in a thread-safe manner. You can create and restore
a memento using ContentSecurityPolicy::responseHeaders() and ContentSecurityPolicy::didReceiveHeaders(), respectively.
* page/csp/ContentSecurityPolicyResponseHeaders.cpp: Added.
(WebCore::ContentSecurityPolicyResponseHeaders::ContentSecurityPolicyResponseHeaders): Extracts the
CSP HTTP headers from a ResourceResponse object.
(WebCore::ContentSecurityPolicyResponseHeaders::isolatedCopy): Make a copy of this object that is
safe to pass to another thread.
* page/csp/ContentSecurityPolicyResponseHeaders.h: Added.
* workers/DedicatedWorkerGlobalScope.cpp:
(WebCore::DedicatedWorkerGlobalScope::create): Modified to use class ContentSecurityPolicyResponseHeaders.
* workers/DedicatedWorkerGlobalScope.h:
* workers/DedicatedWorkerThread.cpp:
(WebCore::DedicatedWorkerThread::create): Ditto.
(WebCore::DedicatedWorkerThread::DedicatedWorkerThread): Ditto.
(WebCore::DedicatedWorkerThread::createWorkerGlobalScope): Ditto.
* workers/DedicatedWorkerThread.h:
* workers/Worker.cpp:
(WebCore::Worker::didReceiveResponse): Create a ContentSecurityPolicyResponseHeaders if the origin of
the worker's script is capable of providing a CSP. Otherwise, we will inherit the CSP of the worker's owner
document in Worker::notifyFinished().
(WebCore::Worker::notifyFinished): Pass the appropriate CSP response headers to WorkerMessagingProxy::startWorkerGlobalScope().
* workers/Worker.h:
* workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders): Renamed; formerly named applyContentSecurityPolicyFromString().
Modified to take a ContentSecurityPolicyResponseHeaders and apply it to the ContentSecurityPolicy object associated with the worker.
(WebCore::WorkerGlobalScope::applyContentSecurityPolicyFromString): Deleted.
* workers/WorkerGlobalScope.h:
* workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::startWorkerGlobalScope): Pass the worker's ContentSecurityPolicyResponseHeaders object.
* workers/WorkerThread.cpp:
(WebCore::WorkerThreadStartupData::WorkerThreadStartupData): Added field m_contentSecurityPolicyResponseHeaders to store
the CSP response headers to be applied to the worker's ContentSecurityPolicy object.
(WebCore::WorkerThread::WorkerThread): Modified to use ContentSecurityPolicyResponseHeaders.
(WebCore::WorkerThread::workerThread): Pass the ContentSecurityPolicyResponseHeaders object from the start up data struct
to DedicatedWorkerThread::createWorkerGlobalScope().
* workers/WorkerThread.h:
LayoutTests:
Add new tests to ensure we block eval() in blob-, file-URL workers and block XHR in a file-URL worker.
* TestExpectations: Remove now passing tests http/tests/security/contentSecurityPolicy/worker-{multiple-csp-headers, without-own-csp}.html
and update the associated bug # for tests that fail.
* fast/workers/resources/worker-inherits-csp-blocks-eval.js: Added.
(catch):
* fast/workers/resources/worker-inherits-csp-blocks-xhr.js: Added.
(catch):
* fast/workers/worker-inherits-csp-blocks-eval-expected.txt: Added.
* fast/workers/worker-inherits-csp-blocks-eval.html: Added.
* fast/workers/worker-inherits-csp-blocks-xhr-expected.txt: Added.
* fast/workers/worker-inherits-csp-blocks-xhr.html: Added.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html: Added.
* http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt: Updated expected results as
the result was incorrect.
* http/tests/security/contentSecurityPolicy/worker-without-own-csp-expected.txt: Ditto.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkermultiplecspheadersexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerwithoutowncspexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-own-csp-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreCMakeListstxt">trunk/Source/WebCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreWebCorevcxprojWebCorevcxproj">trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj</a></li>
<li><a href="#trunkSourceWebCoreWebCorevcxprojWebCorevcxprojfilters">trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj.filters</a></li>
<li><a href="#trunkSourceWebCoreWebCorexcodeprojprojectpbxproj">trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceWebCoredomDocumentcpp">trunk/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoadercpp">trunk/Source/WebCore/loader/FrameLoader.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCoreworkersDedicatedWorkerGlobalScopecpp">trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersDedicatedWorkerGlobalScopeh">trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h</a></li>
<li><a href="#trunkSourceWebCoreworkersDedicatedWorkerThreadcpp">trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersDedicatedWorkerThreadh">trunk/Source/WebCore/workers/DedicatedWorkerThread.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkercpp">trunk/Source/WebCore/workers/Worker.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerh">trunk/Source/WebCore/workers/Worker.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerGlobalScopecpp">trunk/Source/WebCore/workers/WorkerGlobalScope.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerGlobalScopeh">trunk/Source/WebCore/workers/WorkerGlobalScope.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerGlobalScopeProxyh">trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerMessagingProxycpp">trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerMessagingProxyh">trunk/Source/WebCore/workers/WorkerMessagingProxy.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerThreadcpp">trunk/Source/WebCore/workers/WorkerThread.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerThreadh">trunk/Source/WebCore/workers/WorkerThread.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsfastworkersresourcesworkerinheritscspblocksevaljs">trunk/LayoutTests/fast/workers/resources/worker-inherits-csp-blocks-eval.js</a></li>
<li><a href="#trunkLayoutTestsfastworkersresourcesworkerinheritscspblocksxhrjs">trunk/LayoutTests/fast/workers/resources/worker-inherits-csp-blocks-xhr.js</a></li>
<li><a href="#trunkLayoutTestsfastworkersworkerinheritscspblocksevalexpectedtxt">trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastworkersworkerinheritscspblocksevalhtml">trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval.html</a></li>
<li><a href="#trunkLayoutTestsfastworkersworkerinheritscspblocksxhrexpectedtxt">trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastworkersworkerinheritscspblocksxhrhtml">trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspblocksevalexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspblocksevalhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyResponseHeaderscpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyResponseHeadersh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/LayoutTests/ChangeLog 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -1,3 +1,47 @@
</span><ins>+2016-01-31 Daniel Bates <dabates@apple.com>
+
+ CSP: Use the served CSP header for dedicated workers
+ https://bugs.webkit.org/show_bug.cgi?id=153157
+ <rdar://problem/24383254>
+ And
+ https://bugs.webkit.org/show_bug.cgi?id=153156
+ <rdar://problem/24383246>
+
+ Reviewed by Brent Fulgham.
+
+ Add new tests to ensure we block eval() in blob-, file-URL workers and block XHR in a file-URL worker.
+
+ * TestExpectations: Remove now passing tests http/tests/security/contentSecurityPolicy/worker-{multiple-csp-headers, without-own-csp}.html
+ and update the associated bug # for tests that fail.
+ * fast/workers/resources/worker-inherits-csp-blocks-eval.js: Added.
+ (catch):
+ * fast/workers/resources/worker-inherits-csp-blocks-xhr.js: Added.
+ (catch):
+ * fast/workers/worker-inherits-csp-blocks-eval-expected.txt: Added.
+ * fast/workers/worker-inherits-csp-blocks-eval.html: Added.
+ * fast/workers/worker-inherits-csp-blocks-xhr-expected.txt: Added.
+ * fast/workers/worker-inherits-csp-blocks-xhr.html: Added.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html: Added.
+ * http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt: Updated expected results as
+ the result was incorrect.
+ * http/tests/security/contentSecurityPolicy/worker-without-own-csp-expected.txt: Ditto.
+
+2016-01-27 Daniel Bates <dabates@apple.com>
+
+ CSP: Use the served CSP header for dedicated workers
+ https://bugs.webkit.org/show_bug.cgi?id=153157
+ And
+ https://bugs.webkit.org/show_bug.cgi?id=153156
+
+ Reviewed by Brent Fulgham.
+
+ Remove some tests that now pass and update the expected results of existing tests.
