<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[196283] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/196283">196283</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-02-08 17:26:56 -0800 (Mon, 08 Feb 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>CSP connect-src directive should block redirects
https://bugs.webkit.org/show_bug.cgi?id=69359
<rdar://problem/24383025>
Reviewed by Brent Fulgham.
Source/WebCore:
Inspired by Blink patch:
<https://src.chromium.org/viewvc/blink?revision=150246&view=revision>
Apply the connect-src directive of the Content Security Policy for the document or worker to the redirect URL
of an XMLHttpRequest and EventSource load so as to conform to section Paths and Redirects of the CSP 2.0 spec.,
<https://w3c.github.io/webappsec-csp/2/#source-list-paths-and-redirects> (29 August 2015).
Additionally, check that each requested script URL passed to WorkerGlobalScope.importScripts() is allowed by
the CSP of the worker before initiating a load for it. If some URL i is blocked by the CSP policy
then we do not try to load URLs j >= i.
Tests: http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html
http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html
http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed.html
http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked.html
http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed.html
http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect.html
http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin.html
http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin.html
http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin.html
http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr.html
* fileapi/FileReaderLoader.cpp:
(WebCore::FileReaderLoader::start): Do not enforce a CSP directive as CSP is not applicable to File API.
* inspector/InspectorNetworkAgent.cpp:
(WebCore::InspectorNetworkAgent::loadResource): Do not enforce a CSP directive as CSP should not interfere
with the Web Inspector.
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::loadResourceSynchronously): Modified to take an optional ContentSecurityPolicy
and pass it through to DocumentThreadableLoader::create().
(WebCore::DocumentThreadableLoader::create): Modified to take an optional ContentSecurityPolicy and pass it through
to DocumentThreadableLoader::DocumentThreadableLoader().
(WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Modified to take an optional ContentSecurityPolicy.
Asserts that the CSP allows the load of the request URL so as to catch when a caller creates a loader for a request
that is not allowed by the CSP. The caller should not create a loader for such a request.
(WebCore::DocumentThreadableLoader::redirectReceived): Check if the CSP allows the redirect URL. If it does not
then notify the client that the redirect check failed.
(WebCore::DocumentThreadableLoader::loadRequest): Ditto.
(WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): Checks that the specified URL is allowed
by the enforced CSP directive.
(WebCore::DocumentThreadableLoader::contentSecurityPolicy): Returns the ContentSecurityPolicy object passed to
DocumentThreadableLoader on instantiation or the ContentSecurityPolicy object of the associated document.
* loader/DocumentThreadableLoader.h: Add overloaded variants of DocumentThreadableLoader::{create, loadResourceSynchronously}()
that take a std::unique_ptr<ContentSecurityPolicy>&&. Remove some unnecessary headers.
* loader/ThreadableLoader.cpp:
(WebCore::ThreadableLoaderOptions::ThreadableLoaderOptions): Take the CSP directive to enforce and store it.
(WebCore::ThreadableLoaderOptions::isolatedCopy): Copy the CSP directive to enforce.
* loader/ThreadableLoader.h: Added member field to store the CSP directive to enforce (defaults to enforce the
directive connect-src - the most appropriate directive in most circumstances). As of the time of writing,
only WorkerGlobalScope.importScripts() enforces a different directive: script-src.
* loader/WorkerThreadableLoader.cpp:
(WebCore::WorkerThreadableLoader::WorkerThreadableLoader): Pass the SecurityOrigin and ContentSecurityPolicy associated
with the WorkerGlobalScope to WorkerThreadableLoader::MainThreadBridge::MainThreadBridge().
(WebCore::WorkerThreadableLoader::MainThreadBridge::MainThreadBridge): Pass a copy of the worker's ContentSecurityPolicy
to the DocumentThreadableLoader.
* loader/WorkerThreadableLoader.h:
* page/EventSource.cpp:
(WebCore::EventSource::connect): Enforce the CSP directive connect-src on redirects unless we are running in an isolated world.
* workers/AbstractWorker.cpp:
(WebCore::AbstractWorker::resolveURL): Modified to take a boolean whether to bypass the main world Content Security Policy
instead of querying for it directly.
* workers/AbstractWorker.h:
* workers/Worker.cpp:
(WebCore::Worker::create): Added FIXME to enforce child-src directive of the document's CSP to the worker's script URL
on redirect once we fix <https://bugs.webkit.org/show_bug.cgi?id=153562>. For now, do not enforce a CSP policy on redirect
of the worker's script URL.
* workers/WorkerGlobalScope.cpp:
(WebCore::WorkerGlobalScope::importScripts): Check that the requested URL is allowed by the CSP of the worker (if applicable).
Enforce the CSP directive script-src on redirects unless we are running in an isolated world.
* workers/WorkerScriptLoader.cpp:
(WebCore::WorkerScriptLoader::loadSynchronously): Pass SecurityOrigin and ContentSecurityPolicyEnforcement to WorkerThreadableLoader.
(WebCore::WorkerScriptLoader::loadAsynchronously): Ditto.
* workers/WorkerScriptLoader.h:
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::createRequest): Enforce the CSP directive connect-src on redirects unless we are running in
an isolated world.
LayoutTests:
Add more tests, update erroneous expected results, and remove some entries from TestExpectations for tests
that now pass.
* TestExpectations: Remove entries for tests that now pass. The failure of test http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html
was erroneously attributed to <https://bugs.webkit.org/show_bug.cgi?id=153562>.
* http/tests/security/contentSecurityPolicy/resources/determine-content-security-policy-header.php: Added.
* http/tests/security/contentSecurityPolicy/resources/script-set-value.js: Use global variable self instead of window so as to
make this script work both from a Document and a Web Worker. In a document, self refers to the Window object and in a worker
it refers to the WorkerGlobalScope object.
* http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.php: Added.
* http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.php: Added.
* http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.php: Added.
* http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.php: Added.
* http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.php: Added.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt: Remove Blink-specific messages so that the test passes.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html: Added.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html: Added.
* http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt: Substitute Blink-specific error text with the analogous WebKit error text.
* http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html: Ditto.
* http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed.html: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect-expected.txt: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect.html: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin-expected.txt: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin.html: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScripts-redirect-cross-origin-expected.txt: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScript-redirect-cross-origin-expected.txt: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin-expected.txt: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin.html: Added.
* http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-expected.txt: Added.
* http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin-expected.txt: Added.
* http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin.html: Added.
* http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesscriptsetvaluejs">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/script-set-value.js</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerimportscriptsblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerimportscriptsblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorefileapiFileReaderLoadercpp">trunk/Source/WebCore/fileapi/FileReaderLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreinspectorInspectorNetworkAgentcpp">trunk/Source/WebCore/inspector/InspectorNetworkAgent.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentThreadableLoadercpp">trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentThreadableLoaderh">trunk/Source/WebCore/loader/DocumentThreadableLoader.h</a></li>
<li><a href="#trunkSourceWebCoreloaderThreadableLoadercpp">trunk/Source/WebCore/loader/ThreadableLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderThreadableLoaderh">trunk/Source/WebCore/loader/ThreadableLoader.h</a></li>
<li><a href="#trunkSourceWebCoreloaderWorkerThreadableLoadercpp">trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderWorkerThreadableLoaderh">trunk/Source/WebCore/loader/WorkerThreadableLoader.h</a></li>
<li><a href="#trunkSourceWebCorepageEventSourcecpp">trunk/Source/WebCore/page/EventSource.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersAbstractWorkercpp">trunk/Source/WebCore/workers/AbstractWorker.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersAbstractWorkerh">trunk/Source/WebCore/workers/AbstractWorker.h</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkercpp">trunk/Source/WebCore/workers/Worker.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerGlobalScopecpp">trunk/Source/WebCore/workers/WorkerGlobalScope.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerScriptLoadercpp">trunk/Source/WebCore/workers/WorkerScriptLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkerScriptLoaderh">trunk/Source/WebCore/workers/WorkerScriptLoader.h</a></li>
<li><a href="#trunkSourceWebCorexmlXMLHttpRequestcpp">trunk/Source/WebCore/xml/XMLHttpRequest.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesdeterminecontentsecuritypolicyheaderphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/determine-content-security-policy-header.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesworkerimportScriptredirectcrossoriginallowedphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesworkerimportScriptredirectcrossoriginblockedphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesworkerxhrallowedphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesworkerxhrredirectcrossoriginallowedphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesworkerxhrredirectcrossoriginblockedphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsblockabortsallsubsequentimportsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsblockabortsallsubsequentimportshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsredirectcrossoriginblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsredirectcrossoriginblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspblocksxhrredirectcrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspblocksxhrredirectcrossoriginhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspimportScriptsredirectcrossoriginallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspimportScriptsredirectcrossoriginallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspimportScriptsredirectcrossoriginblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspimportScriptsredirectcrossoriginblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerwithoutcspimportScriptsredirectcrossoriginallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerwithoutcspimportScriptsredirectcrossoriginallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspforxhrredirectexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspforxhrredirecthtml">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobimportScriptredirectcrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobimportScriptredirectcrossoriginhtml">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobimportScriptsredirectcrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScripts-redirect-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerimportScriptredirectcrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScript-redirect-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerimportScriptsredirectcrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerimportScriptsredirectcrossoriginhtml">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassworkercspforxhrexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassworkercspforxhrredirectcrossoriginexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassworkercspforxhrredirectcrossoriginhtml">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassworkercspforxhrhtml">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/LayoutTests/ChangeLog 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -1,3 +1,53 @@
</span><ins>+2016-02-08 Daniel Bates <dabates@apple.com>
+
+ CSP connect-src directive should block redirects
+ https://bugs.webkit.org/show_bug.cgi?id=69359
+ <rdar://problem/24383025>
+
+ Reviewed by Brent Fulgham.
