<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[198107] releases/WebKitGTK/webkit-2.12</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/198107">198107</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-03-14 03:20:20 -0700 (Mon, 14 Mar 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/197724">r197724</a> - CSP: Source '*' should not match URLs with schemes blob, data, or filesystem
https://bugs.webkit.org/show_bug.cgi?id=154122
<rdar://problem/24613336>
Reviewed by Brent Fulgham.
Source/WebCore:
Restrict matching of source expression * to HTTP or HTTPS URLs for all directives except
img-src and media-src. This policy is more restrictive than the policy described in section
Matching Source Expressions of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721>,
which restricts matching * to schemes that are not blob, data, or filesystem.
For directive img-src we restrict matching of * to HTTP, HTTPS, and data URLs. For directive
media-src we restrict matching of * to HTTP, HTTPS, data URLs and blob URLs. We use a
more lenient interpretation of * for directives img-src and media-src than required by
the spec. to mitigate web compatibility issues.
Tests: fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html
fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html
fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html
fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html
fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html
http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html
http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html
http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html
http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html
http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html
http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html
http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html
media/video-with-blob-url-allowed-by-csp-media-src-star.html
media/video-with-data-url-allowed-by-csp-media-src-star.html
media/video-with-file-url-blocked-by-csp-media-src-star.html
* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar): Added.
(WebCore::ContentSecurityPolicySourceList::matches): Modified to only match * if ContentSecurityPolicySourceList::isProtocolAllowedByStar().
evaluates to true.
* page/csp/ContentSecurityPolicySourceList.h:
LayoutTests:
Add tests to ensure that we do not regress our interpretation of * with respect to directives
img-src, media-src, style-src, and default-src.
When running in WebKitTestRunner, skip the tests fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
and media/video-with-blob-url-allowed-by-csp-media-src-star.html as they make use of eventSender.beginDragWithFiles(),
which is not implement. We will need to fix <https://bugs.webkit.org/show_bug.cgi?id=64285>
before we can run these tests in WebKitTestRunner.
* TestExpectations:
* fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html: Added.
* fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html: Added.
* fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html: Added.
* fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html: Added.
* fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html: Added.
* fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html: Added.
* fast/dom/HTMLImageElement/resources/green.png: Added.
* fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html: Added.
* fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html: Added.
* fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html: Added.
* fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html: Added.
* fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html: Added.
* fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html: Added.
* fast/dom/HTMLLinkElement/resources/red-background-color.css: Added.
(#test):
* http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html: Added.
* media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html: Added.
* media/video-with-blob-url-allowed-by-csp-media-src-star.html: Added.
* media/video-with-data-url-allowed-by-csp-media-src-star-expected.html: Added.
* media/video-with-data-url-allowed-by-csp-media-src-star.html: Added.
* media/video-with-file-url-blocked-by-csp-media-src-star-expected.html: Added.
* media/video-with-file-url-blocked-by-csp-media-src-star.html: Added.
* platform/wk2/TestExpectations:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsTestExpectations">releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsplatformwk2TestExpectations">releases/WebKitGTK/webkit-2.12/LayoutTests/platform/wk2/TestExpectations</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCorepagecspContentSecurityPolicySourceListcpp">releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCorepagecspContentSecurityPolicySourceListh">releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithbloburlblockedbycspimgsrcstarexpectedhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithbloburlblockedbycspimgsrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithdataurlallowedbycspimgsrcstarexpectedhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithdataurlallowedbycspimgsrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithfileurlblockedbycspimgsrcstarexpectedhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithfileurlblockedbycspimgsrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementresourcesgreenpng">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/resources/green.png</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithbloburlblockedbycspstylesrcstarexpectedhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithbloburlblockedbycspstylesrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithdataurlblockedbycspstylesrcstarexpectedhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithdataurlblockedbycspstylesrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithfileurlblockedbycspstylesrcstarexpectedhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithfileurlblockedbycspstylesrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementresourcesredbackgroundcolorcss">releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyimagewithhttpurlallowedbycspimgsrcstarexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyimagewithhttpurlallowedbycspimgsrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyimagewithhttpsurlallowedbycspimgsrcstarexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyimagewithhttpsurlallowedbycspimgsrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedbydefaultsrcstarexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedbydefaultsrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicylinkwithhttpurlallowedbycspstylesrcstarexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicylinkwithhttpurlallowedbycspstylesrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicylinkwithhttpsurlallowedbycspstylesrcstarexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicylinkwithhttpsurlallowedbycspstylesrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyvideowithhttpurlallowedbycspmediasrcstarexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyvideowithhttpurlallowedbycspmediasrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyvideowithhttpsurlallowedbycspmediasrcstarexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyvideowithhttpsurlallowedbycspmediasrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsmediavideowithbloburlallowedbycspmediasrcstarexpectedhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsmediavideowithbloburlallowedbycspmediasrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsmediavideowithdataurlallowedbycspmediasrcstarexpectedhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsmediavideowithdataurlallowedbycspmediasrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsmediavideowithfileurlblockedbycspmediasrcstarexpectedhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsmediavideowithfileurlblockedbycspmediasrcstarhtml">releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit212LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (198106 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-03-14 10:19:08 UTC (rev 198106)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -1,5 +1,59 @@
</span><span class="cx"> 2016-03-07 Daniel Bates <dabates@apple.com>
</span><span class="cx">
</span><ins>+ CSP: Source '*' should not match URLs with schemes blob, data, or filesystem
+ https://bugs.webkit.org/show_bug.cgi?id=154122
+ <rdar://problem/24613336>
+
+ Reviewed by Brent Fulgham.