+
+ * TestExpectations:
+ * http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt:
+ * http/tests/security/contentSecurityPolicy/worker-without-own-csp-expected.txt:
+
</ins><span class="cx"> 2016-01-31 Hunseop Jeong <hs85.jeong@samsung.com>
</span><span class="cx">
</span><span class="cx"> Unreviewed. EFL gardening: rebaseline tests after r195740. (more to follow)
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/LayoutTests/TestExpectations 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -799,6 +799,7 @@
</span><span class="cx"> # Content Security Policy failures
</span><span class="cx"> webkit.org/b/69359 http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked.html [ Failure ]
</span><span class="cx"> webkit.org/b/69359 http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked.html [ Failure ]
</span><ins>+webkit.org/b/69359 http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html [ Failure ]
</ins><span class="cx"> webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html
</span><span class="cx"> webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ]
</span><span class="cx"> webkit.org/b/115702 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html [ Failure ]
</span><span class="lines">@@ -816,11 +817,6 @@
</span><span class="cx"> webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html
</span><span class="cx"> webkit.org/b/153154 http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html
</span><span class="cx"> webkit.org/b/153155 http/tests/security/contentSecurityPolicy/style-src-blocked-error-event.html
</span><del>-webkit.org/b/153156 http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers.html [ Failure ]
-webkit.org/b/153157 http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html [ Failure ]
-webkit.org/b/153157 http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html [ Failure ]
-webkit.org/b/153157 http/tests/security/contentSecurityPolicy/worker-script-src.html [ Failure ]
-webkit.org/b/153157 http/tests/security/contentSecurityPolicy/worker-without-own-csp.html [ Failure ]
</del><span class="cx"> webkit.org/b/153158 http/tests/security/contentSecurityPolicy/blob-urls-match-self.html [ Failure ]
</span><span class="cx"> webkit.org/b/153159 http/tests/security/contentSecurityPolicy/image-document-default-src-none.html [ Failure ]
</span><span class="cx"> webkit.org/b/153160 http/tests/security/contentSecurityPolicy/object-src-does-not-affect-child.html [ Failure ]
</span><span class="lines">@@ -842,6 +838,8 @@
</span><span class="cx"> webkit.org/b/153167 http/tests/security/contentSecurityPolicy/sandbox-report-only.html [ Failure ]
</span><span class="cx"> webkit.org/b/153168 http/tests/security/contentSecurityPolicy/source-list-parsing-07.html [ Failure ]
</span><span class="cx"> webkit.org/b/153170 http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html [ Failure ]
</span><ins>+webkit.org/b/153562 http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html [ Failure ]
+webkit.org/b/153562 http/tests/security/contentSecurityPolicy/worker-script-src.html [ Failure ]
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html # Needs expected file.
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html # Needs expected file.
</span></span></pre></div>
<a id="trunkLayoutTestsfastworkersresourcesworkerinheritscspblocksevaljs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/workers/resources/worker-inherits-csp-blocks-eval.js (0 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/workers/resources/worker-inherits-csp-blocks-eval.js (rev 0)
+++ trunk/LayoutTests/fast/workers/resources/worker-inherits-csp-blocks-eval.js 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+var exception;
+try {
+ eval("1 + 0");
+} catch (e) {
+ exception = e;
+}
+if (!exception)
+ self.postMessage("FAIL should throw EvalError. But did not throw an exception.");
+else {
+ if (exception instanceof EvalError)
+ self.postMessage("PASS threw exception " + exception + ".");
+ else
+ self.postMessage("FAIL should throw EvalError. Threw exception " + exception + ".");
+}
</ins></span></pre></div>
<a id="trunkLayoutTestsfastworkersresourcesworkerinheritscspblocksxhrjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/workers/resources/worker-inherits-csp-blocks-xhr.js (0 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/workers/resources/worker-inherits-csp-blocks-xhr.js (rev 0)
+++ trunk/LayoutTests/fast/workers/resources/worker-inherits-csp-blocks-xhr.js 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+var exception;
+try {
+ var xhr = new XMLHttpRequest;
+ var isAsynchronous = false;
+ xhr.open("GET", "non-existent-file", isAsynchronous);
+ xhr.send();
+} catch (e) {
+ exception = e;
+}
+// FIXME: We should be throwing a DOMException.NETWORK_ERR. See <https://bugs.webkit.org/show_bug.cgi?id=153598>.
+var expectedExceptionCode = 18; // DOMException.SECURITY_ERR
+if (!exception)
+ self.postMessage("FAIL should throw " + expectedExceptionCode + ". But did not throw an exception.");
+else {
+ if (exception.code === expectedExceptionCode)
+ self.postMessage("PASS threw exception " + exception + ".");
+ else
+ self.postMessage("FAIL should throw " + expectedExceptionCode + ". Threw exception " + exception + ".");
+}
</ins></span></pre></div>
<a id="trunkLayoutTestsfastworkersworkerinheritscspblocksevalexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval-expected.txt (0 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval-expected.txt 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a file-URL Web Worker from using eval() because the parent's CSP does not list unsafe-eval in script-src.
+
+PASS threw exception EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
+.
</ins></span></pre></div>
<a id="trunkLayoutTestsfastworkersworkerinheritscspblocksevalhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval.html (0 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval.html (rev 0)
+++ trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval.html 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -0,0 +1,32 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a file-URL Web Worker from using <code>eval()</code> because the parent's CSP does not list <code>unsafe-eval</code> in script-src.</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var worker;
+try {
+ worker = new Worker("resources/worker-inherits-csp-blocks-eval.js");
+ worker.onmessage = function (event) { window.postMessage(event.data, "*") };
+} catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+}
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsfastworkersworkerinheritscspblocksxhrexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr-expected.txt (0 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr-expected.txt 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+CONSOLE MESSAGE: Refused to connect to 'non-existent-file' because it violates the following Content Security Policy directive: "connect-src 'none'".
+
+This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a file-URL Web Worker from making an XHR request because the parent's CSP contains "connect-src 'none'"
+
+PASS threw exception Error: SecurityError: DOM Exception 18.
</ins></span></pre></div>
<a id="trunkLayoutTestsfastworkersworkerinheritscspblocksxhrhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr.html (0 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr.html (rev 0)
+++ trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr.html 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -0,0 +1,32 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'none'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a file-URL Web Worker from making an XHR request because the parent's CSP contains &quot;connect-src 'none'&quot;</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var worker;
+try {
+ worker = new Worker("resources/worker-inherits-csp-blocks-xhr.js");
+ worker.onmessage = function (event) { window.postMessage(event.data, "*") };
+} catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+}
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspblocksevalexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt (0 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a blob-URL Web Worker from using eval() because the parent's CSP does not list unsafe-eval in script-src.
+
+PASS threw exception EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
+.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspblocksevalhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html (0 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -0,0 +1,50 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<!-- FIXME: Remove 'self' from script-src once we fix <https://bugs.webkit.org/show_bug.cgi?id=153158>. -->
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a blob-URL Web Worker from using <code>eval()</code> because the parent's CSP does not list <code>unsafe-eval</code> in script-src.</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var script = [
+ 'var exception;',
+ 'try {',
+ ' eval("1 + 0");',
+ '} catch (e) {',
+ ' exception = e;',
+ '}',
+ 'if (!exception)',
+ ' self.postMessage("FAIL should throw EvalError. But did not throw an exception.");',
+ 'else {',
+ ' if (exception instanceof EvalError)',
+ ' self.postMessage("PASS threw exception " + exception + ".");',
+ ' else',
+ ' self.postMessage("FAIL should throw EvalError. Threw exception " + exception + ".");',
+ '}',
+].join("\n");
+
+var worker;
+try {
+ worker = new Worker(window.URL.createObjectURL(new Blob([script])));
+ worker.onmessage = function (event) { window.postMessage(event.data, "*") };
+} catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+}
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkermultiplecspheadersexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-multiple-csp-headers-expected.txt 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -1,3 +1,5 @@
</span><ins>+CONSOLE MESSAGE: Refused to connect to 'http://127.0.0.1:8000/xmlhttprequest/resources/get.txt' because it violates the following Content Security Policy directive: "connect-src 'none'".