+
+ Add more tests, update erroneous expected results, and remove some entries from TestExpectations for tests
+ that now pass.
+
+ * TestExpectations: Remove entries for tests that now pass. The failure of test http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html
+ was erroneously attributed to <https://bugs.webkit.org/show_bug.cgi?id=153562>.
+ * http/tests/security/contentSecurityPolicy/resources/determine-content-security-policy-header.php: Added.
+ * http/tests/security/contentSecurityPolicy/resources/script-set-value.js: Use global variable self instead of window so as to
+ make this script work both from a Document and a Web Worker. In a document, self refers to the Window object and in a worker
+ it refers to the WorkerGlobalScope object.
+ * http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.php: Added.
+ * http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.php: Added.
+ * http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.php: Added.
+ * http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.php: Added.
+ * http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.php: Added.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt: Remove Blink-specific messages so that the test passes.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html: Added.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html: Added.
+ * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt: Substitute Blink-specific error text with the analogous WebKit error text.
+ * http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html: Ditto.
+ * http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed.html: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect.html: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin.html: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScripts-redirect-cross-origin-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScript-redirect-cross-origin-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin.html: Added.
+ * http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin-expected.txt: Added.
+ * http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin.html: Added.
+ * http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr.html: Added.
+
</ins><span class="cx"> 2016-02-08 Yusuke Suzuki <utatane.tea@gmail.com>
</span><span class="cx">
</span><span class="cx"> {Map,Set}.prototype.forEach should be visible as own properties
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/LayoutTests/TestExpectations 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -792,9 +792,6 @@
</span><span class="cx"> webkit.org/b/52185 fast/css/vertical-align-baseline-rowspan-010.html [ ImageOnlyFailure ]
</span><span class="cx">
</span><span class="cx"> # Content Security Policy failures
</span><del>-webkit.org/b/69359 http/tests/security/contentSecurityPolicy/connect-src-eventsource-redirect-to-blocked.html [ Failure ]
-webkit.org/b/69359 http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-redirect-to-blocked.html [ Failure ]
-webkit.org/b/69359 http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html [ Failure ]
</del><span class="cx"> webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html
</span><span class="cx"> webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ]
</span><span class="cx"> webkit.org/b/115702 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html [ Failure ]
</span><span class="lines">@@ -833,7 +830,6 @@
</span><span class="cx"> webkit.org/b/153167 http/tests/security/contentSecurityPolicy/sandbox-report-only.html [ Failure ]
</span><span class="cx"> webkit.org/b/153168 http/tests/security/contentSecurityPolicy/source-list-parsing-07.html [ Failure ]
</span><span class="cx"> webkit.org/b/153170 http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html [ Failure ]
</span><del>-webkit.org/b/153562 http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html [ Failure ]
</del><span class="cx"> webkit.org/b/153562 http/tests/security/contentSecurityPolicy/worker-script-src.html [ Failure ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html # Needs expected file.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesdeterminecontentsecuritypolicyheaderphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/determine-content-security-policy-header.php (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/determine-content-security-policy-header.php (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/determine-content-security-policy-header.php 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+<?php
+ header("Expires: Thu, 01 Dec 2003 16:00:00 GMT");
+ header("Cache-Control: no-cache, must-revalidate");
+ header("Pragma: no-cache");
+ if ($_GET["csp"]) {
+ $contentSecurityPolicy = $_GET["csp"];
+ // If the magic quotes option is enabled, the CSP could be escaped and
+ // the test would fail.
+ if (get_magic_quotes_gpc())
+ $contentSecurityPolicy = stripslashes($contentSecurityPolicy);
+ header("Content-Security-Policy: " . $contentSecurityPolicy);
+ }
+?>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesscriptsetvaluejs"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/script-set-value.js (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/script-set-value.js 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/script-set-value.js 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -1 +1 @@
</span><del>-window.result = true;
</del><ins>+self.result = true;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesworkerimportScriptredirectcrossoriginallowedphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.php (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.php (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.php 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+<?php
+ require "determine-content-security-policy-header.php";
+?>
+self.result = false;
+var exception;
+try {
+ importScripts("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script-set-value.js");
+} catch (e) {
+ exception = e;
+}
+if (exception)
+ self.postMessage("FAIL should not have thrown an exception. Threw exception " + exception + ".");
+else {
+ if (self.result)
+ self.postMessage("PASS did import script from different origin.");
+ else
+ self.postMessage("FAIL did not import script from different origin.");
+}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesworkerimportScriptredirectcrossoriginblockedphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.php (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.php (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-blocked.php 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+<?php
+ require "determine-content-security-policy-header.php";
+?>
+var exception;
+try {
+ importScripts("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script-set-value.js");
+} catch (e) {
+ exception = e;
+}
+var expectedExceptionCode = 19; // DOMException.NETWORK_ERR
+if (!exception)
+ self.postMessage("FAIL should throw " + expectedExceptionCode + ". But did not throw an exception.");
+else {
+ if (exception.code === expectedExceptionCode)
+ self.postMessage("PASS threw exception " + exception + ".");
+ else
+ self.postMessage("FAIL should throw " + expectedExceptionCode + ". Threw exception " + exception + ".");
+}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesworkerxhrallowedphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.php (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.php (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-allowed.php 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<?php
+ require "determine-content-security-policy-header.php";
+?>
+var isAsynchronous = false;
+var xhr = new XMLHttpRequest;
+try {
+ xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/get.txt", isAsynchronous);
+ xhr.send();
+ self.postMessage(xhr.response);
+} catch (exception) {
+ self.postMessage("FAIL should not have thrown an exception. Threw exception " + exception + ".");
+}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesworkerxhrredirectcrossoriginallowedphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.php (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.php (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.php 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<?php
+ require "determine-content-security-policy-header.php";
+?>
+var isAsynchronous = false;
+var xhr = new XMLHttpRequest;
+try {
+ xhr.open("GET", "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", isAsynchronous);
+ xhr.send();
+ self.postMessage(xhr.response);
+} catch (exception) {
+ self.postMessage("FAIL should not have thrown an exception. Threw exception " + exception + ".");
+}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesworkerxhrredirectcrossoriginblockedphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.php (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.php (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.php 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+<?php
+ require "determine-content-security-policy-header.php";
+?>
+var expectedExceptionCode = 19; // DOMException.NETWORK_ERR
+var isAsynchronous = false;
+var xhr = new XMLHttpRequest;
+try {
+ xhr.open("GET", "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi", isAsynchronous);
+ xhr.send();
+ self.postMessage("FAIL should throw " + expectedExceptionCode + ". But did not throw an exception.");
+} catch (exception) {
+ if (exception.code === expectedExceptionCode)
+ self.postMessage("PASS threw exception " + exception + ".");
+ else
+ self.postMessage("FAIL should throw " + expectedExceptionCode + ". Threw exception " + exception + ".");
+}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -1,6 +1,5 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' http://127.0.0.1:8000".
</span><span class="cx">
</span><del>-This is a testharness.js-based test.
</del><ins>+
</ins><span class="cx"> PASS Blob worker inherits CSP
</span><del>-Harness: the test ran to completion.
</del><span class="cx">
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsblockabortsallsubsequentimportsexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/workers/resources/worker-importScripts-source1.js' because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-inline'".
+
+This tests that when calling WorkerGlobalScope.importScripts() will two script URLs that the second script is not loaded if the first script URL was blocked by the Content Security Policy of the worker (inherited from this page).