+
+ Add tests to ensure that we do not regress our interpretation of * with respect to directives
+ img-src, media-src, style-src, and default-src.
+
+ When running in WebKitTestRunner, skip the tests fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
+ and media/video-with-blob-url-allowed-by-csp-media-src-star.html as they make use of eventSender.beginDragWithFiles(),
+ which is not implement. We will need to fix <https://bugs.webkit.org/show_bug.cgi?id=64285>
+ before we can run these tests in WebKitTestRunner.
+
+ * TestExpectations:
+ * fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html: Added.
+ * fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html: Added.
+ * fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html: Added.
+ * fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html: Added.
+ * fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html: Added.
+ * fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html: Added.
+ * fast/dom/HTMLImageElement/resources/green.png: Added.
+ * fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html: Added.
+ * fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html: Added.
+ * fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html: Added.
+ * fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html: Added.
+ * fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html: Added.
+ * fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html: Added.
+ * fast/dom/HTMLLinkElement/resources/red-background-color.css: Added.
+ (#test):
+ * http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html: Added.
+ * http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html: Added.
+ * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html: Added.
+ * http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html: Added.
+ * http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html: Added.
+ * http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html: Added.
+ * http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html: Added.
+ * media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html: Added.
+ * media/video-with-blob-url-allowed-by-csp-media-src-star.html: Added.
+ * media/video-with-data-url-allowed-by-csp-media-src-star-expected.html: Added.
+ * media/video-with-data-url-allowed-by-csp-media-src-star.html: Added.
+ * media/video-with-file-url-blocked-by-csp-media-src-star-expected.html: Added.
+ * media/video-with-file-url-blocked-by-csp-media-src-star.html: Added.
+ * platform/wk2/TestExpectations:
+
+2016-03-07 Daniel Bates <dabates@apple.com>
+
</ins><span class="cx"> CSP: object-src directive should prohibit creation of nested browsing context
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=153153
</span><span class="cx"> <rdar://problem/24383209>
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations (198106 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations 2016-03-14 10:19:08 UTC (rev 198106)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/TestExpectations 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -852,6 +852,7 @@
</span><span class="cx"> webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ]
</span><span class="cx"> webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]
</span><span class="cx"> webkit.org/b/154522 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html
</span><ins>+webkit.org/b/155132 http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html [ Failure ]
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
</span><span class="cx">
</span><span class="cx"> # These state object tests purposefully stress a resource limit, and take multiple seconds to run.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithbloburlblockedbycspimgsrcstarexpectedhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading image with a blob URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. To run this test by hand, select an image file. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
+<img width="128" height="128" alt="PASS">
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithbloburlblockedbycspimgsrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,56 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src *">
+</head>
+<script>
+if (window.testRunner)
+ testRunner.waitUntilDone();
+
+var fileInput;
+
+function testFinished()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function loadImage(event)
+{
+ var image = document.createElement("img");
+ image.height = "128";
+ image.width = "128";
+ image.alt = "PASS";
+ image.onload = testFinished;
+ image.onerror = testFinished;
+ image.src = window.URL.createObjectURL(event.target.files[0]);
+
+ document.body.removeChild(fileInput);
+ document.body.appendChild(image);
+}
+
+function runTest()
+{
+ if (!window.eventSender)
+ return;
+
+ var x = fileInput.offsetLeft + fileInput.offsetWidth / 2;
+ var y = fileInput.offsetTop + fileInput.offsetHeight / 2;
+
+ eventSender.beginDragWithFiles(["../resources/abe.png"]);
+ eventSender.mouseMoveTo(x, y);
+ eventSender.mouseUp();
+}
+
+window.onload = function ()
+{
+ fileInput = document.getElementById("file");
+ fileInput.onchange = loadImage;
+ runTest();
+}
+</script>
+<body>
+<p>This tests that loading image with a blob URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. To run this test by hand, select an image file. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
+<input type="file" id="file" accept="image/*">
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithdataurlallowedbycspimgsrcstarexpectedhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading image with a data URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADwAAAA8CAIAAAC1nk4lAAAAAXNSR0IArs4c6QAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9oFFQg4GNq2yCEAAAAZdEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIEdJTVBXgQ4XAAAAR0lEQVRo3u3OQQ0AAAgEoNPkRjeFDzdIQGXyTifS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0vcWUo0A+IZA5H8AAAAASUVORK5CYII=" width="128" height="128">
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithdataurlallowedbycspimgsrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src *">
+</head>
+<body>
+<p>This tests that loading image with a data URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADwAAAA8CAIAAAC1nk4lAAAAAXNSR0IArs4c6QAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9oFFQg4GNq2yCEAAAAZdEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIEdJTVBXgQ4XAAAAR0lEQVRo3u3OQQ0AAAgEoNPkRjeFDzdIQGXyTifS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0vcWUo0A+IZA5H8AAAAASUVORK5CYII=" width="128" height="128">