</ins><span class="cx">
</span><ins>+
</ins><span class="cx"> PASS Worker can have multiple CSP headers
</span><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerwithoutowncspexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-own-csp-expected.txt (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-own-csp-expected.txt 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-own-csp-expected.txt 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><span class="cx">
</span><del>-
</del><span class="cx"> PASS Worker should not inherit document's CSP
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/CMakeLists.txt (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/CMakeLists.txt 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/CMakeLists.txt 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -2067,6 +2067,7 @@
</span><span class="cx"> page/animation/KeyframeAnimation.cpp
</span><span class="cx">
</span><span class="cx"> page/csp/ContentSecurityPolicy.cpp
</span><ins>+ page/csp/ContentSecurityPolicyResponseHeaders.cpp
</ins><span class="cx">
</span><span class="cx"> page/scrolling/AxisScrollSnapOffsets.cpp
</span><span class="cx"> page/scrolling/ScrollLatchingState.cpp
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/ChangeLog 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -1,3 +1,92 @@
</span><ins>+2016-01-31 Daniel Bates <dabates@apple.com>
+
+ CSP: Use the served CSP header for dedicated workers
+ https://bugs.webkit.org/show_bug.cgi?id=153157
+ <rdar://problem/24383254>
+ And
+ https://bugs.webkit.org/show_bug.cgi?id=153156
+ <rdar://problem/24383246>
+
+ Reviewed by Brent Fulgham.
+
+ Inspired by Blink commit:
+ <https://src.chromium.org/viewvc/blink?revision=194143&view=revision>
+
+ Implement support for respecting Content Security Policy (CSP) HTTP headers included in the
+ HTTP response for a Web Worker's script as per section Workers of the CSP 2.0 spec,
+ <https://w3c.github.io/webappsec-csp/2/#processing-model-workers> (29 August 2015).
+
+ Currently a Web Worker always inherits the CSP of its owner document. Instead a web worker
+ will inherit the CSP of its owner document only if its script is incapable of defining a
+ content security policy (i.e. its origin is a globally unique identifier). Otherwise, the
+ CSP HTTP headers delivered with the script will be used to define the CSP for the worker.
+
+ Tests: fast/workers/worker-inherits-csp-blocks-eval.html
+ fast/workers/worker-inherits-csp-blocks-xhr.html
+ http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html
+
+ * CMakeLists.txt: Add file ContentSecurityPolicyResponseHeaders.cpp.
+ * WebCore.vcxproj/WebCore.vcxproj: Add files ContentSecurityPolicyResponseHeaders.{cpp, h}.
+ * WebCore.vcxproj/WebCore.vcxproj.filters: Ditto.
+ * WebCore.xcodeproj/project.pbxproj: Ditto.
+ * dom/Document.cpp:
+ (WebCore::Document::processHttpEquiv): Update code to use enum class ContentSecurityPolicyHeaderType.
+ * loader/FrameLoader.cpp:
+ (WebCore::FrameLoader::didBeginDocument): Extract logic to collect Content Security Policy HTTP headers
+ into class ContentSecurityPolicyResponseHeaders and make use of it here.
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::CSPDirectiveList::headerType): Modified to use enum class ContentSecurityPolicyHeaderType.
+ (WebCore::CSPDirectiveList::CSPDirectiveList): Ditto.
+ (WebCore::CSPDirectiveList::create): Ditto.
+ (WebCore::ContentSecurityPolicy::responseHeaders): Creates and returns a ContentSecurityPolicyResponseHeaders
+ object with the parsed CSP policy headers.
+ (WebCore::ContentSecurityPolicy::didReceiveHeaders): Processed the CSP policy headers represented by the
+ specified ContentSecurityPolicyResponseHeaders object.
+ (WebCore::ContentSecurityPolicy::deprecatedHeader): Deleted.
+ (WebCore::ContentSecurityPolicy::deprecatedHeaderType): Deleted.
+ * page/csp/ContentSecurityPolicy.h: Defines a class that represents a collection of CSP policy headers.
+ This class has two purposes:
+ - It extracts the CSP policy headers from a HTTP response (ResourceResponse object). We make use of
+ this functionality in both FrameLoader::didBeginDocument() and Worker::didReceiveResponse().
+ - It serves as a memento that externalizes the internal CSP policy details of an instance of
+ ContentSecurityPolicy. We make use of this memento functionality to support inheriting the
+ CSP policy of the worker's owner document in a thread-safe manner. You can create and restore
+ a memento using ContentSecurityPolicy::responseHeaders() and ContentSecurityPolicy::didReceiveHeaders(), respectively.
+ * page/csp/ContentSecurityPolicyResponseHeaders.cpp: Added.
+ (WebCore::ContentSecurityPolicyResponseHeaders::ContentSecurityPolicyResponseHeaders): Extracts the
+ CSP HTTP headers from a ResourceResponse object.
+ (WebCore::ContentSecurityPolicyResponseHeaders::isolatedCopy): Make a copy of this object that is
+ safe to pass to another thread.
+ * page/csp/ContentSecurityPolicyResponseHeaders.h: Added.
+ * workers/DedicatedWorkerGlobalScope.cpp:
+ (WebCore::DedicatedWorkerGlobalScope::create): Modified to use class ContentSecurityPolicyResponseHeaders.
+ * workers/DedicatedWorkerGlobalScope.h:
+ * workers/DedicatedWorkerThread.cpp:
+ (WebCore::DedicatedWorkerThread::create): Ditto.
+ (WebCore::DedicatedWorkerThread::DedicatedWorkerThread): Ditto.
+ (WebCore::DedicatedWorkerThread::createWorkerGlobalScope): Ditto.
+ * workers/DedicatedWorkerThread.h:
+ * workers/Worker.cpp:
+ (WebCore::Worker::didReceiveResponse): Create a ContentSecurityPolicyResponseHeaders if the origin of
+ the worker's script is capable of providing a CSP. Otherwise, we will inherit the CSP of the worker's owner
+ document in Worker::notifyFinished().
+ (WebCore::Worker::notifyFinished): Pass the appropriate CSP response headers to WorkerMessagingProxy::startWorkerGlobalScope().
+ * workers/Worker.h:
+ * workers/WorkerGlobalScope.cpp:
+ (WebCore::WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders): Renamed; formerly named applyContentSecurityPolicyFromString().
+ Modified to take a ContentSecurityPolicyResponseHeaders and apply it to the ContentSecurityPolicy object associated with the worker.
+ (WebCore::WorkerGlobalScope::applyContentSecurityPolicyFromString): Deleted.
+ * workers/WorkerGlobalScope.h:
+ * workers/WorkerMessagingProxy.cpp:
+ (WebCore::WorkerMessagingProxy::startWorkerGlobalScope): Pass the worker's ContentSecurityPolicyResponseHeaders object.
+ * workers/WorkerThread.cpp:
+ (WebCore::WorkerThreadStartupData::WorkerThreadStartupData): Added field m_contentSecurityPolicyResponseHeaders to store
+ the CSP response headers to be applied to the worker's ContentSecurityPolicy object.
+ (WebCore::WorkerThread::WorkerThread): Modified to use ContentSecurityPolicyResponseHeaders.
+ (WebCore::WorkerThread::workerThread): Pass the ContentSecurityPolicyResponseHeaders object from the start up data struct
+ to DedicatedWorkerThread::createWorkerGlobalScope().