+
+PASS threw exception Error: NetworkError: DOM Exception 19.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsblockabortsallsubsequentimportshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,57 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<!-- FIXME: Change 'self' to 'blob:' once we fix <https://bugs.webkit.org/show_bug.cgi?id=153158>. -->
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that when calling WorkerGlobalScope.importScripts() will two script URLs that the second script is not loaded if the first script URL was blocked by the Content Security Policy of the worker (inherited from this page).</p>
+<pre id="result"></pre>
+<script>
+function reportResultAndNotifyDone(message)
+{
+ document.getElementById("result").textContent = message;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var script = [
+ 'self.loadedSource1 = false;',
+ 'self.loadedSource2 = false;',
+ 'var exception;',
+ 'try {',
+ ' importScripts("http://localhost:8000/workers/resources/worker-importScripts-source1.js", "http://localhost:8000/workers/resources/worker-importScripts-source2.js");',
+ '} catch (e) {',
+ ' exception = e;',
+ '}',
+ 'var expectedExceptionCode = 19; // DOMException.NETWORK_ERR',
+ 'if (!exception)',
+ ' self.postMessage("FAIL should throw " + expectedExceptionCode + ". But did not throw an exception.");',
+ 'else {',
+ ' if (self.loadedSource1)',
+ ' self.postMessage("FAIL should not have loaded and executed the first script.");',
+ ' else if (self.loadedSource2)',
+ ' self.postMessage("FAIL should not have loaded and executed the second script.");',
+ ' else if (exception.code == expectedExceptionCode)',
+ ' self.postMessage("PASS threw exception " + exception + ".");',
+ ' else',
+ ' self.postMessage("FAIL should throw " + expectedExceptionCode + ". Threw exception " + exception + ".");',
+ '}',
+].join("\n");
+
+var worker;
+try {
+ worker = new Worker(window.URL.createObjectURL(new Blob([script])));
+ worker.onmessage = function (event) { reportResultAndNotifyDone(event.data); };
+} catch (exception) {
+ reportResultAndNotifyDone("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".");
+}
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsredirectcrossoriginblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests that the Content Security Policy of the parent origin (this page) blocks a Web Worker from importing a script from a different origin, not listed in script-src, through a redirect.
+
+PASS threw exception Error: NetworkError: DOM Exception 19.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsredirectcrossoriginblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,51 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<!-- FIXME: Change 'self' to 'blob:' once we fix <https://bugs.webkit.org/show_bug.cgi?id=153158>. -->
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php 'unsafe-inline'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that the Content Security Policy of the parent origin (this page) blocks a Web Worker from importing a script from a different origin, not listed in script-src, through a redirect.</p>
+<pre id="result"></pre>
+<script>
+function reportResultAndNotifyDone(message)
+{
+ document.getElementById("result").textContent = message;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var script = [
+ 'var exception;',
+ 'try {',
+ ' importScripts("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script-set-value.js");',
+ '} catch (e) {',
+ ' exception = e;',
+ '}',
+ 'var expectedExceptionCode = 19; // DOMException.NETWORK_ERR',
+ 'if (!exception)',
+ ' self.postMessage("FAIL should throw " + expectedExceptionCode + ". But did not throw an exception.");',
+ 'else {',
+ ' if (exception.code == expectedExceptionCode)',
+ ' self.postMessage("PASS threw exception " + exception + ".");',
+ ' else',
+ ' self.postMessage("FAIL should throw " + expectedExceptionCode + ". Threw exception " + exception + ".");',
+ '}',
+].join("\n");
+
+var worker;
+try {
+ worker = new Worker(window.URL.createObjectURL(new Blob([script])));
+ worker.onmessage = function (event) { reportResultAndNotifyDone(event.data); };
+} catch (exception) {
+ reportResultAndNotifyDone("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".");
+}
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspblocksxhrredirectcrossoriginexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests an XHR request made from a worker is blocked if it redirects to a cross-origin resource that is not listed as a connect-src in the CSP of the worker.
+
+PASS threw exception Error: NetworkError: DOM Exception 19.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspblocksxhrredirectcrossoriginhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,31 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests an XHR request made from a worker is blocked if it redirects to a cross-origin resource that is not listed as a connect-src in the CSP of the worker.</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var worker;
+try {
+ worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-blocked.php?csp=" + encodeURIComponent("connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php"));
+ worker.onmessage = function (event) { window.postMessage(event.data, "*") };
+} catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+}
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspimportScriptsredirectcrossoriginallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests a Web Worker without a Content Security Policy is allowed to import a script from a different origin through a redirect.
+
+PASS did import script from different origin.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspimportScriptsredirectcrossoriginallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed.html (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,31 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests a Web Worker without a Content Security Policy is allowed to import a script from a different origin through a redirect.</p>
+<pre id="result"></pre>
+<script>
+function reportResultAndNotifyDone(message)
+{
+ document.getElementById("result").textContent = message;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var worker;
+try {
+ worker = new Worker("resources/worker-importScript-redirect-cross-origin-allowed.php?csp=" + encodeURIComponent("script-src 'self' http://localhost:8000"));
+ worker.onmessage = function (event) { reportResultAndNotifyDone(event.data); };
+} catch (exception) {
+ reportResultAndNotifyDone("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".");
+}
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspimportScriptsredirectcrossoriginblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests a Web Worker with Content Security Policy "script-src 'self'" blocks the import of a script from a different origin through a redirect.
+
+PASS threw exception Error: NetworkError: DOM Exception 19.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkercspimportScriptsredirectcrossoriginblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked.html (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,31 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests a Web Worker with Content Security Policy &quot;script-src 'self'&quot; blocks the import of a script from a different origin through a redirect.</p>
+<pre id="result"></pre>
+<script>
+function reportResultAndNotifyDone(message)
+{
+ document.getElementById("result").textContent = message;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var worker;
+try {
+ worker = new Worker("resources/worker-importScript-redirect-cross-origin-blocked.php?csp=" + encodeURIComponent("script-src 'self'"));
+ worker.onmessage = function (event) { reportResultAndNotifyDone(event.data); };
+} catch (exception) {
+ reportResultAndNotifyDone("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".");
+}
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerimportscriptsblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js' because it violates the following Content Security Policy directive: "script-src 'unsafe-eval' 'unsafe-inline' 127.0.0.1:8000".
</span><span class="cx">
</span><del>-PASS result is "importScripts blocked: NetworkError: Failed to execute 'importScripts' on 'WorkerGlobalScope': The script at 'http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js' failed to load."
</del><ins>+PASS result is "importScripts blocked: Error: NetworkError: DOM Exception 19"
</ins><span class="cx"> PASS successfullyParsed is true
</span><span class="cx">
</span><span class="cx"> TEST COMPLETE
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerimportscriptsblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-importscripts-blocked.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -15,7 +15,7 @@
</span><span class="cx"> encodeURIComponent("script-src 'unsafe-eval' 'unsafe-inline' 127.0.0.1:8000"));
</span><span class="cx"> worker.onmessage = function (event) {
</span><span class="cx"> result = event.data;
</span><del>- shouldBeEqualToString('result', 'importScripts blocked: NetworkError: Failed to execute \'importScripts\' on \'WorkerGlobalScope\': The script at \'http://localhost:8000/security/contentSecurityPolicy/resources/post-message.js\' failed to load.');
</del><ins>+ shouldBeEqualToString('result', 'importScripts blocked: Error: NetworkError: DOM Exception 19');
</ins><span class="cx"> finishJSTest();
</span><span class="cx"> };
</span><span class="cx"> } catch (e) {
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerwithoutcspimportScriptsredirectcrossoriginallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests a Web Worker without a Content Security Policy is allowed to import a script from a different origin through a redirect.
+
+PASS did import script from different origin.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerwithoutcspimportScriptsredirectcrossoriginallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed.html (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,32 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"> <!-- Worker should not inherit this policy. -->
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests a Web Worker without a Content Security Policy is allowed to import a script from a different origin through a redirect.</p>
+<pre id="result"></pre>
+<script>
+function reportResultAndNotifyDone(message)
+{
+ document.getElementById("result").textContent = message;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+var worker;
+try {
+ worker = new Worker("resources/worker-importScript-redirect-cross-origin-allowed.php");
+ worker.onmessage = function (event) { reportResultAndNotifyDone(event.data); };
+} catch (exception) {
+ reportResultAndNotifyDone("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".");
+}
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspforxhrredirectexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests that in an isolated world an XHR request is allowed to load even if it redirects to a cross-origin resource that is not listed as a connect-src.
+
+PASS did receive XHR response.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspforxhrredirecthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect.html (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,36 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world an XHR request is allowed to load even if it redirects to a cross-origin resource that is not listed as a connect-src.</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function testLoadXHRThatRedirects()
+{
+ var xhr = new XMLHttpRequest;
+ xhr.onload = function () { window.postMessage("PASS did receive XHR response.", "*"); };
+ xhr.onerror = function () { window.postMessage("FAIL did not receive XHR response.", "*"); };
+ xhr.open("GET", "http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/xmlhttprequest/resources/access-control-basic-allow.cgi");
+ xhr.send();
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, testLoadXHRThatRedirects.toString() + ";testLoadXHRThatRedirects();");
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobimportScriptredirectcrossoriginexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to import a script from a different origin, not listed in script-src, through a redirect.