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithfileurlblockedbycspimgsrcstarexpectedhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading image with a file URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
+<img src="" width="128" height="128" alt="PASS">
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementimagewithfileurlblockedbycspimgsrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src *">
+</head>
+<body>
+<p>This tests that loading image with a file URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
+<img src="resources/green.png" width="128" height="128" alt="PASS">
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLImageElementresourcesgreenpng"></a>
<div class="binary"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/resources/green.png</h4>
<pre class="diff"><span>
<span class="cx">(Binary files differ)
</span></span></pre></div>
<span class="cx">Property changes on: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLImageElement/resources/green.png
</span><span class="cx">___________________________________________________________________
</span><a id="svnmimetype"></a>
<div class="addfile"><h4>Added: svn:mime-type</h4></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithbloburlblockedbycspstylesrcstarexpectedhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading a stylesheet with a blob URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div style="background-color: green; height: 128px; width: 128px"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithbloburlblockedbycspstylesrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test {
+ background-color: green;
+ height: 128px;
+ width: 128px;
+}
+</style>
+<meta http-equiv="Content-Security-Policy" content="style-src *">
+<script>
+function createLinkElementWithStylesheet(stylesheetURL)
+{
+ var link = document.createElement("link");
+ link.rel = "stylesheet";
+ link.href = stylesheetURL;
+ return link;
+}
+
+var blobURL = window.URL.createObjectURL(new Blob(["#test { background-color: red !important; }"], {type: "text/css"}));
+document.head.appendChild(createLinkElementWithStylesheet(blobURL));
+</script>
+</head>
+<body>
+<p>This tests that loading a stylesheet with a blob URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div id="test"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithdataurlblockedbycspstylesrcstarexpectedhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading a stylesheet with a data URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div style="background-color: green; height: 128px; width: 128px"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithdataurlblockedbycspstylesrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test {
+ background-color: green;
+ height: 128px;
+ width: 128px;
+}
+</style>
+<meta http-equiv="Content-Security-Policy" content="style-src *">
+<link rel="stylesheet" href="data:text/css, #test { background-color: red !important; }">
+</head>
+<body>
+<p>This tests that loading a stylesheet with a data URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div id="test"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithfileurlblockedbycspstylesrcstarexpectedhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading a stylesheet with a file URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div style="background-color: green; height: 128px; width: 128px"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementlinkwithfileurlblockedbycspstylesrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test {
+ background-color: green;
+ height: 128px;
+ width: 128px;
+}
+</style>
+<meta http-equiv="Content-Security-Policy" content="style-src *">
+<link rel="stylesheet" href="resources/red-background-color.css">
+</head>
+<body>
+<p>This tests that loading a stylesheet with a file URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div id="test"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsfastdomHTMLLinkElementresourcesredbackgroundcolorcss"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+#test { background-color: red !important; }
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyimagewithhttpurlallowedbycspimgsrcstarexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+This tests that loading an image with an HTTP URL is allowed when the page has Content Security Policy "img-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyimagewithhttpurlallowedbycspimgsrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src *">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadImage()
+{
+ testPassed("did load image.");
+ finishJSTest();
+}
+
+function failedToLoadImage()
+{
+ testFailed("failed to load image.");
+ finishJSTest();
+}
+</script>
+</head>
+<body>
+<script>
+description("This tests that loading an image with an HTTP URL is allowed when the page has Content Security Policy &quot;img-src *&quot;.");
+</script>
+<img src="http://127.0.0.1:8000/security/resources/abe.png" onload="didLoadImage()" onerror="failedToLoadImage()">
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyimagewithhttpsurlallowedbycspimgsrcstarexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+This tests that loading an image with an HTTPS URL is allowed when the page has Content Security Policy "img-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyimagewithhttpsurlallowedbycspimgsrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src *">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadImage()
+{
+ testPassed("did load image.");
+ finishJSTest();
+}
+
+function failedToLoadImage()
+{
+ testFailed("failed to load image.");
+ finishJSTest();
+}
+</script>
+</head>
+<body>
+<script>
+description("This tests that loading an image with an HTTPS URL is allowed when the page has Content Security Policy &quot;img-src *&quot;.");
+</script>
+<img src="https://127.0.0.1:8443/security/resources/abe.png" onload="didLoadImage()" onerror="failedToLoadImage()">
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedbydefaultsrcstarexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "default-src *". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
+
+CONSOLE MESSAGE: Refused to load plugin data from 'javascript:alert('FAIL');' because it violates the following Content Security Policy directive: "default-src *". Note that 'object-src' was not explicitly set, so 'default-src' is used as a fallback.