+ * workers/WorkerThread.h:
+
</ins><span class="cx"> 2016-01-31 Darin Adler <darin@apple.com>
</span><span class="cx">
</span><span class="cx"> Get rid of most calls to String::upper; mostly replace them with convertToASCIIUppercase
</span></span></pre></div>
<a id="trunkSourceWebCoreWebCorevcxprojWebCorevcxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -7304,6 +7304,7 @@
</span><span class="cx"> <ClCompile Include="..\page\Chrome.cpp" />
</span><span class="cx"> <ClCompile Include="..\page\animation\CompositeAnimation.cpp" />
</span><span class="cx"> <ClCompile Include="..\page\csp\ContentSecurityPolicy.cpp" />
</span><ins>+ <ClCompile Include="..\page\csp\ContentSecurityPolicyResponseHeaders.cpp" />
</ins><span class="cx"> <ClCompile Include="..\page\ContextMenuContext.cpp" />
</span><span class="cx"> <ClCompile Include="..\page\ContextMenuController.cpp" />
</span><span class="cx"> <ClCompile Include="..\page\Crypto.cpp" />
</span><span class="lines">@@ -20701,6 +20702,7 @@
</span><span class="cx"> <ClInclude Include="..\page\ChromeClient.h" />
</span><span class="cx"> <ClInclude Include="..\page\animation\CompositeAnimation.h" />
</span><span class="cx"> <ClInclude Include="..\page\csp\ContentSecurityPolicy.h" />
</span><ins>+ <ClInclude Include="..\page\csp\ContentSecurityPolicyResponseHeaders.h" />
</ins><span class="cx"> <ClInclude Include="..\page\ContextMenuClient.h" />
</span><span class="cx"> <ClInclude Include="..\page\ContextMenuContext.h" />
</span><span class="cx"> <ClInclude Include="..\page\ContextMenuController.h" />
</span></span></pre></div>
<a id="trunkSourceWebCoreWebCorevcxprojWebCorevcxprojfilters"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj.filters (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj.filters 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/WebCore.vcxproj/WebCore.vcxproj.filters 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -680,6 +680,9 @@
</span><span class="cx"> <ClCompile Include="..\page\csp\ContentSecurityPolicy.cpp">
</span><span class="cx"> <Filter>page\csp</Filter>
</span><span class="cx"> </ClCompile>
</span><ins>+ <ClCompile Include="..\page\csp\ContentSecurityPolicyResponseHeaders.cpp">
+ <Filter>page\csp</Filter>
+ </ClCompile>
</ins><span class="cx"> <ClCompile Include="..\page\ContextMenuController.cpp">
</span><span class="cx"> <Filter>page</Filter>
</span><span class="cx"> </ClCompile>
</span><span class="lines">@@ -7669,6 +7672,9 @@
</span><span class="cx"> <ClInclude Include="..\page\csp\ContentSecurityPolicy.h">
</span><span class="cx"> <Filter>page\csp</Filter>
</span><span class="cx"> </ClInclude>
</span><ins>+ <ClInclude Include="..\page\csp\ContentSecurityPolicyResponseHeaders.h">
+ <Filter>page\csp</Filter>
+ </ClInclude>
</ins><span class="cx"> <ClInclude Include="..\page\ContextMenuClient.h">
</span><span class="cx"> <Filter>page</Filter>
</span><span class="cx"> </ClInclude>
</span></span></pre></div>
<a id="trunkSourceWebCoreWebCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -6167,6 +6167,8 @@
</span><span class="cx"> CE1252531A1BEC0600864480 /* NSStringSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = CE1252521A1BEC0600864480 /* NSStringSPI.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> CE1252551A1BEC0E00864480 /* NSURLDownloadSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = CE1252541A1BEC0E00864480 /* NSURLDownloadSPI.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> CE12525B1A1C018200864480 /* CFNetworkSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = CE12525A1A1C018200864480 /* CFNetworkSPI.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ CE6DADF91C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.cpp in Sources */ = {isa = PBXBuildFile; fileRef = CE6DADF71C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.cpp */; };
+ CE6DADFA1C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.h in Headers */ = {isa = PBXBuildFile; fileRef = CE6DADF81C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.h */; };
</ins><span class="cx"> CE7B2DB31586ABAD0098B3FA /* AlternativeTextUIController.h in Headers */ = {isa = PBXBuildFile; fileRef = CE7B2DAF1586ABAD0098B3FA /* AlternativeTextUIController.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> CE7B2DB41586ABAD0098B3FA /* AlternativeTextUIController.mm in Sources */ = {isa = PBXBuildFile; fileRef = CE7B2DB01586ABAD0098B3FA /* AlternativeTextUIController.mm */; };
</span><span class="cx"> CE7B2DB51586ABAD0098B3FA /* TextAlternativeWithRange.h in Headers */ = {isa = PBXBuildFile; fileRef = CE7B2DB11586ABAD0098B3FA /* TextAlternativeWithRange.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -14095,6 +14097,8 @@
</span><span class="cx"> CE12525A1A1C018200864480 /* CFNetworkSPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CFNetworkSPI.h; sourceTree = "<group>"; };
</span><span class="cx"> CE5CB1B314EDAB6F00BB2795 /* EventSender.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = EventSender.h; sourceTree = "<group>"; };
</span><span class="cx"> CE6D89294C7AACE0AD89B3DD /* MathMLMencloseElement.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MathMLMencloseElement.h; sourceTree = "<group>"; };
</span><ins>+ CE6DADF71C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = ContentSecurityPolicyResponseHeaders.cpp; path = csp/ContentSecurityPolicyResponseHeaders.cpp; sourceTree = "<group>"; };
+ CE6DADF81C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ContentSecurityPolicyResponseHeaders.h; path = csp/ContentSecurityPolicyResponseHeaders.h; sourceTree = "<group>"; };
</ins><span class="cx"> CE7B2DAF1586ABAD0098B3FA /* AlternativeTextUIController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AlternativeTextUIController.h; sourceTree = "<group>"; };
</span><span class="cx"> CE7B2DB01586ABAD0098B3FA /* AlternativeTextUIController.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = AlternativeTextUIController.mm; sourceTree = "<group>"; };
</span><span class="cx"> CE7B2DB11586ABAD0098B3FA /* TextAlternativeWithRange.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TextAlternativeWithRange.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -22963,6 +22967,8 @@
</span><span class="cx"> children = (
</span><span class="cx"> 97C471D912F925BC0086354B /* ContentSecurityPolicy.cpp */,
</span><span class="cx"> 97C471DA12F925BD0086354B /* ContentSecurityPolicy.h */,
</span><ins>+ CE6DADF71C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.cpp */,
+ CE6DADF81C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.h */,
</ins><span class="cx"> );
</span><span class="cx"> name = csp;
</span><span class="cx"> sourceTree = "<group>";
</span><span class="lines">@@ -25001,6 +25007,7 @@
</span><span class="cx"> 5CDFA6C81AA4F2DA00EA8746 /* ContentExtensionActions.h in Headers */,
</span><span class="cx"> 7C93F34E1AA6BF0700A98BAB /* ContentExtensionCompiler.h in Headers */,
</span><span class="cx"> 7CFDC57D1AC1D80500E24A57 /* ContentExtensionError.h in Headers */,
</span><ins>+ CE6DADFA1C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.h in Headers */,
</ins><span class="cx"> 26F0C8981A2E724B002794F8 /* ContentExtensionParser.h in Headers */,
</span><span class="cx"> 26F0C89C1A2EC110002794F8 /* ContentExtensionRule.h in Headers */,
</span><span class="cx"> 26F0C8A01A2EC3BE002794F8 /* ContentExtensionsBackend.h in Headers */,
</span><span class="lines">@@ -31698,6 +31705,7 @@
</span><span class="cx"> 7C48A6D0191C9D6500026674 /* WebKitNamespace.cpp in Sources */,
</span><span class="cx"> A5DEBDA316FB908700836FE0 /* WebKitPlaybackTargetAvailabilityEvent.cpp in Sources */,
</span><span class="cx"> 31C0FF240E4CEB6E007D6FE5 /* WebKitTransitionEvent.cpp in Sources */,
</span><ins>+ CE6DADF91C591E6A003F6A88 /* ContentSecurityPolicyResponseHeaders.cpp in Sources */,
</ins><span class="cx"> 0FCF332E0F2B9A25004B6795 /* WebLayer.mm in Sources */,
</span><span class="cx"> 0709D78E1AE55554004E42F8 /* WebMediaSessionManager.cpp in Sources */,
</span><span class="cx"> 0709D7921AE5557E004E42F8 /* WebMediaSessionManagerMac.cpp in Sources */,
</span></span></pre></div>
<a id="trunkSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.cpp (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.cpp 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/dom/Document.cpp 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -3258,19 +3258,19 @@
</span><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case HTTPHeaderName::ContentSecurityPolicy:
</span><del>- contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::Enforce);
</del><ins>+ contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::Enforce);
