<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[197007] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197007">197007</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-02-23 16:53:29 -0800 (Tue, 23 Feb 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>CSP: Enable base-uri directive by default
https://bugs.webkit.org/show_bug.cgi?id=154521
&lt;rdar://problem/24762032&gt;

Reviewed by Brent Fulgham.

Source/WebCore:

Tests: http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html
       http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html

* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::isExperimentalDirectiveName): Move base-uri from the directives considered
experimental to...
(WebCore::isCSPDirectiveName): ...the list of standard directives.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Move logic to parse the base-uri
directive outside the ENABLE(CSP_NEXT) macro guarded section/experimental feature runtime flag.

LayoutTests:

Copy test http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html to
http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html,
making some minor stylistic changes, and update TestExpectations to skip it because it depends
on the firing of event SecurityPolicyViolationEvent, which is disabled as of the time of writing.
We will enable the firing of this event in &lt;https://bugs.webkit.org/show_bug.cgi?id=154522&gt;.
Repurpose test name base-uri-deny.html to test that the base-uri directive prevents the use of
document base URL without depending on the firing of event SecurityPolicyViolationEvent.

Additionally, add test http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html
to ensure that we do not fall back to enforcing the default-src directive in absence of
a base-uri directive as per section base-uri of the Content Security Policy 2.0 spec.,
&lt;https://www.w3.org/TR/2015/CR-CSP2-20150721/&gt;.

* TestExpectations:
* http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html: Repurpose test.
* http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js: Added.
* http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js: Added.
* http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt.
* http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html.
* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt: Update expected result based on change to test (below).
* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Modified to test that we emit
a console warning when base-uri is used as a source expression.</pre>
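<p>The commit message above rests on two CSP 2 behaviours: base-uri is governed only by an explicit base-uri directive and never inherits default-src, and a directive name that turns up inside another directive's source list (a forgotten semicolon) earns the "note the semicolon" console warning. The block below is an added example written for this page, not WebKit code: a small JavaScript model of a CSP directive list that parses a policy, emits the warning in the wording the source-list-parsing-no-semicolon test expects, and decides whether a document's base URL may be set. The directive-name table, the fallback set and the host matching are simplified assumptions (no wildcard hosts, paths, nonces or hashes); the policies and URLs in the usage lines are taken from the test pages in this change.</p>

```javascript
// Added example for this page (not WebKit code). A small model of a CSP 2
// directive list covering the two behaviours the commit above relies on:
//   1. base-uri is governed only by an explicit base-uri directive; it never
//      falls back to default-src.
//   2. A directive name used as a source expression (a forgotten ';') yields
//      the "note the semicolon" warning in WebKit's wording.
// Assumptions: directive names are the CSP 2 set; host matching is limited to
// 'self', 'none', '*', scheme-sources and scheme://host[:port] (no wildcard
// hosts, paths, nonces or hashes). Policies and URLs are constructed inputs.

const DIRECTIVE_NAMES = [
  'base-uri', 'child-src', 'connect-src', 'default-src', 'font-src',
  'form-action', 'frame-ancestors', 'img-src', 'media-src', 'object-src',
  'plugin-types', 'report-uri', 'sandbox', 'script-src', 'style-src',
];

// Fetch directives that inherit default-src when absent. base-uri,
// form-action and frame-ancestors are deliberately not in this set.
const FALLS_BACK_TO_DEFAULT = new Set([
  'child-src', 'connect-src', 'font-src', 'img-src', 'media-src',
  'object-src', 'script-src', 'style-src',
]);

// Split "name src src; name src" into a Map of lower-cased name to source
// tokens, collecting console-style warnings along the way.
function parsePolicy(policyText) {
  const directives = new Map();
  const warnings = [];
  for (const rawDirective of policyText.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    const sources = tokens.slice(1);
    if (!DIRECTIVE_NAMES.includes(name)) {
      warnings.push(`Unrecognized Content-Security-Policy directive '${name}'.`);
      continue;
    }
    if (directives.has(name)) {
      warnings.push(`Ignoring duplicate Content-Security-Policy directive '${name}'.`);
      continue;
    }
    for (const source of sources) {
      if (DIRECTIVE_NAMES.includes(source.toLowerCase())) {
        warnings.push(`The Content Security Policy directive '${name}' contains '${source}' as a source expression. Did you mean '${name} ...; ${source}...' (note the semicolon)?`);
      }
    }
    directives.set(name, sources);
  }
  return { directives, warnings };
}

// Source list that governs `directiveName`, or null when nothing does.
function effectiveSourceList(policy, directiveName) {
  if (policy.directives.has(directiveName)) return policy.directives.get(directiveName);
  if (FALLS_BACK_TO_DEFAULT.has(directiveName)) {
    if (policy.directives.has('default-src')) return policy.directives.get('default-src');
  }
  return null;
}

// Does `url` match `sources`, evaluated relative to the document at `documentURL`?
function sourceListAllows(sources, url, documentURL) {
  const lowered = sources.map(s => s.toLowerCase());
  // An empty list, or a list that is exactly 'none', matches nothing.
  if (lowered.length === 0) return false;
  if (lowered.length === 1) { if (lowered[0] === "'none'") return false; }
  const target = new URL(url);
  const doc = new URL(documentURL);
  return lowered.some(source => {
    if (source === "'self'") return target.origin === doc.origin;
    if (source === '*') return true;
    if (source.startsWith("'")) return false; // 'none' mixed in, nonces, hashes, unsafe-*: never a host match
    if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return target.protocol === source; // scheme-source
    const hostSource = source.includes('://') ? source : `${doc.protocol}//${source}`;
    try { return new URL(hostSource).origin === target.origin; } catch (e) { return false; }
  });
}

// The decision a UA makes before honouring a base element's href: allowed
// unless an explicit base-uri directive rejects it. default-src is never consulted.
function allowBaseURI(policyText, baseURL, documentURL) {
  const sources = effectiveSourceList(parsePolicy(policyText), 'base-uri');
  if (sources === null) return true;
  return sourceListAllows(sources, baseURL, documentURL);
}

// Usage with the policies and URLs from the test pages in this change.
const testDir = 'http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/';
console.log(allowBaseURI("default-src 'none'; script-src 'self'", testDir + 'resources/', testDir + 'base-uri-default-ignored.html')); // true: no fallback to default-src
console.log(allowBaseURI("base-uri 'none'", testDir + 'resources/base-href/', testDir + 'base-uri-deny.html')); // false
console.log(parsePolicy("script-src 'self' object-src 'self' style-src * form-action 'self' base-uri 'self'").warnings.length); // 4
```

<p>The first usage line is the base-uri-default-ignored case: default-src 'none' would block everything it governs, yet the base URL is still accepted because nothing in the policy names base-uri. Swapping the fallback set to include 'base-uri' is the bug the new test guards against.</p>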

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11baseuridenyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11baseuridenyhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingnosemicolonexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingnosemicolonhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11baseuridefaultignoredexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11baseuridefaultignoredhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html</a></li>
<li>trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/</li>
<li>trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/base-href/</li>
<li>trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/</li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11resourcesbasehrefresourcessafescriptjs">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11resourcessafescriptjs">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationbaseuridenyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationbaseuridenyhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (197006 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/ChangeLog        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -1,3 +1,37 @@
</span><ins>+2016-02-23  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: Enable base-uri directive by default
+        https://bugs.webkit.org/show_bug.cgi?id=154521
+        &lt;rdar://problem/24762032&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Copy test http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html to
+        http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html,
+        making some minor stylistic changes, and update TestExpectations to skip it because it depends
+        on the firing of event SecurityPolicyViolationEvent, which is disabled as of the time of writing.
+        We will enable the firing of this event in &lt;https://bugs.webkit.org/show_bug.cgi?id=154522&gt;.
+        Repurpose test name base-uri-deny.html to test that the base-uri directive prevents the use of
+        document base URL without depending on the firing of event SecurityPolicyViolationEvent.
+
+        Additionally, add test http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html
+        to ensure that we do not fall back to enforcing the default-src directive in absence of
+        a base-uri directive as per section base-uri of the Content Security Policy 2.0 spec.,
+        &lt;https://www.w3.org/TR/2015/CR-CSP2-20150721/&gt;.
+
+        * TestExpectations:
+        * http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html: Repurpose test.
+        * http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt.
+        * http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html.
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt: Update expected result based on change to test (below).
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Modified to test that we emit
+        a console warning when base-uri is used as a source expression.
+
</ins><span class="cx"> 2016-02-22  Ryosuke Niwa  &lt;rniwa@webkit.org&gt;
</span><span class="cx"> 
</span><span class="cx">         Calling importNode on shadow root causes a crash
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (197006 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations        2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/TestExpectations        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -810,6 +810,9 @@
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/form-action-src-get-blocked.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/form-action-src-javascript-blocked.html [ Pass ]
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked.html [ Pass ]
</span><ins>+http/tests/security/contentSecurityPolicy/1.1/base-uri-allow.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html [ Pass ]
+http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html [ Pass ]
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/report-uri-effective-directive.php [ Pass ]
</span><span class="cx"> webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html
</span><span class="cx"> webkit.org/b/154203 http/tests/security/contentSecurityPolicy/1.1/scripthash-default-src.html
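Review bot: base-uri-allow.html is newly marked [ Pass ] here, but it does not appear in the Modified or Added Paths of this change, so nothing in the patch shows that it exists or that it passes now that base-uri is parsed unconditionally. Confirm the file is present and green on a configuration without the CSP_NEXT experimental flag before landing this line, otherwise it turns into an unexpected failure rather than documenting a newly enabled test.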
</span><span class="lines">@@ -836,6 +839,7 @@
</span><span class="cx"> webkit.org/b/153161 http/tests/security/contentSecurityPolicy/register-bypassing-scheme-partial.html [ Failure ]
</span><span class="cx"> webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ]
</span><span class="cx"> webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]
</span><ins>+webkit.org/b/154522 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
</span><span class="cx"> 
</span><span class="cx"> # These state object tests purposefully stress a resource limit, and take multiple seconds to run.
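Review bot: the new skip line for securitypolicyviolation-base-uri-deny.html relies on the implicit default (a bug URL with no bracketed expectation means Skip), while every neighbouring line in this block carries an explicit [ Failure ]. Since the ChangeLog says the intent is to skip it until webkit.org/b/154522 enables SecurityPolicyViolationEvent, spell that out as `webkit.org/b/154522 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html [ Skip ]` so a reader does not mistake it for a line with a missing expectation.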
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11baseuridefaultignoredexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt (0 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: This is a safe script.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11baseuridefaultignoredhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html (0 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;default-src 'none'; script-src 'self'&quot;&gt;
+&lt;base href=&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/resources/&quot;&gt;
+&lt;script src=&quot;safe-script.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;/html&gt;
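Review bot: a regression here produces silence rather than a visible failure. If base-uri were wrongly governed by default-src 'none', the base element would be refused and safe-script.js would resolve against the document URL to 1.1/safe-script.js, which is not among the added resources (only 1.1/resources/safe-script.js and 1.1/resources/base-href/resources/safe-script.js are), so the only symptom would be a missing ALERT line. Consider adding a 1.1/safe-script.js that alerts a distinct failure string, the same two-file technique base-uri-deny.html in this change uses, so the expected output distinguishes "base honoured" from "script never ran".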
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11baseuridenyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt (197006 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt        2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -1,21 +1,4 @@
</span><del>-CONSOLE MESSAGE: Refused to set the document's base URI to 'http://example.com/' because it violates the following Content Security Policy directive: &quot;base-uri 'self'&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to set the document's base URI to 'http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/resources/base-href/' because it violates the following Content Security Policy directive: &quot;base-uri 'none'&quot;.
</ins><span class="cx"> 
</span><del>-Check that base URIs cannot be set if they violate the page's policy.
</del><ins>+ALERT: This is a safe script.
</ins><span class="cx"> 
</span><del>-On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
-
-
-Kicking off the tests:
-PASS document.baseURI is document.location.href
-PASS window.e.documentURI is &quot;http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/base-uri-deny.html&quot;
-PASS window.e.referrer is &quot;&quot;
-PASS window.e.blockedURI is &quot;http://example.com&quot;
-PASS window.e.violatedDirective is &quot;base-uri 'self'&quot;
-PASS window.e.effectiveDirective is &quot;base-uri&quot;
-PASS window.e.originalPolicy is &quot;base-uri 'self'&quot;
-PASS window.e.sourceFile is &quot;http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/base-uri-deny.html&quot;
-PASS window.e.lineNumber is 24
-PASS successfullyParsed is true
-
-TEST COMPLETE
-
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11baseuridenyhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html (197006 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html        2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -1,33 +1,12 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;base-uri 'self'&quot;&gt;
-    &lt;script src=&quot;http://localhost:8000/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
-    &lt;script src=&quot;http://localhost:8000/security/contentSecurityPolicy/resources/securitypolicyviolation-test.js&quot;&gt;&lt;/script&gt;
-    &lt;script&gt;
-        description('Check that base URIs cannot be set if they violate the page\'s policy.');
-
-        var expectations = {
-            'documentURI': document.location.toString(),
-            'referrer': document.referrer,
-            'blockedURI': 'http://example.com',
-            'violatedDirective': 'base-uri \'self\'',
-            'effectiveDirective': 'base-uri',
-            'originalPolicy': 'base-uri \'self\'',
-            'sourceFile': document.location.toString(),
-            'lineNumber': 24
-        };
-
-        function run() {
-            var base = document.createElement('base');
-            base.href = 'http://example.com/';
-            document.head.appendChild(base);
-
-            shouldBe('document.baseURI', 'document.location.href');
-        }
-    &lt;/script&gt;
-    &lt;script src=&quot;http://localhost:8000/js-test-resources/js-test-post.js&quot;&gt;&lt;/script&gt;
</del><ins>+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;base-uri 'none'&quot;&gt;
+&lt;base href=&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/resources/base-href/&quot;&gt;
+&lt;script src=&quot;resources/safe-script.js&quot;&gt;&lt;/script&gt;
</ins><span class="cx"> &lt;/head&gt;
</span><del>-&lt;body&gt;
-&lt;/body&gt;
</del><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11resourcesbasehrefresourcessafescriptjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js (0 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+alert(&quot;CSP violation&quot;);
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11resourcessafescriptjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js (0 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+alert(&quot;This is a safe script.&quot;);
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationbaseuridenyexpectedtxtfromrev197006trunkLayoutTestshttptestssecuritycontentSecurityPolicy11baseuridenyexpectedtxt"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt (from rev 197006, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt) (0 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+CONSOLE MESSAGE: Refused to set the document's base URI to 'http://example.com/' because it violates the following Content Security Policy directive: &quot;base-uri 'self'&quot;.
+
+Check that base URIs cannot be set if they violate the page's policy.
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+
+Kicking off the tests:
+PASS document.baseURI is document.location.href
+PASS window.e.documentURI is &quot;http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/base-uri-deny.html&quot;
+PASS window.e.referrer is &quot;&quot;
+PASS window.e.blockedURI is &quot;http://example.com&quot;
+PASS window.e.violatedDirective is &quot;base-uri 'self'&quot;
+PASS window.e.effectiveDirective is &quot;base-uri&quot;
+PASS window.e.originalPolicy is &quot;base-uri 'self'&quot;
+PASS window.e.sourceFile is &quot;http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/base-uri-deny.html&quot;
+PASS window.e.lineNumber is 24
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
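Review bot: the PASS lines for window.e.documentURI and window.e.sourceFile still name base-uri-deny.html, but this expectation now belongs to securitypolicyviolation-base-uri-deny.html, and the test computes both values from document.location.toString(), so the actual output will carry the new file name. Because the test is skipped under webkit.org/b/154522 the mismatch will not surface until the event is enabled; update both URLs to http://127.0.0.1:8000/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html now so that bug does not inherit a stale expectation.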
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11securitypolicyviolationbaseuridenyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html (0 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -0,0 +1,33 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;base-uri 'self'&quot;&gt;
+&lt;script src=&quot;http://localhost:8000/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;http://localhost:8000/security/contentSecurityPolicy/resources/securitypolicyviolation-test.js&quot;&gt;&lt;/script&gt;
+&lt;script&gt;
+    description(&quot;Check that base URIs cannot be set if they violate the page's policy.&quot;);
+
+    var expectations = {
+        'documentURI': document.location.toString(),
+        'referrer': document.referrer,
+        'blockedURI': 'http://example.com',
+        'violatedDirective': &quot;base-uri 'self'&quot;,
+        'effectiveDirective': 'base-uri',
+        'originalPolicy': &quot;base-uri 'self'&quot;,
+        'sourceFile': document.location.toString(),
+        'lineNumber': 24
+    };
+
+    function run() {
+        var base = document.createElement('base');
+        base.href = 'http://example.com/';
+        document.head.appendChild(base);
+
+        shouldBe('document.baseURI', 'document.location.href');
+    }
+&lt;/script&gt;
+&lt;script src=&quot;http://localhost:8000/js-test-resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingnosemicolonexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt (197006 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt        2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -2,6 +2,7 @@
</span><span class="cx"> CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'object-src' as a source expression. Did you mean 'script-src ...; object-src...' (note the semicolon)?
</span><span class="cx"> CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'style-src' as a source expression. Did you mean 'script-src ...; style-src...' (note the semicolon)?
</span><span class="cx"> CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'form-action' as a source expression. Did you mean 'script-src ...; form-action...' (note the semicolon)?
</span><ins>+CONSOLE MESSAGE: The Content Security Policy directive 'script-src' contains 'base-uri' as a source expression. Did you mean 'script-src ...; base-uri...' (note the semicolon)?
</ins><span class="cx"> If a web author forgets a semicolon, we should do our best to warn them that the policy they've defined is probably not what they intended.
</span><span class="cx"> 
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysourcelistparsingnosemicolonhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html (197006 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html        2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -5,7 +5,7 @@
</span><span class="cx"> &lt;script&gt;
</span><span class="cx"> var tests = [
</span><span class="cx">     ['yes', 'default-src \'self\' script-src example.com', 'resources/script.js'],
</span><del>-    ['yes', &quot;script-src 'self' object-src 'self' style-src * form-action 'self'&quot;, 'resources/script.js'],
</del><ins>+    ['yes', &quot;script-src 'self' object-src 'self' style-src * form-action 'self' base-uri 'self'&quot;, 'resources/script.js'],
</ins><span class="cx"> ];
</span><span class="cx"> &lt;/script&gt;
</span><span class="cx"> &lt;/head&gt;
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (197006 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/Source/WebCore/ChangeLog        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -1,3 +1,21 @@
</span><ins>+2016-02-23  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: Enable base-uri directive by default
+        https://bugs.webkit.org/show_bug.cgi?id=154521
+        &lt;rdar://problem/24762032&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Tests: http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html
+               http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html
+
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::isExperimentalDirectiveName): Move base-uri from the directives considered
+        experimental to...
+        (WebCore::isCSPDirectiveName): ...the list of standard directives.
+        (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Move logic to parse the base-uri
+        directive outside the ENABLE(CSP_NEXT) macro guarded section/experimental feature runtime flag.
+
</ins><span class="cx"> 2016-02-23  Gavin Barraclough  &lt;barraclough@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Add a mechanism to automatically ramp up timer alignment.
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (197006 => 197007)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-02-24 00:32:40 UTC (rev 197006)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-02-24 00:53:29 UTC (rev 197007)
</span><span class="lines">@@ -59,9 +59,7 @@
</span><span class="cx"> 
</span><span class="cx"> static inline bool isExperimentalDirectiveName(const String&amp; name)
</span><span class="cx"> {
</span><del>-    return equalLettersIgnoringASCIICase(name, baseURI)
-        || equalLettersIgnoringASCIICase(name, pluginTypes)
-        || equalLettersIgnoringASCIICase(name, reflectedXSS);
</del><ins>+    return equalLettersIgnoringASCIICase(name, pluginTypes) || equalLettersIgnoringASCIICase(name, reflectedXSS);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> #else
</span><span class="lines">@@ -75,7 +73,8 @@
</span><span class="cx"> 
</span><span class="cx"> bool isCSPDirectiveName(const String&amp; name)
</span><span class="cx"> {
</span><del>-    return equalLettersIgnoringASCIICase(name, connectSrc)
</del><ins>+    return equalLettersIgnoringASCIICase(name, baseURI)
+        || equalLettersIgnoringASCIICase(name, connectSrc)
</ins><span class="cx">         || equalLettersIgnoringASCIICase(name, defaultSrc)
</span><span class="cx">         || equalLettersIgnoringASCIICase(name, fontSrc)
</span><span class="cx">         || equalLettersIgnoringASCIICase(name, formAction)
</span><span class="lines">@@ -601,15 +600,15 @@
</span><span class="cx">         setCSPDirective&lt;ContentSecurityPolicySourceListDirective&gt;(name, value, m_childSrc);
</span><span class="cx">     else if (equalLettersIgnoringASCIICase(name, formAction))
</span><span class="cx">         setCSPDirective&lt;ContentSecurityPolicySourceListDirective&gt;(name, value, m_formAction);
</span><ins>+    else if (equalLettersIgnoringASCIICase(name, baseURI))
+        setCSPDirective&lt;ContentSecurityPolicySourceListDirective&gt;(name, value, m_baseURI);
</ins><span class="cx">     else if (equalLettersIgnoringASCIICase(name, sandbox))
</span><span class="cx">         applySandboxPolicy(name, value);
</span><span class="cx">     else if (equalLettersIgnoringASCIICase(name, reportURI))
</span><span class="cx">         parseReportURI(name, value);
</span><span class="cx"> #if ENABLE(CSP_NEXT)
</span><span class="cx">     else if (m_policy.experimentalFeaturesEnabled()) {
</span><del>-        if (equalLettersIgnoringASCIICase(name, baseURI))
-            setCSPDirective&lt;ContentSecurityPolicySourceListDirective&gt;(name, value, m_baseURI);
-        else if (equalLettersIgnoringASCIICase(name, pluginTypes))
</del><ins>+        if (equalLettersIgnoringASCIICase(name, pluginTypes))
</ins><span class="cx">             setCSPDirective&lt;ContentSecurityPolicyMediaListDirective&gt;(name, value, m_pluginTypes);
</span><span class="cx">         else if (equalLettersIgnoringASCIICase(name, reflectedXSS))
</span><span class="cx">             parseReflectedXSS(name, value);
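Review bot: parsing of base-uri now happens unconditionally, but this hunk only shows the parse side. Check that the m_baseURI member, its accessor, and the enforcement call that consults it when a base element is processed are also outside ENABLE(CSP_NEXT) and not gated on experimentalFeaturesEnabled(); otherwise a non-CSP_NEXT build would accept the directive without a console warning and never enforce it, and the new base-uri-deny.html would only catch that on configurations that run it.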
</span></span></pre>
</div>
</div>

</body>
</html>