+
+CONSOLE MESSAGE: Refused to load plugin data from 'javascript:alert('FAIL');' because it violates the following Content Security Policy directive: "default-src *". Note that 'object-src' was not explicitly set, so 'default-src' is used as a fallback.
+
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyjavascripturlblockedbydefaultsrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+</head>
+<body>
+ <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/javascript-url.pl?should_run=no&csp=default-src *"></iframe>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicylinkwithhttpurlallowedbycspstylesrcstarexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+This tests that loading a stylesheet with an HTTP URL is allowed when the page has Content Security Policy "style-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load stylesheet.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicylinkwithhttpurlallowedbycspstylesrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="style-src * 'unsafe-inline'">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadStylesheet()
+{
+ testPassed("did load stylesheet.");
+ finishJSTest();
+}
+
+function failedToLoadStylesheet()
+{
+ testFailed("failed to load stylesheet.");
+ finishJSTest();
+}
+</script>
+<link rel="stylesheet" href="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style-set-red.css" onload="didLoadStylesheet()" onerror="failedToLoadStylesheet()">
+</head>
+<body>
+<script>
+description("This tests that loading a stylesheet with an HTTP URL is allowed when the page has Content Security Policy &quot;style-src *&quot;.");
+</script>
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicylinkwithhttpsurlallowedbycspstylesrcstarexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+This tests that loading a stylesheet with an HTTPS URL is allowed when the page has Content Security Policy "style-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load stylesheet.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicylinkwithhttpsurlallowedbycspstylesrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="style-src * 'unsafe-inline'">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadStylesheet()
+{
+ testPassed("did load stylesheet.");
+ finishJSTest();
+}
+
+function failedToLoadStylesheet()
+{
+ testFailed("failed to load stylesheet.");
+ finishJSTest();
+}
+</script>
+<link rel="stylesheet" href="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/style-set-red.css" onload="didLoadStylesheet()" onerror="failedToLoadStylesheet()">
+</head>
+<body>
+<script>
+description("This tests that loading a stylesheet with an HTTPS URL is allowed when the page has Content Security Policy &quot;style-src *&quot;.");
+</script>
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyvideowithhttpurlallowedbycspmediasrcstarexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+This tests that loading a video with an HTTP URL is allowed when the page has Content Security Policy "media-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load video.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyvideowithhttpurlallowedbycspmediasrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,45 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="media-src *">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script src="/media-resources/media-file.js"></script>
+<style>
+video {
+ background-color: red;
+ width: 128px;
+ height: 128px;
+}
+</style>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadVideo()
+{
+ testPassed("did load video.");
+ finishJSTest();
+}
+
+function failedToLoadVideo()
+{
+ testFailed("failed to load video.");
+ finishJSTest();
+}
+
+window.onload = function ()
+{
+ var video = document.getElementById("video");
+ video.oncanplay = didLoadVideo;
+ video.onerror = failedToLoadVideo;
+ video.src = "http://127.0.0.1:8000/media-resources/" + findMediaFile("video", "content/test");
+}
+</script>
+</head>
+<body>
+<script>
+description("This tests that loading a video with an HTTP URL is allowed when the page has Content Security Policy &quot;media-src *&quot;.");
+</script>
+<video id="video"></video>