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case HTTPHeaderName::ContentSecurityPolicyReportOnly:
</span><del>- contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::Report);
</del><ins>+ contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::Report);
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case HTTPHeaderName::XWebKitCSP:
</span><del>- contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::PrefixedEnforce);
</del><ins>+ contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::PrefixedEnforce);
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case HTTPHeaderName::XWebKitCSPReportOnly:
</span><del>- contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::PrefixedReport);
</del><ins>+ contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicyHeaderType::PrefixedReport);
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> default:
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.cpp 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -685,22 +685,8 @@
</span><span class="cx"> if (!dnsPrefetchControl.isEmpty())
</span><span class="cx"> m_frame.document()->parseDNSPrefetchControlHeader(dnsPrefetchControl);
</span><span class="cx">
</span><del>- String policyValue = m_documentLoader->response().httpHeaderField(HTTPHeaderName::ContentSecurityPolicy);
- if (!policyValue.isEmpty())
- m_frame.document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::Enforce);
</del><ins>+ m_frame.document()->contentSecurityPolicy()->didReceiveHeaders(ContentSecurityPolicyResponseHeaders(m_documentLoader->response()));
</ins><span class="cx">
</span><del>- policyValue = m_documentLoader->response().httpHeaderField(HTTPHeaderName::ContentSecurityPolicyReportOnly);
- if (!policyValue.isEmpty())
- m_frame.document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::Report);
-
- policyValue = m_documentLoader->response().httpHeaderField(HTTPHeaderName::XWebKitCSP);
- if (!policyValue.isEmpty())
- m_frame.document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::PrefixedEnforce);
-
- policyValue = m_documentLoader->response().httpHeaderField(HTTPHeaderName::XWebKitCSPReportOnly);
- if (!policyValue.isEmpty())
- m_frame.document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::PrefixedReport);
-
</del><span class="cx"> String headerContentLanguage = m_documentLoader->response().httpHeaderField(HTTPHeaderName::ContentLanguage);
</span><span class="cx"> if (!headerContentLanguage.isEmpty()) {
</span><span class="cx"> size_t commaIndex = headerContentLanguage.find(',');
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -771,11 +771,11 @@
</span><span class="cx"> class CSPDirectiveList {
</span><span class="cx"> WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> public:
</span><del>- static std::unique_ptr<CSPDirectiveList> create(ContentSecurityPolicy*, const String&, ContentSecurityPolicy::HeaderType);
- CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType);
</del><ins>+ static std::unique_ptr<CSPDirectiveList> create(ContentSecurityPolicy*, const String&, ContentSecurityPolicyHeaderType);
+ CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicyHeaderType);
</ins><span class="cx">
</span><span class="cx"> const String& header() const { return m_header; }
</span><del>- ContentSecurityPolicy::HeaderType headerType() const { return m_headerType; }
</del><ins>+ ContentSecurityPolicyHeaderType headerType() const { return m_headerType; }
</ins><span class="cx">
</span><span class="cx"> bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx"> bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="lines">@@ -835,7 +835,7 @@
</span><span class="cx"> ContentSecurityPolicy* m_policy;
</span><span class="cx">
</span><span class="cx"> String m_header;
</span><del>- ContentSecurityPolicy::HeaderType m_headerType;
</del><ins>+ ContentSecurityPolicyHeaderType m_headerType;
</ins><span class="cx">
</span><span class="cx"> bool m_reportOnly;
</span><span class="cx"> bool m_haveSandboxPolicy;
</span><span class="lines">@@ -859,17 +859,17 @@
</span><span class="cx"> String m_evalDisabledErrorMessage;
</span><span class="cx"> };
</span><span class="cx">
</span><del>-CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurityPolicy::HeaderType type)
</del><ins>+CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurityPolicyHeaderType type)
</ins><span class="cx"> : m_policy(policy)
</span><span class="cx"> , m_headerType(type)
</span><span class="cx"> , m_reportOnly(false)
</span><span class="cx"> , m_haveSandboxPolicy(false)
</span><span class="cx"> , m_reflectedXSSDisposition(ContentSecurityPolicy::ReflectedXSSUnset)
</span><span class="cx"> {
</span><del>- m_reportOnly = (type == ContentSecurityPolicy::Report || type == ContentSecurityPolicy::PrefixedReport);
</del><ins>+ m_reportOnly = (type == ContentSecurityPolicyHeaderType::Report || type == ContentSecurityPolicyHeaderType::PrefixedReport);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-std::unique_ptr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* policy, const String& header, ContentSecurityPolicy::HeaderType type)
</del><ins>+std::unique_ptr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* policy, const String& header, ContentSecurityPolicyHeaderType type)
</ins><span class="cx"> {
</span><span class="cx"> auto directives = std::make_unique<CSPDirectiveList>(policy, type);
</span><span class="cx"> directives->parse(header);
</span><span class="lines">@@ -1371,8 +1371,23 @@
</span><span class="cx"> didReceiveHeader(policy->header(), policy->headerType());
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void ContentSecurityPolicy::didReceiveHeader(const String& header, HeaderType type)
</del><ins>+ContentSecurityPolicyResponseHeaders ContentSecurityPolicy::responseHeaders() const
</ins><span class="cx"> {
</span><ins>+ ContentSecurityPolicyResponseHeaders result;
+ result.m_headers.reserveInitialCapacity(m_policies.size());
+ for (auto& policy : m_policies)
+ result.m_headers.uncheckedAppend({ policy->header(), policy->headerType() });
+ return result;
+}
+
+void ContentSecurityPolicy::didReceiveHeaders(const ContentSecurityPolicyResponseHeaders& headers)
+{
+ for (auto& header : headers.m_headers)
+ didReceiveHeader(header.first, header.second);
+}
+
+void ContentSecurityPolicy::didReceiveHeader(const String& header, ContentSecurityPolicyHeaderType type)
+{
</ins><span class="cx"> // RFC2616, section 4.2 specifies that headers appearing multiple times can
</span><span class="cx"> // be combined with a comma. Walk the header string, and parse each comma
</span><span class="cx"> // separated chunk as a separate header.
</span><span class="lines">@@ -1403,16 +1418,6 @@
</span><span class="cx"> m_overrideInlineStyleAllowed = value;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-const String& ContentSecurityPolicy::deprecatedHeader() const
-{
- return m_policies.isEmpty() ? emptyString() : m_policies[0]->header();
-}
-
-ContentSecurityPolicy::HeaderType ContentSecurityPolicy::deprecatedHeaderType() const
-{
- return m_policies.isEmpty() ? Enforce : m_policies[0]->headerType();
-}
-
</del><span class="cx"> template<bool (CSPDirectiveList::*allowed)(ContentSecurityPolicy::ReportingStatus) const>
</span><span class="cx"> bool isAllowedByAll(const CSPDirectiveListVector& policies, ContentSecurityPolicy::ReportingStatus reportingStatus)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx"> #ifndef ContentSecurityPolicy_h
</span><span class="cx"> #define ContentSecurityPolicy_h
</span><span class="cx">
</span><ins>+#include "ContentSecurityPolicyResponseHeaders.h"
</ins><span class="cx"> #include "URL.h"
</span><span class="cx"> #include "ScriptState.h"
</span><span class="cx"> #include <memory>
</span><span class="lines">@@ -56,13 +57,6 @@
</span><span class="cx">
</span><span class="cx"> void copyStateFrom(const ContentSecurityPolicy*);
</span><span class="cx">
</span><del>- enum HeaderType {
- Report,
- Enforce,
- PrefixedReport,
- PrefixedEnforce
- };
-
</del><span class="cx"> enum class ReportingStatus {
</span><span class="cx"> SendReport,
</span><span class="cx"> SuppressReport
</span><span class="lines">@@ -77,13 +71,10 @@
</span><span class="cx"> BlockReflectedXSS
</span><span class="cx"> };
</span><span class="cx">
</span><del>- void didReceiveHeader(const String&, HeaderType);
</del><ins>+ ContentSecurityPolicyResponseHeaders responseHeaders() const;
+ void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&);
+ void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType);
</ins><span class="cx">
</span><del>- // These functions are wrong because they assume that there is only one header.
- // FIXME: Replace them with functions that return vectors.