+
+PASS did import script from different origin.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobimportScriptredirectcrossoriginhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin.html (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,57 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<!-- FIXME: Change 'self' to 'blob:' once we fix <https://bugs.webkit.org/show_bug.cgi?id=153158>. -->
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php 'unsafe-inline'">
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to import a script from a different origin, not listed in script-src, through a redirect.</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function runTest()
+{
+ var script = [
+ 'self.result = false;',
+ 'var exception;',
+ 'try {',
+ ' importScripts("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/script-set-value.js");',
+ '} catch (e) {',
+ ' exception = e;',
+ '}',
+ 'if (exception)',
+ ' self.postMessage("FAIL should not have thrown an exception. Threw exception " + exception + ".");',
+ 'else {',
+ ' if (self.result)',
+ ' self.postMessage("PASS did import script from different origin.");',
+ ' else',
+ ' self.postMessage("FAIL did not import script from different origin.");',
+ '}',
+ ].join("\n");
+
+ var worker;
+ try {
+ worker = new Worker(window.URL.createObjectURL(new Blob([script])));
+ worker.onmessage = function (event) { window.postMessage(event.data, "*"); }
+ } catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+ }
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();");
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerblobimportScriptsredirectcrossoriginexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScripts-redirect-cross-origin-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScripts-redirect-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScripts-redirect-cross-origin-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests that in an isolated world the Content Security Policy of the parent origin (this page) is bypassed and a Web Worker is allowed to import a script from a different origin, not listed in script-src, through a redirect.
+
+PASS did import script from different origin.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerimportScriptredirectcrossoriginexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScript-redirect-cross-origin-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScript-redirect-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScript-redirect-cross-origin-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests that in an isolated world the Content Security Policy of the Web Worker bypassed and the worker is allowed to import a script from a different origin, not listed in its script-src, through a redirect.
+
+PASS did import script from different origin.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerimportScriptsredirectcrossoriginexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests that in an isolated world the Content Security Policy of the Web Worker bypassed and the worker is allowed to import a script from a different origin, not listed in its script-src, through a redirect.
+
+PASS did import script from different origin.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerimportScriptsredirectcrossoriginhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin.html (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,37 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world the Content Security Policy of the Web Worker bypassed and the worker is allowed to import a script from a different origin, not listed in its script-src, through a redirect.</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function runTest()
+{
+ var worker;
+ try {
+ worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/worker-importScript-redirect-cross-origin-allowed.php?csp=" + encodeURIComponent("script-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php"));
+ worker.onmessage = function (event) { window.postMessage(event.data, "*"); }
+ } catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+ }
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();");
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassworkercspforxhrexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests that in an isolated world an XHR request made from a worker is allowed to load even if the resource is not listed as a connect-src in the CSP of the worker.
+
+PASS
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassworkercspforxhrredirectcrossoriginexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin-expected.txt (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin-expected.txt 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+This tests that in an isolated world an XHR request made from a worker is allowed to load even if it redirects to a cross-origin resource that is not listed as a connect-src in the CSP of the worker.
+
+PASS: Cross-domain access allowed.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassworkercspforxhrredirectcrossoriginhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin.html (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,37 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world an XHR request made from a worker is allowed to load even if it redirects to a cross-origin resource that is not listed as a connect-src in the CSP of the worker.</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function runTest()
+{
+ var worker;
+ try {
+ worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/worker-xhr-redirect-cross-origin-allowed.php?csp=" + encodeURIComponent("connect-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php"));
+ worker.onmessage = function (event) { window.postMessage(event.data, "*") };
+ } catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+ }
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();");
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassworkercspforxhrhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr.html (0 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr.html 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -0,0 +1,37 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that in an isolated world an XHR request made from a worker is allowed to load even if the resource is not listed as a connect-src in the CSP of the worker.</p>
+<pre id="result"></pre>
+<script>
+window.onmessage = function (event)
+{
+ document.getElementById("result").textContent = event.data;
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function runTest()
+{
+ var worker;
+ try {
+ worker = new Worker("http://127.0.0.1:8000/security/contentSecurityPolicy/resources/worker-xhr-allowed.php?csp=" + encodeURIComponent("connect-src 'none'"));
+ worker.onmessage = function (event) { window.postMessage(event.data, "*") };
+ } catch (exception) {
+ window.postMessage("FAIL should not have thrown an exception when creating worker. Threw exception " + exception + ".", "*");
+ }
+}
+
+if (window.testRunner)
+ testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + ";runTest();");
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/ChangeLog 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -1,3 +1,89 @@
</span><ins>+2016-02-08 Daniel Bates <dabates@apple.com>
+
+ CSP connect-src directive should block redirects
+ https://bugs.webkit.org/show_bug.cgi?id=69359
+ <rdar://problem/24383025>
+
+ Reviewed by Brent Fulgham.
+
+ Inspired by Blink patch:
+ <https://src.chromium.org/viewvc/blink?revision=150246&view=revision>
+
+ Apply the connect-src directive of the Content Security Policy for the document or worker to the redirect URL
+ of an XMLHttpRequest and EventSource load so as to conform to section Paths and Redirects of the CSP 2.0 spec.,
+ <https://w3c.github.io/webappsec-csp/2/#source-list-paths-and-redirects> (29 August 2015).
+
+ Additionally, check that each requested script URL passed to WorkerGlobalScope.importScripts() is allowed by
+ the CSP of the worker before initiating a load for it. If some URL i is blocked by the CSP policy
+ then we do not try to load URLs j >= i.
+
+ Tests: http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html
+ http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html
+ http/tests/security/contentSecurityPolicy/worker-csp-blocks-xhr-redirect-cross-origin.html
+ http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-allowed.html
+ http/tests/security/contentSecurityPolicy/worker-csp-importScripts-redirect-cross-origin-blocked.html
+ http/tests/security/contentSecurityPolicy/worker-without-csp-importScripts-redirect-cross-origin-allowed.html
+ http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-redirect.html
+ http/tests/security/isolatedWorld/bypass-main-world-csp-worker-blob-importScript-redirect-cross-origin.html
+ http/tests/security/isolatedWorld/bypass-main-world-csp-worker-importScripts-redirect-cross-origin.html
+ http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr-redirect-cross-origin.html
+ http/tests/security/isolatedWorld/bypass-worker-csp-for-xhr.html
+
+ * fileapi/FileReaderLoader.cpp:
+ (WebCore::FileReaderLoader::start): Do not enforce a CSP directive as CSP is not applicable to File API.
+ * inspector/InspectorNetworkAgent.cpp:
+ (WebCore::InspectorNetworkAgent::loadResource): Do not enforce a CSP directive as CSP should not interfere
+ with the Web Inspector.
+ * loader/DocumentThreadableLoader.cpp:
+ (WebCore::DocumentThreadableLoader::loadResourceSynchronously): Modified to take an optional ContentSecurityPolicy
+ and pass it through to DocumentThreadableLoader::create().
+ (WebCore::DocumentThreadableLoader::create): Modified to take an optional ContentSecurityPolicy and pass it through
+ to DocumentThreadableLoader::DocumentThreadableLoader().
+ (WebCore::DocumentThreadableLoader::DocumentThreadableLoader): Modified to take an optional ContentSecurityPolicy.
+ Asserts that the CSP allows the load of the request URL so as to catch when a caller creates a loader for a request
+ that is not allowed by the CSP. The caller should not create a loader for such a request.
+ (WebCore::DocumentThreadableLoader::redirectReceived): Check if the CSP allows the redirect URL. If it does not
+ then notify the client that the redirect check failed.
+ (WebCore::DocumentThreadableLoader::loadRequest): Ditto.
+ (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): Checks that the specified URL is allowed
+ by the enforced CSP directive.
+ (WebCore::DocumentThreadableLoader::contentSecurityPolicy): Returns the ContentSecurityPolicy object passed to
+ DocumentThreadableLoader on instantiation or the ContentSecurityPolicy object of the associated document.
+ * loader/DocumentThreadableLoader.h: Add overloaded variants of DocumentThreadableLoader::{create, loadResourceSynchronously}()
+ that take a std::unique_ptr<ContentSecurityPolicy>&&. Remove some unnecessary headers.
+ * loader/ThreadableLoader.cpp:
+ (WebCore::ThreadableLoaderOptions::ThreadableLoaderOptions): Take the CSP directive to enforce and store it.
+ (WebCore::ThreadableLoaderOptions::isolatedCopy): Copy the CSP directive to enforce.
+ * loader/ThreadableLoader.h: Added member field to store the CSP directive to enforce (defaults to enforce the
+ directive connect-src - the most appropriate directive in most circumstances). As of the time of writing,
+ only WorkerGlobalScope.importScripts() enforces a different directive: script-src.