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyvideowithhttpsurlallowedbycspmediasrcstarexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+This tests that loading a video with an HTTPS URL is allowed when the page has Content Security Policy "media-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load video.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyvideowithhttpsurlallowedbycspmediasrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,45 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="media-src *">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script src="/media-resources/media-file.js"></script>
+<style>
+video {
+ background-color: red;
+ width: 128px;
+ height: 128px;
+}
+</style>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadVideo()
+{
+ testPassed("did load video.");
+ finishJSTest();
+}
+
+function failedToLoadVideo()
+{
+ testFailed("failed to load video.");
+ finishJSTest();
+}
+
+window.onload = function ()
+{
+ var video = document.getElementById("video");
+ video.oncanplay = didLoadVideo;
+ video.onerror = failedToLoadVideo;
+ video.src = "https://127.0.0.1:8443/media-resources/" + findMediaFile("video", "content/test");
+}
+</script>
+</head>
+<body>
+<script>
+description("This tests that loading a video with an HTTPS URL is allowed when the page has Content Security Policy &quot;media-src *&quot;.");
+</script>
+<video id="video"></video>
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsmediavideowithbloburlallowedbycspmediasrcstarexpectedhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script src="media-file.js"></script>
+<script>
+if (window.testRunner)
+ testRunner.waitUntilDone();
+
+function testFinished()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+window.onload = function ()
+{
+ var video = document.getElementById("video");
+ video.onloadedmetadata = testFinished;
+ video.onerror = testFinished;
+ video.src = findMediaFile("video", "content/test");
+}
+</script>
+</head>
+<body>
+<p>This tests that loading a video with a blob URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. To run this test by hand, select a video file. This test PASSED if the video loads and its first frame is shown below. Otherwise, it FAILED.</p>
+<video id="video"></video>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsmediavideowithbloburlallowedbycspmediasrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,54 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="media-src *">
+<script src="media-file.js"></script>
+<script>
+if (window.testRunner)
+ testRunner.waitUntilDone();
+
+var fileInput;
+
+function testFinished()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+function loadVideo(event)
+{
+ var video = document.createElement("video");
+ video.onloadedmetadata = testFinished;
+ video.onerror = testFinished;
+ video.src = window.URL.createObjectURL(event.target.files[0]);
+
+ document.body.removeChild(fileInput);
+ document.body.appendChild(video);
+}
+
+function runTest()
+{
+ if (!window.eventSender)
+ return;
+
+ var x = fileInput.offsetLeft + fileInput.offsetWidth / 2;
+ var y = fileInput.offsetTop + fileInput.offsetHeight / 2;
+
+ eventSender.beginDragWithFiles([findMediaFile("video", "content/test")]);
+ eventSender.mouseMoveTo(x, y);
+ eventSender.mouseUp();
+}
+
+window.onload = function ()
+{
+ fileInput = document.getElementById("file");
+ fileInput.onchange = loadVideo;
+ runTest();
+}
+</script>
+</head>
+<body>
+<p>This tests that loading a video with a blob URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. To run this test by hand, select a video file. This test PASSED if the video loads and its first frame is shown below. Otherwise, it FAILED.</p>
+<input type="file" id="file">
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsmediavideowithdataurlallowedbycspmediasrcstarexpectedhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<style>
+video {
+ width: 128px;
+ height: 128px;
+}
+</style>
+<script>
+if (window.testRunner)
+ testRunner.waitUntilDone();
+