- const String& deprecatedHeader() const;
- HeaderType deprecatedHeaderType() const;
-
</del><span class="cx"> bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx"> bool allowInlineScript(const String& contextURL, const WTF::OrdinalNumber& contextLine, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyResponseHeaderscpp"></a>
<div class="addfile"><h4>Added: trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.cpp (0 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.cpp (rev 0)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.cpp 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -0,0 +1,62 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "ContentSecurityPolicyResponseHeaders.h"
+
+#include "HTTPHeaderNames.h"
+#include "ResourceResponse.h"
+
+namespace WebCore {
+
+ContentSecurityPolicyResponseHeaders::ContentSecurityPolicyResponseHeaders(const ResourceResponse& response)
+{
+ String policyValue = response.httpHeaderField(HTTPHeaderName::ContentSecurityPolicy);
+ if (!policyValue.isEmpty())
+ m_headers.append({ policyValue, ContentSecurityPolicyHeaderType::Enforce });
+
+ policyValue = response.httpHeaderField(HTTPHeaderName::ContentSecurityPolicyReportOnly);
+ if (!policyValue.isEmpty())
+ m_headers.append({ policyValue, ContentSecurityPolicyHeaderType::Report });
+
+ policyValue = response.httpHeaderField(HTTPHeaderName::XWebKitCSP);
+ if (!policyValue.isEmpty())
+ m_headers.append({ policyValue, ContentSecurityPolicyHeaderType::PrefixedEnforce });
+
+ policyValue = response.httpHeaderField(HTTPHeaderName::XWebKitCSPReportOnly);
+ if (!policyValue.isEmpty())
+ m_headers.append({ policyValue, ContentSecurityPolicyHeaderType::PrefixedReport });
+}
+
+ContentSecurityPolicyResponseHeaders ContentSecurityPolicyResponseHeaders::isolatedCopy() const
+{
+ ContentSecurityPolicyResponseHeaders isolatedCopy;
+ isolatedCopy.m_headers.reserveInitialCapacity(m_headers.size());
+ for (auto& header : m_headers)
+ isolatedCopy.m_headers.uncheckedAppend({ header.first.isolatedCopy(), header.second });
+ return isolatedCopy;
+}
+
+} // namespace WebCore
</ins></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyResponseHeadersh"></a>
<div class="addfile"><h4>Added: trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h (0 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h (rev 0)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyResponseHeaders.h 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -0,0 +1,60 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
+ * THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef ContentSecurityPolicyResponseHeaders_h
+#define ContentSecurityPolicyResponseHeaders_h
+
+#include <wtf/Vector.h>
+#include <wtf/text/WTFString.h>
+
+namespace WebCore {
+
+class ContentSecurityPolicy;
+class ResourceResponse;
+
+enum class ContentSecurityPolicyHeaderType {
+ Report,
+ Enforce,
+ PrefixedReport,
+ PrefixedEnforce,
+};
+
+class ContentSecurityPolicyResponseHeaders {
+public:
+ ContentSecurityPolicyResponseHeaders(const ResourceResponse&);
+
+ ContentSecurityPolicyResponseHeaders isolatedCopy() const;
+
+private:
+ friend class ContentSecurityPolicy;
+
+ ContentSecurityPolicyResponseHeaders() = default;
+
+ Vector<std::pair<String, ContentSecurityPolicyHeaderType>> m_headers;
+};
+
+} // namespace WebCore
+
+#endif /* ContentSecurityPolicyResponseHeaders_h */
</ins></span></pre></div>
<a id="trunkSourceWebCoreworkersDedicatedWorkerGlobalScopecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -31,6 +31,7 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "DedicatedWorkerGlobalScope.h"
</span><span class="cx">
</span><ins>+#include "ContentSecurityPolicyResponseHeaders.h"
</ins><span class="cx"> #include "DOMWindow.h"
</span><span class="cx"> #include "DedicatedWorkerThread.h"
</span><span class="cx"> #include "MessageEvent.h"
</span><span class="lines">@@ -39,10 +40,10 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><del>-Ref<DedicatedWorkerGlobalScope> DedicatedWorkerGlobalScope::create(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, PassRefPtr<SecurityOrigin> topOrigin)
</del><ins>+Ref<DedicatedWorkerGlobalScope> DedicatedWorkerGlobalScope::create(const URL& url, const String& userAgent, DedicatedWorkerThread& thread, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, PassRefPtr<SecurityOrigin> topOrigin)
</ins><span class="cx"> {
</span><span class="cx"> Ref<DedicatedWorkerGlobalScope> context = adoptRef(*new DedicatedWorkerGlobalScope(url, userAgent, thread, topOrigin));
</span><del>- context->applyContentSecurityPolicyFromString(contentSecurityPolicy, contentSecurityPolicyType);
</del><ins>+ context->applyContentSecurityPolicyResponseHeaders(contentSecurityPolicyResponseHeaders);
</ins><span class="cx"> return context;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersDedicatedWorkerGlobalScopeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.h 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -31,18 +31,18 @@
</span><span class="cx"> #ifndef DedicatedWorkerGlobalScope_h
</span><span class="cx"> #define DedicatedWorkerGlobalScope_h
</span><span class="cx">
</span><del>-#include "ContentSecurityPolicy.h"
</del><span class="cx"> #include "MessagePort.h"
</span><span class="cx"> #include "WorkerGlobalScope.h"
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><ins>+ class ContentSecurityPolicyResponseHeaders;
</ins><span class="cx"> class DedicatedWorkerThread;
</span><span class="cx">
</span><span class="cx"> class DedicatedWorkerGlobalScope : public WorkerGlobalScope {
</span><span class="cx"> public:
</span><span class="cx"> typedef WorkerGlobalScope Base;
</span><del>- static Ref<DedicatedWorkerGlobalScope> create(const URL&, const String& userAgent, DedicatedWorkerThread&, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, PassRefPtr<SecurityOrigin> topOrigin);
</del><ins>+ static Ref<DedicatedWorkerGlobalScope> create(const URL&, const String& userAgent, DedicatedWorkerThread&, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin);
</ins><span class="cx"> virtual ~DedicatedWorkerGlobalScope();
</span><span class="cx">
</span><span class="cx"> virtual bool isDedicatedWorkerGlobalScope() const override { return true; }
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersDedicatedWorkerThreadcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/DedicatedWorkerThread.cpp 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -38,8 +38,8 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><del>-DedicatedWorkerThread::DedicatedWorkerThread(const URL& url, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerObjectProxy& workerObjectProxy, WorkerThreadStartMode startMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, const SecurityOrigin* topOrigin)
- : WorkerThread(url, userAgent, sourceCode, workerLoaderProxy, workerObjectProxy, startMode, contentSecurityPolicy, contentSecurityPolicyType, topOrigin)
</del><ins>+DedicatedWorkerThread::DedicatedWorkerThread(const URL& url, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerObjectProxy& workerObjectProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin)
+ : WorkerThread(url, userAgent, sourceCode, workerLoaderProxy, workerObjectProxy, startMode, contentSecurityPolicyResponseHeaders, topOrigin)
</ins><span class="cx"> , m_workerObjectProxy(workerObjectProxy)
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="lines">@@ -48,9 +48,9 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-Ref<WorkerGlobalScope> DedicatedWorkerThread::createWorkerGlobalScope(const URL& url, const String& userAgent, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, PassRefPtr<SecurityOrigin> topOrigin)
</del><ins>+Ref<WorkerGlobalScope> DedicatedWorkerThread::createWorkerGlobalScope(const URL& url, const String& userAgent, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, PassRefPtr<SecurityOrigin> topOrigin)
</ins><span class="cx"> {
</span><del>- return DedicatedWorkerGlobalScope::create(url, userAgent, *this, contentSecurityPolicy, contentSecurityPolicyType, topOrigin);
</del><ins>+ return DedicatedWorkerGlobalScope::create(url, userAgent, *this, contentSecurityPolicyResponseHeaders, topOrigin);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void DedicatedWorkerThread::runEventLoop()
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersDedicatedWorkerThreadh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/DedicatedWorkerThread.h (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/DedicatedWorkerThread.h 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/DedicatedWorkerThread.h 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -30,11 +30,11 @@
</span><span class="cx"> #ifndef DedicatedWorkerThread_h
</span><span class="cx"> #define DedicatedWorkerThread_h
</span><span class="cx">
</span><del>-#include "ContentSecurityPolicy.h"
</del><span class="cx"> #include "WorkerThread.h"
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><ins>+ class ContentSecurityPolicyResponseHeaders;
</ins><span class="cx"> class WorkerObjectProxy;
</span><span class="cx">
</span><span class="cx"> class DedicatedWorkerThread : public WorkerThread {
</span><span class="lines">@@ -48,11 +48,11 @@
</span><span class="cx"> WorkerObjectProxy& workerObjectProxy() const { return m_workerObjectProxy; }
</span><span class="cx">
</span><span class="cx"> protected:
</span><del>- virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType, PassRefPtr<SecurityOrigin> topOrigin) override;
</del><ins>+ virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin) override;
</ins><span class="cx"> virtual void runEventLoop() override;
</span><span class="cx">
</span><span class="cx"> private:
</span><del>- DedicatedWorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerObjectProxy&, WorkerThreadStartMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType, const SecurityOrigin* topOrigin);
</del><ins>+ DedicatedWorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerObjectProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin);
</ins><span class="cx">