+ * loader/WorkerThreadableLoader.cpp:
+ (WebCore::WorkerThreadableLoader::WorkerThreadableLoader): Pass the SecurityOrigin and ContentSecurityPolicy associated
+ with the WorkerGlobalScope to WorkerThreadableLoader::MainThreadBridge::MainThreadBridge().
+ (WebCore::WorkerThreadableLoader::MainThreadBridge::MainThreadBridge): Pass a copy of the worker's ContentSecurityPolicy
+ to the DocumentThreadableLoader.
+ * loader/WorkerThreadableLoader.h:
+ * page/EventSource.cpp:
+ (WebCore::EventSource::connect): Enforce the CSP directive connect-src on redirects unless we are running in an isolated world.
+ * workers/AbstractWorker.cpp:
+ (WebCore::AbstractWorker::resolveURL): Modified to take a boolean whether to bypass the main world Content Security Policy
+ instead of querying for it directly.
+ * workers/AbstractWorker.h:
+ * workers/Worker.cpp:
+ (WebCore::Worker::create): Added FIXME to enforce child-src directive of the document's CSP to the worker's script URL
+ on redirect once we fix <https://bugs.webkit.org/show_bug.cgi?id=153562>. For now, do not enforce a CSP policy on redirect
+ of the worker's script URL.
+ * workers/WorkerGlobalScope.cpp:
+ (WebCore::WorkerGlobalScope::importScripts): Check that the requested URL is allowed by the CSP of the worker (if applicable).
+ Enforce the CSP directive script-src on redirects unless we are running in an isolated world.
+ * workers/WorkerScriptLoader.cpp:
+ (WebCore::WorkerScriptLoader::loadSynchronously): Pass SecurityOrigin and ContentSecurityPolicyEnforcement to WorkerThreadableLoader.
+ (WebCore::WorkerScriptLoader::loadAsynchronously): Ditto.
+ * workers/WorkerScriptLoader.h:
+ * xml/XMLHttpRequest.cpp:
+ (WebCore::XMLHttpRequest::createRequest): Enforce the CSP directive connect-src on redirects unless we are running in
+ an isolated world.
+
</ins><span class="cx"> 2016-02-08 Antti Koivisto <antti@apple.com>
</span><span class="cx">
</span><span class="cx"> Try to fix Yosemite build.
</span></span></pre></div>
<a id="trunkSourceWebCorefileapiFileReaderLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/fileapi/FileReaderLoader.cpp (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/fileapi/FileReaderLoader.cpp 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/fileapi/FileReaderLoader.cpp 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -97,6 +97,7 @@
</span><span class="cx"> options.preflightPolicy = ConsiderPreflight;
</span><span class="cx"> options.setAllowCredentials(AllowStoredCredentials);
</span><span class="cx"> options.crossOriginRequestPolicy = DenyCrossOriginRequests;
</span><ins>+ options.contentSecurityPolicyEnforcement = ContentSecurityPolicyEnforcement::DoNotEnforce;
</ins><span class="cx">
</span><span class="cx"> if (m_client)
</span><span class="cx"> m_loader = ThreadableLoader::create(scriptExecutionContext, this, request, options);
</span></span></pre></div>
<a id="trunkSourceWebCoreinspectorInspectorNetworkAgentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/inspector/InspectorNetworkAgent.cpp (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/inspector/InspectorNetworkAgent.cpp 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/inspector/InspectorNetworkAgent.cpp 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -679,6 +679,7 @@
</span><span class="cx"> options.setAllowCredentials(AllowStoredCredentials);
</span><span class="cx"> options.setDefersLoadingPolicy(DefersLoadingPolicy::DisallowDefersLoading); // So the request is never deferred.
</span><span class="cx"> options.crossOriginRequestPolicy = AllowCrossOriginRequests;
</span><ins>+ options.contentSecurityPolicyEnforcement = ContentSecurityPolicyEnforcement::DoNotEnforce;
</ins><span class="cx">
</span><span class="cx"> // InspectorThreadableLoaderClient deletes itself when the load completes.
</span><span class="cx"> InspectorThreadableLoaderClient* inspectorThreadableLoaderClient = new InspectorThreadableLoaderClient(callback.copyRef());
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -35,6 +35,7 @@
</span><span class="cx"> #include "CachedResourceLoader.h"
</span><span class="cx"> #include "CachedResourceRequest.h"
</span><span class="cx"> #include "CachedResourceRequestInitiators.h"
</span><ins>+#include "ContentSecurityPolicy.h"
</ins><span class="cx"> #include "CrossOriginAccessControl.h"
</span><span class="cx"> #include "CrossOriginPreflightResultCache.h"
</span><span class="cx"> #include "Document.h"
</span><span class="lines">@@ -53,32 +54,45 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><del>-void DocumentThreadableLoader::loadResourceSynchronously(Document& document, const ResourceRequest& request, ThreadableLoaderClient& client, const ThreadableLoaderOptions& options)
</del><ins>+void DocumentThreadableLoader::loadResourceSynchronously(Document& document, const ResourceRequest& request, ThreadableLoaderClient& client, const ThreadableLoaderOptions& options, std::unique_ptr<ContentSecurityPolicy>&& contentSecurityPolicy)
</ins><span class="cx"> {
</span><span class="cx"> // The loader will be deleted as soon as this function exits.
</span><del>- RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, client, LoadSynchronously, request, options));
</del><ins>+ RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, client, LoadSynchronously, request, options, WTFMove(contentSecurityPolicy)));
</ins><span class="cx"> ASSERT(loader->hasOneRef());
</span><span class="cx"> }
</span><span class="cx">
</span><del>-PassRefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, const ResourceRequest& request, const ThreadableLoaderOptions& options)
</del><ins>+void DocumentThreadableLoader::loadResourceSynchronously(Document& document, const ResourceRequest& request, ThreadableLoaderClient& client, const ThreadableLoaderOptions& options)
</ins><span class="cx"> {
</span><del>- RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, client, LoadAsynchronously, request, options));
</del><ins>+ loadResourceSynchronously(document, request, client, options, nullptr);
+}
+
+PassRefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, const ResourceRequest& request, const ThreadableLoaderOptions& options, std::unique_ptr<ContentSecurityPolicy>&& contentSecurityPolicy)
+{
+ RefPtr<DocumentThreadableLoader> loader = adoptRef(new DocumentThreadableLoader(document, client, LoadAsynchronously, request, options, WTFMove(contentSecurityPolicy)));
</ins><span class="cx"> if (!loader->m_resource)
</span><span class="cx"> loader = nullptr;
</span><span class="cx"> return loader.release();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-DocumentThreadableLoader::DocumentThreadableLoader(Document& document, ThreadableLoaderClient& client, BlockingBehavior blockingBehavior, const ResourceRequest& request, const ThreadableLoaderOptions& options)
</del><ins>+PassRefPtr<DocumentThreadableLoader> DocumentThreadableLoader::create(Document& document, ThreadableLoaderClient& client, const ResourceRequest& request, const ThreadableLoaderOptions& options)
+{
+ return DocumentThreadableLoader::create(document, client, request, options, nullptr);
+}
+
+DocumentThreadableLoader::DocumentThreadableLoader(Document& document, ThreadableLoaderClient& client, BlockingBehavior blockingBehavior, const ResourceRequest& request, const ThreadableLoaderOptions& options, std::unique_ptr<ContentSecurityPolicy>&& contentSecurityPolicy)
</ins><span class="cx"> : m_client(&client)
</span><span class="cx"> , m_document(document)
</span><span class="cx"> , m_options(options)
</span><span class="cx"> , m_sameOriginRequest(securityOrigin()->canRequest(request.url()))
</span><span class="cx"> , m_simpleRequest(true)
</span><span class="cx"> , m_async(blockingBehavior == LoadAsynchronously)
</span><ins>+ , m_contentSecurityPolicy(WTFMove(contentSecurityPolicy))
</ins><span class="cx"> {
</span><span class="cx"> // Setting an outgoing referer is only supported in the async code path.
</span><span class="cx"> ASSERT(m_async || request.httpReferrer().isEmpty());
</span><span class="cx">
</span><ins>+ ASSERT_WITH_SECURITY_IMPLICATION(isAllowedByContentSecurityPolicy(request.url()));
+
</ins><span class="cx"> if (m_sameOriginRequest || m_options.crossOriginRequestPolicy == AllowCrossOriginRequests) {
</span><span class="cx"> loadRequest(request, DoSecurityCheck);
</span><span class="cx"> return;
</span><span class="lines">@@ -177,6 +191,12 @@
</span><span class="cx"> ASSERT_UNUSED(resource, resource == m_resource);
</span><span class="cx">
</span><span class="cx"> Ref<DocumentThreadableLoader> protect(*this);
</span><ins>+ if (!isAllowedByContentSecurityPolicy(request.url())) {
+ m_client->didFailRedirectCheck();
+ request = ResourceRequest();
+ return;
+ }
+
</ins><span class="cx"> // Allow same origin requests to continue after allowing clients to audit the redirect.