+function testFinished()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that loading a video with a data URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. This test PASSED if you see a square with a green-to-gray horizontal gradient. Otherwise, it FAILED.</p>
+<video src="data:video/mp4;base64,AAAAGGZ0eXBtcDQyAAAAAW1wNDJtcDQxAAACrW1vb3YAAABsbXZoZAAAAADTABd80wAXfAAAAlgAAAAoAAEAAAEAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAI5dHJhawAAAFx0a2hkAAAAAdMAF3zTABd8AAAAAQAAAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAQAAAAAAyAAAAMgAAAAAAJGVkdHMAAAAcZWxzdAAAAAAAAAABAAAAKAAAAAAAAQAAAAABsW1kaWEAAAAgbWRoZAAAAADTABd80wAXfAAAAlgAAAJYFccAAAAAADpoZGxyAAAAAAAAAAB2aWRlAAAAAAAAAAAAAAAAQXBwbGUgVmlkZW8gTWVkaWEgSGFuZGxlcgAAAAFPbWluZgAAABR2bWhkAAAAAQAAAAAAAAAAAAAAJGRpbmYAAAAcZHJlZgAAAAAAAAABAAAADHVybCAAAAABAAABD3N0YmwAAACrc3RzZAAAAAAAAAABAAAAm21wNHYAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAMgAyAEgAAABIAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAY//8AAABFZXNkcwAAAAADNwAAHwQvIBEALuAAAH0AAAB9AAUgAAABsPMAAAG1DuBAwM8AAAEAAAABIACEQPooDKAyox8GAQIAAAAYc3R0cwAAAAAAAAABAAAAAQAAAlgAAAAcc3RzYwAAAAAAAAABAAAAAQAAAAEAAAABAAAAFHN0c3oAAAAAAAACxQAAAAEAAAAUc3RjbwAAAAAAAAABAAAC7QA
AAAhmcmVlAAAACGZyZWUAAALdbWRhdAAAAAh3aWRlAAAAAG1kYXQAAAG2EAMJjF7bCAFgRvbfiNzb8MqOhJBwKtkGGQPFwBJgwxJBwKtkGGQPFwBJhh2CkikFCCBi64HxGi1uVcfsItzm5SWWWEAMwPAQHYPB/5YKAHh/9cQgeL/6wGCNbb+PNv4225srB4D+rB4P/DEcHiIBMHi4BkFk2DwH9WDwf+GI4PEQCYPFwDILJwHgILEHg/1sHgIJcHh/4MHgIGUHi/70HwICPB4CCxB4P9bB4CCXB4f+DB4CBlB4v+9B8CAjjbb+Ntv422/ZWDwH9WDwf+GI4PEQCYPFwDILJsHgP6sHg/8MRweIgEweLgGQWTweAgsQeD/WweAglweH/gweAgZQeL/vQfAgI6DwEFPlbB4D9lB4CCN9jP02/B4D+LB4CBdzFbA4raq6DwH+CIUjLUVtK1V+0N8EFhlrsD1r+dx7IOgeB/qweA/wweF/4weKgEx0D5sAiweB/qweA/wweF/4weKgEx0D5sAiYYMwPA/44KUHhf88A8Hif+Eeg+b/7g3g8D/bg8B/dg8L/hgoweJ/2RJB83/zZGDwP9WDwH+GDwv/GDxUAmOgfNgEWDwP9WDwH+GDwv/GDxUAmOgfNgEW8Hgf8cFKDwv+eAeDxP/CPQfN/98Hgf7cHgP7sHhf8MFGDxP+yJIPm/+bIweB/qweA/wweF/4weKgEx0D5sAiweB/qweA/wweF/4weKgEx0D5sAi3g8D/jgpQeF/zwDweJ/4R6D5v/vg8D/bg8B/dg8L/hgoweJ/2RJB83/zYSw/H6cS0/y8v+OU7agt+o9nSz09hV6Zg2yRaBW23Hw/H4jD8uEkSC9OOhLHSdUPx0Ox8rbSD8fD9I3GUheXJWLjKZOmZzG1Strcbabyf9ZrjR8Px+Iw/LhJEgvTjoSx0nVD8dDsfK20g/Hw/SNxlIXlyVi4ymTpmcxtUra3G
2m8n/Wa5" oncanplay="testFinished()"></video>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsmediavideowithdataurlallowedbycspmediasrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,27 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="media-src *">
+<style>
+video {
+ background-color: red;
+ width: 128px;
+ height: 128px;
+}
+</style>
+<script>
+if (window.testRunner)
+ testRunner.waitUntilDone();
+
+function testFinished()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that loading a video with a data URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. This test PASSED if you see a square with a green-to-gray horizontal gradient. Otherwise, it FAILED.</p>
+<video src="data:video/mp4;base64,AAAAGGZ0eXBtcDQyAAAAAW1wNDJtcDQxAAACrW1vb3YAAABsbXZoZAAAAADTABd80wAXfAAAAlgAAAAoAAEAAAEAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAI5dHJhawAAAFx0a2hkAAAAAdMAF3zTABd8AAAAAQAAAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAQAAAAAAyAAAAMgAAAAAAJGVkdHMAAAAcZWxzdAAAAAAAAAABAAAAKAAAAAAAAQAAAAABsW1kaWEAAAAgbWRoZAAAAADTABd80wAXfAAAAlgAAAJYFccAAAAAADpoZGxyAAAAAAAAAAB2aWRlAAAAAAAAAAAAAAAAQXBwbGUgVmlkZW8gTWVkaWEgSGFuZGxlcgAAAAFPbWluZgAAABR2bWhkAAAAAQAAAAAAAAAAAAAAJGRpbmYAAAAcZHJlZgAAAAAAAAABAAAADHVybCAAAAABAAABD3N0YmwAAACrc3RzZAAAAAAAAAABAAAAm21wNHYAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAMgAyAEgAAABIAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAY//8AAABFZXNkcwAAAAADNwAAHwQvIBEALuAAAH0AAAB9AAUgAAABsPMAAAG1DuBAwM8AAAEAAAABIACEQPooDKAyox8GAQIAAAAYc3R0cwAAAAAAAAABAAAAAQAAAlgAAAAcc3RzYwAAAAAAAAABAAAAAQAAAAEAAAABAAAAFHN0c3oAAAAAAAACxQAAAAEAAAAUc3RjbwAAAAAAAAABAAAC7QA