</span><span class="cx"> WorkerObjectProxy& m_workerObjectProxy;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/Worker.cpp (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/Worker.cpp 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/Worker.cpp 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -31,6 +31,7 @@
</span><span class="cx">
</span><span class="cx"> #include "DOMWindow.h"
</span><span class="cx"> #include "CachedResourceLoader.h"
</span><ins>+#include "ContentSecurityPolicy.h"
</ins><span class="cx"> #include "Document.h"
</span><span class="cx"> #include "EventListener.h"
</span><span class="cx"> #include "EventNames.h"
</span><span class="lines">@@ -40,6 +41,7 @@
</span><span class="cx"> #include "InspectorInstrumentation.h"
</span><span class="cx"> #include "MessageEvent.h"
</span><span class="cx"> #include "NetworkStateNotifier.h"
</span><ins>+#include "SecurityOrigin.h"
</ins><span class="cx"> #include "TextEncoding.h"
</span><span class="cx"> #include "WorkerGlobalScopeProxy.h"
</span><span class="cx"> #include "WorkerScriptLoader.h"
</span><span class="lines">@@ -150,8 +152,11 @@
</span><span class="cx"> m_contextProxy->notifyNetworkStateChange(isOnLine);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void Worker::didReceiveResponse(unsigned long identifier, const ResourceResponse&)
</del><ins>+void Worker::didReceiveResponse(unsigned long identifier, const ResourceResponse& response)
</ins><span class="cx"> {
</span><ins>+ const URL& responseURL = response.url();
+ if (!responseURL.protocolIs("blob") && !responseURL.protocolIs("file") && !SecurityOrigin::create(responseURL)->isUnique())
+ m_contentSecurityPolicyResponseHeaders = ContentSecurityPolicyResponseHeaders(response);
</ins><span class="cx"> InspectorInstrumentation::didReceiveScriptResponse(scriptExecutionContext(), identifier);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -160,8 +165,8 @@
</span><span class="cx"> if (m_scriptLoader->failed())
</span><span class="cx"> dispatchEvent(Event::create(eventNames().errorEvent, false, true));
</span><span class="cx"> else {
</span><del>- WorkerThreadStartMode startMode = DontPauseWorkerGlobalScopeOnStart;
- m_contextProxy->startWorkerGlobalScope(m_scriptLoader->url(), scriptExecutionContext()->userAgent(m_scriptLoader->url()), m_scriptLoader->script(), startMode);
</del><ins>+ const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders = m_contentSecurityPolicyResponseHeaders ? m_contentSecurityPolicyResponseHeaders.value() : scriptExecutionContext()->contentSecurityPolicy()->responseHeaders();
+ m_contextProxy->startWorkerGlobalScope(m_scriptLoader->url(), scriptExecutionContext()->userAgent(m_scriptLoader->url()), m_scriptLoader->script(), contentSecurityPolicyResponseHeaders, DontPauseWorkerGlobalScopeOnStart);
</ins><span class="cx"> InspectorInstrumentation::scriptImported(scriptExecutionContext(), m_scriptLoader->identifier(), m_scriptLoader->script());
</span><span class="cx"> }
</span><span class="cx"> m_scriptLoader = nullptr;
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/Worker.h (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/Worker.h 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/Worker.h 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -29,11 +29,13 @@
</span><span class="cx">
</span><span class="cx"> #include "AbstractWorker.h"
</span><span class="cx"> #include "ActiveDOMObject.h"
</span><ins>+#include "ContentSecurityPolicyResponseHeaders.h"
</ins><span class="cx"> #include "EventListener.h"
</span><span class="cx"> #include "EventTarget.h"
</span><span class="cx"> #include "MessagePort.h"
</span><span class="cx"> #include "WorkerScriptLoaderClient.h"
</span><span class="cx"> #include <wtf/Forward.h>
</span><ins>+#include <wtf/Optional.h>
</ins><span class="cx"> #include <wtf/PassRefPtr.h>
</span><span class="cx"> #include <wtf/RefPtr.h>
</span><span class="cx"> #include <wtf/text/AtomicStringHash.h>
</span><span class="lines">@@ -83,6 +85,7 @@
</span><span class="cx">
</span><span class="cx"> RefPtr<WorkerScriptLoader> m_scriptLoader;
</span><span class="cx"> WorkerGlobalScopeProxy* m_contextProxy; // The proxy outlives the worker to perform thread shutdown.
</span><ins>+ Optional<ContentSecurityPolicyResponseHeaders> m_contentSecurityPolicyResponseHeaders;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerGlobalScopecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerGlobalScope.cpp (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -85,10 +85,10 @@
</span><span class="cx"> thread().workerReportingProxy().workerGlobalScopeDestroyed();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void WorkerGlobalScope::applyContentSecurityPolicyFromString(const String& policy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType)
</del><ins>+void WorkerGlobalScope::applyContentSecurityPolicyResponseHeaders(const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders)
</ins><span class="cx"> {
</span><span class="cx"> setContentSecurityPolicy(std::make_unique<ContentSecurityPolicy>(this));
</span><del>- contentSecurityPolicy()->didReceiveHeader(policy, contentSecurityPolicyType);
</del><ins>+ contentSecurityPolicy()->didReceiveHeaders(contentSecurityPolicyResponseHeaders);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> URL WorkerGlobalScope::completeURL(const String& url) const
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerGlobalScopeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerGlobalScope.h (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerGlobalScope.h 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/WorkerGlobalScope.h 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -27,7 +27,6 @@
</span><span class="cx"> #ifndef WorkerGlobalScope_h
</span><span class="cx"> #define WorkerGlobalScope_h
</span><span class="cx">
</span><del>-#include "ContentSecurityPolicy.h"
</del><span class="cx"> #include "EventListener.h"
</span><span class="cx"> #include "EventTarget.h"
</span><span class="cx"> #include "ScriptExecutionContext.h"
</span><span class="lines">@@ -45,6 +44,7 @@
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><span class="cx"> class Blob;
</span><ins>+ class ContentSecurityPolicyResponseHeaders;
</ins><span class="cx"> class ScheduledAction;
</span><span class="cx"> class WorkerLocation;
</span><span class="cx"> class WorkerNavigator;
</span><span class="lines">@@ -131,7 +131,7 @@
</span><span class="cx">
</span><span class="cx"> protected:
</span><span class="cx"> WorkerGlobalScope(const URL&, const String& userAgent, WorkerThread&, PassRefPtr<SecurityOrigin> topOrigin);
</span><del>- void applyContentSecurityPolicyFromString(const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType);
</del><ins>+ void applyContentSecurityPolicyResponseHeaders(const ContentSecurityPolicyResponseHeaders&);
</ins><span class="cx">
</span><span class="cx"> virtual void logExceptionToConsole(const String& errorMessage, const String& sourceURL, int lineNumber, int columnNumber, RefPtr<Inspector::ScriptCallStack>&&) override;
</span><span class="cx"> void addMessageToWorkerConsole(MessageSource, MessageLevel, const String& message, const String& sourceURL, unsigned lineNumber, unsigned columnNumber, RefPtr<Inspector::ScriptCallStack>&&, JSC::ExecState* = 0, unsigned long requestIdentifier = 0);
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerGlobalScopeProxyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/WorkerGlobalScopeProxy.h 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -38,6 +38,7 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><ins>+ class ContentSecurityPolicyResponseHeaders;
</ins><span class="cx"> class URL;
</span><span class="cx"> class Worker;
</span><span class="cx">
</span><span class="lines">@@ -48,7 +49,7 @@
</span><span class="cx">
</span><span class="cx"> virtual ~WorkerGlobalScopeProxy() { }
</span><span class="cx">
</span><del>- virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode) = 0;
</del><ins>+ virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, WorkerThreadStartMode) = 0;
</ins><span class="cx">
</span><span class="cx"> virtual void terminateWorkerGlobalScope() = 0;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerMessagingProxycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -72,12 +72,12 @@
</span><span class="cx"> || (is<WorkerGlobalScope>(*m_scriptExecutionContext) && currentThread() == downcast<WorkerGlobalScope>(*m_scriptExecutionContext).thread().threadID()));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void WorkerMessagingProxy::startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode)
</del><ins>+void WorkerMessagingProxy::startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, WorkerThreadStartMode startMode)
</ins><span class="cx"> {
</span><span class="cx"> // FIXME: This need to be revisited when we support nested worker one day
</span><span class="cx"> ASSERT(m_scriptExecutionContext);
</span><span class="cx"> Document& document = downcast<Document>(*m_scriptExecutionContext);
</span><del>- RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode, document.contentSecurityPolicy()->deprecatedHeader(), document.contentSecurityPolicy()->deprecatedHeaderType(), document.topOrigin());
</del><ins>+ RefPtr<DedicatedWorkerThread> thread = DedicatedWorkerThread::create(scriptURL, userAgent, sourceCode, *this, *this, startMode, contentSecurityPolicyResponseHeaders, document.topOrigin());
</ins><span class="cx"> workerThreadCreated(thread);
</span><span class="cx"> thread->start();
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerMessagingProxyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerMessagingProxy.h (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerMessagingProxy.h 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/WorkerMessagingProxy.h 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -40,6 +40,7 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><ins>+ class ContentSecurityPolicyResponseHeaders;
</ins><span class="cx"> class DedicatedWorkerThread;
</span><span class="cx"> class ScriptExecutionContext;
</span><span class="cx"> class Worker;
</span><span class="lines">@@ -51,7 +52,7 @@
</span><span class="cx">
</span><span class="cx"> // Implementations of WorkerGlobalScopeProxy.
