<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[196526] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/196526">196526</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-02-12 16:18:40 -0800 (Fri, 12 Feb 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>CSP: Implement child-src directive
https://bugs.webkit.org/show_bug.cgi?id=153562
&lt;rdar://problem/24610087&gt;

Reviewed by Brent Fulgham.

Source/WebCore:

Add support for the child-src directive, &lt;https://w3c.github.io/webappsec-csp/2/#child_src&gt; (29 August 2015),
which formally replaces the deprecated frame-src directive as of the Content Security Policy 2.0 spec. The
child-src directive was first introduced in the Content Security Policy 1.1 spec, &lt;https://www.w3.org/TR/2014/WD-CSP11-20140211/&gt;.

As a side effect of this change, the script URL for a Web Worker is checked against the child-src directive
as opposed to the script-src directive. This is a backward incompatible change from the CSP 1.0 spec.

Tests: http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html
       http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html
       http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html
       http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): Check child-src directive (if applicable).
* loader/ThreadableLoader.h: Add enum value EnforceChildSrcDirective to enum class ContentSecurityPolicyEnforcement to
enforce the child-src directive on redirect.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowChildContextFromSource): Added.
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::checkSourceAndReportViolation): Add message prefix for a child-src violation.
We use the same message prefix as used by Blink.
(WebCore::ContentSecurityPolicyDirectiveList::allowChildContextFromSource): Added.
(WebCore::ContentSecurityPolicyDirectiveList::allowChildFrameFromSource): Modified to check the frame-src
directive (if specified) before checking the child-src directive by &lt;https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested&gt;.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Parse the child-src directive.
* page/csp/ContentSecurityPolicyDirectiveList.h:
* workers/AbstractWorker.cpp:
(WebCore::AbstractWorker::resolveURL): Check if the script URL for the worker is allowed by the child-src directive
as opposed to the script-src directive. This is a backwards incompatible change from the CSP 1.0 spec.
* workers/Worker.cpp:
(WebCore::Worker::create): Enforce the child-src directive on redirects (if applicable).

LayoutTests:

Add new tests, un-skip now passing tests and update incorrect expected result for test http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html.

* TestExpectations: Remove entry for test http/tests/security/contentSecurityPolicy/worker-script-src.html as it now passes.
Mark all tests in http/tests/security/contentSecurityPolicy/1.1/child-src as PASS so that we run them except for tests
frame-fires-load-event-when-blocked.html and frame-fires-load-event-when-redirect-blocked.html (formerly named frame-blocked.html
and frame-redirect-blocked.html, respectively) as they depend on the fix for &lt;https://bugs.webkit.org/show_bug.cgi?id=153150&gt;.
Skip all other CSP 1.1 tests until we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=85558&gt;. Group some CSP 1.1 entries together.
* fast/workers/worker-inherits-csp-blocks-eval-expected.txt: Update expected result based on change to worker-inherits-csp-blocks-eval.html.
* fast/workers/worker-inherits-csp-blocks-eval.html: Remove source 'self' from script-src directive. This was needed as
a workaround for &lt;https://bugs.webkit.org/show_bug.cgi?id=153158&gt; when the script URL for a worker was checked against the
script-src directive. Now that the script URL is checked against the child-src directive we do not need this workaround.
* fast/workers/worker-inherits-csp-blocks-xhr.html: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-about-blank-allowed.html: Use js-test-{pre, post}.js as opposed to
js-test.js to avoid duplicate &quot;TEST COMPLETE&quot; output.
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-allowed.html: Ditto.
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt: Update expected result based on changes to frame-blocked.html.
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html: Update test to work without the fix for &lt;https://bugs.webkit.org/show_bug.cgi?id=153150&gt;.

* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt.
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html.
Keep a copy of the original test for when we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=153150&gt;.

* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt.
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html.
Keep a copy of the original test for when we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=153150&gt;.

* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt: Update expected result based on changes to frame-redirect-blocked.html.
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html: Update test to work without the fix for &lt;https://bugs.webkit.org/show_bug.cgi?id=153150&gt;.
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed.html: Use js-test-{pre, post}.js as opposed to
js-test.js to avoid duplicate &quot;TEST COMPLETE&quot; output.
* http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt: Update incorrect expected result to
reflect WebKit error message. The current result reflects the error message used by Blink.
* http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html: Use js-test-{pre, post}.js as opposed to
js-test.js to avoid duplicate &quot;TEST COMPLETE&quot; output.
* http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed-expected.txt: Removed; WebKit does not support shared Web Workers.
* http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed.html: Removed; WebKit does not support shared Web Workers.
* http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt: Removed; WebKit does not support shared Web Workers.
* http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked.html: Removed; WebKit does not support shared Web Workers.
* http/tests/security/contentSecurityPolicy/resources/child-src-test.js: Remove logic for testing shared Web Workers as WebKit does not support such workers.
(window.onload): Deleted.
(injectSharedWorker): Deleted.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt: Update expected result based on change to worker-blob-inherits-csp-blocks-eval.html.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html: Remove source 'self' from script-src directive.
This was needed as a workaround for &lt;https://bugs.webkit.org/show_bug.cgi?id=153158&gt; when the script URL for a worker was checked
against the script-src directive. Now that the script URL is checked against the child-src directive we do not need this workaround.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt: Update
expected result based on change to worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html:
Remove source 'self' from script-src directive. This was needed as a workaround for &lt;https://bugs.webkit.org/show_bug.cgi?id=153158&gt; when
the script URL for a worker was checked against the script-src directive. Now that the script URL is checked against the child-src directive
we do not need this workaround.
* http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html: Ditto.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html: Add child-src 'none' and remove FIXME comment.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt: Added.
* http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html: Added.
* platform/ios-simulator/TestExpectations: Remove skip entry for tests in http/tests/security/contentSecurityPolicy/1.1 from this file.
Instead we will skip these tests from LayoutTests/TestExpectations since they fail for all ports.
* platform/mac/TestExpectations: Ditto.
* platform/win/TestExpectations: Ditto.
* platform/wk2/TestExpectations: Ditto.</pre>
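<p>Added example, not part of the changeset and not WebKit code: a small JavaScript model of the directive selection the log message describes (frame-src before child-src for frames, child-src instead of script-src for worker script URLs, and the check repeated on every redirect hop). The default-src fallback comes from the CSP 2 specification; the function names, the 'worker-csp1' kind and the example.* origins are hypothetical, and source matching is reduced to 'none', 'self', '*', scheme sources and origin sources.</p>

```javascript
// Added example (not WebKit code). All names below are hypothetical.
// Models which directive governs a frame or worker load under the rules
// in the log message, and applies it to every URL in a redirect chain.

// Parse a Content-Security-Policy header value into name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Lookup order per load kind. 'worker-csp1' models the behaviour before
// this change (script URL checked against script-src) for comparison.
const FALLBACK = {
  frame: ['frame-src', 'child-src', 'default-src'],
  worker: ['child-src', 'default-src'],
  'worker-csp1': ['script-src', 'default-src'],
};

// Return the name of the first directive in the chain that the policy
// declares, or null when none of them is present (nothing to enforce).
function effectiveDirective(policy, kind) {
  for (const name of FALLBACK[kind]) {
    if (policy.has(name)) return name;
  }
  return null;
}

// Simplified source-expression matcher (assumption: no paths, ports,
// wildcards in hosts, nonces or hashes).
function sourceMatches(source, url, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (s === "'self'") return url.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  try {
    return new URL(s).origin === url.origin;
  } catch {
    return false; // unsupported keyword or malformed source
  }
}

// Check a load and each redirect hop against the governing directive.
// An empty source list matches nothing, the same as 'none'.
function checkLoad(header, kind, urlChain, selfOrigin) {
  const policy = parsePolicy(header);
  const directive = effectiveDirective(policy, kind);
  if (directive === null) {
    return { allowed: true, directive: null, blockedUrl: null };
  }
  const sources = policy.get(directive);
  for (const raw of urlChain) {
    const url = new URL(raw);
    if (!sources.some((s) => sourceMatches(s, url, selfOrigin))) {
      return { allowed: false, directive, blockedUrl: raw };
    }
  }
  return { allowed: true, directive, blockedUrl: null };
}

// Constructed sample input.
const SELF = 'https://app.example';
const WORKER = ['https://app.example/worker.js'];
const REDIRECTED = ['https://app.example/worker.js', 'https://cdn.example/worker.js'];

function demo() {
  return {
    // Same policy, same worker URL: allowed under the old rule, blocked now.
    workerOld: checkLoad("script-src 'self'; child-src 'none'", 'worker-csp1', WORKER, SELF),
    workerNew: checkLoad("script-src 'self'; child-src 'none'", 'worker', WORKER, SELF),
    // frame-src, when present, is consulted instead of child-src.
    frame: checkLoad("frame-src 'none'; child-src 'self'", 'frame', ['https://app.example/f.html'], SELF),
    // The redirect target is checked as well as the initial URL.
    redirect: checkLoad("child-src 'self'", 'worker', REDIRECTED, SELF),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

<p>A site that relied on script-src alone to restrict worker script URLs needs an explicit child-src (or default-src) source list once the user agent follows this rule.</p>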

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkLayoutTestsfastworkersworkerinheritscspblocksevalexpectedtxt">trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval-expected.txt</a></li>
<li><a href="#trunkLayoutTestsfastworkersworkerinheritscspblocksevalhtml">trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval.html</a></li>
<li><a href="#trunkLayoutTestsfastworkersworkerinheritscspblocksxhrhtml">trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeaboutblankallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-about-blank-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourceschildsrctestjs">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-src-test.js</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspblocksevalexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspblocksevalhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsblockabortsallsubsequentimportsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsblockabortsallsubsequentimportshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsredirectcrossoriginblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerhtml">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html</a></li>
<li><a href="#trunkLayoutTestsplatformiossimulatorTestExpectations">trunk/LayoutTests/platform/ios-simulator/TestExpectations</a></li>
<li><a href="#trunkLayoutTestsplatformmacTestExpectations">trunk/LayoutTests/platform/mac/TestExpectations</a></li>
<li><a href="#trunkLayoutTestsplatformwinTestExpectations">trunk/LayoutTests/platform/win/TestExpectations</a></li>
<li><a href="#trunkLayoutTestsplatformwk2TestExpectations">trunk/LayoutTests/platform/wk2/TestExpectations</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentThreadableLoadercpp">trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderThreadableLoaderh">trunk/Source/WebCore/loader/ThreadableLoader.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h</a></li>
<li><a href="#trunkSourceWebCoreworkersAbstractWorkercpp">trunk/Source/WebCore/workers/AbstractWorker.cpp</a></li>
<li><a href="#trunkSourceWebCoreworkersWorkercpp">trunk/Source/WebCore/workers/Worker.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframefiresloadeventwhenblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframefiresloadeventwhenblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframefiresloadeventwhenredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframefiresloadeventwhenredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframesrctakesprecedenceoverchildsrcexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframesrctakesprecedenceoverchildsrchtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerredirectexpectedtxt">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerredirecthtml">trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkersharedallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkersharedallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkersharedblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkersharedblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/ChangeLog        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,3 +1,76 @@
</span><ins>+2016-02-12  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: Implement child-src directive
+        https://bugs.webkit.org/show_bug.cgi?id=153562
+        &lt;rdar://problem/24610087&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Add new tests, un-skip now passing tests and update incorrect expected result for test http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html. 
+
+        * TestExpectations: Remove entry for test http/tests/security/contentSecurityPolicy/worker-script-src.html as it now passes.
+        Mark all tests in http/tests/security/contentSecurityPolicy/1.1/child-src as PASS so that we run them except for tests
+        frame-fires-load-event-when-blocked.html and frame-fires-load-event-when-redirect-blocked.html (formerly named frame-blocked.html
+        and frame-redirect-blocked.html, respectively) as they depend on the fix for &lt;https://bugs.webkit.org/show_bug.cgi?id=153150&gt;.
+        Skip all other CSP 1.1 tests until we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=85558&gt;. Group some CSP 1.1 entries together.
+        * fast/workers/worker-inherits-csp-blocks-eval-expected.txt: Update expected result based on change to worker-inherits-csp-blocks-eval.html.
+        * fast/workers/worker-inherits-csp-blocks-eval.html: Remove source 'self' from script-src directive. This was needed as
+        a workaround for &lt;https://bugs.webkit.org/show_bug.cgi?id=153158&gt; when the script URL for a worker was checked against the
+        script-src directive. Now that the script URL is checked against the child-src directive we do not need this workaround.
+        * fast/workers/worker-inherits-csp-blocks-xhr.html: Ditto.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-about-blank-allowed.html: Use js-test-{pre, post}.js as opposed to
+        js-test.js to avoid duplicate &quot;TEST COMPLETE&quot; output.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-allowed.html: Ditto.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt: Update expected result based on changes to frame-blocked.html.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html: Update test to work without the fix for &lt;https://bugs.webkit.org/show_bug.cgi?id=153150&gt;.
+
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html.
+        Keep a copy of the original test for when we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=153150&gt;.
+
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html.
+        Keep a copy of the original test for when we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=153150&gt;.
+
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt: Update expected result based on changes to frame-redirect-blocked.html.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html: Update test to work without the fix for &lt;https://bugs.webkit.org/show_bug.cgi?id=153150&gt;.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed.html: Use js-test-{pre, post}.js as opposed to
+        js-test.js to avoid duplicate &quot;TEST COMPLETE&quot; output.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt: Update incorrect expected result to
+        reflect WebKit error message. The current result reflects the error message used by Blink.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html: Use js-test-{pre, post}.js as opposed to
+        js-test.js to avoid duplicate &quot;TEST COMPLETE&quot; output.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed-expected.txt: Removed; WebKit does not support shared Web Workers.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed.html: Removed; WebKit does not support shared Web Workers.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt: Removed; WebKit does not support shared Web Workers.
+        * http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked.html: Removed; WebKit does not support shared Web Workers.
+        * http/tests/security/contentSecurityPolicy/resources/child-src-test.js: Remove logic for testing shared Web Workers as WebKit does not support such workers.
+        (window.onload): Deleted.
+        (injectSharedWorker): Deleted.
+        * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt: Update expected result based on change to worker-blob-inherits-csp-blocks-eval.html.
+        * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html: Remove source 'self' from script-src directive.
+        This was needed as a workaround for &lt;https://bugs.webkit.org/show_bug.cgi?id=153158&gt; when the script URL for a worker was checked
+        against the script-src directive. Now that the script URL is checked against the child-src directive we do not need this workaround.
+        * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt: Update
+        expected result based on change to worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html.
+        * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html:
+        Remove source 'self' from script-src directive. This was needed as a workaround for &lt;https://bugs.webkit.org/show_bug.cgi?id=153158&gt; when
+        the script URL for a worker was checked against the script-src directive. Now that the script URL is checked against the child-src directive
+        we do not need this workaround.
+        * http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html: Ditto.
+        * http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html: Add child-src 'none' and remove FIXME comment.
+        * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt: Added.
+        * http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html: Added.
+        * platform/ios-simulator/TestExpectations: Remove skip entry for tests in http/tests/security/contentSecurityPolicy/1.1 from this file.
+        Instead we will skip these tests from LayoutTests/TestExpectations since they fail for all ports.
+        * platform/mac/TestExpectations: Ditto.
+        * platform/win/TestExpectations: Ditto.
+        * platform/wk2/TestExpectations: Ditto.
+
</ins><span class="cx"> 2016-02-11  Ryan Haddad  &lt;ryanhaddad@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Re-enable skipped animations tests on ios-simulator
</span></span></pre></div>
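Review bot: The entries for child-src/frame-blocked.html and child-src/frame-redirect-blocked.html say only "Update test to work without the fix for" bug 153150, which does not tell a later reader what these two tests stopped checking. Since the originals are kept under the frame-fires-load-event-when-* names, please add a phrase to each entry naming the assertion that was dropped (judging by the new file names, the load event firing on a blocked frame). Style nit in the same hunk: the summary line "Add new tests, un-skip now passing tests ..." ends with a trailing space.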
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/TestExpectations        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -792,6 +792,11 @@
</span><span class="cx"> webkit.org/b/52185 fast/css/vertical-align-baseline-rowspan-010.html [ ImageOnlyFailure ]
</span><span class="cx"> 
</span><span class="cx"> # Content Security Policy failures
</span><ins>+webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1
+http/tests/security/contentSecurityPolicy/1.1/child-src [ Pass ]
+webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
+webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
+webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html
</ins><span class="cx"> webkit.org/b/111869 http/tests/security/contentSecurityPolicy/eval-blocked-and-sends-report.html
</span><span class="cx"> webkit.org/b/115700 http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html [ Failure ]
</span><span class="cx"> webkit.org/b/115702 http/tests/security/contentSecurityPolicy/report-cross-origin-no-cookies.html [ Failure ]
</span><span class="lines">@@ -799,6 +804,8 @@
</span><span class="cx"> webkit.org/b/115707 http/tests/security/contentSecurityPolicy/report-uri-scheme-relative.html [ Failure ]
</span><span class="cx"> webkit.org/b/153148 http/tests/security/contentSecurityPolicy/eval-allowed-in-report-only-mode-and-sends-report.html
</span><span class="cx"> webkit.org/b/153150 http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load.html
</span><ins>+webkit.org/b/153150 http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html
+webkit.org/b/153150 http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html
</ins><span class="cx"> webkit.org/b/153151 http/tests/security/contentSecurityPolicy/icon-allowed.html [ Failure ]
</span><span class="cx"> webkit.org/b/153151 http/tests/security/contentSecurityPolicy/icon-blocked.html [ Failure ]
</span><span class="cx"> webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-allowed.html # Needs testRunner.getManifestThen()
</span><span class="lines">@@ -830,11 +837,7 @@
</span><span class="cx"> webkit.org/b/153167 http/tests/security/contentSecurityPolicy/sandbox-report-only.html [ Failure ]
</span><span class="cx"> webkit.org/b/153168 http/tests/security/contentSecurityPolicy/source-list-parsing-07.html [ Failure ]
</span><span class="cx"> webkit.org/b/153170 http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html [ Failure ]
</span><del>-webkit.org/b/153562 http/tests/security/contentSecurityPolicy/worker-script-src.html [ Failure ]
</del><span class="cx"> http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
</span><del>-http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html # Needs expected file.
-http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html # Needs expected file.
-http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html # Needs expected file.
</del><span class="cx"> 
</span><span class="cx"> # These state object tests purposefully stress a resource limit, and take multiple seconds to run.
</span><span class="cx"> loader/stateobjects/pushstate-size-iframe.html [ Slow ]
</span></span></pre></div>
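Review bot: The three entries removed at the end of this hunk each carried the reason "# Needs expected file", but the lines that replace them under "# Content Security Policy failures" cite webkit.org/b/154203 with no comment and no expectation keyword, so the file no longer says why those tests are not run. Keep a short trailing comment on the re-added lines. Also confirm that worker-script-src.html has an up-to-date expected result now that its [ Failure ] entry under webkit.org/b/153562 is dropped.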
<a id="trunkLayoutTestsfastworkersworkerinheritscspblocksevalexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval-expected.txt (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval-expected.txt        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><span class="cx"> This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a file-URL Web Worker from using eval() because the parent's CSP does not list unsafe-eval in script-src.
</span><span class="cx"> 
</span><del>-PASS threw exception EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'self' 'unsafe-inline'&quot;.
</del><ins>+PASS threw exception EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
</ins><span class="cx"> .
</span></span></pre></div>
<a id="trunkLayoutTestsfastworkersworkerinheritscspblocksevalhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-eval.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'self' 'unsafe-inline'&quot;&gt;
</del><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'unsafe-inline'&quot;&gt;
</ins><span class="cx"> &lt;script&gt;
</span><span class="cx"> if (window.testRunner) {
</span><span class="cx">     testRunner.dumpAsText();
</span></span></pre></div>
<a id="trunkLayoutTestsfastworkersworkerinheritscspblocksxhrhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/fast/workers/worker-inherits-csp-blocks-xhr.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'self' 'unsafe-inline'; connect-src 'none'&quot;&gt;
</del><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'unsafe-inline'; connect-src 'none'&quot;&gt;
</ins><span class="cx"> &lt;script&gt;
</span><span class="cx"> if (window.testRunner) {
</span><span class="cx">     testRunner.dumpAsText();
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeaboutblankallowedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-about-blank-allowed.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-about-blank-allowed.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-about-blank-allowed.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-    &lt;script src=&quot;/js-test-resources/js-test.js&quot;&gt;&lt;/script&gt;
</del><ins>+    &lt;script src=&quot;/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
</ins><span class="cx">     &lt;script src=&quot;/security/contentSecurityPolicy/resources/child-src-test.js&quot;&gt;&lt;/script&gt;
</span><span class="cx">     &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src 'none';&quot;&gt;
</span><span class="cx"> &lt;/head&gt;
</span><span class="lines">@@ -10,5 +10,6 @@
</span><span class="cx">         description(&quot;'about:blank' should not be blocked by CSP.&quot;);
</span><span class="cx">         injectFrame(&quot;about:blank&quot;, EXPECT_LOAD);
</span><span class="cx">     &lt;/script&gt;
</span><ins>+    &lt;script src=&quot;/js-test-resources/js-test-post.js&quot;&gt;&lt;/script&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeallowedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-allowed.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-allowed.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-allowed.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-    &lt;script src=&quot;/js-test-resources/js-test.js&quot;&gt;&lt;/script&gt;
</del><ins>+    &lt;script src=&quot;/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
</ins><span class="cx">     &lt;script src=&quot;/security/contentSecurityPolicy/resources/child-src-test.js&quot;&gt;&lt;/script&gt;
</span><span class="cx">     &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src 'self';&quot;&gt;
</span><span class="cx"> &lt;/head&gt;
</span><span class="lines">@@ -10,6 +10,7 @@
</span><span class="cx">         description(&quot;Frames should be governed by 'child-src'.&quot;);
</span><span class="cx">         injectFrame(&quot;/security/contentSecurityPolicy/resources/alert-pass.html&quot;, EXPECT_LOAD);
</span><span class="cx">     &lt;/script&gt;
</span><ins>+    &lt;script src=&quot;/js-test-resources/js-test-post.js&quot;&gt;&lt;/script&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,13 +1,5 @@
</span><del>-CONSOLE MESSAGE: Refused to frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;child-src 'none'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;child-src 'none'&quot;.
</ins><span class="cx"> 
</span><del>-Frames should be governed by 'child-src'.
</del><ins>+This tests that an &lt;iframe&gt; load is blocked when using Content Security Policy child-src 'none'. This test PASSED if there is no JavaScript alert.
</ins><span class="cx"> 
</span><del>-On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</del><span class="cx"> 
</span><del>-
-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,14 +1,14 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-    &lt;script src=&quot;/js-test-resources/js-test.js&quot;&gt;&lt;/script&gt;
-    &lt;script src=&quot;/security/contentSecurityPolicy/resources/child-src-test.js&quot;&gt;&lt;/script&gt;
-    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src 'none';&quot;&gt;
</del><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src 'none'&quot;&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
</ins><span class="cx"> &lt;/head&gt;
</span><span class="cx"> &lt;body&gt;
</span><del>-    &lt;script&gt;
-        description(&quot;Frames should be governed by 'child-src'.&quot;);
-        injectFrame(&quot;/security/contentSecurityPolicy/resources/alert-fail.html&quot;, EXPECT_BLOCK);
-    &lt;/script&gt;
</del><ins>+&lt;p&gt;This tests that an &amp;lt;iframe&amp;gt; load is blocked when using Content Security Policy &lt;code&gt;child-src 'none'&lt;/code&gt;. This test PASSED if there is no JavaScript alert.&lt;/p&gt;
+&lt;iframe src=&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html&quot;&gt;&lt;/iframe&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframefiresloadeventwhenblockedexpectedtxtfromrev196525trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeblockedexpectedtxt"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked-expected.txt (from rev 196525, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked-expected.txt) (0 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+CONSOLE MESSAGE: Refused to load frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;child-src 'none'&quot;.
+
+Frames should be governed by 'child-src'.
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+IFrame load event fired: the IFrame is cross-origin (or was blocked).
+PASS The IFrame should have been blocked (or cross-origin). It was.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframefiresloadeventwhenblockedhtmlfromrev196525trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeblockedhtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html (from rev 196525, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-blocked.html) (0 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+    &lt;script src=&quot;/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+    &lt;script src=&quot;/security/contentSecurityPolicy/resources/child-src-test.js&quot;&gt;&lt;/script&gt;
+    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src 'none';&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+    &lt;script&gt;
+        description(&quot;Frames should be governed by 'child-src'.&quot;);
+        injectFrame(&quot;/security/contentSecurityPolicy/resources/alert-fail.html&quot;, EXPECT_BLOCK);
+    &lt;/script&gt;
+    &lt;script src=&quot;/js-test-resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
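Review bot: The description(...) call in this copied test still reads "Frames should be governed by 'child-src'.", word for word the text of the test it was copied from, so nothing in the file says that it now exists to check that the load event fires for a blocked frame. Reword the description to state that, and mention webkit.org/b/153150, since this change lists the test under that bug in LayoutTests/TestExpectations.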
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframefiresloadeventwhenredirectblockedexpectedtxtfromrev196525trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeredirectblockedexpectedtxt"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked-expected.txt (from rev 196525, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt) (0 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+CONSOLE MESSAGE: Refused to load frame 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;child-src 'self'&quot;.
+
+Frames should be governed by 'child-src'. Redirects should be covered.
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+IFrame load event fired: the IFrame is cross-origin (or was blocked).
+PASS The IFrame should have been blocked (or cross-origin). It was.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframefiresloadeventwhenredirectblockedhtmlfromrev196525trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeredirectblockedhtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html (from rev 196525, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html) (0 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+    &lt;script src=&quot;/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+    &lt;script src=&quot;/security/contentSecurityPolicy/resources/child-src-test.js&quot;&gt;&lt;/script&gt;
+    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src 'self';&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+    &lt;script&gt;
+        description(&quot;Frames should be governed by 'child-src'. Redirects should be covered.&quot;);
+        injectFrameRedirectingTo(&quot;http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html&quot;, EXPECT_BLOCK);
+    &lt;/script&gt;
+    &lt;script src=&quot;/js-test-resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,13 +1,5 @@
</span><del>-CONSOLE MESSAGE: Refused to frame 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;child-src 'self'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load frame 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php&quot;.
</ins><span class="cx"> 
</span><del>-Frames should be governed by 'child-src'. Redirects should be covered.
</del><ins>+This tests that the Content Security Policy of the page blocks an &lt;iframe&gt; from loading a document of a different origin through a redirect. This test PASSED if there is no JavaScript alert.
</ins><span class="cx"> 
</span><del>-On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</del><span class="cx"> 
</span><del>-
-IFrame load event fired: the IFrame is cross-origin (or was blocked).
-PASS The IFrame should have been blocked (or cross-origin). It was.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframeredirectblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-redirect-blocked.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,14 +1,14 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-    &lt;script src=&quot;/js-test-resources/js-test.js&quot;&gt;&lt;/script&gt;
-    &lt;script src=&quot;/security/contentSecurityPolicy/resources/child-src-test.js&quot;&gt;&lt;/script&gt;
-    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src 'self';&quot;&gt;
</del><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php&quot;&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
</ins><span class="cx"> &lt;/head&gt;
</span><span class="cx"> &lt;body&gt;
</span><del>-    &lt;script&gt;
-        description(&quot;Frames should be governed by 'child-src'. Redirects should be covered.&quot;);
-        injectFrameRedirectingTo(&quot;http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html&quot;, EXPECT_BLOCK);
-    &lt;/script&gt;
</del><ins>+&lt;p&gt;This tests that the Content Security Policy of the page blocks an &amp;lt;iframe&amp;gt; from loading a document of a different origin through a redirect. This test PASSED if there is no JavaScript alert.&lt;/p&gt;
+&lt;iframe src=&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html&quot;&gt;&lt;/iframe&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
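Review bot: Replacing child-src 'self' in the meta tag with the full redir.php URL changes what this test covers: a redirect under 'self' is now exercised only by frame-fires-load-event-when-redirect-blocked.html, which this change lists under webkit.org/b/153150 in TestExpectations, so that case is not part of the running suite. If the path source is deliberate, say why in the test's paragraph, and consider keeping a 'self' variant written in this static style so it does not depend on the load event.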
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframesrctakesprecedenceoverchildsrcexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt (0 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+CONSOLE MESSAGE: Refused to load frame 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;frame-src 'none'&quot;.
+
+This tests that an &lt;iframe&gt; load is blocked when using Content Security Policy frame-src 'none'; child-src 'self' because the deprecated directive frame-src takes precedence over the directive child-src. This test PASSED if there is no JavaScript alert.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcframesrctakesprecedenceoverchildsrchtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html (0 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;frame-src 'none'; child-src 'self'&quot;&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This tests that an &amp;lt;iframe&amp;gt; load is blocked when using Content Security Policy &lt;code&gt;frame-src 'none'; child-src 'self'&lt;/code&gt; because the deprecated directive frame-src takes precedence over the directive child-src. This test PASSED if there is no JavaScript alert.&lt;/p&gt;
+&lt;iframe src=&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
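Review bot: The policy frame-src 'none'; child-src 'self' only shows precedence in one direction, because an implementation that enforced both directives would block this frame too; the only thing separating the two behaviours is the directive named in the console message. Add the mirror case, frame-src 'self'; child-src 'none' with a same-origin frame that is expected to load, so that the stated rule (the deprecated frame-src overrides child-src) is pinned down by behaviour as well as by message text.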
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerallowedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-allowed.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-    &lt;script src=&quot;/js-test-resources/js-test.js&quot;&gt;&lt;/script&gt;
</del><ins>+    &lt;script src=&quot;/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
</ins><span class="cx">     &lt;script src=&quot;/security/contentSecurityPolicy/resources/child-src-test.js&quot;&gt;&lt;/script&gt;
</span><span class="cx">     &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src 'self';&quot;&gt;
</span><span class="cx"> &lt;/head&gt;
</span><span class="lines">@@ -10,5 +10,6 @@
</span><span class="cx">         description(&quot;Workers should be governed by 'child-src'.&quot;);
</span><span class="cx">         injectWorker(&quot;/security/contentSecurityPolicy/resources/alert-pass.js&quot;, EXPECT_LOAD);
</span><span class="cx">     &lt;/script&gt;
</span><ins>+    &lt;script src=&quot;/js-test-resources/js-test-post.js&quot;&gt;&lt;/script&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -5,7 +5,7 @@
</span><span class="cx"> On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
</span><span class="cx"> 
</span><span class="cx"> 
</span><del>-PASS var w = new Worker('/security/contentSecurityPolicy/resources/alert-fail.js'); threw exception SecurityError: Failed to construct 'Worker': Access to the script at 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' is denied by the document's Content Security Policy..
</del><ins>+PASS var w = new Worker('/security/contentSecurityPolicy/resources/alert-fail.js'); threw exception Error: SecurityError: DOM Exception 18.
</ins><span class="cx"> PASS successfullyParsed is true
</span><span class="cx"> 
</span><span class="cx"> TEST COMPLETE
</span></span></pre></div>
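Review bot: The new PASS line expects only "Error: SecurityError: DOM Exception 18", which no longer mentions Content Security Policy, so on this line any SecurityError thrown by the Worker constructor would match. Make sure the part of the expected file above this hunk records a console message that names the child-src directive, as worker-redirect-blocked-expected.txt does, so a block for some other reason cannot pass as a CSP block.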
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-blocked.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-    &lt;script src=&quot;/js-test-resources/js-test.js&quot;&gt;&lt;/script&gt;
</del><ins>+    &lt;script src=&quot;/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
</ins><span class="cx">     &lt;script src=&quot;/security/contentSecurityPolicy/resources/child-src-test.js&quot;&gt;&lt;/script&gt;
</span><span class="cx">     &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src 'none';&quot;&gt;
</span><span class="cx"> &lt;/head&gt;
</span><span class="lines">@@ -10,5 +10,6 @@
</span><span class="cx">         description(&quot;Workers should be governed by 'child-src'.&quot;);
</span><span class="cx">         injectWorker(&quot;/security/contentSecurityPolicy/resources/alert-fail.js&quot;, EXPECT_BLOCK);
</span><span class="cx">     &lt;/script&gt;
</span><ins>+    &lt;script src=&quot;/js-test-resources/js-test-post.js&quot;&gt;&lt;/script&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt (0 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+CONSOLE MESSAGE: Refused to create a child context containing 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: &quot;child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php&quot;.
+
+This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+PASS worker = new Worker(&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js&quot;) did not throw exception.
+PASS error event dispatched
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkerredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html (0 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php&quot;&gt;
+&lt;script src=&quot;/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script&gt;
+window.jsTestIsAsync = true;
+
+description(&quot;This tests that the Content Security Policy of the page blocks loading a Web Worker's script from a different origin through a redirect.&quot;);
+
+var worker;
+shouldNotThrow('worker = new Worker(&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js&quot;)');
+worker.onerror = function () {
+    testPassed(&quot;error event dispatched&quot;);
+    finishJSTest();
+};
+&lt;/script&gt;
+&lt;script src=&quot;/js-test-resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
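Review bot: In worker.onerror, "error event dispatched" does not by itself show that child-src blocked the redirect. The isolated-world variant added in this same revision expects the same redirect to fail with CSP bypassed, because the worker script ends up on a different origin. The only CSP-specific assertion is therefore the CONSOLE MESSAGE line in worker-redirect-blocked-expected.txt. Say so in description() or in a comment, and consider an explicit failure path (for example a worker.onmessage handler that calls testFailed) so that a worker which does load fails fast instead of timing out.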
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkersharedallowedexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed-expected.txt (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed-expected.txt        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,10 +0,0 @@
</span><del>-SharedWorkers should be governed by 'child-src'.
-
-On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
-
-
-PASS var w = new SharedWorker('/security/contentSecurityPolicy/resources/alert-pass.js'); did not throw exception.
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkersharedallowedhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-allowed.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,14 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;head&gt;
-    &lt;script src=&quot;/js-test-resources/js-test.js&quot;&gt;&lt;/script&gt;
-    &lt;script src=&quot;/security/contentSecurityPolicy/resources/child-src-test.js&quot;&gt;&lt;/script&gt;
-    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src 'self';&quot;&gt;
-&lt;/head&gt;
-&lt;body&gt;
-    &lt;script&gt;
-        description(&quot;SharedWorkers should be governed by 'child-src'.&quot;);
-        injectSharedWorker(&quot;/security/contentSecurityPolicy/resources/alert-pass.js&quot;, EXPECT_LOAD);
-    &lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkersharedblockedexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,12 +0,0 @@
</span><del>-CONSOLE MESSAGE: Refused to create a child context containing 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: &quot;child-src 'none'&quot;.
-
-SharedWorkers should be governed by 'child-src'.
-
-On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
-
-
-PASS var w = new SharedWorker('/security/contentSecurityPolicy/resources/alert-fail.js'); threw exception SecurityError: Failed to construct 'SharedWorker': Access to the script at 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.js' is denied by the document's Content Security Policy..
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11childsrcworkersharedblockedhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/child-src/worker-shared-blocked.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,14 +0,0 @@
</span><del>-&lt;!DOCTYPE html&gt;
-&lt;html&gt;
-&lt;head&gt;
-    &lt;script src=&quot;/js-test-resources/js-test.js&quot;&gt;&lt;/script&gt;
-    &lt;script src=&quot;/security/contentSecurityPolicy/resources/child-src-test.js&quot;&gt;&lt;/script&gt;
-    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src 'none';&quot;&gt;
-&lt;/head&gt;
-&lt;body&gt;
-    &lt;script&gt;
-        description(&quot;SharedWorkers should be governed by 'child-src'.&quot;);
-        injectSharedWorker(&quot;/security/contentSecurityPolicy/resources/alert-fail.js&quot;, EXPECT_BLOCK);
-    &lt;/script&gt;
-&lt;/body&gt;
-&lt;/html&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourceschildsrctestjs"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-src-test.js (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-src-test.js        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/child-src-test.js        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -53,13 +53,3 @@
</span><span class="cx">         finishJSTest();
</span><span class="cx">     };
</span><span class="cx"> }
</span><del>-
-function injectSharedWorker(url, expectBlock) {
-    window.onload = function() {
-        if (expectBlock == EXPECT_BLOCK)
-            shouldThrow(&quot;var w = new SharedWorker('&quot; + url + &quot;');&quot;);
-        else
-            shouldNotThrow(&quot;var w = new SharedWorker('&quot; + url + &quot;');&quot;);
-        finishJSTest();
-    };
-}
</del></span></pre></div>
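Review bot: Missing documentation for the removal of injectSharedWorker. It goes away together with worker-shared-allowed.html and worker-shared-blocked.html, which leaves no test that a SharedWorker script URL is governed by child-src, and the WebCore ChangeLog entry in this revision does not mention SharedWorker. If the tests are dropped because SharedWorker is not available in this port, state that in the ChangeLog; otherwise keep the helper and convert the two tests to js-test-pre.js and js-test-post.js the way worker-blocked.html was converted.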
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspblocksevalexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><span class="cx"> This tests that the Content Security Policy (CSP) of the owner document (this page) blocks a blob-URL Web Worker from using eval() because the parent's CSP does not list unsafe-eval in script-src.
</span><span class="cx"> 
</span><del>-PASS threw exception EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'self' 'unsafe-inline'&quot;.
</del><ins>+PASS threw exception EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
</ins><span class="cx"> .
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspblocksevalhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,8 +1,7 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-&lt;!-- FIXME: Remove 'self' from script-src once we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=153158&gt;. --&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'self' 'unsafe-inline'&quot;&gt;
</del><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'unsafe-inline'&quot;&gt;
</ins><span class="cx"> &lt;script&gt;
</span><span class="cx"> if (window.testRunner) {
</span><span class="cx">     testRunner.dumpAsText();
</span></span></pre></div>
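Review bot: The removed FIXME tied the 'self' workaround to bug 153158, but this revision is filed under bug 153562 and the WebCore ChangeLog entry does not reference 153158. Note in the ChangeLog that the workaround is no longer needed because the worker script URL is now checked against child-src rather than script-src, and say whether 153158 can be closed as a result.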
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsblockabortsallsubsequentimportsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/workers/resources/worker-importScripts-source1.js' because it violates the following Content Security Policy directive: &quot;script-src 'self' 'unsafe-inline'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/workers/resources/worker-importScripts-source1.js' because it violates the following Content Security Policy directive: &quot;script-src 'unsafe-inline'&quot;.
</ins><span class="cx"> 
</span><span class="cx"> This tests that when calling WorkerGlobalScope.importScripts() will two script URLs that the second script is not loaded if the first script URL was blocked by the Content Security Policy of the worker (inherited from this page).
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsblockabortsallsubsequentimportshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,8 +1,7 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-&lt;!-- FIXME: Change 'self' to 'blob:' once we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=153158&gt;. --&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'self' 'unsafe-inline'&quot;&gt;
</del><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'unsafe-inline'&quot;&gt;
</ins><span class="cx"> &lt;script&gt;
</span><span class="cx"> if (window.testRunner) {
</span><span class="cx">     testRunner.dumpAsText();
</span></span></pre></div>
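Review bot: The removed FIXME asked for 'self' to become 'blob:', yet the new policy is just "script-src 'unsafe-inline'" with no source that covers the worker at all. The blob-URL worker now starts only because the page declares no child-src, so the test silently depends on that absence. Consider an explicit "child-src blob:", or at least a comment saying the worker is allowed because no child-src is set, so the dependency is visible to whoever edits the policy next.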
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyworkerblobinheritscspimportScriptsredirectcrossoriginblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,8 +1,7 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-&lt;!-- FIXME: Change 'self' to 'blob:' once we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=153158&gt;. --&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'self' http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php 'unsafe-inline'&quot;&gt;
</del><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php 'unsafe-inline'&quot;&gt;
</ins><span class="cx"> &lt;script&gt;
</span><span class="cx"> if (window.testRunner) {
</span><span class="cx">     testRunner.dumpAsText();
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerredirectexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt (0 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect-expected.txt        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin).
+
+PASS worker failed to load script URL.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerredirecthtmlfromrev196525trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerhtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html (from rev 196525, trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html) (0 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -0,0 +1,40 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'unsafe-inline'; child-src http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php&quot;&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This tests that in an isolated world that the Content Security Policy of the parent origin (this page) is bypassed and a CSP violation is not triggered when a Web Worker's script URL loads a different origin through a redirect. This test PASSED if there is no CSP violation console message and the redirect fails (since Web Workers can only load a script from the same origin).&lt;/p&gt;
+&lt;pre id=&quot;result&quot;&gt;&lt;/pre&gt;
+&lt;script&gt;
+window.onmessage = function (event)
+{
+    document.getElementById(&quot;result&quot;).textContent = event.data;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+function runTest()
+{
+    var worker;
+    try {
+        worker = new Worker(&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/resources/redir.php?url=http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js&quot;);
+        worker.onerror = function () {
+            window.postMessage(&quot;PASS worker failed to load script URL.&quot;, &quot;*&quot;);
+        }
+    } catch (exception) {
+        window.postMessage(&quot;FAIL should not have thrown an exception when creating worker. Threw exception &quot; + exception + &quot;.&quot;, &quot;*&quot;);
+    }
+}
+
+if (window.testRunner)
+    testRunner.evaluateScriptInIsolatedWorld(0, runTest.toString() + &quot;;runTest();&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
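Review bot: runTest() handles only two outcomes, worker.onerror (PASS) and an exception from the constructor (FAIL); if the redirected script loads, nothing is posted and the test sits in waitUntilDone() until the harness times out. Add a path that reports FAIL when the worker starts. Two smaller points: the description reads "This tests that in an isolated world that the Content Security Policy ...", with a doubled "that", and the whole test is a silent no-op when window.testRunner is absent, which deserves a line in the description.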
<a id="trunkLayoutTestshttptestssecurityisolatedWorldbypassmainworldcspworkerhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-worker.html        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,8 +1,7 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-&lt;!-- FIXME: Add child-src 'none' once we implement the child-src directive. --&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'unsafe-inline'&quot;&gt;
</del><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src 'unsafe-inline'; child-src 'none'&quot;&gt;
</ins><span class="cx"> &lt;script&gt;
</span><span class="cx"> if (window.testRunner) {
</span><span class="cx">     testRunner.dumpAsText();
</span></span></pre></div>
<a id="trunkLayoutTestsplatformiossimulatorTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/ios-simulator/TestExpectations (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/ios-simulator/TestExpectations        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/platform/ios-simulator/TestExpectations        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -92,9 +92,6 @@
</span><span class="cx"> fast/history/page-cache-media-source-opened.html [ Skip ]
</span><span class="cx"> fast/history/page-cache-removed-source-buffer.html [ Skip ]
</span><span class="cx"> 
</span><del>-# Content Security Policy 1.1 (ENABLE_CSP_NEXT) is not enabled
-webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1
-
</del><span class="cx"> # X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
</span><span class="cx"> webkit.org/b/136452 http/tests/security/contentTypeOptions
</span><span class="cx"> 
</span></span></pre></div>
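Review bot: Dropping the "http/tests/security/contentSecurityPolicy/1.1" entry un-skips the whole 1.1 directory, not only 1.1/child-src, and the same entry is removed from the mac, win and wk2 expectations in the hunks that follow. The removed comment says the directory was skipped because Content Security Policy 1.1 (ENABLE_CSP_NEXT) is not enabled, while the ChangeLog for this revision covers only child-src. Confirm that every other test under 1.1 passes on each port, or narrow the removal and keep skip entries for whatever is still unimplemented.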
<a id="trunkLayoutTestsplatformmacTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/mac/TestExpectations (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/mac/TestExpectations        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/platform/mac/TestExpectations        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -188,9 +188,6 @@
</span><span class="cx"> # webkit.org/b/61138, webkit.org/b/84893, webkit.org/b/133321
</span><span class="cx"> http/tests/w3c/webperf [ Skip ]
</span><span class="cx"> 
</span><del>-# Content Security Policy 1.1 (ENABLE_CSP_NEXT) is not enabled
-webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1
-
</del><span class="cx"> # Perf tests are very flaky, because they run in parallel with other tests.
</span><span class="cx"> perf
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsplatformwinTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/win/TestExpectations (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/win/TestExpectations        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/platform/win/TestExpectations        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -374,9 +374,6 @@
</span><span class="cx"> webkit.org/b/42435 http/tests/misc/webtiming-two-redirects.php [ Skip ]
</span><span class="cx"> webkit.org/b/42435 http/tests/w3c/webperf [ Skip ]
</span><span class="cx"> 
</span><del>-# Content Security Policy 1.1 (ENABLE_CSP_NEXT) is not enabled
-webkit.org/b/85558 http/tests/security/contentSecurityPolicy/1.1 [ Skip ]
-
</del><span class="cx"> # TODO Application Cache Quotas
</span><span class="cx"> webkit.org/b/43458 http/tests/appcache/origin-quota.html [ Skip ]
</span><span class="cx"> webkit.org/b/43458 http/tests/appcache/origin-quota-continued-download.html [ Skip ]
</span></span></pre></div>
<a id="trunkLayoutTestsplatformwk2TestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/wk2/TestExpectations (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/wk2/TestExpectations        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/LayoutTests/platform/wk2/TestExpectations        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -378,10 +378,6 @@
</span><span class="cx"> # No CORS support for media elements is implemented yet.
</span><span class="cx"> http/tests/security/video-cross-origin-readback.html
</span><span class="cx"> 
</span><del>-# Content Security Policy 1.1 (ENABLE_CSP_NEXT) is not enabled
-# https://bugs.webkit.org/show_bug.cgi?id=85558
-http/tests/security/contentSecurityPolicy/1.1
-
</del><span class="cx"> # X-Content-Type-Options (ENABLE_NOSNIFF) is not enabled.
</span><span class="cx"> http/tests/security/contentTypeOptions
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/ChangeLog        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -1,3 +1,45 @@
</span><ins>+2016-02-12  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: Implement child-src directive
+        https://bugs.webkit.org/show_bug.cgi?id=153562
+        &lt;rdar://problem/24610087&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Add support for the child-src directive, &lt;https://w3c.github.io/webappsec-csp/2/#child_src&gt; (29 August 2015),
+        which formally replaces the deprecated frame-src directive as of the Content Security Policy 2.0 spec. The
+        child-src directive was first introduced in the Content Security Policy 1.1 spec, &lt;https://www.w3.org/TR/2014/WD-CSP11-20140211/&gt;.
+
+        As a side effect of this change, the script URL for a Web Worker is checked against the child-src directive
+        as opposed to the script-src directive. This is a backward incompatible change from the CSP 1.0 spec.
+
+        Tests: http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-blocked.html
+               http/tests/security/contentSecurityPolicy/1.1/child-src/frame-fires-load-event-when-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/1.1/child-src/frame-src-takes-precedence-over-child-src.html
+               http/tests/security/contentSecurityPolicy/1.1/child-src/worker-redirect-blocked.html
+               http/tests/security/isolatedWorld/bypass-main-world-csp-worker-redirect.html
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): Check child-src directive (if applicable).
+        * loader/ThreadableLoader.h: Add enum value EnforceChildSrcDirective to enum class ContentSecurityPolicyEnforcement to
+        enforce the child-src directive on redirect.
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowChildContextFromSource): Added.
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::checkSourceAndReportViolation): Add message prefix for a child-src violation.
+        We use the same message prefix as used by Blink.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowChildContextFromSource): Added.
+        (WebCore::ContentSecurityPolicyDirectiveList::allowChildFrameFromSource): Modified to check the frame-src
+        directive (if specified) before checking the child-src directive by &lt;https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested&gt;.
+        (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Parse the child-src directive.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        * workers/AbstractWorker.cpp:
+        (WebCore::AbstractWorker::resolveURL): Check if the script URL for the worker is allowed by the child-src directive
+        as opposed to the script-src directive. This is a backwards incompatible change from the CSP 1.0 spec.
+        * workers/Worker.cpp:
+        (WebCore::Worker::create): Enforce the child-src directive on redirects (if applicable).
+
</ins><span class="cx"> 2016-02-12  Saam barati  &lt;sbarati@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         The parser doesn't properly protect against global variable references in builtins
</span></span></pre></div>
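Review bot: "This is a backward incompatible change from the CSP 1.0 spec" understates the effect and should state the consequence for deployed policies. A page that relied on script-src alone to restrict worker scripts no longer restricts them, as the blob-worker tests in this revision show by dropping 'self' from script-src while the worker still runs. Spell that out in the entry, and say what authors need to add (child-src, or default-src as its fallback) to keep the old restriction.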
<a id="trunkSourceWebCoreloaderDocumentThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -443,6 +443,8 @@
</span><span class="cx">     switch (m_options.contentSecurityPolicyEnforcement) {
</span><span class="cx">     case ContentSecurityPolicyEnforcement::DoNotEnforce:
</span><span class="cx">         return true;
</span><ins>+    case ContentSecurityPolicyEnforcement::EnforceChildSrcDirective:
+        return contentSecurityPolicy().allowChildContextFromSource(url, false); // Do not override policy
</ins><span class="cx">     case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective:
</span><span class="cx">         return contentSecurityPolicy().allowConnectToSource(url, false); // Do not override policy
</span><span class="cx">     case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderThreadableLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/ThreadableLoader.h (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/ThreadableLoader.h        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/loader/ThreadableLoader.h        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -61,6 +61,7 @@
</span><span class="cx"> 
</span><span class="cx">     enum class ContentSecurityPolicyEnforcement {
</span><span class="cx">         DoNotEnforce,
</span><ins>+        EnforceChildSrcDirective,
</ins><span class="cx">         EnforceConnectSrcDirective,
</span><span class="cx">         EnforceScriptSrcDirective,
</span><span class="cx">     };
</span></span></pre></div>
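Review bot: EnforceChildSrcDirective is inserted ahead of EnforceConnectSrcDirective and EnforceScriptSrcDirective, which shifts the underlying values of both existing enumerators by one. That keeps the list alphabetical and is harmless for an enum class used only in-process, but please confirm nothing stores, encodes or compares these values numerically; if anything does, append the new enumerator at the end instead.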
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -257,6 +257,11 @@
</span><span class="cx">     return overrideContentSecurityPolicy || isAllowedByAllWithURL&lt;&amp;ContentSecurityPolicyDirectiveList::allowChildFrameFromSource&gt;(m_policies, url, reportingStatus);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+bool ContentSecurityPolicy::allowChildContextFromSource(const URL&amp; url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+    return overrideContentSecurityPolicy || isAllowedByAllWithURL&lt;&amp;ContentSecurityPolicyDirectiveList::allowChildContextFromSource&gt;(m_policies, url, reportingStatus);
+}
+
</ins><span class="cx"> bool ContentSecurityPolicy::allowImageFromSource(const URL&amp; url, bool overrideContentSecurityPolicy, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx">     return overrideContentSecurityPolicy || isAllowedByAllWithURL&lt;&amp;ContentSecurityPolicyDirectiveList::allowImageFromSource&gt;(m_policies, url, reportingStatus);
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -84,6 +84,7 @@
</span><span class="cx">     bool allowScriptFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx">     bool allowObjectFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx">     bool allowChildFrameFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><ins>+    bool allowChildContextFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</ins><span class="cx">     bool allowImageFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx">     bool allowStyleFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span><span class="cx">     bool allowFontFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, ContentSecurityPolicy::ReportingStatus = ContentSecurityPolicy::ReportingStatus::SendReport) const;
</span></span></pre></div>
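Review bot: allowChildContextFromSource is declared directly under allowChildFrameFromSource with an identical signature, and nothing in the header says how the two differ. Going by the rest of this change, frames go through allowChildFrameFromSource (frame-src first, then child-src) and workers go through the new function, so a one-line comment on each declaration stating that would keep future callers from picking the wrong one.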
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -48,6 +48,7 @@
</span><span class="cx"> 
</span><span class="cx"> // CSP 1.1 Directives
</span><span class="cx"> static const char baseURI[] = &quot;base-uri&quot;;
</span><ins>+static const char childSrc[] = &quot;child-src&quot;;
</ins><span class="cx"> static const char formAction[] = &quot;form-action&quot;;
</span><span class="cx"> static const char pluginTypes[] = &quot;plugin-types&quot;;
</span><span class="cx"> #if ENABLE(CSP_NEXT)
</span><span class="lines">@@ -222,6 +223,8 @@
</span><span class="cx">     const char* prefix;
</span><span class="cx">     if (baseURI == effectiveDirective)
</span><span class="cx">         prefix = &quot;Refused to set the document's base URI to '&quot;;
</span><ins>+    else if (childSrc == effectiveDirective)
+        prefix = &quot;Refused to create a child context containing '&quot;;
</ins><span class="cx">     else if (connectSrc == effectiveDirective)
</span><span class="cx">         prefix = &quot;Refused to connect to '&quot;;
</span><span class="cx">     else if (fontSrc == effectiveDirective)
</span><span class="lines">@@ -314,13 +317,24 @@
</span><span class="cx">     return m_reportOnly || checkSource(operativeDirective(m_objectSrc.get()), url);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+bool ContentSecurityPolicyDirectiveList::allowChildContextFromSource(const URL&amp; url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
+{
+    if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
+        return checkSourceAndReportViolation(operativeDirective(m_childSrc.get()), url, childSrc);
+    return m_reportOnly || checkSource(operativeDirective(m_childSrc.get()), url);
+}
+
</ins><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowChildFrameFromSource(const URL&amp; url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
</span><span class="cx"> {
</span><span class="cx">     if (url.isBlankURL())
</span><span class="cx">         return true;
</span><ins>+
+    // We must enforce the frame-src directive (if specified) before enforcing the child-src directive for a nested browsing
+    // context by &lt;https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested&gt; (29 August 2015).
+    ContentSecurityPolicySourceListDirective* directiveToEnforce = operativeDirective(m_frameSrc ? m_frameSrc.get() : m_childSrc.get());
</ins><span class="cx">     if (reportingStatus == ContentSecurityPolicy::ReportingStatus::SendReport)
</span><del>-        return checkSourceAndReportViolation(operativeDirective(m_frameSrc.get()), url, frameSrc);
-    return m_reportOnly || checkSource(operativeDirective(m_frameSrc.get()), url);
</del><ins>+        return checkSourceAndReportViolation(directiveToEnforce, url, frameSrc);
+    return m_reportOnly || checkSource(directiveToEnforce, url);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicyDirectiveList::allowImageFromSource(const URL&amp; url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
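Review bot: In allowChildFrameFromSource the reporting path still passes frameSrc as the effective directive,
even when directiveToEnforce was taken from m_childSrc because no frame-src was specified. A policy that sets
only child-src would then have its frame violations attributed to frame-src. Consider selecting the name together
with the directive (m_frameSrc ? frameSrc : childSrc), or add a comment if reporting frame-src here is deliberate.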
</span><span class="lines">@@ -569,6 +583,8 @@
</span><span class="cx">         setCSPDirective&lt;ContentSecurityPolicySourceListDirective&gt;(name, value, m_mediaSrc);
</span><span class="cx">     else if (equalLettersIgnoringASCIICase(name, connectSrc))
</span><span class="cx">         setCSPDirective&lt;ContentSecurityPolicySourceListDirective&gt;(name, value, m_connectSrc);
</span><ins>+    else if (equalLettersIgnoringASCIICase(name, childSrc))
+        setCSPDirective&lt;ContentSecurityPolicySourceListDirective&gt;(name, value, m_childSrc);
</ins><span class="cx">     else if (equalLettersIgnoringASCIICase(name, sandbox))
</span><span class="cx">         applySandboxPolicy(name, value);
</span><span class="cx">     else if (equalLettersIgnoringASCIICase(name, reportURI))
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -57,6 +57,7 @@
</span><span class="cx">     bool allowScriptFromSource(const URL&amp;, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx">     bool allowObjectFromSource(const URL&amp;, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx">     bool allowChildFrameFromSource(const URL&amp;, ContentSecurityPolicy::ReportingStatus) const;
</span><ins>+    bool allowChildContextFromSource(const URL&amp;, ContentSecurityPolicy::ReportingStatus) const;
</ins><span class="cx">     bool allowImageFromSource(const URL&amp;, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx">     bool allowStyleFromSource(const URL&amp;, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="cx">     bool allowFontFromSource(const URL&amp;, ContentSecurityPolicy::ReportingStatus) const;
</span><span class="lines">@@ -114,6 +115,7 @@
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicyMediaListDirective&gt; m_pluginTypes;
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicySourceListDirective&gt; m_baseURI;
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicySourceListDirective&gt; m_connectSrc;
</span><ins>+    std::unique_ptr&lt;ContentSecurityPolicySourceListDirective&gt; m_childSrc;
</ins><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicySourceListDirective&gt; m_defaultSrc;
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicySourceListDirective&gt; m_fontSrc;
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicySourceListDirective&gt; m_formAction;
</span></span></pre></div>
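Review bot: m_childSrc is declared after m_connectSrc, while the surrounding source-list members (m_baseURI, m_connectSrc, m_defaultSrc, m_fontSrc, m_formAction) are in alphabetical order, and both the enum and the message-prefix chain in this change place child-src before connect-src. Moving the declaration up one line would keep the member list consistent.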
<a id="trunkSourceWebCoreworkersAbstractWorkercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/AbstractWorker.cpp (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/AbstractWorker.cpp        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/workers/AbstractWorker.cpp        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -62,10 +62,8 @@
</span><span class="cx">         return URL();
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    // FIXME: Enforce the child-src directive instead of script-src per &lt;https://w3c.github.io/webappsec-csp/2/#directive-child-src-workers&gt; (29 August 2015).
-    // See &lt;https://bugs.webkit.org/show_bug.cgi?id=153562&gt;.
</del><span class="cx">     ASSERT(scriptExecutionContext()-&gt;contentSecurityPolicy());
</span><del>-    if (!scriptExecutionContext()-&gt;contentSecurityPolicy()-&gt;allowScriptFromSource(scriptURL, shouldBypassMainWorldContentSecurityPolicy)) {
</del><ins>+    if (!scriptExecutionContext()-&gt;contentSecurityPolicy()-&gt;allowChildContextFromSource(scriptURL, shouldBypassMainWorldContentSecurityPolicy)) {
</ins><span class="cx">         ec = SECURITY_ERR;
</span><span class="cx">         return URL();
</span><span class="cx">     }
</span></span></pre></div>
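Review bot: Replacing allowScriptFromSource with allowChildContextFromSource in this check changes which directive governs worker URLs, so a policy that lists the worker's origin only under script-src is no longer evaluated against that list here. The removed FIXME was the only explanation at this site; please leave a short comment naming the directive that now applies, and make sure the tests include a policy that sets script-src but no child-src so the resulting behaviour is pinned down.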
<a id="trunkSourceWebCoreworkersWorkercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/workers/Worker.cpp (196525 => 196526)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/workers/Worker.cpp        2016-02-13 00:12:54 UTC (rev 196525)
+++ trunk/Source/WebCore/workers/Worker.cpp        2016-02-13 00:18:40 UTC (rev 196526)
</span><span class="lines">@@ -94,8 +94,8 @@
</span><span class="cx">     worker-&gt;setPendingActivity(worker.ptr());
</span><span class="cx"> 
</span><span class="cx">     worker-&gt;m_scriptLoader = WorkerScriptLoader::create();
</span><del>-    // FIXME: Enforce Content Security Policy child-src directive when shouldBypassMainWorldContentSecurityPolicy is false. See &lt;https://bugs.webkit.org/show_bug.cgi?id=153562&gt;.
-    worker-&gt;m_scriptLoader-&gt;loadAsynchronously(&amp;context, scriptURL, DenyCrossOriginRequests, ContentSecurityPolicyEnforcement::DoNotEnforce, worker.ptr());
</del><ins>+    auto contentSecurityPolicyEnforcement = shouldBypassMainWorldContentSecurityPolicy ? ContentSecurityPolicyEnforcement::DoNotEnforce : ContentSecurityPolicyEnforcement::EnforceChildSrcDirective;
+    worker-&gt;m_scriptLoader-&gt;loadAsynchronously(&amp;context, scriptURL, DenyCrossOriginRequests, contentSecurityPolicyEnforcement, worker.ptr());
</ins><span class="cx">     return WTFMove(worker);
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre>
</div>
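Review bot: If the scriptURL passed to loadAsynchronously has already gone through the allowChildContextFromSource check added in AbstractWorker.cpp, then with EnforceChildSrcDirective the loader evaluates the same URL a second time, and both calls use the default ReportingStatus::SendReport. Can a report-only policy end up sending two reports for one worker URL? If the loader-side enforcement is there to cover redirects, a one-line comment saying so would help, and the second check of the initial URL could pass a non-reporting status.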
</div>

</body>
</html>