AAAhmcmVlAAAACGZyZWUAAALdbWRhdAAAAAh3aWRlAAAAAG1kYXQAAAG2EAMJjF7bCAFgRvbfiNzb8MqOhJBwKtkGGQPFwBJgwxJBwKtkGGQPFwBJhh2CkikFCCBi64HxGi1uVcfsItzm5SWWWEAMwPAQHYPB/5YKAHh/9cQgeL/6wGCNbb+PNv4225srB4D+rB4P/DEcHiIBMHi4BkFk2DwH9WDwf+GI4PEQCYPFwDILJwHgILEHg/1sHgIJcHh/4MHgIGUHi/70HwICPB4CCxB4P9bB4CCXB4f+DB4CBlB4v+9B8CAjjbb+Ntv422/ZWDwH9WDwf+GI4PEQCYPFwDILJsHgP6sHg/8MRweIgEweLgGQWTweAgsQeD/WweAglweH/gweAgZQeL/vQfAgI6DwEFPlbB4D9lB4CCN9jP02/B4D+LB4CBdzFbA4raq6DwH+CIUjLUVtK1V+0N8EFhlrsD1r+dx7IOgeB/qweA/wweF/4weKgEx0D5sAiweB/qweA/wweF/4weKgEx0D5sAiYYMwPA/44KUHhf88A8Hif+Eeg+b/7g3g8D/bg8B/dg8L/hgoweJ/2RJB83/zZGDwP9WDwH+GDwv/GDxUAmOgfNgEWDwP9WDwH+GDwv/GDxUAmOgfNgEW8Hgf8cFKDwv+eAeDxP/CPQfN/98Hgf7cHgP7sHhf8MFGDxP+yJIPm/+bIweB/qweA/wweF/4weKgEx0D5sAiweB/qweA/wweF/4weKgEx0D5sAi3g8D/jgpQeF/zwDweJ/4R6D5v/vg8D/bg8B/dg8L/hgoweJ/2RJB83/zYSw/H6cS0/y8v+OU7agt+o9nSz09hV6Zg2yRaBW23Hw/H4jD8uEkSC9OOhLHSdUPx0Ox8rbSD8fD9I3GUheXJWLjKZOmZzG1Strcbabyf9ZrjR8Px+Iw/LhJEgvTjoSx0nVD8dDsfK20g/Hw/SNxlIXlyVi4ymTpmcxtUra3G
2m8n/Wa5" oncanplay="testFinished()" onerror="testFinished()"></video>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsmediavideowithfileurlblockedbycspmediasrcstarexpectedhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#equivalent-expected-result {
+ background-color: green;
+ width: 128px;
+ height: 128px;
+}
+</style>
+</head>
+<body>
+<p>This tests that loading a video with a file URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. This test PASSED if you see a solid green square. Otherwise, it FAILED.</p>
+<div id="equivalent-expected-result"></div>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsmediavideowithfileurlblockedbycspmediasrcstarhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html (0 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -0,0 +1,36 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="media-src *">
+<style>
+video {
+ background-color: green;
+ width: 128px;
+ height: 128px;
+}
+</style>
+<script src="media-file.js"></script>
+<script>
+if (window.testRunner)
+ testRunner.waitUntilDone();
+
+function testFinished()
+{
+ if (window.testRunner)
+ testRunner.notifyDone();
+}
+
+window.onload = function ()
+{
+ var video = document.getElementById("video");
+ video.onloadedmetadata = testFinished;
+ video.onerror = testFinished;
+ video.src = findMediaFile("video", "content/test");
+}
+</script>
+</head>
+<body>
+<p>This tests that loading a video with a file URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. This test PASSED if you see a solid green square. Otherwise, it FAILED.</p>
+<video id="video"></video>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestsplatformwk2TestExpectations"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/platform/wk2/TestExpectations (198106 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/platform/wk2/TestExpectations 2016-03-14 10:19:08 UTC (rev 198106)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/platform/wk2/TestExpectations 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -622,6 +622,7 @@
</span><span class="cx"> # https://bugs.webkit.org/show_bug.cgi?id=64285
</span><span class="cx"> editing/pasteboard/file-drag-to-editable.html
</span><span class="cx"> editing/pasteboard/file-input-files-access.html
</span><ins>+fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
</ins><span class="cx"> fast/dom/Window/window-postmessage-clone-frames.html
</span><span class="cx"> fast/dom/Window/window-postmessage-clone.html
</span><span class="cx"> fast/events/data-transfer-files-attribute-identity.html
</span><span class="lines">@@ -674,6 +675,7 @@
</span><span class="cx"> http/tests/local/formdata/send-form-data-with-empty-file-filename.html
</span><span class="cx"> http/tests/local/formdata/upload-events.html
</span><span class="cx"> http/tests/security/clipboard/clipboard-file-access.html
</span><ins>+media/video-with-blob-url-allowed-by-csp-media-src-star.html
</ins><span class="cx"> media/video-src-blob.html
</span><span class="cx"> storage/indexeddb/noblobs.html
</span><span class="cx"> storage/indexeddb/noblobs-private.html
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (198106 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-03-14 10:19:08 UTC (rev 198106)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -1,5 +1,46 @@
</span><span class="cx"> 2016-03-07 Daniel Bates <dabates@apple.com>
</span><span class="cx">
</span><ins>+ CSP: Source '*' should not match URLs with schemes blob, data, or filesystem
+ https://bugs.webkit.org/show_bug.cgi?id=154122
+ <rdar://problem/24613336>
+
+ Reviewed by Brent Fulgham.