</span><span class="cx"> // (Only use these methods in the worker object thread.)
</span><del>- virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode) override;
</del><ins>+ virtual void startWorkerGlobalScope(const URL& scriptURL, const String& userAgent, const String& sourceCode, const ContentSecurityPolicyResponseHeaders&, WorkerThreadStartMode) override;
</ins><span class="cx"> virtual void terminateWorkerGlobalScope() override;
</span><span class="cx"> virtual void postMessageToWorkerGlobalScope(PassRefPtr<SerializedScriptValue>, std::unique_ptr<MessagePortChannelArray>) override;
</span><span class="cx"> virtual bool hasPendingActivity() const override;
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerThreadcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerThread.cpp (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerThread.cpp 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/WorkerThread.cpp 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -28,6 +28,7 @@
</span><span class="cx">
</span><span class="cx"> #include "WorkerThread.h"
</span><span class="cx">
</span><ins>+#include "ContentSecurityPolicyResponseHeaders.h"
</ins><span class="cx"> #include "DedicatedWorkerGlobalScope.h"
</span><span class="cx"> #include "ScriptSourceCode.h"
</span><span class="cx"> #include "SecurityOrigin.h"
</span><span class="lines">@@ -69,33 +70,31 @@
</span><span class="cx"> struct WorkerThreadStartupData {
</span><span class="cx"> WTF_MAKE_NONCOPYABLE(WorkerThreadStartupData); WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> public:
</span><del>- WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, const SecurityOrigin* topOrigin);
</del><ins>+ WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin);
</ins><span class="cx">
</span><span class="cx"> URL m_scriptURL;
</span><span class="cx"> String m_userAgent;
</span><span class="cx"> String m_sourceCode;
</span><span class="cx"> WorkerThreadStartMode m_startMode;
</span><del>- String m_contentSecurityPolicy;
- ContentSecurityPolicy::HeaderType m_contentSecurityPolicyType;
</del><ins>+ ContentSecurityPolicyResponseHeaders m_contentSecurityPolicyResponseHeaders;
</ins><span class="cx"> RefPtr<SecurityOrigin> m_topOrigin;
</span><span class="cx"> };
</span><span class="cx">
</span><del>-WorkerThreadStartupData::WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, const SecurityOrigin* topOrigin)
</del><ins>+WorkerThreadStartupData::WorkerThreadStartupData(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin)
</ins><span class="cx"> : m_scriptURL(scriptURL.isolatedCopy())
</span><span class="cx"> , m_userAgent(userAgent.isolatedCopy())
</span><span class="cx"> , m_sourceCode(sourceCode.isolatedCopy())
</span><span class="cx"> , m_startMode(startMode)
</span><del>- , m_contentSecurityPolicy(contentSecurityPolicy.isolatedCopy())
- , m_contentSecurityPolicyType(contentSecurityPolicyType)
</del><ins>+ , m_contentSecurityPolicyResponseHeaders(contentSecurityPolicyResponseHeaders.isolatedCopy())
</ins><span class="cx"> , m_topOrigin(topOrigin ? &topOrigin->isolatedCopy().get() : nullptr)
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-WorkerThread::WorkerThread(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerReportingProxy& workerReportingProxy, WorkerThreadStartMode startMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType contentSecurityPolicyType, const SecurityOrigin* topOrigin)
</del><ins>+WorkerThread::WorkerThread(const URL& scriptURL, const String& userAgent, const String& sourceCode, WorkerLoaderProxy& workerLoaderProxy, WorkerReportingProxy& workerReportingProxy, WorkerThreadStartMode startMode, const ContentSecurityPolicyResponseHeaders& contentSecurityPolicyResponseHeaders, const SecurityOrigin* topOrigin)
</ins><span class="cx"> : m_threadID(0)
</span><span class="cx"> , m_workerLoaderProxy(workerLoaderProxy)
</span><span class="cx"> , m_workerReportingProxy(workerReportingProxy)
</span><del>- , m_startupData(std::make_unique<WorkerThreadStartupData>(scriptURL, userAgent, sourceCode, startMode, contentSecurityPolicy, contentSecurityPolicyType, topOrigin))
</del><ins>+ , m_startupData(std::make_unique<WorkerThreadStartupData>(scriptURL, userAgent, sourceCode, startMode, contentSecurityPolicyResponseHeaders, topOrigin))
</ins><span class="cx"> #if ENABLE(NOTIFICATIONS) || ENABLE(LEGACY_NOTIFICATIONS)
</span><span class="cx"> , m_notificationClient(0)
</span><span class="cx"> #endif
</span><span class="lines">@@ -145,7 +144,7 @@
</span><span class="cx">
</span><span class="cx"> {
</span><span class="cx"> LockHolder lock(m_threadCreationMutex);
</span><del>- m_workerGlobalScope = createWorkerGlobalScope(m_startupData->m_scriptURL, m_startupData->m_userAgent, m_startupData->m_contentSecurityPolicy, m_startupData->m_contentSecurityPolicyType, m_startupData->m_topOrigin.release());
</del><ins>+ m_workerGlobalScope = createWorkerGlobalScope(m_startupData->m_scriptURL, m_startupData->m_userAgent, m_startupData->m_contentSecurityPolicyResponseHeaders, m_startupData->m_topOrigin.release());
</ins><span class="cx">
</span><span class="cx"> if (m_runLoop.terminated()) {
</span><span class="cx"> // The worker was terminated before the thread had a chance to run. Since the context didn't exist yet,
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerThreadh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerThread.h (195947 => 195948)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerThread.h 2016-02-01 02:22:58 UTC (rev 195947)
+++ trunk/Source/WebCore/workers/WorkerThread.h 2016-02-01 03:10:00 UTC (rev 195948)
</span><span class="lines">@@ -27,7 +27,6 @@
</span><span class="cx"> #ifndef WorkerThread_h
</span><span class="cx"> #define WorkerThread_h
</span><span class="cx">
</span><del>-#include "ContentSecurityPolicy.h"
</del><span class="cx"> #include "WorkerRunLoop.h"
</span><span class="cx"> #include <memory>
</span><span class="cx"> #include <wtf/Forward.h>
</span><span class="lines">@@ -36,6 +35,7 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><ins>+ class ContentSecurityPolicyResponseHeaders;
</ins><span class="cx"> class URL;
</span><span class="cx"> class NotificationClient;
</span><span class="cx"> class SecurityOrigin;
</span><span class="lines">@@ -68,10 +68,10 @@
</span><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> protected:
</span><del>- WorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerReportingProxy&, WorkerThreadStartMode, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType, const SecurityOrigin* topOrigin);
</del><ins>+ WorkerThread(const URL&, const String& userAgent, const String& sourceCode, WorkerLoaderProxy&, WorkerReportingProxy&, WorkerThreadStartMode, const ContentSecurityPolicyResponseHeaders&, const SecurityOrigin* topOrigin);
</ins><span class="cx">
</span><span class="cx"> // Factory method for creating a new worker context for the thread.
</span><del>- virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const String& contentSecurityPolicy, ContentSecurityPolicy::HeaderType, PassRefPtr<SecurityOrigin> topOrigin) = 0;
</del><ins>+ virtual Ref<WorkerGlobalScope> createWorkerGlobalScope(const URL&, const String& userAgent, const ContentSecurityPolicyResponseHeaders&, PassRefPtr<SecurityOrigin> topOrigin) = 0;
</ins><span class="cx">
</span><span class="cx"> // Executes the event loop for the worker thread. Derived classes can override to perform actions before/after entering the event loop.
</span><span class="cx"> virtual void runEventLoop();
</span></span></pre>
</div>
</div>
</body>
</html>