<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[196874] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/196874">196874</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-02-21 10:52:51 -0800 (Sun, 21 Feb 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>CSP: sandbox directive should be ignored when contained in a policy defined via a meta element
https://bugs.webkit.org/show_bug.cgi?id=154299
&lt;rdar://problem/24680433&gt;

Reviewed by Brent Fulgham.

Source/WebCore:

The Content Security Policy sandbox directive should only be honored when enforcing a policy
defined via an HTTP header as per section sandbox of the Content Security Policy 2.0 spec.,
&lt;https://www.w3.org/TR/2015/CR-CSP2-20150721/&gt;.

Currently we honor the sandbox directive when enforcing a policy defined either via an HTML
meta element or an HTTP header. Instead we should only honor this directive when defined
via an HTTP header and log a message to the Web Inspector console to explain that the directive
was ignored as suggested in &lt;https://www.w3.org/TR/2015/CR-CSP2-20150721/#delivery-html-meta-element&gt;.

Tests: http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php
       http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php
       http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php
       http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html

* dom/Document.cpp:
(WebCore::Document::processHttpEquiv): Substitute ContentSecurityPolicy::processHTTPEquiv() for
ContentSecurityPolicy::didReceiveHeader() as the latter was made private.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::copyStateFrom): Updated as needed based on ContentSecurityPolicy::didReceiveHeader() change below.
(WebCore::ContentSecurityPolicy::didReceiveHeaders): Ditto.
(WebCore::ContentSecurityPolicy::didReceiveHeader): Modified to take argument of type ContentSecurityPolicy::PolicyFrom
and pass it through to ContentSecurityPolicyDirectiveList::create().
(WebCore::ContentSecurityPolicy::reportInvalidDirectiveInHTTPEquivMeta): Logs a message to the Web Inspector console
that the specified directive was ignored because it was delivered via an HTML meta element.
* page/csp/ContentSecurityPolicy.h: Made member function ContentSecurityPolicy::didReceiveHeader() private. Defined
enum class PolicyFrom to represent the source of the Content Security Policy: HTTP equiv meta element, HTTP header, or
inherited from another ContentSecurityPolicy object (this value is only used by ContentSecurityPolicy::copyStateFrom()).
(WebCore::ContentSecurityPolicy::processHTTPEquiv): Added; turns around and calls ContentSecurityPolicy::didReceiveHeader().
The name of this function better describes its purpose - to handle the processing of a Content Security Policy
delivered via &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;...&quot;&gt;.
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::create): Modified to take argument of type ContentSecurityPolicy::PolicyFrom
and pass it through to ContentSecurityPolicyDirectiveList::parse().
(WebCore::ContentSecurityPolicyDirectiveList::parse): Modified to ignore the directive sandbox when the Content Security
Policy came from an HTML meta element.
* page/csp/ContentSecurityPolicyDirectiveList.h:

LayoutTests:

Add test http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html to ensure that we ignore
the sandbox directive when delivered via an HTML meta element and log a message to the Web Inspector console.

Remove tests http/tests/security/contentSecurityPolicy/sandbox-{allow-scripts-subframe, empty, empty-subframe}.html
that are no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element and
create analogous tests for when the sandbox directive is delivered via an HTTP header.

* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2-expected.txt: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt.
* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html.

* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html: Removed.
This test is no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element.
An analogous test for when the directive is delivered via an HTTP header is http/tests/security/contentSecurityPolicy//sandbox-allow-scripts-in-http-header.html.

* http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php: Added. Derived from test http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html.

* http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php: Added. Derived from test http/tests/security/contentSecurityPolicy/sandbox-empty.html.

* http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html: Removed.
This test is no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element.
The analogous test for when the directive is delivered via an HTTP header is http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php.

* http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt: Removed.
* http/tests/security/contentSecurityPolicy/sandbox-empty.html: Removed.
This test is no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element.
The analogous test for when the directive is delivered via an HTTP header is http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php.

* http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomDocumentcpp">trunk/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptsinhttpheader2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptsinhttpheader2php">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyinhttpheaderexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyinhttpheaderinheritedbysubframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyinhttpheaderinheritedbysubframephp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyinhttpheaderphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxinmetatagignoredexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxinmetatagignoredhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptssubframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptssubframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptysubframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptysubframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/LayoutTests/ChangeLog        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -1,3 +1,45 @@
</span><ins>+2016-02-21  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: sandbox directive should be ignored when contained in a policy defined via a meta element
+        https://bugs.webkit.org/show_bug.cgi?id=154299
+        &lt;rdar://problem/24680433&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Add test http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html to ensure that we ignore
+        the sandbox directive when delivered via an HTML meta element and log a message to the Web Inspector console.
+
+        Remove tests http/tests/security/contentSecurityPolicy/sandbox-{allow-scripts-subframe, empty, empty-subframe}.html
+        that are no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element and
+        create analogous tests for when the sandbox directive is delivered via an HTTP header.
+
+        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2-expected.txt: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt.
+        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html.
+
+        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html: Removed.
+        This test is no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element.
+        An analogous test for when the directive is delivered via an HTTP header is http/tests/security/contentSecurityPolicy//sandbox-allow-scripts-in-http-header.html.
+
+        * http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php: Added. Derived from test http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html.
+
+        * http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php: Added. Derived from test http/tests/security/contentSecurityPolicy/sandbox-empty.html.
+
+        * http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html: Removed.
+        This test is no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element.
+        The analogous test for when the directive is delivered via an HTTP header is http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php.
+
+        * http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt: Removed.
+        * http/tests/security/contentSecurityPolicy/sandbox-empty.html: Removed.
+        This test is no longer meaningful now that we ignore the sandbox directive when delivered via an HTML meta element.
+        The analogous test for when the directive is delivered via an HTTP header is http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php.
+
+        * http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html: Added.
+
</ins><span class="cx"> 2016-02-21  Commit Queue  &lt;commit-queue@webkit.org&gt;
</span><span class="cx"> 
</span><span class="cx">         Unreviewed, rolling out r196866.
</span></span></pre></div>
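Review bot: The entry for the removed sandbox-allow-scripts-subframe.html names its replacement as http/tests/security/contentSecurityPolicy//sandbox-allow-scripts-in-http-header.html, a path with a doubled slash that is not among the files this entry adds or renames (the renamed test is sandbox-allow-scripts-in-http-header2.php). Drop the extra slash, and since no subframe test with allow-scripts is added here, say in the entry that the referenced test already covers the subframe case, or add one alongside sandbox-empty-in-http-header-inherited-by-subframe.php.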
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptsexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -1,2 +0,0 @@
</span><del>-ALERT: PASS
-This test passes if it does alert pass.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptsinhttpheader2expectedtxtfromrev196873trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptsexpectedtxt"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2-expected.txt (from rev 196873, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-expected.txt) (0 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2-expected.txt        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+This test passes if it does alert pass.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptsinhttpheader2phpfromrev196873trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptshtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php (from rev 196873, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html) (0 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+&lt;?php
+    header(&quot;Content-Security-Policy: sandbox allow-scripts&quot;);
+?&gt;
+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+This test passes if it does alert pass.
+&lt;script&gt;
+alert('PASS');
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
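Review bot: This test cannot tell an honored "sandbox allow-scripts" header from a header that was ignored altogether, because the inline alert('PASS') runs in both cases. Add an assertion that holds only while the sandbox is in force, for example one that depends on the document being in a unique origin since allow-same-origin is not set. The "2" suffix in the file name also does not say how this test differs from the sandbox-allow-scripts-in-http-header test that the ChangeLog mentions; a descriptive name or a comment at the top of the file would help.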
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptssubframeexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe-expected.txt (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe-expected.txt        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe-expected.txt        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -1,2 +0,0 @@
</span><del>-ALERT: PASS
-This test passes if it does alert pass. 
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptssubframehtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;script&gt;
-if (window.testRunner)
-    testRunner.dumpAsText();
-&lt;/script&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;sandbox allow-scripts&quot;&gt;
-This test passes if it does alert pass.
-&lt;iframe src=&quot;data:text/html,&lt;script&gt;alert('PASS');&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxallowscriptshtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -1,9 +0,0 @@
</span><del>-&lt;script&gt;
-if (window.testRunner)
-    testRunner.dumpAsText();
-&lt;/script&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;sandbox allow-scripts&quot;&gt;
-This test passes if it does alert pass.
-&lt;script&gt;
-alert('PASS');
-&lt;/script&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-expected.txt        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -1,2 +0,0 @@
</span><del>-CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/contentSecurityPolicy/sandbox-empty.html' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
-This test passes if it doesn't alert fail.
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyinhttpheaderexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-expected.txt (0 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-expected.txt        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/contentSecurityPolicy/sandbox-empty-in-http-header.php' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x8
+  RenderBlock {HTML} at (0,0) size 800x8
+    RenderBody {BODY} at (8,8) size 784x0
</ins></span></pre></div>
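Review bot: The render tree lines in this expected result (layer at, RenderView, RenderBlock and RenderBody with pixel sizes) tie a sandbox test to layout metrics, where the removed sandbox-empty-expected.txt was two lines of text. The page's own script is blocked by the header, so it cannot call testRunner.dumpAsText() the way the removed sandbox-empty.html did; consider loading the .php resource in an iframe from an outer page that does call testRunner.dumpAsText(), so the result is just the console message and the description. The same applies to sandbox-empty-in-http-header-inherited-by-subframe-expected.txt.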
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyinhttpheaderinheritedbysubframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe-expected.txt (0 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe-expected.txt        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+CONSOLE MESSAGE: Blocked script execution in 'data:text/html,&lt;script&gt;alert('FAIL');&lt;/script&gt;' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
+layer at (0,0) size 800x600
+  RenderView at (0,0) size 800x600
+layer at (0,0) size 800x124
+  RenderBlock {HTML} at (0,0) size 800x124
+    RenderBody {BODY} at (8,8) size 784x108
+      RenderIFrame {IFRAME} at (0,0) size 104x104 [border: (2px inset #000000)]
+        layer at (0,0) size 100x100
+          RenderView at (0,0) size 100x100
+        layer at (0,0) size 100x100
+          RenderBlock {HTML} at (0,0) size 100x100
+            RenderBody {BODY} at (8,8) size 84x84
+      RenderText {#text} at (0,0) size 0x0
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyinhttpheaderinheritedbysubframephp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php (0 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;?php
+    header(&quot;Content-Security-Policy: sandbox&quot;);
+?&gt;
+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;!-- This test passes if it doesn't alert FAIL. --&gt;
+&lt;iframe src=&quot;data:text/html,&lt;script&gt;alert('FAIL');&lt;/script&gt;&quot; width=&quot;100&quot; height=&quot;100&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyinhttpheaderphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php (0 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;?php
+    header(&quot;Content-Security-Policy: sandbox&quot;);
+?&gt;
+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;!-- This test passes if it doesn't alert FAIL. --&gt;
+&lt;script&gt;alert('FAIL')&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptysubframeexpectedtxt"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe-expected.txt        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -1,2 +0,0 @@
</span><del>-CONSOLE MESSAGE: Blocked script execution in 'data:text/html,&lt;script&gt;alert('FAIL');&lt;/script&gt;' because the document's frame is sandboxed and the 'allow-scripts' permission is not set.
-This test passes if it doesn't alert fail. 
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptysubframehtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -1,7 +0,0 @@
</span><del>-&lt;script&gt;
-if (window.testRunner)
-    testRunner.dumpAsText();
-&lt;/script&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;sandbox&quot;&gt;
-This test passes if it doesn't alert fail.
-&lt;iframe src=&quot;data:text/html,&lt;script&gt;alert('FAIL');&lt;/script&gt;&quot;&gt;&lt;/iframe&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxemptyhtml"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty.html (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty.html        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty.html        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -1,9 +0,0 @@
</span><del>-&lt;script&gt;
-if (window.testRunner)
-    testRunner.dumpAsText();
-&lt;/script&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;sandbox&quot;&gt;
-This test passes if it doesn't alert fail.
-&lt;script&gt;
-alert('FAIL');
-&lt;/script&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxinmetatagignoredexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored-expected.txt (0 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored-expected.txt        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+CONSOLE MESSAGE: The Content Security Policy directive 'sandbox' is ignored when delivered via an HTML meta element.
+ALERT: PASS executed script.
+This tests that the Content Security Policy sandbox directive is ignored when contained in a policy defined via an HTML meta element.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysandboxinmetatagignoredhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html (0 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;sandbox&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This tests that the Content Security Policy &lt;code&gt;sandbox&lt;/code&gt; directive is ignored when contained in a policy defined via an HTML meta element.&lt;/p&gt;
+&lt;script&gt;alert(&quot;PASS executed script.&quot;)&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
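Review bot: The new test only exercises a policy made up of the single lowercase directive, content="sandbox", so it neither covers the case-insensitive name match that parse() performs with equalLettersIgnoringASCIICase() nor confirms that other directives in the same meta policy are still enforced. Consider a companion test with something like content="SANDBOX; script-src 'none'" that expects the same console message and expects the inline script to be blocked by script-src.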
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/Source/WebCore/ChangeLog        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -1,3 +1,48 @@
</span><ins>+2016-02-21  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: sandbox directive should be ignored when contained in a policy defined via a meta element
+        https://bugs.webkit.org/show_bug.cgi?id=154299
+        &lt;rdar://problem/24680433&gt;
+
+        Reviewed by Brent Fulgham.
+
+        The Content Security Policy sandbox directive should only be honored when enforcing a policy
+        defined via an HTTP header as per section sandbox of the Content Security Policy 2.0 spec.,
+        &lt;https://www.w3.org/TR/2015/CR-CSP2-20150721/&gt;.
+
+        Currently we honor the sandbox directive when enforcing a policy defined either via an HTML
+        meta element or an HTTP header. Instead we should only honor this directive when defined
+        via an HTTP header and log a message to the Web Inspector console to explain that the directive
+        was ignored as suggested in &lt;https://www.w3.org/TR/2015/CR-CSP2-20150721/#delivery-html-meta-element&gt;.
+
+        Tests: http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header2.php
+               http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header-inherited-by-subframe.php
+               http/tests/security/contentSecurityPolicy/sandbox-empty-in-http-header.php
+               http/tests/security/contentSecurityPolicy/sandbox-in-meta-tag-ignored.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::processHttpEquiv): Substitute ContentSecurityPolicy::processHTTPEquiv() for
+        ContentSecurityPolicy::didReceiveHeader() as the latter was made private.
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::copyStateFrom): Updated as needed based on ContentSecurityPolicy::didReceiveHeader() change below.
+        (WebCore::ContentSecurityPolicy::didReceiveHeaders): Ditto.
+        (WebCore::ContentSecurityPolicy::didReceiveHeader): Modified to take argument of type ContentSecurityPolicy::PolicyFrom
+        and pass it through to ContentSecurityPolicyDirectiveList::create().
+        (WebCore::ContentSecurityPolicy::reportInvalidDirectiveInHTTPEquivMeta): Logs a message to the Web Inspector console
+        that the specified directive was ignored because it was delivered via an HTML meta element.
+        * page/csp/ContentSecurityPolicy.h: Made member function ContentSecurityPolicy::didReceiveHeader() private. Defined
+        enum class PolicyFrom to represent the source of the Content Security Policy: HTTP equiv meta element, HTTP header, or
+        inherited from another ContentSecurityPolicy object (this value is only used by ContentSecurityPolicy::copyStateFrom()).
+        (WebCore::ContentSecurityPolicy::processHTTPEquiv): Added; turns around and calls ContentSecurityPolicy::didReceiveHeader().
+        The name of this function better describes its purpose - to handle the processing of a Content Security Policy
+        delivered via &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;...&quot;&gt;.
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::create): Modified to take argument of type ContentSecurityPolicy::PolicyFrom
+        as pass it through to ContentSecurityPolicyDirectiveList::parse().
+        (WebCore::ContentSecurityPolicyDirectiveList::parse): Modified to ignore the directive sandbox when the Content Security
+        Policy came from an HTML meta element.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+
</ins><span class="cx"> 2016-02-21  Commit Queue  &lt;commit-queue@webkit.org&gt;
</span><span class="cx"> 
</span><span class="cx">         Unreviewed, rolling out r196866.
</span></span></pre></div>
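Review bot: The entry for ContentSecurityPolicyDirectiveList::create reads "as pass it through to ContentSecurityPolicyDirectiveList::parse()", which should be "and pass it through". The trailing "* page/csp/ContentSecurityPolicyDirectiveList.h:" line has no description; a short note that the create() and parse() signatures gained a PolicyFrom argument would complete it. The first paragraph's "as per section sandbox of the Content Security Policy 2.0 spec.," would also be easier to follow if it linked the section anchor the way the second paragraph does.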
<a id="trunkSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.cpp (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.cpp        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/Source/WebCore/dom/Document.cpp        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -3271,19 +3271,19 @@
</span><span class="cx">         break;
</span><span class="cx"> 
</span><span class="cx">     case HTTPHeaderName::ContentSecurityPolicy:
</span><del>-        contentSecurityPolicy()-&gt;didReceiveHeader(content, ContentSecurityPolicyHeaderType::Enforce);
</del><ins>+        contentSecurityPolicy()-&gt;processHTTPEquiv(content, ContentSecurityPolicyHeaderType::Enforce);
</ins><span class="cx">         break;
</span><span class="cx"> 
</span><span class="cx">     case HTTPHeaderName::ContentSecurityPolicyReportOnly:
</span><del>-        contentSecurityPolicy()-&gt;didReceiveHeader(content, ContentSecurityPolicyHeaderType::Report);
</del><ins>+        contentSecurityPolicy()-&gt;processHTTPEquiv(content, ContentSecurityPolicyHeaderType::Report);
</ins><span class="cx">         break;
</span><span class="cx"> 
</span><span class="cx">     case HTTPHeaderName::XWebKitCSP:
</span><del>-        contentSecurityPolicy()-&gt;didReceiveHeader(content, ContentSecurityPolicyHeaderType::PrefixedEnforce);
</del><ins>+        contentSecurityPolicy()-&gt;processHTTPEquiv(content, ContentSecurityPolicyHeaderType::PrefixedEnforce);
</ins><span class="cx">         break;
</span><span class="cx"> 
</span><span class="cx">     case HTTPHeaderName::XWebKitCSPReportOnly:
</span><del>-        contentSecurityPolicy()-&gt;didReceiveHeader(content, ContentSecurityPolicyHeaderType::PrefixedReport);
</del><ins>+        contentSecurityPolicy()-&gt;processHTTPEquiv(content, ContentSecurityPolicyHeaderType::PrefixedReport);
</ins><span class="cx">         break;
</span><span class="cx"> 
</span><span class="cx">     default:
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -78,7 +78,7 @@
</span><span class="cx"> {
</span><span class="cx">     ASSERT(m_policies.isEmpty());
</span><span class="cx">     for (auto&amp; policy : other-&gt;m_policies)
</span><del>-        didReceiveHeader(policy-&gt;header(), policy-&gt;headerType());
</del><ins>+        didReceiveHeader(policy-&gt;header(), policy-&gt;headerType(), ContentSecurityPolicy::PolicyFrom::Inherited);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> ContentSecurityPolicyResponseHeaders ContentSecurityPolicy::responseHeaders() const
</span><span class="lines">@@ -93,10 +93,10 @@
</span><span class="cx"> void ContentSecurityPolicy::didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&amp; headers)
</span><span class="cx"> {
</span><span class="cx">     for (auto&amp; header : headers.m_headers)
</span><del>-        didReceiveHeader(header.first, header.second);
</del><ins>+        didReceiveHeader(header.first, header.second, ContentSecurityPolicy::PolicyFrom::HTTPHeader);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-void ContentSecurityPolicy::didReceiveHeader(const String&amp; header, ContentSecurityPolicyHeaderType type)
</del><ins>+void ContentSecurityPolicy::didReceiveHeader(const String&amp; header, ContentSecurityPolicyHeaderType type, ContentSecurityPolicy::PolicyFrom policyFrom)
</ins><span class="cx"> {
</span><span class="cx">     // RFC2616, section 4.2 specifies that headers appearing multiple times can
</span><span class="cx">     // be combined with a comma. Walk the header string, and parse each comma
</span><span class="lines">@@ -110,7 +110,7 @@
</span><span class="cx"> 
</span><span class="cx">         // header1,header2 OR header1
</span><span class="cx">         //        ^                  ^
</span><del>-        std::unique_ptr&lt;ContentSecurityPolicyDirectiveList&gt; policy = ContentSecurityPolicyDirectiveList::create(*this, String(begin, position - begin), type);
</del><ins>+        std::unique_ptr&lt;ContentSecurityPolicyDirectiveList&gt; policy = ContentSecurityPolicyDirectiveList::create(*this, String(begin, position - begin), type, policyFrom);
</ins><span class="cx">         if (!policy-&gt;allowEval(0, ContentSecurityPolicy::ReportingStatus::SuppressReport))
</span><span class="cx">             m_lastPolicyEvalDisabledErrorMessage = policy-&gt;evalDisabledErrorMessage();
</span><span class="cx"> 
</span><span class="lines">@@ -457,6 +457,11 @@
</span><span class="cx">     logToConsole(&quot;The Content Security Policy directive '&quot; + directiveName + &quot;' is ignored when delivered in a report-only policy.&quot;);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void ContentSecurityPolicy::reportInvalidDirectiveInHTTPEquivMeta(const String&amp; directiveName) const
+{
+    logToConsole(&quot;The Content Security Policy directive '&quot; + directiveName + &quot;' is ignored when delivered via an HTML meta element.&quot;);
+}
+
</ins><span class="cx"> void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(const String&amp; directiveName, const String&amp; value) const
</span><span class="cx"> {
</span><span class="cx">     String message = makeString(&quot;The value for Content Security Policy directive '&quot;, directiveName, &quot;' contains an invalid character: '&quot;, value, &quot;'. Non-whitespace characters outside ASCII 0x21-0x7E must be percent-encoded, as described in RFC 3986, section 2.1: http://tools.ietf.org/html/rfc3986#section-2.1.&quot;);
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -67,9 +67,14 @@
</span><span class="cx">     };
</span><span class="cx">     ReflectedXSSDisposition reflectedXSSDisposition() const;
</span><span class="cx"> 
</span><ins>+    enum class PolicyFrom {
+        HTTPEquivMeta,
+        HTTPHeader,
+        Inherited,
+    };
</ins><span class="cx">     ContentSecurityPolicyResponseHeaders responseHeaders() const;
</span><span class="cx">     void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&amp;);
</span><del>-    void didReceiveHeader(const String&amp;, ContentSecurityPolicyHeaderType);
</del><ins>+    void processHTTPEquiv(const String&amp; content, ContentSecurityPolicyHeaderType type) { didReceiveHeader(content, type, ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta); }
</ins><span class="cx"> 
</span><span class="cx">     enum class ReportingStatus {
</span><span class="cx">         SendReport,
</span><span class="lines">@@ -123,6 +128,7 @@
</span><span class="cx">     void reportInvalidSandboxFlags(const String&amp;) const;
</span><span class="cx">     void reportInvalidReflectedXSS(const String&amp;) const;
</span><span class="cx">     void reportInvalidDirectiveInReportOnlyMode(const String&amp;) const;
</span><ins>+    void reportInvalidDirectiveInHTTPEquivMeta(const String&amp;) const;
</ins><span class="cx">     void reportMissingReportURI(const String&amp;) const;
</span><span class="cx">     void reportUnsupportedDirective(const String&amp;) const;
</span><span class="cx">     void reportViolation(const String&amp; directiveText, const String&amp; effectiveDirective, const String&amp; consoleMessage, const URL&amp; blockedURL, const Vector&lt;String&gt;&amp; reportURIs, const String&amp; header, const String&amp; contextURL = String(), const WTF::OrdinalNumber&amp; contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
</span><span class="lines">@@ -136,6 +142,8 @@
</span><span class="cx">     void logToConsole(const String&amp; message, const String&amp; contextURL = String(), const WTF::OrdinalNumber&amp; contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
</span><span class="cx">     void applyPolicyToScriptExecutionContext();
</span><span class="cx"> 
</span><ins>+    void didReceiveHeader(const String&amp;, ContentSecurityPolicyHeaderType, ContentSecurityPolicy::PolicyFrom);
+
</ins><span class="cx">     ScriptExecutionContext* m_scriptExecutionContext { nullptr };
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicySource&gt; m_selfSource;
</span><span class="cx">     String m_selfSourceProtocol;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -115,10 +115,10 @@
</span><span class="cx">     m_reportOnly = (type == ContentSecurityPolicyHeaderType::Report || type == ContentSecurityPolicyHeaderType::PrefixedReport);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-std::unique_ptr&lt;ContentSecurityPolicyDirectiveList&gt; ContentSecurityPolicyDirectiveList::create(ContentSecurityPolicy&amp; policy, const String&amp; header, ContentSecurityPolicyHeaderType type)
</del><ins>+std::unique_ptr&lt;ContentSecurityPolicyDirectiveList&gt; ContentSecurityPolicyDirectiveList::create(ContentSecurityPolicy&amp; policy, const String&amp; header, ContentSecurityPolicyHeaderType type, ContentSecurityPolicy::PolicyFrom from)
</ins><span class="cx"> {
</span><span class="cx">     auto directives = std::make_unique&lt;ContentSecurityPolicyDirectiveList&gt;(policy, type);
</span><del>-    directives-&gt;parse(header);
</del><ins>+    directives-&gt;parse(header, from);
</ins><span class="cx"> 
</span><span class="cx">     if (!directives-&gt;checkEval(directives-&gt;operativeDirective(directives-&gt;m_scriptSrc.get()))) {
</span><span class="cx">         String message = makeString(&quot;Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \&quot;&quot;, directives-&gt;operativeDirective(directives-&gt;m_scriptSrc.get())-&gt;text(), &quot;\&quot;.\n&quot;);
</span><span class="lines">@@ -389,7 +389,7 @@
</span><span class="cx"> // policy            = directive-list
</span><span class="cx"> // directive-list    = [ directive *( &quot;;&quot; [ directive ] ) ]
</span><span class="cx"> //
</span><del>-void ContentSecurityPolicyDirectiveList::parse(const String&amp; policy)
</del><ins>+void ContentSecurityPolicyDirectiveList::parse(const String&amp; policy, ContentSecurityPolicy::PolicyFrom policyFrom)
</ins><span class="cx"> {
</span><span class="cx">     m_header = policy;
</span><span class="cx">     if (policy.isEmpty())
</span><span class="lines">@@ -406,7 +406,18 @@
</span><span class="cx">         String name, value;
</span><span class="cx">         if (parseDirective(directiveBegin, position, name, value)) {
</span><span class="cx">             ASSERT(!name.isEmpty());
</span><del>-            addDirective(name, value);
</del><ins>+            switch (policyFrom) {
+            case ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta:
+                // FIXME: We also need to ignore directive report-uri (https://bugs.webkit.org/show_bug.cgi?id=154307).
+                if (equalLettersIgnoringASCIICase(name, sandbox)) {
+                    m_policy.reportInvalidDirectiveInHTTPEquivMeta(name);
+                    break;
+                }
+                FALLTHROUGH;
+            default:
+                addDirective(name, value);
+                break;
+            }
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         ASSERT(position == end || *position == ';');
</span></span></pre></div>
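Review bot: In the new switch, PolicyFrom::Inherited falls into the default branch, so addDirective() runs for sandbox whenever a policy is re-parsed on behalf of copyStateFrom(). parse() stores the raw policy text in m_header, and copyStateFrom() feeds policy-&gt;header() back through didReceiveHeader() with PolicyFrom::Inherited, so a sandbox directive that was ignored in a meta-delivered policy looks like it would be honored in the context that copies that state. Consider recording the original PolicyFrom on the directive list and passing it through when copying, and adding a test for a context that inherits a meta-delivered policy. As a style point, the break inside the if exits the switch, which is easy to misread next to FALLTHROUGH; a plain if/else around addDirective() would say the same thing more directly.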
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (196873 => 196874)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-02-21 18:43:22 UTC (rev 196873)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-02-21 18:52:51 UTC (rev 196874)
</span><span class="lines">@@ -41,7 +41,7 @@
</span><span class="cx">     WTF_MAKE_FAST_ALLOCATED;
</span><span class="cx">     WTF_MAKE_NONCOPYABLE(ContentSecurityPolicyDirectiveList)
</span><span class="cx"> public:
</span><del>-    static std::unique_ptr&lt;ContentSecurityPolicyDirectiveList&gt; create(ContentSecurityPolicy&amp;, const String&amp;, ContentSecurityPolicyHeaderType);
</del><ins>+    static std::unique_ptr&lt;ContentSecurityPolicyDirectiveList&gt; create(ContentSecurityPolicy&amp;, const String&amp;, ContentSecurityPolicyHeaderType, ContentSecurityPolicy::PolicyFrom);
</ins><span class="cx">     ContentSecurityPolicyDirectiveList(ContentSecurityPolicy&amp;, ContentSecurityPolicyHeaderType);
</span><span class="cx"> 
</span><span class="cx">     const String&amp; header() const { return m_header; }
</span><span class="lines">@@ -72,7 +72,7 @@
</span><span class="cx">     const Vector&lt;String&gt;&amp; reportURIs() const { return m_reportURIs; }
</span><span class="cx"> 
</span><span class="cx"> private:
</span><del>-    void parse(const String&amp;);
</del><ins>+    void parse(const String&amp;, ContentSecurityPolicy::PolicyFrom);
</ins><span class="cx"> 
</span><span class="cx">     bool parseDirective(const UChar* begin, const UChar* end, String&amp; name, String&amp; value);
</span><span class="cx">     void parseReportURI(const String&amp; name, const String&amp; value);
</span></span></pre>
</div>
</div>

</body>
</html>