+
+ Restrict matching of source expression * to HTTP or HTTPS URLs for all directives except
+ img-src and media-src. This policy is more restrictive than the policy described in section
+ Matching Source Expressions of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721>,
+ which restricts matching * to schemes that are not blob, data, or filesystem.
+
+ For directive img-src we restrict matching of * to HTTP, HTTPS, and data URLs. For directive
+ media-src we restrict matching of * to HTTP, HTTPS, data URLs and blob URLs. We use a
+ more lenient interpretation of * for directives img-src and media-src than required by
+ the spec. to mitigate web compatibility issues.
+
+ Tests: fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
+ fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html
+ fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html
+ fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html
+ fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html
+ fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html
+ http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html
+ http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html
+ http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html
+ http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html
+ http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html
+ http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html
+ http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html
+ media/video-with-blob-url-allowed-by-csp-media-src-star.html
+ media/video-with-data-url-allowed-by-csp-media-src-star.html
+ media/video-with-file-url-blocked-by-csp-media-src-star.html
+
+ * page/csp/ContentSecurityPolicySourceList.cpp:
+ (WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar): Added.
+ (WebCore::ContentSecurityPolicySourceList::matches): Modified to only match * if ContentSecurityPolicySourceList::isProtocolAllowedByStar().
+ evaluates to true.
+ * page/csp/ContentSecurityPolicySourceList.h:
+
+2016-03-07 Daniel Bates <dabates@apple.com>
+
</ins><span class="cx"> Cleanup: Add convenience function URL::procotolIsBlob()
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=155127
</span><span class="cx"> <rdar://problem/25016829>
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCorepagecspContentSecurityPolicySourceListcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (198106 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp 2016-03-14 10:19:08 UTC (rev 198106)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -95,13 +95,24 @@
</span><span class="cx"> parse(characters, characters + value.length());
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool ContentSecurityPolicySourceList::isProtocolAllowedByStar(const URL& url) const
+{
+ // Although not allowed by the Content Security Policy Level 3 spec., we allow a data URL to match
+ // "img-src *" and either a data URL or blob URL to match "media-src *" for web compatibility.
+ // FIXME: We should not hardcode the directive names. We should make use of the constants in ContentSecurityPolicyDirectiveList.cpp.
+ // See <https://bugs.webkit.org/show_bug.cgi?id=155133>.
+ bool isAllowed = url.protocolIsInHTTPFamily();
+ if (equalLettersIgnoringASCIICase(m_directiveName, "img-src"))
+ isAllowed |= url.protocolIsData();
+ else if (equalLettersIgnoringASCIICase(m_directiveName, "media-src"))
+ isAllowed |= url.protocolIsData() || url.protocolIsBlob();
+ return isAllowed;
+}
+
</ins><span class="cx"> bool ContentSecurityPolicySourceList::matches(const URL& url)
</span><span class="cx"> {
</span><del>- if (m_allowStar) {
- // FIXME: Should only match for URLs whose scheme is not blob, data or filesystem.
- // See <https://bugs.webkit.org/show_bug.cgi?id=154122> for more details.
</del><ins>+ if (m_allowStar && isProtocolAllowedByStar(url))
</ins><span class="cx"> return true;
</span><del>- }
</del><span class="cx">
</span><span class="cx"> if (m_allowSelf && m_policy.urlMatchesSelf(url))
</span><span class="cx"> return true;
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCorepagecspContentSecurityPolicySourceListh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h (198106 => 198107)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h 2016-03-14 10:19:08 UTC (rev 198106)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h 2016-03-14 10:20:20 UTC (rev 198107)
</span><span class="lines">@@ -55,6 +55,8 @@
</span><span class="cx"> bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHasWildcard);
</span><span class="cx"> bool parsePath(const UChar* begin, const UChar* end, String& path);
</span><span class="cx">
</span><ins>+ bool isProtocolAllowedByStar(const URL&) const;
+
</ins><span class="cx"> const ContentSecurityPolicy& m_policy;
</span><span class="cx"> Vector<ContentSecurityPolicySource> m_list;
</span><span class="cx"> String m_directiveName;
</span></span></pre>
</div>
</div>
</body>
</html>