</span><span class="cx"> if (isAllowedRedirect(request.url()))
</span><span class="cx"> return;
</span><span class="lines">@@ -406,7 +426,7 @@
</span><span class="cx"> // FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the
</span><span class="cx"> // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
</span><span class="cx"> // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
</span><del>- if (requestURL != response.url() && !isAllowedRedirect(response.url())) {
</del><ins>+ if (requestURL != response.url() && (!isAllowedByContentSecurityPolicy(response.url()) || !isAllowedRedirect(response.url()))) {
</ins><span class="cx"> m_client->didFailRedirectCheck();
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="lines">@@ -418,6 +438,20 @@
</span><span class="cx"> didFinishLoading(identifier, 0.0);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL& url)
+{
+ switch (m_options.contentSecurityPolicyEnforcement) {
+ case ContentSecurityPolicyEnforcement::DoNotEnforce:
+ return true;
+ case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective:
+ return contentSecurityPolicy().allowConnectToSource(url, false); // Do not override policy
+ case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
+ return contentSecurityPolicy().allowScriptFromSource(url, false); // Do not override policy
+ }
+ ASSERT_NOT_REACHED();
+ return false;
+}
+
</ins><span class="cx"> bool DocumentThreadableLoader::isAllowedRedirect(const URL& url)
</span><span class="cx"> {
</span><span class="cx"> if (m_options.crossOriginRequestPolicy == AllowCrossOriginRequests)
</span><span class="lines">@@ -436,4 +470,12 @@
</span><span class="cx"> return m_options.securityOrigin ? m_options.securityOrigin.get() : m_document.securityOrigin();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+const ContentSecurityPolicy& DocumentThreadableLoader::contentSecurityPolicy() const
+{
+ if (m_contentSecurityPolicy)
+ return *m_contentSecurityPolicy.get();
+ ASSERT(m_document.contentSecurityPolicy());
+ return *m_document.contentSecurityPolicy();
+}
+
</ins><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentThreadableLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.h (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.h 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -33,16 +33,13 @@
</span><span class="cx">
</span><span class="cx"> #include "CachedRawResourceClient.h"
</span><span class="cx"> #include "CachedResourceHandle.h"
</span><del>-#include "FrameLoaderTypes.h"
</del><span class="cx"> #include "ThreadableLoader.h"
</span><del>-#include <wtf/Forward.h>
</del><span class="cx"> #include <wtf/PassRefPtr.h>
</span><span class="cx"> #include <wtf/RefCounted.h>
</span><del>-#include <wtf/RefPtr.h>
-#include <wtf/text/WTFString.h>
</del><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> class CachedRawResource;
</span><ins>+ class ContentSecurityPolicy;
</ins><span class="cx"> class Document;
</span><span class="cx"> class URL;
</span><span class="cx"> class ResourceRequest;
</span><span class="lines">@@ -52,8 +49,12 @@
</span><span class="cx"> class DocumentThreadableLoader : public RefCounted<DocumentThreadableLoader>, public ThreadableLoader, private CachedRawResourceClient {
</span><span class="cx"> WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx"> public:
</span><ins>+ static void loadResourceSynchronously(Document&, const ResourceRequest&, ThreadableLoaderClient&, const ThreadableLoaderOptions&, std::unique_ptr<ContentSecurityPolicy>&&);
</ins><span class="cx"> static void loadResourceSynchronously(Document&, const ResourceRequest&, ThreadableLoaderClient&, const ThreadableLoaderOptions&);
</span><ins>+
+ static PassRefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, const ResourceRequest&, const ThreadableLoaderOptions&, std::unique_ptr<ContentSecurityPolicy>&&);
</ins><span class="cx"> static PassRefPtr<DocumentThreadableLoader> create(Document&, ThreadableLoaderClient&, const ResourceRequest&, const ThreadableLoaderOptions&);
</span><ins>+
</ins><span class="cx"> virtual ~DocumentThreadableLoader();
</span><span class="cx">
</span><span class="cx"> virtual void cancel() override;
</span><span class="lines">@@ -72,7 +73,7 @@
</span><span class="cx"> LoadAsynchronously
</span><span class="cx"> };
</span><span class="cx">
</span><del>- DocumentThreadableLoader(Document&, ThreadableLoaderClient&, BlockingBehavior, const ResourceRequest&, const ThreadableLoaderOptions&);
</del><ins>+ DocumentThreadableLoader(Document&, ThreadableLoaderClient&, BlockingBehavior, const ResourceRequest&, const ThreadableLoaderOptions&, std::unique_ptr<ContentSecurityPolicy>&&);
</ins><span class="cx">
</span><span class="cx"> void clearResource();
</span><span class="cx">
</span><span class="lines">@@ -95,10 +96,12 @@
</span><span class="cx">
</span><span class="cx"> void loadRequest(const ResourceRequest&, SecurityCheckPolicy);
</span><span class="cx"> bool isAllowedRedirect(const URL&);
</span><ins>+ bool isAllowedByContentSecurityPolicy(const URL&);
</ins><span class="cx">
</span><span class="cx"> bool isXMLHttpRequest() const override final;
</span><span class="cx">
</span><span class="cx"> SecurityOrigin* securityOrigin() const;
</span><ins>+ const ContentSecurityPolicy& contentSecurityPolicy() const;
</ins><span class="cx">
</span><span class="cx"> CachedResourceHandle<CachedRawResource> m_resource;
</span><span class="cx"> ThreadableLoaderClient* m_client;
</span><span class="lines">@@ -108,6 +111,7 @@
</span><span class="cx"> bool m_simpleRequest;
</span><span class="cx"> bool m_async;
</span><span class="cx"> std::unique_ptr<ResourceRequest> m_actualRequest; // non-null during Access Control preflight checks
</span><ins>+ std::unique_ptr<ContentSecurityPolicy> m_contentSecurityPolicy;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/ThreadableLoader.cpp (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/ThreadableLoader.cpp 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/loader/ThreadableLoader.cpp 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -51,10 +51,11 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-ThreadableLoaderOptions::ThreadableLoaderOptions(const ResourceLoaderOptions& baseOptions, PreflightPolicy preflightPolicy, CrossOriginRequestPolicy crossOriginRequestPolicy, RefPtr<SecurityOrigin>&& securityOrigin, String&& initiator)
</del><ins>+ThreadableLoaderOptions::ThreadableLoaderOptions(const ResourceLoaderOptions& baseOptions, PreflightPolicy preflightPolicy, CrossOriginRequestPolicy crossOriginRequestPolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, RefPtr<SecurityOrigin>&& securityOrigin, String&& initiator)
</ins><span class="cx"> : ResourceLoaderOptions(baseOptions)
</span><span class="cx"> , preflightPolicy(preflightPolicy)
</span><span class="cx"> , crossOriginRequestPolicy(crossOriginRequestPolicy)
</span><ins>+ , contentSecurityPolicyEnforcement(contentSecurityPolicyEnforcement)
</ins><span class="cx"> , securityOrigin(WTFMove(securityOrigin))
</span><span class="cx"> , initiator(WTFMove(initiator))
</span><span class="cx"> {
</span><span class="lines">@@ -65,8 +66,7 @@
</span><span class="cx"> RefPtr<SecurityOrigin> securityOriginCopy;
</span><span class="cx"> if (securityOrigin)
</span><span class="cx"> securityOriginCopy = securityOrigin->isolatedCopy();
</span><del>- return std::make_unique<ThreadableLoaderOptions>(*this, preflightPolicy, crossOriginRequestPolicy,
- WTFMove(securityOriginCopy), initiator.isolatedCopy());
</del><ins>+ return std::make_unique<ThreadableLoaderOptions>(*this, preflightPolicy, crossOriginRequestPolicy, contentSecurityPolicyEnforcement, WTFMove(securityOriginCopy), initiator.isolatedCopy());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> PassRefPtr<ThreadableLoader> ThreadableLoader::create(ScriptExecutionContext* context, ThreadableLoaderClient* client, const ResourceRequest& request, const ThreadableLoaderOptions& options)
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderThreadableLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/ThreadableLoader.h (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/ThreadableLoader.h 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/loader/ThreadableLoader.h 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -59,15 +59,22 @@
</span><span class="cx"> PreventPreflight
</span><span class="cx"> };
</span><span class="cx">
</span><ins>+ enum class ContentSecurityPolicyEnforcement {
+ DoNotEnforce,
+ EnforceConnectSrcDirective,
+ EnforceScriptSrcDirective,
+ };
+
</ins><span class="cx"> struct ThreadableLoaderOptions : ResourceLoaderOptions {
</span><span class="cx"> ThreadableLoaderOptions();
</span><del>- ThreadableLoaderOptions(const ResourceLoaderOptions&, PreflightPolicy, CrossOriginRequestPolicy, RefPtr<SecurityOrigin>&&, String&& initiator);
</del><ins>+ ThreadableLoaderOptions(const ResourceLoaderOptions&, PreflightPolicy, CrossOriginRequestPolicy, ContentSecurityPolicyEnforcement, RefPtr<SecurityOrigin>&&, String&& initiator);
</ins><span class="cx"> ~ThreadableLoaderOptions();
</span><span class="cx">
</span><span class="cx"> std::unique_ptr<ThreadableLoaderOptions> isolatedCopy() const;
</span><span class="cx">
</span><span class="cx"> PreflightPolicy preflightPolicy; // If AccessControl is used, how to determine if a preflight is needed.
