<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[197697] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197697">197697</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-03-07 12:21:17 -0800 (Mon, 07 Mar 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>CSP: object-src directive should prohibit creation of nested browsing context
https://bugs.webkit.org/show_bug.cgi?id=153153
&lt;rdar://problem/24383209&gt;

Reviewed by Brent Fulgham.

Source/WebCore:

Enforce the Content Security Policy object-src directive when fetching a URL for content
that will cause an HTML object or HTML embed element to act as a nested browsing context
(i.e. behave as if the content was loaded in an HTML iframe element). This makes our
enforcement of the object-src directive match the behavior of the object-src directive
in the Content Security Policy 2.0 spec., &lt;http://www.w3.org/TR/2015/CR-CSP2-20150721/&gt;.

Tests: http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html
       http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html
       http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html
       http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html

* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Extracted from SubframeLoader::pluginIsLoadable().
Checks if the plugin element is allowed by the Content Security Policy to load the URL and MIME type.
(WebCore::SubframeLoader::pluginIsLoadable): Extract out the logic for determining if
the plugin content is allowed to load by the Content Security Policy into SubframeLoader::isPluginContentAllowedByContentSecurityPolicy()
and make use of this function.
(WebCore::SubframeLoader::requestObject): Modified to call SubframeLoader::isPluginContentAllowedByContentSecurityPolicy()
before loading plugin content into a sub frame. If the plugin content is not allowed to load then we
mark the plugin as unavailable with the reason being that it was blocked by the Content Security Policy.
* loader/SubframeLoader.h:

LayoutTests:

Add test to ensure that we enforce the Content Security Policy object-src directive
for HTML object and HTML embed elements that behave like an HTML iframe element.

* TestExpectations: Remove entries for tests that pass.
* http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html: Added.

* http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html:
* http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html:
* http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt:
* http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html:
Simplify the code used in the above tests and update incorrect expected results.

* http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html: Added.
* http/tests/security/contentSecurityPolicy/resources/object-src-param.js: Removed.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamcodeblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamcodeblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparammovieblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparammovieblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamurlblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamurlblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderSubframeLoadercpp">trunk/Source/WebCore/loader/SubframeLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderSubframeLoaderh">trunk/Source/WebCore/loader/SubframeLoader.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblocked2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblocked2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblocked2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblocked2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcurlblocked2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcurlblocked2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesobjectsrcparamjs">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/object-src-param.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/ChangeLog        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -1,3 +1,35 @@
</span><ins>+2016-03-07  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: object-src directive should prohibit creation of nested browsing context
+        https://bugs.webkit.org/show_bug.cgi?id=153153
+        &lt;rdar://problem/24383209&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Add test to ensure that we enforce the Content Security Policy object-src directive
+        for HTML object and HTML embed elements that behave like an HTML iframe element.
+
+        * TestExpectations: Remove entries for tests that pass.
+        * http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html: Added.
+
+        * http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html:
+        * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html:
+        * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html:
+        Simplify the code used in the above tests and update incorrect expected results.
+
+        * http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/object-src-param.js: Removed.
+
</ins><span class="cx"> 2016-03-07  Ryan Haddad  &lt;ryanhaddad@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Marking js/arraybuffer-wrappers.html as a flaky timeout on Mac
</span></span></pre></div>
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/TestExpectations        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -845,10 +845,6 @@
</span><span class="cx"> webkit.org/b/153151 http/tests/security/contentSecurityPolicy/icon-blocked.html [ Failure ]
</span><span class="cx"> webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-allowed.html # Needs testRunner.getManifestThen()
</span><span class="cx"> webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-blocked.html # Needs testRunner.getManifestThen()
</span><del>-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html
-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html
-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html
-webkit.org/b/153153 http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html
</del><span class="cx"> webkit.org/b/153154 http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html
</span><span class="cx"> webkit.org/b/153155 http/tests/security/contentSecurityPolicy/style-src-blocked-error-event.html
</span><span class="cx"> webkit.org/b/153159 http/tests/security/contentSecurityPolicy/image-document-default-src-none.html [ Failure ]
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt (0 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked-expected.txt        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
+
+This test passes if there is a console message saying the plugin was blocked. 
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html (0 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src 'none'&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+This test passes if there is a console message saying the plugin was blocked.
+&lt;embed src=&quot;/plugins/resources/mock-plugin.pl&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
+
</ins></span></pre></div>
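Review bot: embed-src-url-blocked.html ends with an empty line after the closing html tag (the hunk is 15 lines and the last one is blank), while the sibling embed-src-url-blocked2.html ends directly on the closing html tag. Drop the trailing blank line so the two new embed tests are consistent.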
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblocked2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt (0 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2-expected.txt        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedsrcurlblocked2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html (0 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src 'none'&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;embed src=&quot;resources/alert-fail.html&quot; type=&quot;text/html&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
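Review bot: the body of embed-src-url-blocked2.html states no pass criterion, unlike embed-src-url-blocked.html, so its expected result is only the console message followed by blank lines and a reader cannot tell what a failure would look like. Add a line in the body along the lines of "This test passes if there is a console message saying the load was blocked", and a short comment that type="text/html" on the embed is there to exercise the nested-browsing-context case described in the log message.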
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamcodeblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked-expected.txt        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?code' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8080&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?code' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8000&quot;.
</ins><span class="cx"> 
</span><del>-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
</del><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamcodeblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -1,13 +1,18 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-&lt;script src=&quot;resources/object-src-param.js&quot;&gt;&lt;/script&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://localhost:8080&quot;&gt;
</del><ins>+&lt;script src=&quot;/js-test-resources/plugin.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://localhost:8000&quot;&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText()
+&lt;/script&gt;
</ins><span class="cx"> &lt;/head&gt;
</span><span class="cx"> &lt;body&gt;
</span><span class="cx"> This test passes if there is a console message saying the plugin was blocked.
</span><del>-&lt;script&gt;
-    appendObjectElement('code');
-&lt;/script&gt;
</del><ins>+&lt;object type=&quot;application/x-webkit-test-netscape&quot;&gt;
+    &lt;param name=&quot;code&quot; value=&quot;http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?code&quot;&gt;
+&lt;/object&gt;
+&lt;script&gt;runAfterPluginLoad(null, NotifyDone);&lt;/script&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
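Review bot: in the inline script added to the head of object-src-param-code-blocked.html, testRunner.dumpAsText() has no terminating semicolon, while the same block in the movie, src and url variants of this test ends the statement with one. Add the semicolon so the four files stay identical apart from the param name.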
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparammovieblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked-expected.txt        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?movie' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8080&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?movie' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8000&quot;.
</ins><span class="cx"> 
</span><del>-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
</del><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparammovieblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -1,13 +1,18 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-&lt;script src=&quot;resources/object-src-param.js&quot;&gt;&lt;/script&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://localhost:8080&quot;&gt;
</del><ins>+&lt;script src=&quot;/js-test-resources/plugin.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://localhost:8000&quot;&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
</ins><span class="cx"> &lt;/head&gt;
</span><span class="cx"> &lt;body&gt;
</span><span class="cx"> This test passes if there is a console message saying the plugin was blocked.
</span><del>-&lt;script&gt;
-    appendObjectElement('movie');
-&lt;/script&gt;
</del><ins>+&lt;object type=&quot;application/x-webkit-test-netscape&quot;&gt;
+    &lt;param name=&quot;movie&quot; value=&quot;http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?movie&quot;&gt;
+&lt;/object&gt;
+&lt;script&gt;runAfterPluginLoad(null, NotifyDone);&lt;/script&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
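Review bot: the param value points at http://127.0.0.1:8000 while the policy in the meta element allows http://localhost:8000, so the expected block depends entirely on those two host names being treated as different sources, and nothing in the file says so. A one-line comment stating that the host mismatch is intentional would keep someone from "correcting" it later; the same applies to the code, src and url variants.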
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked-expected.txt        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?src' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8080&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?src' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8000&quot;.
</ins><span class="cx"> 
</span><del>-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
</del><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -1,13 +1,18 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-&lt;script src=&quot;resources/object-src-param.js&quot;&gt;&lt;/script&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://localhost:8080&quot;&gt;
</del><ins>+&lt;script src=&quot;/js-test-resources/plugin.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://localhost:8000&quot;&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
</ins><span class="cx"> &lt;/head&gt;
</span><span class="cx"> &lt;body&gt;
</span><span class="cx"> This test passes if there is a console message saying the plugin was blocked.
</span><del>-&lt;script&gt;
-    appendObjectElement('src');
-&lt;/script&gt;
</del><ins>+&lt;object type=&quot;application/x-webkit-test-netscape&quot;&gt;
+    &lt;param name=&quot;src&quot; value=&quot;http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?src&quot;&gt;
+&lt;/object&gt;
+&lt;script&gt;runAfterPluginLoad(null, NotifyDone);&lt;/script&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblocked2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt (0 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2-expected.txt        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamsrcblocked2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html (0 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src 'none'&quot;&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;object type=&quot;application/x-non-existent-plugin&quot;&gt;
+    &lt;param name=&quot;src&quot; value=&quot;resources/alert-fail.html&quot;&gt;
+&lt;/object&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
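Review bot: the object element in object-src-param-src-blocked2.html combines type="application/x-non-existent-plugin" with a param named src that points at an HTML file, and the test does not explain why that combination is the case under test. Add a comment tying it to the nested-browsing-context behaviour from the log message, plus a visible pass criterion in the body as the other object-src-param tests have. Also, the meta element precedes the script here but follows it in embed-src-url-blocked2.html; pick one order for the new tests.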
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamurlblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked-expected.txt        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -1,4 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?url' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8080&quot;.
</del><ins>+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?url' because it violates the following Content Security Policy directive: &quot;object-src http://localhost:8000&quot;.
</ins><span class="cx"> 
</span><del>-CONSOLE MESSAGE: line 16: PASS: Error occurred, so load was correctly blocked.
</del><span class="cx"> This test passes if there is a console message saying the plugin was blocked. 
</span></span></pre></div>
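Review bot: dropping the expected line "PASS: Error occurred, so load was correctly blocked." means this expectation now records only the CSP console message, and nothing checks any more that an error event is dispatched on the blocked object. If that event is still intended behaviour, keep a listener for it in the test; if it is not, say so in the change description.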
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcparamurlblockedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -1,13 +1,18 @@
</span><span class="cx"> &lt;!DOCTYPE html&gt;
</span><span class="cx"> &lt;html&gt;
</span><span class="cx"> &lt;head&gt;
</span><del>-&lt;script src=&quot;resources/object-src-param.js&quot;&gt;&lt;/script&gt;
-&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://localhost:8080&quot;&gt;
</del><ins>+&lt;script src=&quot;/js-test-resources/plugin.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://localhost:8000&quot;&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
</ins><span class="cx"> &lt;/head&gt;
</span><span class="cx"> &lt;body&gt;
</span><span class="cx"> This test passes if there is a console message saying the plugin was blocked.
</span><del>-&lt;script&gt;
-    appendObjectElement('url');
-&lt;/script&gt;
</del><ins>+&lt;object type=&quot;application/x-webkit-test-netscape&quot;&gt;
+    &lt;param name=&quot;url&quot; value=&quot;http://127.0.0.1:8000/plugins/resources/mock-plugin.pl?url&quot;&gt;
+&lt;/object&gt;
+&lt;script&gt;runAfterPluginLoad(null, NotifyDone);&lt;/script&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
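Review bot: testRunner.waitUntilDone() used to be called from resources/object-src-param.js, and the new inline script in the head only calls testRunner.dumpAsText(). The test now depends on runAfterPluginLoad(null, NotifyDone) from /js-test-resources/plugin.js to hold the test open until the blocked load has been reported; confirm that it does, or call waitUntilDone() here explicitly. A short comment that the policy host localhost:8000 and the param host 127.0.0.1:8000 differ on purpose would also help.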
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcurlblocked2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt (0 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2-expected.txt        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+CONSOLE MESSAGE: Refused to load plugin data from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because it violates the following Content Security Policy directive: &quot;object-src 'none'&quot;.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectsrcurlblocked2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html (0 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src 'none'&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;object data=&quot;resources/alert-fail.html&quot; type=&quot;text/html&quot;&gt;&lt;/object&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
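Review bot: the Content-Security-Policy meta element comes after the inline script here, while object-src-param-src-blocked2.html in the same change puts it before the script. Put the meta element first in both files, so the policy is visibly in place ahead of everything else in the document and the two new tests read the same way.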
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesobjectsrcparamjs"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/object-src-param.js (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/object-src-param.js        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/object-src-param.js        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -1,29 +0,0 @@
</span><del>-if (window.testRunner) {
-    testRunner.dumpAsText();
-    testRunner.waitUntilDone();
-}
-
-function appendObjectElement(type) {
-    window.onload = function () {
-        var o = document.createElement('object');
-        o.setAttribute('type', 'application/x-webkit-test-netscape');
-        o.addEventListener('load', function () {
-            console.log('FAIL: The object should have been blocked.');
-            if (window.testRunner)
-                testRunner.notifyDone();
-        });
-        o.addEventListener('error', function () {
-            console.log('PASS: Error occurred, so load was correctly blocked.');
-            if (window.testRunner)
-                testRunner.notifyDone();
-        });
-
-        var p = document.createElement('param');
-        p.setAttribute('value', 'http://127.0.0.1:8080/plugins/resources/mock-plugin.pl?' + type);
-        p.setAttribute('name', type);
-
-        o.appendChild(p);
-
-        document.body.appendChild(o);
-    };
-}
</del></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/Source/WebCore/ChangeLog        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2016-03-07  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: object-src directive should prohibit creation of nested browsing context
+        https://bugs.webkit.org/show_bug.cgi?id=153153
+        &lt;rdar://problem/24383209&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Enforce the Content Security Policy object-src directive when fetching a URL for content
+        that will cause an HTML object or HTML embed element to act as a nested browsing context
+        (i.e. behave as if the content was loaded in an HTML iframe element). This makes our
+        enforcement of the object-src directive match the behavior of the object-src directive
+        in the Content Security Policy 2.0 spec., &lt;http://www.w3.org/TR/2015/CR-CSP2-20150721/&gt;.
+
+        Tests: http/tests/security/contentSecurityPolicy/embed-src-url-blocked.html
+               http/tests/security/contentSecurityPolicy/embed-src-url-blocked2.html
+               http/tests/security/contentSecurityPolicy/object-src-param-src-blocked2.html
+               http/tests/security/contentSecurityPolicy/object-src-url-blocked2.html
+
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Extracted from SubframeLoader::pluginIsLoadable().
+        Checks if the plugin element is allowed by the Content Security Policy to load the URL and MIME type.
+        (WebCore::SubframeLoader::pluginIsLoadable): Extract out the logic for determining if
+        the plugin content is allowed to load by the Content Security Policy into SubframeLoader::isPluginContentAllowedByContentSecurityPolicy()
+        and make use of this function.
+        (WebCore::SubframeLoader::requestObject): Modified to call SubframeLoader::isPluginContentAllowedByContentSecurityPolicy()
+        before loading plugin content into a sub frame. If the plugin content is not allowed to load then we
+        mark the plugin as unavailable with the reason being that it was blocked by the Content Security Policy.
+        * loader/SubframeLoader.h:
+
</ins><span class="cx"> 2016-03-06  Gavin Barraclough  &lt;barraclough@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Convert DOMTimer to std::chrono::milliseconds
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderSubframeLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/SubframeLoader.cpp (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/SubframeLoader.cpp        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/Source/WebCore/loader/SubframeLoader.cpp        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -104,6 +104,20 @@
</span><span class="cx">     return shouldUsePlugin(completedURL, mimeType, false, useFallback);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+bool SubframeLoader::isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement&amp; pluginElement, const URL&amp; url, const String&amp; mimeType) const
+{
+    if (!document())
+        return true;
+
+    ASSERT(document()-&gt;contentSecurityPolicy());
+    const ContentSecurityPolicy&amp; contentSecurityPolicy = *document()-&gt;contentSecurityPolicy();
+
+    String declaredMimeType = document()-&gt;isPluginDocument() &amp;&amp; document()-&gt;ownerElement() ?
+        document()-&gt;ownerElement()-&gt;fastGetAttribute(HTMLNames::typeAttr) : pluginElement.fastGetAttribute(HTMLNames::typeAttr);
+    bool isInUserAgentShadowTree = pluginElement.isInUserAgentShadowTree();
+    return contentSecurityPolicy.allowObjectFromSource(url, isInUserAgentShadowTree) &amp;&amp; contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, url, isInUserAgentShadowTree);
+}
+
</ins><span class="cx"> bool SubframeLoader::pluginIsLoadable(HTMLPlugInImageElement&amp; pluginElement, const URL&amp; url, const String&amp; mimeType)
</span><span class="cx"> {
</span><span class="cx">     if (MIMETypeRegistry::isJavaAppletMIMEType(mimeType)) {
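Review bot: the early return for a null document() fails open, returning true (allowed) from a function whose only job is a policy check. If a missing document cannot happen on these paths, assert it instead; if it can, add a comment on why allowing the load is safe. Also, ASSERT(document()-&gt;contentSecurityPolicy()) compiles out in release builds and the pointer is dereferenced on the next line, so state where the policy object is guaranteed to exist.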
</span><span class="lines">@@ -122,12 +136,7 @@
</span><span class="cx">             return false;
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        String declaredMimeType = document()-&gt;isPluginDocument() &amp;&amp; document()-&gt;ownerElement() ?
-            document()-&gt;ownerElement()-&gt;fastGetAttribute(HTMLNames::typeAttr) :
-            pluginElement.fastGetAttribute(HTMLNames::typeAttr);
-        bool isInUserAgentShadowTree = pluginElement.isInUserAgentShadowTree();
-        if (!document()-&gt;contentSecurityPolicy()-&gt;allowObjectFromSource(url, isInUserAgentShadowTree)
-            || !document()-&gt;contentSecurityPolicy()-&gt;allowPluginType(mimeType, declaredMimeType, url, isInUserAgentShadowTree)) {
</del><ins>+        if (!isPluginContentAllowedByContentSecurityPolicy(pluginElement, url, mimeType)) {
</ins><span class="cx">             RenderEmbeddedObject* renderer = pluginElement.renderEmbeddedObject();
</span><span class="cx">             renderer-&gt;setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
</span><span class="cx">             return false;
</span><span class="lines">@@ -227,6 +236,12 @@
</span><span class="cx">         return success;
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    if (!isPluginContentAllowedByContentSecurityPolicy(ownerElement, completedURL, mimeType)) {
+        RenderEmbeddedObject* renderer = ownerElement.renderEmbeddedObject();
+        renderer-&gt;setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
+        return false;
+    }
+
</ins><span class="cx">     // If the plug-in element already contains a subframe, loadOrRedirectSubframe will re-use it. Otherwise,
</span><span class="cx">     // it will create a new frame and set it as the RenderWidget's Widget, causing what was previously 
</span><span class="cx">     // in the widget to be torn down.
</span></span></pre></div>
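Review bot: in the added block, renderer is dereferenced straight after ownerElement.renderEmbeddedObject() with no null check. If requestObject() can be reached for an element that has no RenderEmbeddedObject, a blocked load becomes a null dereference; guard the call or note why a renderer is guaranteed here. The same three lines now also appear in pluginIsLoadable(), so a small helper that marks the element as PluginBlockedByContentSecurityPolicy would keep the two call sites in step.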
<a id="trunkSourceWebCoreloaderSubframeLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/SubframeLoader.h (197696 => 197697)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/SubframeLoader.h        2016-03-07 19:39:44 UTC (rev 197696)
+++ trunk/Source/WebCore/loader/SubframeLoader.h        2016-03-07 20:21:17 UTC (rev 197697)
</span><span class="lines">@@ -77,6 +77,8 @@
</span><span class="cx">     Frame* loadSubframe(HTMLFrameOwnerElement&amp;, const URL&amp;, const String&amp; name, const String&amp; referrer);
</span><span class="cx">     bool loadPlugin(HTMLPlugInImageElement&amp;, const URL&amp;, const String&amp; mimeType, const Vector&lt;String&gt;&amp; paramNames, const Vector&lt;String&gt;&amp; paramValues, bool useFallback);
</span><span class="cx"> 
</span><ins>+    bool isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement&amp;, const URL&amp;, const String&amp; mimeType) const;
+
</ins><span class="cx">     bool shouldUsePlugin(const URL&amp;, const String&amp; mimeType, bool hasFallback, bool&amp; useFallback);
</span><span class="cx">     bool pluginIsLoadable(HTMLPlugInImageElement&amp;, const URL&amp;, const String&amp; mimeType);
</span><span class="cx"> 
</span></span></pre>
</div>
</div>

</body>
</html>