</span><span class="cx"> CrossOriginRequestPolicy crossOriginRequestPolicy;
</span><ins>+ ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement { ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective };
</ins><span class="cx"> RefPtr<SecurityOrigin> securityOrigin;
</span><span class="cx"> String initiator; // This cannot be an AtomicString, as isolatedCopy() wouldn't create an object that's safe for passing to another thread.
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderWorkerThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/loader/WorkerThreadableLoader.cpp 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -31,6 +31,7 @@
</span><span class="cx"> #include "config.h"
</span><span class="cx"> #include "WorkerThreadableLoader.h"
</span><span class="cx">
</span><ins>+#include "ContentSecurityPolicy.h"
</ins><span class="cx"> #include "Document.h"
</span><span class="cx"> #include "DocumentThreadableLoader.h"
</span><span class="cx"> #include "ResourceError.h"
</span><span class="lines">@@ -51,7 +52,7 @@
</span><span class="cx"> WorkerThreadableLoader::WorkerThreadableLoader(WorkerGlobalScope* workerGlobalScope, ThreadableLoaderClient* client, const String& taskMode, const ResourceRequest& request, const ThreadableLoaderOptions& options)
</span><span class="cx"> : m_workerGlobalScope(workerGlobalScope)
</span><span class="cx"> , m_workerClientWrapper(ThreadableLoaderClientWrapper::create(client))
</span><del>- , m_bridge(*(new MainThreadBridge(m_workerClientWrapper, m_workerGlobalScope->thread().workerLoaderProxy(), taskMode, request, options, workerGlobalScope->url().strippedForUseAsReferrer())))
</del><ins>+ , m_bridge(*(new MainThreadBridge(m_workerClientWrapper, workerGlobalScope->thread().workerLoaderProxy(), taskMode, request, options, workerGlobalScope->url().strippedForUseAsReferrer(), workerGlobalScope->securityOrigin(), workerGlobalScope->contentSecurityPolicy())))
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -83,7 +84,8 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> WorkerThreadableLoader::MainThreadBridge::MainThreadBridge(PassRefPtr<ThreadableLoaderClientWrapper> workerClientWrapper, WorkerLoaderProxy& loaderProxy, const String& taskMode,
</span><del>- const ResourceRequest& request, const ThreadableLoaderOptions& options, const String& outgoingReferrer)
</del><ins>+ const ResourceRequest& request, const ThreadableLoaderOptions& options, const String& outgoingReferrer,
+ const SecurityOrigin* securityOrigin, const ContentSecurityPolicy* contentSecurityPolicy)
</ins><span class="cx"> : m_workerClientWrapper(workerClientWrapper)
</span><span class="cx"> , m_loaderProxy(loaderProxy)
</span><span class="cx"> , m_taskMode(taskMode.isolatedCopy())
</span><span class="lines">@@ -92,8 +94,14 @@
</span><span class="cx">
</span><span class="cx"> auto* requestData = request.copyData().release();
</span><span class="cx"> auto* optionsCopy = options.isolatedCopy().release();
</span><ins>+
+ ASSERT(securityOrigin);
+ ASSERT(contentSecurityPolicy);
+ auto* contentSecurityPolicyCopy = std::make_unique<ContentSecurityPolicy>(*securityOrigin).release();
+ contentSecurityPolicyCopy->copyStateFrom(contentSecurityPolicy);
+
</ins><span class="cx"> StringCapture capturedOutgoingReferrer(outgoingReferrer);
</span><del>- m_loaderProxy.postTaskToLoader([this, requestData, optionsCopy, capturedOutgoingReferrer](ScriptExecutionContext& context) {
</del><ins>+ m_loaderProxy.postTaskToLoader([this, requestData, optionsCopy, contentSecurityPolicyCopy, capturedOutgoingReferrer](ScriptExecutionContext& context) {
</ins><span class="cx"> ASSERT(isMainThread());
</span><span class="cx"> Document& document = downcast<Document>(context);
</span><span class="cx">
</span><span class="lines">@@ -105,7 +113,7 @@
</span><span class="cx"> // FIXME: If the a site requests a local resource, then this will return a non-zero value but the sync path
</span><span class="cx"> // will return a 0 value. Either this should return 0 or the other code path should do a callback with
</span><span class="cx"> // a failure.
</span><del>- m_mainThreadLoader = DocumentThreadableLoader::create(document, *this, *request, *options);
</del><ins>+ m_mainThreadLoader = DocumentThreadableLoader::create(document, *this, *request, *options, std::unique_ptr<ContentSecurityPolicy>(contentSecurityPolicyCopy));
</ins><span class="cx"> ASSERT(m_mainThreadLoader);
</span><span class="cx"> });
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderWorkerThreadableLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/WorkerThreadableLoader.h (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/WorkerThreadableLoader.h 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/loader/WorkerThreadableLoader.h 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -43,6 +43,7 @@
</span><span class="cx">
</span><span class="cx"> namespace WebCore {
</span><span class="cx">
</span><ins>+ class ContentSecurityPolicy;
</ins><span class="cx"> class ResourceError;
</span><span class="cx"> class ResourceRequest;
</span><span class="cx"> class WorkerGlobalScope;
</span><span class="lines">@@ -94,7 +95,7 @@
</span><span class="cx"> class MainThreadBridge : public ThreadableLoaderClient {
</span><span class="cx"> public:
</span><span class="cx"> // All executed on the worker context's thread.
</span><del>- MainThreadBridge(PassRefPtr<ThreadableLoaderClientWrapper>, WorkerLoaderProxy&, const String& taskMode, const ResourceRequest&, const ThreadableLoaderOptions&, const String& outgoingReferrer);
</del><ins>+ MainThreadBridge(PassRefPtr<ThreadableLoaderClientWrapper>, WorkerLoaderProxy&, const String& taskMode, const ResourceRequest&, const ThreadableLoaderOptions&, const String& outgoingReferrer, const SecurityOrigin*, const ContentSecurityPolicy*);
</ins><span class="cx"> void cancel();
</span><span class="cx"> void destroy();
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorepageEventSourcecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/EventSource.cpp (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/EventSource.cpp 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/page/EventSource.cpp 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -129,6 +129,7 @@
</span><span class="cx"> options.crossOriginRequestPolicy = UseAccessControl;
</span><span class="cx"> options.setDataBufferingPolicy(DoNotBufferData);
</span><span class="cx"> options.securityOrigin = origin;
</span><ins>+ options.contentSecurityPolicyEnforcement = scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy() ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective;
</ins><span class="cx">
</span><span class="cx"> m_loader = ThreadableLoader::create(scriptExecutionContext(), this, request, options);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersAbstractWorkercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/AbstractWorker.cpp (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/AbstractWorker.cpp 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/workers/AbstractWorker.cpp 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -43,7 +43,7 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-URL AbstractWorker::resolveURL(const String& url, ExceptionCode& ec)
</del><ins>+URL AbstractWorker::resolveURL(const String& url, bool shouldBypassMainWorldContentSecurityPolicy, ExceptionCode& ec)
</ins><span class="cx"> {
</span><span class="cx"> if (url.isEmpty()) {
</span><span class="cx"> ec = SYNTAX_ERR;
</span><span class="lines">@@ -65,7 +65,7 @@
</span><span class="cx"> // FIXME: Enforce the child-src directive instead of script-src per <https://w3c.github.io/webappsec-csp/2/#directive-child-src-workers> (29 August 2015).
</span><span class="cx"> // See <https://bugs.webkit.org/show_bug.cgi?id=153562>.
</span><span class="cx"> ASSERT(scriptExecutionContext()->contentSecurityPolicy());
</span><del>- if (!scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(scriptURL, scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy())) {
</del><ins>+ if (!scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(scriptURL, shouldBypassMainWorldContentSecurityPolicy)) {
</ins><span class="cx"> ec = SECURITY_ERR;
</span><span class="cx"> return URL();
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersAbstractWorkerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/AbstractWorker.h (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/AbstractWorker.h 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/workers/AbstractWorker.h 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -54,7 +54,7 @@
</span><span class="cx"> AbstractWorker() = default;
</span><span class="cx">
</span><span class="cx"> // Helper function that converts a URL to an absolute URL and checks the result for validity.
</span><del>- URL resolveURL(const String& url, ExceptionCode& ec);
</del><ins>+ URL resolveURL(const String& url, bool shouldBypassMainWorldContentSecurityPolicy, ExceptionCode&);
</ins><span class="cx"> intptr_t asID() const { return reinterpret_cast<intptr_t>(this); }
</span><span class="cx">
</span><span class="cx"> private:
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/Worker.cpp (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/Worker.cpp 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/workers/Worker.cpp 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -83,18 +83,19 @@
</span><span class="cx">
</span><span class="cx"> worker->suspendIfNeeded();
</span><span class="cx">
</span><del>- URL scriptURL = worker->resolveURL(url, ec);
</del><ins>+ bool shouldBypassMainWorldContentSecurityPolicy = context.shouldBypassMainWorldContentSecurityPolicy();
+ URL scriptURL = worker->resolveURL(url, shouldBypassMainWorldContentSecurityPolicy, ec);
</ins><span class="cx"> if (scriptURL.isEmpty())
</span><span class="cx"> return nullptr;
</span><span class="cx">
</span><del>- worker->m_shouldBypassMainWorldContentSecurityPolicy = context.shouldBypassMainWorldContentSecurityPolicy();
</del><ins>+ worker->m_shouldBypassMainWorldContentSecurityPolicy = shouldBypassMainWorldContentSecurityPolicy;
</ins><span class="cx">
</span><span class="cx"> // The worker context does not exist while loading, so we must ensure that the worker object is not collected, nor are its event listeners.
</span><span class="cx"> worker->setPendingActivity(worker.ptr());
</span><span class="cx">
</span><span class="cx"> worker->m_scriptLoader = WorkerScriptLoader::create();
</span><del>- worker->m_scriptLoader->loadAsynchronously(&context, scriptURL, DenyCrossOriginRequests, worker.ptr());
-
</del><ins>+ // FIXME: Enforce Content Security Policy child-src directive when shouldBypassMainWorldContentSecurityPolicy is false. See <https://bugs.webkit.org/show_bug.cgi?id=153562>.
+ worker->m_scriptLoader->loadAsynchronously(&context, scriptURL, DenyCrossOriginRequests, ContentSecurityPolicyEnforcement::DoNotEnforce, worker.ptr());
</ins><span class="cx"> return WTFMove(worker);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerGlobalScopecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerGlobalScope.cpp (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/workers/WorkerGlobalScope.cpp 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -183,8 +183,15 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> for (auto& url : completedURLs) {
</span><ins>+ // FIXME: Convert this to check the isolated world's Content Security Policy once webkit.org/b/104520 is solved.
+ bool shouldBypassMainWorldContentSecurityPolicy = scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy();
+ if (!scriptExecutionContext()->contentSecurityPolicy()->allowScriptFromSource(url, shouldBypassMainWorldContentSecurityPolicy)) {
+ ec = NETWORK_ERR;
+ return;
+ }
+
</ins><span class="cx"> Ref<WorkerScriptLoader> scriptLoader = WorkerScriptLoader::create();
</span><del>- scriptLoader->loadSynchronously(scriptExecutionContext(), url, AllowCrossOriginRequests);
</del><ins>+ scriptLoader->loadSynchronously(scriptExecutionContext(), url, AllowCrossOriginRequests, shouldBypassMainWorldContentSecurityPolicy ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective);
</ins><span class="cx">
</span><span class="cx"> // If the fetching attempt failed, throw a NETWORK_ERR exception and abort all these steps.
</span><span class="cx"> if (scriptLoader->failed()) {
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerScriptLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerScriptLoader.cpp (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerScriptLoader.cpp 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/workers/WorkerScriptLoader.cpp 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -29,6 +29,7 @@
</span><span class="cx">
</span><span class="cx"> #include "WorkerScriptLoader.h"
</span><span class="cx">
</span><ins>+#include "ContentSecurityPolicy.h"
</ins><span class="cx"> #include "ResourceResponse.h"
</span><span class="cx"> #include "ScriptExecutionContext.h"
</span><span class="cx"> #include "SecurityOrigin.h"
</span><span class="lines">@@ -53,7 +54,7 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void WorkerScriptLoader::loadSynchronously(ScriptExecutionContext* scriptExecutionContext, const URL& url, CrossOriginRequestPolicy crossOriginRequestPolicy)
</del><ins>+void WorkerScriptLoader::loadSynchronously(ScriptExecutionContext* scriptExecutionContext, const URL& url, CrossOriginRequestPolicy crossOriginRequestPolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement)
</ins><span class="cx"> {
</span><span class="cx"> m_url = url;
</span><span class="cx">
</span><span class="lines">@@ -67,11 +68,13 @@
</span><span class="cx"> options.setAllowCredentials(AllowStoredCredentials);
</span><span class="cx"> options.crossOriginRequestPolicy = crossOriginRequestPolicy;
</span><span class="cx"> options.setSendLoadCallbacks(SendCallbacks);
</span><ins>+ options.securityOrigin = scriptExecutionContext->securityOrigin();
+ options.contentSecurityPolicyEnforcement = contentSecurityPolicyEnforcement;
</ins><span class="cx">
</span><span class="cx"> WorkerThreadableLoader::loadResourceSynchronously(downcast<WorkerGlobalScope>(scriptExecutionContext), *request, *this, options);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void WorkerScriptLoader::loadAsynchronously(ScriptExecutionContext* scriptExecutionContext, const URL& url, CrossOriginRequestPolicy crossOriginRequestPolicy, WorkerScriptLoaderClient* client)
</del><ins>+void WorkerScriptLoader::loadAsynchronously(ScriptExecutionContext* scriptExecutionContext, const URL& url, CrossOriginRequestPolicy crossOriginRequestPolicy, ContentSecurityPolicyEnforcement contentSecurityPolicyEnforcement, WorkerScriptLoaderClient* client)
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(client);
</span><span class="cx"> m_client = client;
</span><span class="lines">@@ -85,6 +88,8 @@
</span><span class="cx"> options.setAllowCredentials(AllowStoredCredentials);
</span><span class="cx"> options.crossOriginRequestPolicy = crossOriginRequestPolicy;
</span><span class="cx"> options.setSendLoadCallbacks(SendCallbacks);
</span><ins>+ options.securityOrigin = scriptExecutionContext->securityOrigin();
+ options.contentSecurityPolicyEnforcement = contentSecurityPolicyEnforcement;
</ins><span class="cx">
</span><span class="cx"> // During create, callbacks may happen which remove the last reference to this object.
</span><span class="cx"> Ref<WorkerScriptLoader> protect(*this);
</span></span></pre></div>
<a id="trunkSourceWebCoreworkersWorkerScriptLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/WorkerScriptLoader.h (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/WorkerScriptLoader.h 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/workers/WorkerScriptLoader.h 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -54,8 +54,8 @@
</span><span class="cx"> return adoptRef(*new WorkerScriptLoader);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void loadSynchronously(ScriptExecutionContext*, const URL&, CrossOriginRequestPolicy);
- void loadAsynchronously(ScriptExecutionContext*, const URL&, CrossOriginRequestPolicy, WorkerScriptLoaderClient*);
</del><ins>+ void loadSynchronously(ScriptExecutionContext*, const URL&, CrossOriginRequestPolicy, ContentSecurityPolicyEnforcement);
+ void loadAsynchronously(ScriptExecutionContext*, const URL&, CrossOriginRequestPolicy, ContentSecurityPolicyEnforcement, WorkerScriptLoaderClient*);
</ins><span class="cx">
</span><span class="cx"> void notifyError();
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCorexmlXMLHttpRequestcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (196282 => 196283)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-02-09 01:25:35 UTC (rev 196282)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp 2016-02-09 01:26:56 UTC (rev 196283)
</span><span class="lines">@@ -755,6 +755,7 @@
</span><span class="cx"> options.setCredentialRequest(m_includeCredentials ? ClientRequestedCredentials : ClientDidNotRequestCredentials);
</span><span class="cx"> options.crossOriginRequestPolicy = UseAccessControl;
</span><span class="cx"> options.securityOrigin = securityOrigin();
</span><ins>+ options.contentSecurityPolicyEnforcement = scriptExecutionContext()->shouldBypassMainWorldContentSecurityPolicy() ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective;
</ins><span class="cx"> options.initiator = cachedResourceRequestInitiators().xmlhttprequest;
</span><span class="cx">
</span><span class="cx"> if (m_timeoutMilliseconds) {
</span></span></pre>
</div>
</div>
</body>
</html>