<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[198292] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/198292">198292</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-03-16 12:46:49 -0700 (Wed, 16 Mar 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>&lt;video&gt; and &lt;audio&gt; elements do not obey Content Security Policy on redirect
https://bugs.webkit.org/show_bug.cgi?id=155509
&lt;rdar://problem/10234844&gt;

Reviewed by Alex Christensen.

Source/WebCore:

Fixes an issue where the Content Security Policy of the page was not enforced
on redirects when loading a media subresource via an HTML video or HTML audio
element.

Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/font-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/font-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/image-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/image-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/script-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/script-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/track-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/track-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/video-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/video-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html

* inspector/InspectorPageAgent.cpp:
(WebCore::InspectorPageAgent::cachedResourceContent): Treat media resources as raw resources just as we do currently.
(WebCore::InspectorPageAgent::cachedResourceType): Ditto.
* loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::requestResource): Modified to use CachedResourceLoader::requestMedia() instead
of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
initiated by an element in a user agent shadow tree. See &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt; for
more details.
* loader/ResourceLoadInfo.cpp:
(WebCore::toResourceType): Treat media resources as raw resources just as we do currently. Also, add cases for
CachedResource::LinkPrefetch and CachedResource::LinkSubresource (when ENABLE(LINK_PREFETCH) is enabled) and
remove the default statement to force a compile-time error when a new CachedResource enumerator is added and
the switch block in this function is not updated.
* loader/SubresourceLoader.cpp:
(WebCore::logResourceLoaded): Ditto.
* loader/cache/CachedRawResource.cpp:
(WebCore::CachedRawResource::CachedRawResource): Substitute CachedResource::isMainOrMediaOrRawResource() for
CachedResource::isMainOrRawResource() as the latter was renamed to the former.
* loader/cache/CachedRawResource.h:
(isType): Ditto.
* loader/cache/CachedResource.cpp:
(WebCore::defaultPriorityForResourceType): Use priority ResourceLoadPriority::Medium for media resources just as
we do currently.
* loader/cache/CachedResource.h:
(WebCore::CachedResource::isMainOrMediaOrRawResource): Formerly named isMainOrRawResource. Returns true if the type
of this resource is a main resource, media resource, or raw resource.
(WebCore::CachedResource::isMainOrRawResource): Deleted.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::createResource): Treat media resources as raw resources just as we do currently.
(WebCore::CachedResourceLoader::requestMedia): Added.
(WebCore::contentTypeFromResourceType): Consider media resources as MixedContentChecker::ContentType::Active
just as we do currently.
(WebCore::CachedResourceLoader::checkInsecureContent): Apply the mixed content policy to media resources
just as we do currently.
(WebCore::CachedResourceLoader::canRequest): Apply the Same Origin Policy to media resources just as we
do currently. Query the Content Security Policy of the page to determine if the media resource can be
requested.
(WebCore::CachedResourceLoader::determineRevalidationPolicy): Substitute CachedResource::isMainOrMediaOrRawResource()
for CachedResource::isMainOrRawResource() as the latter was renamed to the former.
* loader/cache/CachedResourceLoader.h:
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::startLoading): Modified to use CachedResourceLoader::requestMedia() instead
of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
initiated by an element in a user agent shadow tree. See &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt; for
more details. Additionally, simplified code that determined whether to request the media resource or error out
by coalescing two conditional expressions into one conditional on whether we have a loader and substituted
nullptr for 0.

Source/WebKit2:

Use 0ms as the maximum buffering time for media resources just as we do currently.

* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::maximumBufferingTime):

LayoutTests:

Add tests to ensure that the Content Security Policy is enforced on redirects when
loading a subresource, including a video or audio file.

* http/tests/resources/redirect.php: Fix PHP &quot;undefined index&quot; warnings when either query
parameter code or refresh (or both) are not specified.
* http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/resources/ABCFont.svg: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg.
* http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl: Added.
* http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl: Added.
* http/tests/security/contentSecurityPolicy/resources/green-square.svg: Added.
* http/tests/security/contentSecurityPolicy/resources/red-square.svg: Added.
* http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php: Added.
* http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html:
* http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html: Added.
* platform/efl/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt;. We will also need to fix
&lt;https://bugs.webkit.org/show_bug.cgi?id=153866&gt; before we can unskip test http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html.
As far as I can tell the functionality exercised by these tests is not being used by the EFL port.
* platform/gtk/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt;. As far as I can tell the functionality
exercised by these tests is not being used by the GTK port.
* platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added expected failure result as
AV Foundation is responsible for loading media on iOS. That is, WebCore is not responsible for loading media.
* platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Ditto.
* platform/mac/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt;. The functionality exercised by these
tests is not used on OS X. Additionally, mark as Failure on Yosemite and ElCapitan the added tests
http/tests/security/contentSecurityPolicy/{video, audio}-redirect-blocked.html as we do not support
Content Security Policy for media redirects in these versions of OS X.</pre>
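The gap this change closes, sketched as an added JavaScript model (not WebKit code and not part of the commit): a loader that consults the page's policy only for the URL it was asked to fetch, beside one that consults it for every URL in the redirect chain. The hosts, the policy strings and all function names are constructed for illustration, and source matching is simplified to 'none', 'self', scheme sources and host sources without paths or wildcards.

```javascript
// Added illustration: a simplified model of media-src enforcement across a
// redirect chain. Not WebKit code; every name here is hypothetical.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Parse a Content-Security-Policy header value into directive -> source list.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A directive name that appears a second time is ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function portOf(url) {
  return url.port !== "" ? url.port : (DEFAULT_PORTS[url.protocol] ?? "");
}

// Simplified source-expression matching (assumption: no paths, no wildcards;
// 'self' is reduced to exact origin equality).
function sourceMatches(source, url, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9.-]+)(?::(\d+))?$/.exec(s);
  if (m === null) return false; // unsupported expression: no match
  const scheme = m[1] !== undefined ? m[1] + ":" : self.protocol;
  const port = m[3] !== undefined ? m[3] : (DEFAULT_PORTS[scheme] ?? "");
  if (url.protocol !== scheme) return false;
  if (url.hostname !== m[2]) return false;
  return portOf(url) === port;
}

// media-src governs video, audio and track loads; default-src is the fallback.
function allowsMedia(directives, url, self) {
  const sources = directives.get("media-src") ?? directives.get("default-src");
  if (sources === undefined) return true; // no applicable directive
  return sources.some((src) => sourceMatches(src, url, self));
}

// Returns the first URL in `urls` that the policy blocks, or null.
function firstBlockedUrl(policyHeader, pageUrl, urls) {
  const directives = parsePolicy(policyHeader);
  const self = new URL(pageUrl);
  for (const u of urls) {
    if (!allowsMedia(directives, new URL(u), self)) return u;
  }
  return null;
}

// Policy consulted only for the URL the element asked for.
const checkInitialUrlOnly = (policy, page, chain) =>
  firstBlockedUrl(policy, page, chain.slice(0, 1));

// Policy consulted for the requested URL and for every redirect target.
const checkEveryHop = (policy, page, chain) =>
  firstBlockedUrl(policy, page, chain);

// Constructed sample: a same-origin URL that redirects to another origin.
const PAGE = "https://site.example/page.html";
const CHAIN = [
  "https://site.example/redirect?to=clip",
  "https://other.example/clip.mp4",
];

console.log(checkInitialUrlOnly("media-src 'self'", PAGE, CHAIN));
console.log(checkEveryHop("media-src 'self'", PAGE, CHAIN));
```
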

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestshttptestsresourcesredirectphp">trunk/LayoutTests/http/tests/resources/redirect.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMallowsvgfonthtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html</a></li>
<li><a href="#trunkLayoutTestsplatformeflTestExpectations">trunk/LayoutTests/platform/efl/TestExpectations</a></li>
<li><a href="#trunkLayoutTestsplatformgtkTestExpectations">trunk/LayoutTests/platform/gtk/TestExpectations</a></li>
<li><a href="#trunkLayoutTestsplatformmacTestExpectations">trunk/LayoutTests/platform/mac/TestExpectations</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreinspectorInspectorPageAgentcpp">trunk/Source/WebCore/inspector/InspectorPageAgent.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderMediaResourceLoadercpp">trunk/Source/WebCore/loader/MediaResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderResourceLoadInfocpp">trunk/Source/WebCore/loader/ResourceLoadInfo.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderSubresourceLoadercpp">trunk/Source/WebCore/loader/SubresourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedRawResourcecpp">trunk/Source/WebCore/loader/cache/CachedRawResource.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedRawResourceh">trunk/Source/WebCore/loader/cache/CachedRawResource.h</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourcecpp">trunk/Source/WebCore/loader/cache/CachedResource.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceh">trunk/Source/WebCore/loader/cache/CachedResource.h</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceLoadercpp">trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceLoaderh">trunk/Source/WebCore/loader/cache/CachedResourceLoader.h</a></li>
<li><a href="#trunkSourceWebCoreplatformgraphicsavfoundationobjcWebCoreAVFResourceLoadermm">trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2WebProcessNetworkWebLoaderStrategycpp">trunk/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesABCFontsvg">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/ABCFont.svg</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesalertfailxsl">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesalertpassxsl">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesgreensquaresvg">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/green-square.svg</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesredsquaresvg">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/red-square.svg</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesxslredirectallowedphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesxslredirectblockedphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestsplatformiossimulatorhttptestssecuritycontentSecurityPolicyaudioredirectblockedexpectedtxt">trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestsplatformiossimulatorhttptestssecuritycontentSecurityPolicyvideoredirectblockedexpectedtxt">trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt</a></li>
</ul>

<h3>Removed Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMresourcesABCFontsvg">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/ChangeLog        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -1,3 +1,80 @@
</span><ins>+2016-03-16  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        &lt;video&gt; and &lt;audio&gt; elements do not obey Content Security Policy on redirect
+        https://bugs.webkit.org/show_bug.cgi?id=155509
+        &lt;rdar://problem/10234844&gt;
+
+        Reviewed by Alex Christensen.
+
+        Add tests to ensure that the Content Security Policy is enforced on redirects when
+        loading a subresource, including a video or audio file.
+
+        * http/tests/resources/redirect.php: Fix PHP &quot;undefined index&quot; warnings when either query
+        parameter code or refresh (or both) are not specified.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/ABCFont.svg: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg.
+        * http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl: Added.
+        * http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl: Added.
+        * http/tests/security/contentSecurityPolicy/resources/green-square.svg: Added.
+        * http/tests/security/contentSecurityPolicy/resources/red-square.svg: Added.
+        * http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php: Added.
+        * http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php: Added.
+        * http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html:
+        * http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/video-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/video-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html: Added.
+        * platform/efl/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+        until we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt;. We will also need to fix
+        &lt;https://bugs.webkit.org/show_bug.cgi?id=153866&gt; before we can unskip test http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html
+        As far as I can tell the functionality exercised by these tests is not being using by the EFL port.
+        * platform/gtk/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+        until we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt;. As far as I can tell the functionality
+        exercised by these tests is not being using by the GTK port.
+        * platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added expected failure result as
+        AV Foundation is responsible for loading media on iOS. That is, WebCore is not responsible for loading media.
+        * platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Ditto.
+        * platform/mac/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+        until we fix &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt;. The functionality exercised by these
+        tests is not used on OS X. Additionally, mark as Failure on Yosemite and ElCapitan the added tests
+        http/tests/security/contentSecurityPolicy/{video, audio}-redirect-blocked.html as we do not support
+        Content Security Policy for media redirects in these versions of OS X.
+
</ins><span class="cx"> 2016-03-16  Jiewen Tan  &lt;jiewen_tan@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         URL Parsing should signal failure for illegal IDN
</span></span></pre></div>
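Review bot: The ChangeLog entry for http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html has no description, unlike the other entries in this list. Since ABCFont.svg is renamed out of userAgentShadowDOM/resources/ a few lines earlier, state what changed in the test (for example, that it now references the font at its new location, if that is the change). In the EFL and GTK TestExpectations entries, "is not being using by" should read "is not being used by", and the EFL sentence ending in allow-video.html is missing its period.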
<a id="trunkLayoutTestshttptestsresourcesredirectphp"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/resources/redirect.php (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/resources/redirect.php        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/http/tests/resources/redirect.php        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -6,23 +6,21 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     $url = $_GET['url'];
</span><del>-    $refresh = $_GET['refresh'];
-    
-    if (isset($refresh)) {
</del><ins>+
+    if (isset($_GET['refresh'])) {
</ins><span class="cx">         header(&quot;HTTP/1.1 200&quot;);
</span><del>-        header(&quot;Refresh: $refresh; url=$url&quot;);
</del><ins>+        header(&quot;Refresh: &quot; . $_GET['refresh'] . &quot;; url=$url&quot;);
</ins><span class="cx">         addCacheControl();
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    $code = $_GET['code'];
-    if (!isset($code))
</del><ins>+    if (!isset($_GET['code']))
</ins><span class="cx">         header(&quot;HTTP/1.1 302 Found&quot;);
</span><del>-    elseif ($code == 308) {
</del><ins>+    elseif ($_GET['code'] == 308) {
</ins><span class="cx">         # Apache 2.2 (and possibly some newer versions) cannot generate a reason string for code 308, and sends a 500 error instead.
</span><span class="cx">         header(&quot;HTTP/1.1 308 Permanent Redirect&quot;);
</span><span class="cx">     } else
</span><del>-        header(&quot;HTTP/1.1 $code&quot;);
</del><ins>+        header(&quot;HTTP/1.1 &quot; . $_GET['code']);
</ins><span class="cx">     header(&quot;Location: $url&quot;);
</span><span class="cx">     addCacheControl();
</span><span class="cx"> ?&gt;
</span></span></pre></div>
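Review bot: In the final else branch, $_GET['code'] is concatenated straight into the status line, and $_GET['refresh'] and $url reach the Refresh and Location headers the same way, so this helper emits whatever the query string carries. Because the file only exists to produce redirects for tests, consider casting the code with intval() and falling back to 302 unless it is in the 300 to 399 range. Separately, $url = $_GET['url']; is still an unguarded read: the hunk moves refresh and code to isset($_GET[...]) checks, but a request without url still reads an undefined index.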
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;audio src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/resources/balls-of-the-orient.aif&quot; onloadedmetadata=&quot;alertAndDone('PASS')&quot; onerror=&quot;alertAndDone('FAIL')&quot;&gt;&lt;/audio&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/resources/balls-of-the-orient.aif' because it violates the following Content Security Policy directive: &quot;media-src http://127.0.0.1:8000/resources/redirect.php&quot;.
+
+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;media-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;audio src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/resources/balls-of-the-orient.aif&quot; onloadedmetadata=&quot;alertAndDone('FAIL')&quot; onerror=&quot;alertAndDone('PASS')&quot;&gt;&lt;/audio&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
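Review bot: On the audio element, onerror reports PASS for any load failure, not only a policy block, so a missing or undecodable balls-of-the-orient.aif would also alert PASS. Only the CONSOLE MESSAGE line in audio-redirect-blocked-expected.txt ties the result to media-src. A short comment in the test stating that the console message is the real assertion would help whoever rebaselines it, particularly given the platform-specific expected results this change adds for media.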
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+Tests that a cross-origin CSS font loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;font-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;style&gt;
+@font-face {
+    font-family: &quot;Ahem&quot;;
+    src: url(&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/resources/Ahem.woff&quot;) format(&quot;woff&quot;);
+}
+&lt;/style&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a cross-origin CSS font loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.&lt;/p&gt;
+&lt;p style=&quot;font-family: 'Ahem'&quot;&gt;.&lt;/p&gt; &lt;!-- Intentional period character to force font to load --&gt;
+&lt;script&gt;
+// Use a zero timer to wait until the font loaded.
+if (window.testRunner)
+    window.setTimeout(&quot;window.testRunner.notifyDone();&quot;, 0);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+CONSOLE MESSAGE: Refused to load the font 'http://localhost:8000/resources/Ahem.woff' because it violates the following Content Security Policy directive: &quot;font-src http://127.0.0.1:8000/resources/redirect.php&quot;.
+
+Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;font-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;style&gt;
+@font-face {
+    font-family: &quot;Ahem&quot;;
+    src: url(&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/resources/Ahem.woff&quot;) format(&quot;woff&quot;);
+}
+&lt;/style&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.&lt;/p&gt;
+&lt;p style=&quot;font-family: 'Ahem'&quot;&gt;.&lt;/p&gt; &lt;!-- Intentional period character to force font to load --&gt;
+&lt;script&gt;
+// Use a zero timer to wait until the font loaded.
+if (window.testRunner)
+    window.setTimeout(&quot;window.testRunner.notifyDone();&quot;, 0);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
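Review bot: The zero-delay timer in the final script does not wait for the font load; it only yields once, so whether the "Refused to load the font" console message is logged before notifyDone() depends on load timing and the test can flake. Consider finishing the test from a signal tied to the font request completing or failing. Also pass a function to setTimeout instead of the string "window.testRunner.notifyDone();": the string form is evaluated as code and would itself be refused if this policy ever gained a script-src without 'unsafe-eval'. Both points apply equally to font-redirect-allowed.html.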
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+Tests that a cross-origin image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a cross-origin image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.&lt;/p&gt;
+&lt;img src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/resources/abe.png&quot; width=&quot;128&quot; height=&quot;128&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
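Review bot: The img element has no onload or onerror handler, so this test passes whenever no console warning is logged, including when the redirect target is missing or the image fails to load for an unrelated reason. The audio tests in this change call alertAndDone('PASS') and alertAndDone('FAIL') from their load and error handlers; doing the same here (with wait-until-done.js included) would make the allowed case assert that the redirected load actually succeeded.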
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: &quot;img-src http://127.0.0.1:8000/resources/redirect.php&quot;.
+
+Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.&lt;/p&gt;
+&lt;img src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/resources/abe.png&quot; width=&quot;128&quot; height=&quot;128&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesABCFontsvgfromrev198291trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMresourcesABCFontsvg"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/ABCFont.svg (from rev 198291, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg) (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/ABCFont.svg                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/ABCFont.svg        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,35 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot;?&gt;
+&lt;svg xmlns=&quot;http://www.w3.org/2000/svg&quot; xmlns:xlink=&quot;http://www.w3.org/1999/xlink&quot;&gt;
+    &lt;defs&gt;
+        &lt;!-- Based on DejaVu Serif (http://dejavu-fonts.org/wiki/index.php?title=License) --&gt;
+        &lt;font id=&quot;ABCFont&quot; horiz-adv-x=&quot;1716&quot;&gt;
+            &lt;font-face
+                font-family=&quot;DejaVu Serif&quot;
+                font-weight=&quot;400&quot;
+                font-stretch=&quot;normal&quot;
+                units-per-em=&quot;2048&quot;
+                panose-1=&quot;2 6 6 3 5 6 5 2 2 4&quot;
+                ascent=&quot;1556&quot;
+                descent=&quot;-492&quot;
+                x-height=&quot;1063&quot;
+                cap-height=&quot;1493&quot;
+                bbox=&quot;-1576 -710 3439 2544&quot;
+                underline-thickness=&quot;90&quot;
+                underline-position=&quot;-85&quot;
+                unicode-range=&quot;U+0020-U+1D7E1&quot;
+            /&gt;
+
+            &lt;missing-glyph horiz-adv-x=&quot;1229&quot; d=&quot;M102 -362v1806h1024v-1806h-1024zM217 -248h795v1577h-795v-1577z&quot; /&gt;
+
+            &lt;glyph glyph-name=&quot;space&quot; unicode=&quot; &quot; horiz-adv-x=&quot;651&quot; /&gt;
+
+            &lt;glyph glyph-name=&quot;a&quot; unicode=&quot;a&quot; horiz-adv-x=&quot;1221&quot;
+                d=&quot;M815 334v225h-237q-137 0 -204 -59t-67 -181q0 -111 68 -176t184 -65q115 0 185.5 71t70.5 185zM999 664v-558h164v-106h-348v115q-61 -74 -141 -109t-187 -35q-177 0 -281 94t-104 254q0 165 119 256t336 91h258v73q0 121 -73.5 187.5t-206.5 66.5q-110 0 -175 -50t-81 -148h-95v215q96 41 186.5 61.5t176.5 20.5q221 0 336.5 -109.5t115.5 -318.5z&quot; /&gt;
+            &lt;glyph glyph-name=&quot;b&quot; unicode=&quot;b&quot; horiz-adv-x=&quot;1311&quot;
+                d=&quot;M236 106v1344h-177v106h361v-659q54 100 137.5 147.5t206.5 47.5q196 0 320 -155t124 -405t-124 -405.5t-320 -155.5q-123 0 -206.5 47.5t-137.5 147.5v-166h-361v106h177zM420 479q0 -192 73.5 -292.5t213.5 -100.5q141 0 213.5 113t72.5 333q0 221 -72.5 333t-213.5 112q-140 0 -213.5 -101t-73.5 -292v-105z&quot; /&gt;
+            &lt;glyph glyph-name=&quot;c&quot; unicode=&quot;c&quot; horiz-adv-x=&quot;1147&quot;
+                d=&quot;M1053 319q-39 -170 -150 -259t-287 -89q-232 0 -373 153.5t-141 407.5q0 255 141 407.5t373 152.5q101 0 201 -23.5t201 -71.5v-272h-107q-21 140 -91.5 204t-201.5 64q-149 0 -225 -115.5t-76 -345.5t75.5 -346t225.5 -116q119 0 190 62t97 187h148z&quot; /&gt;
+            &lt;glyph glyph-name=&quot;ellipsis&quot; unicode=&quot;&amp;#x2026;&quot; horiz-adv-x=&quot;1638&quot; d=&quot;M133 0v268h279v-268h-279zM680 0v268h278v-268h-278zM1225 0v268h278v-268h-278z&quot; /&gt;
+        &lt;/font&gt;
+    &lt;/defs&gt;
+&lt;/svg&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesalertfailxsl"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
+&lt;xsl:stylesheet version=&quot;1.0&quot; xmlns:xsl=&quot;http://www.w3.org/1999/XSL/Transform&quot;&gt;
+&lt;xsl:template match=&quot;/&quot;&gt;
+    &lt;html xml:lang=&quot;en-us&quot; xmlns=&quot;http://www.w3.org/1999/xhtml&quot;&gt;
+        &lt;body&gt;
+            &lt;script type=&quot;text/javascript&quot;&gt;
+                if (window.testRunner)
+                    testRunner.dumpAsText();
+                alert(&quot;FAIL&quot;);
+            &lt;/script&gt;
+        &lt;/body&gt;
+    &lt;/html&gt;
+&lt;/xsl:template&gt;
+&lt;/xsl:stylesheet&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesalertpassxsl"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
+&lt;xsl:stylesheet version=&quot;1.0&quot; xmlns:xsl=&quot;http://www.w3.org/1999/XSL/Transform&quot;&gt;
+&lt;xsl:template match=&quot;/&quot;&gt;
+    &lt;html xml:lang=&quot;en-us&quot; xmlns=&quot;http://www.w3.org/1999/xhtml&quot;&gt;
+        &lt;body&gt;
+            &lt;script type=&quot;text/javascript&quot;&gt;
+                if (window.testRunner)
+                    testRunner.dumpAsText();
+                alert(&quot;PASS&quot;);
+            &lt;/script&gt;
+        &lt;/body&gt;
+    &lt;/html&gt;
+&lt;/xsl:template&gt;
+&lt;/xsl:stylesheet&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesgreensquaresvg"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/green-square.svg (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/green-square.svg                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/green-square.svg        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+&lt;svg width=&quot;200&quot; height=&quot;200&quot; xmlns=&quot;http://www.w3.org/2000/svg&quot; xmlns:xlink=&quot;http://www.w3.org/1999/xlink&quot;&gt;
+    &lt;rect x=&quot;0&quot; y=&quot;0&quot; width=&quot;100px&quot; height=&quot;100px&quot; fill=&quot;green&quot;/&gt;
+&lt;/svg&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesredsquaresvg"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/red-square.svg (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/red-square.svg                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/red-square.svg        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+&lt;svg width=&quot;200&quot; height=&quot;200&quot; xmlns=&quot;http://www.w3.org/2000/svg&quot; xmlns:xlink=&quot;http://www.w3.org/1999/xlink&quot;&gt;
+    &lt;rect x=&quot;0&quot; y=&quot;0&quot; width=&quot;100px&quot; height=&quot;100px&quot; fill=&quot;red&quot;/&gt;
+&lt;/svg&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesxslredirectallowedphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;?php
+header(&quot;Content-Type: application/xhtml+xml&quot;);
+header(&quot;Content-Security-Policy: script-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000 'unsafe-inline'&quot;);
+echo '&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;' . &quot;\n&quot;;
+echo '&lt;?xml-stylesheet type=&quot;text/xsl&quot; href=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.xsl&quot;?&gt;' . &quot;\n&quot;;
+?&gt;
+&lt;!DOCTYPE html PUBLIC &quot;-//W3C//DTD XHTML 1.0 Transitional//EN&quot; &quot;http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd&quot;&gt;
+&lt;html xmlns=&quot;http://www.w3.org/1999/xhtml&quot;&gt;
+&lt;head&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesxslredirectblockedphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+&lt;?php
+header(&quot;Content-Type: application/xhtml+xml&quot;);
+header(&quot;Content-Security-Policy: script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'&quot;);
+echo '&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;' . &quot;\n&quot;;
+echo '&lt;?xml-stylesheet type=&quot;text/xsl&quot; href=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-fail.xsl&quot;?&gt;' . &quot;\n&quot;;
+?&gt;
+&lt;!DOCTYPE html PUBLIC &quot;-//W3C//DTD XHTML 1.0 Transitional//EN&quot; &quot;http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd&quot;&gt;
+&lt;html xmlns=&quot;http://www.w3.org/1999/xhtml&quot;&gt;
+&lt;head&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script type=&quot;text/javascript&quot;&gt;
+//&lt;![CDATA[
+if (window.testRunner)
+    testRunner.dumpAsText();
+alert(&quot;PASS&quot;);
+//]]&gt;
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
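Review bot: The inline script in the body alerts PASS unconditionally, so the outcome rests entirely on the stylesheet transform not running (no FAIL alert from alert-fail.xsl) and on the console message in the expected result, and nothing in the file says so. Add a comment explaining that the test relies on the XSL stylesheet load being checked against script-src, that 'unsafe-inline' is present only so the inline PASS script can run, and that the redirect target on localhost:8000 is deliberately absent from the source list.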
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000 'unsafe-inline'&quot;&gt;
+&lt;script src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass-and-notify-done.js&quot; onerror=&quot;alertAndDone('FAIL')&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
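Review bot: the meta policy in script-redirect-allowed.html admits the redirect target only through the host-only source http://localhost:8000, so the allowed case never exercises the CSP rule that the path part of a source expression is ignored once a request has been redirected. Consider a second allowed case whose policy lists a path-qualified localhost:8000 source that does not match alert-pass-and-notify-done.js and still expects ALERT: PASS, so a regression in post-redirect path handling is caught.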
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'&quot;.
+
+ALERT: PASS
+
</ins></span></pre></div>
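Review bot: the expected CONSOLE MESSAGE line names the post-redirect URL on localhost:8000 (alert-fail.js). That is fine for the console, but a violation report for a redirected load should carry the originally requested URL rather than the redirect target, and none of the expectations added here check what a report-uri endpoint would receive. A companion test that asserts the reported blocked-uri for this redirect would close that gap.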
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'&quot;&gt;
+&lt;script src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-fail.js&quot; onerror=&quot;alertAndDone('PASS')&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
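Review bot: resources/dump-as-text.js and resources/wait-until-done.js are not covered by the script-src list in the meta element; they load only because their script elements come before the meta element. Add a short comment above the meta element saying the order is deliberate, so a later cleanup does not move the policy to the top of head and silently break the harness (the same applies to script-redirect-allowed.html).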
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;style-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;link rel=&quot;stylesheet&quot; href=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/blue.css&quot; onload=&quot;alertAndDone('PASS')&quot; onerror=&quot;alertAndDone('FAIL')&quot;&gt;
+&lt;/head&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Refused to load the stylesheet 'http://localhost:8000/security/contentSecurityPolicy/resources/blue.css' because it violates the following Content Security Policy directive: &quot;style-src http://127.0.0.1:8000/resources/redirect.php&quot;.
+
+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;style-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;link rel=&quot;stylesheet&quot; href=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/blue.css&quot; onload=&quot;alertAndDone('FAIL')&quot; onerror=&quot;alertAndDone('PASS')&quot;&gt;
+&lt;/head&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+Tests that a SVG font-face element is allowed to load a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;font-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a SVG font-face element is allowed to load a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there are no console warning messages.&lt;/p&gt;
+&lt;svg viewBox=&quot;0 0 100 100&quot;&gt;
+    &lt;font-face&gt;
+        &lt;font-face-src&gt;
+            &lt;font-face-uri font-family=&quot;ABCFont&quot; xlink:href=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/ABCFont.svg#ABCFont&quot;&gt;&lt;/font-face-uri&gt;
+        &lt;/font-face-src&gt;
+    &lt;/font-face&gt;
+&lt;/svg&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
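Review bot: font-family="ABCFont" is set on the font-face-uri element here, while allow-svg-font.html in this same change sets it on the font-face element (fontFace.setAttributeNS(null, "font-family", "ABCFont")); font-family is a font-face attribute, so please move it there. Separately, the pass condition is only the absence of a console message and nothing on the page uses ABCFont, so this test would also pass if the font were never requested. Rendering some text in ABCFont and checking a positive load signal would make the allowed case a real check.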
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+CONSOLE MESSAGE: Refused to load the font 'http://localhost:8000/security/contentSecurityPolicy/resources/ABCFont.svg' because it violates the following Content Security Policy directive: &quot;font-src http://127.0.0.1:8000/resources/redirect.php&quot;.
+
+Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;font-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.&lt;/p&gt;
+&lt;svg viewBox=&quot;0 0 100 100&quot;&gt;
+    &lt;font-face&gt;
+        &lt;font-face-src&gt;
+            &lt;font-face-uri font-family=&quot;ABCFont&quot; xlink:href=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/ABCFont.svg&quot;&gt;&lt;/font-face-uri&gt;
+        &lt;/font-face-src&gt;
+    &lt;/font-face&gt;
+&lt;/svg&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
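Review bot: the xlink:href on font-face-uri ends in ABCFont.svg with no #ABCFont fragment, whereas svg-font-redirect-allowed.html and allow-svg-font.html both reference ABCFont.svg#ABCFont. The load is refused either way, but keeping the allowed and blocked pages identical apart from the policy makes it clear that the policy is the only variable. Add the fragment and re-check the expected console message after the change. The font-family attribute is also on font-face-uri rather than font-face, as in the allowed test.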
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+Tests that a cross-origin SVG image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a cross-origin SVG image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.&lt;/p&gt;
+&lt;img src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/green-square.svg&quot; width=&quot;128&quot; height=&quot;128&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
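Review bot: the img element has no onload or onerror handler, so the only pass signal is an empty console and the test cannot tell "image loaded" from "image failed for an unrelated reason". The policy here is img-src only, so inline handlers are not restricted; including resources/wait-until-done.js and adding onload="alertAndDone('PASS')" and onerror="alertAndDone('FAIL')", as stylesheet-redirect-allowed.html does, would give the allowed case a positive assertion.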
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/contentSecurityPolicy/resources/red-square.svg' because it violates the following Content Security Policy directive: &quot;img-src http://127.0.0.1:8000/resources/redirect.php&quot;.
+
+Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.&lt;/p&gt;
+&lt;img src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/red-square.svg&quot; width=&quot;128&quot; height=&quot;128&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;video&gt;
+    &lt;track src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt&quot; kind=&quot;captions&quot; onload=&quot;alertAndDone('PASS')&quot; onerror=&quot;alertAndDone('FAIL')&quot;&gt;
+&lt;/video&gt;
+&lt;script&gt;
+document.querySelector(&quot;track&quot;).track.mode = &quot;hidden&quot;; // Load the track
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt' because it violates the following Content Security Policy directive: &quot;media-src http://127.0.0.1:8000/resources/redirect.php&quot;.
+
+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;media-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;video&gt;
+    &lt;track src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt&quot; kind=&quot;captions&quot; onload=&quot;alertAndDone('FAIL')&quot; onerror=&quot;alertAndDone('PASS')&quot;&gt;
+&lt;/video&gt;
+&lt;script&gt;
+document.querySelector(&quot;track&quot;).track.mode = &quot;hidden&quot;; // Load the track
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMallowsvgfonthtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -24,7 +24,7 @@
</span><span class="cx">     fontFaceSrc.appendChild(fontFaceURI);
</span><span class="cx"> 
</span><span class="cx">     fontFace.setAttributeNS(null, &quot;font-family&quot;, &quot;ABCFont&quot;);
</span><del>-    fontFaceURI.setAttributeNS(&quot;http://www.w3.org/1999/xlink&quot;, &quot;href&quot;, &quot;resources/ABCFont.svg#ABCFont&quot;);
</del><ins>+    fontFaceURI.setAttributeNS(&quot;http://www.w3.org/1999/xlink&quot;, &quot;href&quot;, &quot;../resources/ABCFont.svg#ABCFont&quot;);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> runTest();
</span></span></pre></div>
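Review bot: the new href "../resources/ABCFont.svg#ABCFont" resolves only if ABCFont.svg exists under contentSecurityPolicy/resources in this revision, and the copy under userAgentShadowDOM/resources is deleted in the same change. Please confirm that no other test under userAgentShadowDOM still points at resources/ABCFont.svg, and consider recording this as a move rather than a separate delete so the file history is kept.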
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyuserAgentShadowDOMresourcesABCFontsvg"></a>
<div class="delfile"><h4>Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -1,35 +0,0 @@
</span><del>-&lt;?xml version=&quot;1.0&quot;?&gt;
-&lt;svg xmlns=&quot;http://www.w3.org/2000/svg&quot; xmlns:xlink=&quot;http://www.w3.org/1999/xlink&quot;&gt;
-    &lt;defs&gt;
-        &lt;!-- Based on DejaVu Serif (http://dejavu-fonts.org/wiki/index.php?title=License) --&gt;
-        &lt;font id=&quot;ABCFont&quot; horiz-adv-x=&quot;1716&quot;&gt;
-            &lt;font-face
-                font-family=&quot;DejaVu Serif&quot;
-                font-weight=&quot;400&quot;
-                font-stretch=&quot;normal&quot;
-                units-per-em=&quot;2048&quot;
-                panose-1=&quot;2 6 6 3 5 6 5 2 2 4&quot;
-                ascent=&quot;1556&quot;
-                descent=&quot;-492&quot;
-                x-height=&quot;1063&quot;
-                cap-height=&quot;1493&quot;
-                bbox=&quot;-1576 -710 3439 2544&quot;
-                underline-thickness=&quot;90&quot;
-                underline-position=&quot;-85&quot;
-                unicode-range=&quot;U+0020-U+1D7E1&quot;
-            /&gt;
-
-            &lt;missing-glyph horiz-adv-x=&quot;1229&quot; d=&quot;M102 -362v1806h1024v-1806h-1024zM217 -248h795v1577h-795v-1577z&quot; /&gt;
-
-            &lt;glyph glyph-name=&quot;space&quot; unicode=&quot; &quot; horiz-adv-x=&quot;651&quot; /&gt;
-
-            &lt;glyph glyph-name=&quot;a&quot; unicode=&quot;a&quot; horiz-adv-x=&quot;1221&quot;
-                d=&quot;M815 334v225h-237q-137 0 -204 -59t-67 -181q0 -111 68 -176t184 -65q115 0 185.5 71t70.5 185zM999 664v-558h164v-106h-348v115q-61 -74 -141 -109t-187 -35q-177 0 -281 94t-104 254q0 165 119 256t336 91h258v73q0 121 -73.5 187.5t-206.5 66.5q-110 0 -175 -50t-81 -148h-95v215q96 41 186.5 61.5t176.5 20.5q221 0 336.5 -109.5t115.5 -318.5z&quot; /&gt;
-            &lt;glyph glyph-name=&quot;b&quot; unicode=&quot;b&quot; horiz-adv-x=&quot;1311&quot;
-                d=&quot;M236 106v1344h-177v106h361v-659q54 100 137.5 147.5t206.5 47.5q196 0 320 -155t124 -405t-124 -405.5t-320 -155.5q-123 0 -206.5 47.5t-137.5 147.5v-166h-361v106h177zM420 479q0 -192 73.5 -292.5t213.5 -100.5q141 0 213.5 113t72.5 333q0 221 -72.5 333t-213.5 112q-140 0 -213.5 -101t-73.5 -292v-105z&quot; /&gt;
-            &lt;glyph glyph-name=&quot;c&quot; unicode=&quot;c&quot; horiz-adv-x=&quot;1147&quot;
-                d=&quot;M1053 319q-39 -170 -150 -259t-287 -89q-232 0 -373 153.5t-141 407.5q0 255 141 407.5t373 152.5q101 0 201 -23.5t201 -71.5v-272h-107q-21 140 -91.5 204t-201.5 64q-149 0 -225 -115.5t-76 -345.5t75.5 -346t225.5 -116q119 0 190 62t97 187h148z&quot; /&gt;
-            &lt;glyph glyph-name=&quot;ellipsis&quot; unicode=&quot;&amp;#x2026;&quot; horiz-adv-x=&quot;1638&quot; d=&quot;M133 0v268h279v-268h-279zM680 0v268h278v-268h-278zM1225 0v268h278v-268h-278z&quot; /&gt;
-        &lt;/font&gt;
-    &lt;/defs&gt;
-&lt;/svg&gt;
</del></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;video src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/resources/test.mp4&quot; onloadedmetadata=&quot;alertAndDone('PASS')&quot; onerror=&quot;alertAndDone('FAIL')&quot;&gt;&lt;/video&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/resources/test.mp4' because it violates the following Content Security Policy directive: &quot;media-src http://127.0.0.1:8000/resources/redirect.php&quot;.
+
+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;media-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;video src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/resources/test.mp4&quot; onloadedmetadata=&quot;alertAndDone('FAIL')&quot; onerror=&quot;alertAndDone('PASS')&quot;&gt;&lt;/video&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+ALERT: PASS
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+
+    // This is a contrived test. We normally do not allow cross-origin XML Stylesheets.
+    testRunner.addOriginAccessWhitelistEntry(&quot;http://127.0.0.1:8000&quot;, &quot;http&quot;, &quot;localhost&quot;, false);
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;iframe src=&quot;resources/xsl-redirect-allowed.php&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.xsl' because it violates the following Content Security Policy directive: &quot;script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'&quot;.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+
+    // This is a contrived test. We normally do not allow cross-origin XML Stylesheets.
+    testRunner.addOriginAccessWhitelistEntry(&quot;http://127.0.0.1:8000&quot;, &quot;http&quot;, &quot;localhost&quot;, false);
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;iframe src=&quot;resources/xsl-redirect-blocked.php&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
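Review bot: The comment above testRunner.addOriginAccessWhitelistEntry() says the test is contrived but not why the entry is needed. Say that whitelisting localhost for the http://127.0.0.1:8000 origin is there to get the load past the restriction on cross-origin XML stylesheets, so that the refusal recorded in xsl-redirect-blocked-expected.txt comes from the script-src directive and not from the origin check. This file differs from xsl-redirect-allowed.html only in the iframe src, so the same wording fits both.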
<a id="trunkLayoutTestsplatformeflTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/efl/TestExpectations (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/efl/TestExpectations        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/platform/efl/TestExpectations        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -643,7 +643,6 @@
</span><span class="cx"> webkit.org/b/153866 http/tests/media/video-served-as-text.html [ Crash ]
</span><span class="cx"> webkit.org/b/153866 http/tests/media/video-throttled-load-metadata.html [ Crash ]
</span><span class="cx"> webkit.org/b/153866 http/tests/media/video-useragent.html [ Crash ]
</span><del>-webkit.org/b/153866 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Crash ]
</del><span class="cx"> webkit.org/b/153866 http/tests/security/inactive-document-with-empty-security-origin.html [ Crash ]
</span><span class="cx"> webkit.org/b/153866 http/tests/security/isolatedWorld/userGestureEvents.html [ Crash ]
</span><span class="cx"> webkit.org/b/153866 http/tests/security/local-video-source-from-remote.html [ Crash ]
</span><span class="lines">@@ -2966,3 +2965,6 @@
</span><span class="cx"> fast/scrolling/rtl-scrollbars-overflow-padding.html [ ImageOnlyFailure ]
</span><span class="cx"> fast/scrolling/rtl-scrollbars-overflow-simple.html [ ImageOnlyFailure ]
</span><span class="cx"> fast/scrolling/rtl-scrollbars-overflow.html [ ImageOnlyFailure ]
</span><ins>+
+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 webkit.org/b/153866 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
</ins></span></pre></div>
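Review bot: The allow-video.html entry moves from [ Crash ] under webkit.org/b/153866 to [ Skip ] under two bugs, so once webkit.org/b/155505 is resolved nothing in the line says the test still needs its [ Crash ] expectation back. Add a short comment above the two new lines stating which bug is responsible for which behaviour, and consider placing them beside the other http/tests/security entries rather than after the fast/scrolling block at the end of the file.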
<a id="trunkLayoutTestsplatformgtkTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/gtk/TestExpectations (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/gtk/TestExpectations        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/platform/gtk/TestExpectations        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -691,6 +691,8 @@
</span><span class="cx"> webkit.org/b/154390 http/tests/media/hls/hls-accessiblity-describes-video.html [ Timeout Failure ]
</span><span class="cx"> webkit.org/b/154390 http/tests/media/hls/video-cookie.html [ Failure ]
</span><span class="cx"> 
</span><ins>+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
</ins><span class="cx"> 
</span><span class="cx"> #////////////////////////////////////////////////////////////////////////////////////////
</span><span class="cx"> # End of Expected failures
</span></span></pre></div>
<a id="trunkLayoutTestsplatformiossimulatorhttptestssecuritycontentSecurityPolicyaudioredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: FAIL
+
</ins></span></pre></div>
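Review bot: This baseline records ALERT: FAIL as the expected result for audio-redirect-blocked.html on the iOS simulator, which makes a media-src policy that is not enforced on redirect look like a passing test. platform/mac/TestExpectations in this same change marks the test [ Failure ] with a comment instead; using a TestExpectations entry with a bug reference here too would keep the gap visible rather than baselining it. The same applies to the video-redirect-blocked-expected.txt baseline added next to it.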
<a id="trunkLayoutTestsplatformiossimulatorhttptestssecuritycontentSecurityPolicyvideoredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt (0 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: FAIL
+
</ins></span></pre></div>
<a id="trunkLayoutTestsplatformmacTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/mac/TestExpectations (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/mac/TestExpectations        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/LayoutTests/platform/mac/TestExpectations        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -1342,3 +1342,10 @@
</span><span class="cx"> [ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow-padding.html [ ImageOnlyFailure ]
</span><span class="cx"> [ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow-simple.html [ ImageOnlyFailure ]
</span><span class="cx"> [ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow.html [ ImageOnlyFailure ]
</span><ins>+
+# Content Security Policy for media redirects is not supported on some OSes.
+[ Yosemite ElCapitan ] http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html [ Failure ]
+[ Yosemite ElCapitan ] http/tests/security/contentSecurityPolicy/video-redirect-blocked.html [ Failure ]
+
+webkit.org/b/155505 [ ElCapitan+ ] http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 [ ElCapitan+ ] http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
</ins></span></pre></div>
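Review bot: The two [ Failure ] lines for audio-redirect-blocked.html and video-redirect-blocked.html carry no bug URL, unlike the webkit.org/b/155505 lines below them, and the comment says only "some OSes". These failures mean the media-src policy is not enforced on redirect on Yosemite and ElCapitan, so reference a tracking bug on both lines and name the OS versions in the comment so the expectation gets revisited.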
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/ChangeLog        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -1,3 +1,86 @@
</span><ins>+2016-03-16  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        &lt;video&gt; and &lt;audio&gt; elements do not obey Content Security Policy on redirect
+        https://bugs.webkit.org/show_bug.cgi?id=155509
+        &lt;rdar://problem/10234844&gt;
+
+        Reviewed by Alex Christensen.
+
+        Fixes an issue where the Content Security Policy of the page was not enforced
+        on redirects when loading a media subresource via an HTML video or HTML audio
+        element.
+
+        Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/font-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/font-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/image-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/image-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/script-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/script-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/track-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/track-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/video-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/video-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html
+
+        * inspector/InspectorPageAgent.cpp:
+        (WebCore::InspectorPageAgent::cachedResourceContent): Treat media resources as raw resources just as we do currently.
+        (WebCore::InspectorPageAgent::cachedResourceType): Ditto.
+        * loader/MediaResourceLoader.cpp:
+        (WebCore::MediaResourceLoader::requestResource): Modified to use CachedResourceLoader::requestMedia() instead
+        of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
+        resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
+        initiated by an element in a user agent shadow tree. See &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt; for
+        more details.
+        * loader/ResourceLoadInfo.cpp:
+        (WebCore::toResourceType): Treat media resources as raw resources just as we do currently. Also, add cases for
+        CachedResource::LinkPrefetch and CachedResource::LinkSubresource (when ENABLE(LINK_PREFETCH) is enabled) and
+        remove the default statement to force a compile-time error when a new CachedResource enumerator is added and
+        the switch block in this function is not updated.
+        * loader/SubresourceLoader.cpp:
+        (WebCore::logResourceLoaded): Ditto.
+        * loader/cache/CachedRawResource.cpp:
+        (WebCore::CachedRawResource::CachedRawResource): Substitute CachedResource::isMainOrMediaOrRawResource() for
+        CachedResource::isMainOrRawResource() as the latter was renamed to the former.
+        * loader/cache/CachedRawResource.h:
+        (isType): Ditto.
+        * loader/cache/CachedResource.cpp:
+        (WebCore::defaultPriorityForResourceType): Use priority ResourceLoadPriority::Medium for media resources just as
+        we do currently.
+        * loader/cache/CachedResource.h:
+        (WebCore::CachedResource::isMainOrMediaOrRawResource): Formerly named isMainOrRawResource. Returns true if the type
+        of this resource is a main resource, media resource, or raw resource.
+        (WebCore::CachedResource::isMainOrRawResource): Deleted.
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::createResource): Treat media resources as raw resources just as we do currently.
+        (WebCore::CachedResourceLoader::requestMedia): Added.
+        (WebCore::contentTypeFromResourceType): Consider media resources as MixedContentChecker::ContentType::Active
+        just as we do currently.
+        (WebCore::CachedResourceLoader::checkInsecureContent): Apply the mixed content policy to media resources
+        just as we do currently.
+        (WebCore::CachedResourceLoader::canRequest): Apply the Same Origin Policy to media resources just as we
+        do currently. Query the Content Security Policy of the page to determine if the media resource can be
+        requested.
+        (WebCore::CachedResourceLoader::determineRevalidationPolicy): Substitute CachedResource::isMainOrMediaOrRawResource()
+        for CachedResource::isMainOrRawResource() as the latter was renamed to the former.
+        * loader/cache/CachedResourceLoader.h:
+        * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+        (WebCore::WebCoreAVFResourceLoader::startLoading): Modified to use CachedResourceLoader::requestMedia() instead
+        of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
+        resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
+        initiated by an element in a user agent shadow tree. See &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt; for
+        more details. Additionally, simplified code that determined whether to request the media resource or error out
+        by coalescing two conditional expressions into one conditional on whether we have a loader and substituted
+        nullptr for 0.
+
</ins><span class="cx"> 2016-03-16  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Unreviewed, rolling out r198235, r198240, r198241, and
</span></span></pre></div>
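Review bot: The entry for WebCore::logResourceLoaded under loader/SubresourceLoader.cpp says "Ditto", but the entry it refers back to (WebCore::toResourceType) describes three things: treating media resources as raw, adding the LinkPrefetch and LinkSubresource cases, and removing the default statement. The SubresourceLoader.cpp hunk only adds a MediaResource case, so spell that out. The WebCoreAVFResourceLoader::startLoading entry describes the conditional as simplified; it should also say that the check on the returned resource is no longer made.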
<a id="trunkSourceWebCoreinspectorInspectorPageAgentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/inspector/InspectorPageAgent.cpp (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/inspector/InspectorPageAgent.cpp        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/inspector/InspectorPageAgent.cpp        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -163,6 +163,7 @@
</span><span class="cx">         case CachedResource::Script:
</span><span class="cx">             *result = downcast&lt;CachedScript&gt;(*cachedResource).script().toString();
</span><span class="cx">             return true;
</span><ins>+        case CachedResource::MediaResource:
</ins><span class="cx">         case CachedResource::RawResource: {
</span><span class="cx">             auto* buffer = cachedResource-&gt;resourceBuffer();
</span><span class="cx">             if (!buffer)
</span><span class="lines">@@ -314,6 +315,7 @@
</span><span class="cx">         return InspectorPageAgent::StylesheetResource;
</span><span class="cx">     case CachedResource::Script:
</span><span class="cx">         return InspectorPageAgent::ScriptResource;
</span><ins>+    case CachedResource::MediaResource:
</ins><span class="cx">     case CachedResource::RawResource:
</span><span class="cx">         return InspectorPageAgent::XHRResource;
</span><span class="cx">     case CachedResource::MainResource:
</span></span></pre></div>
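Review bot: In the second hunk the new CachedResource::MediaResource case falls through to RawResource and returns InspectorPageAgent::XHRResource, so audio and video loads are still reported to the inspector as XHR. That preserves existing behaviour, but now that the type can be told apart from a raw resource, a FIXME on this case would record that the XHR mapping is a holdover and not a decision.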
<a id="trunkSourceWebCoreloaderMediaResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/MediaResourceLoader.cpp (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/MediaResourceLoader.cpp        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/MediaResourceLoader.cpp        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -55,13 +55,14 @@
</span><span class="cx">     RequestOriginPolicy corsPolicy = !m_crossOriginMode.isNull() ? PotentiallyCrossOriginEnabled : UseDefaultOriginRestrictionsForType;
</span><span class="cx">     StoredCredentials allowCredentials = m_crossOriginMode.isNull() || equalLettersIgnoringASCIICase(m_crossOriginMode, &quot;use-credentials&quot;) ? AllowStoredCredentials : DoNotAllowStoredCredentials;
</span><span class="cx"> 
</span><del>-    // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
</del><ins>+    // FIXME: Skip Content Security Policy check if the element that inititated this request
+    // is in a user-agent shadow tree. See &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt;.
</ins><span class="cx">     CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching));
</span><span class="cx"> 
</span><span class="cx">     if (!m_crossOriginMode.isNull())
</span><span class="cx">         updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document.securityOrigin(), allowCredentials);
</span><span class="cx"> 
</span><del>-    CachedResourceHandle&lt;CachedRawResource&gt; resource = m_document.cachedResourceLoader().requestRawResource(cacheRequest);
</del><ins>+    CachedResourceHandle&lt;CachedRawResource&gt; resource = m_document.cachedResourceLoader().requestMedia(cacheRequest);
</ins><span class="cx">     if (!resource)
</span><span class="cx">         return nullptr;
</span><span class="cx"> 
</span></span></pre></div>
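Review bot: With requestMedia() the ContentSecurityPolicyImposition::DoPolicyCheck option stops being the placeholder the removed comment described, and the FIXME that replaces it only names work that is not done yet. Until bug 155505 is fixed, loads started by an element in a user-agent shadow tree are checked against the page's policy; say so in the comment so the current behaviour is stated and not just the intended one. Also fix the spelling of "inititated".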
<a id="trunkSourceWebCoreloaderResourceLoadInfocpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/ResourceLoadInfo.cpp (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/ResourceLoadInfo.cpp        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/ResourceLoadInfo.cpp        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -55,6 +55,7 @@
</span><span class="cx"> #endif
</span><span class="cx">         return ResourceType::Font;
</span><span class="cx"> 
</span><ins>+    case CachedResource::MediaResource:
</ins><span class="cx">     case CachedResource::RawResource:
</span><span class="cx">         return ResourceType::Raw;
</span><span class="cx"> 
</span><span class="lines">@@ -62,8 +63,11 @@
</span><span class="cx">     case CachedResource::TextTrackResource:
</span><span class="cx">         return ResourceType::Media;
</span><span class="cx"> #endif
</span><del>-    default:
</del><ins>+#if ENABLE(LINK_PREFETCH)
+    case CachedResource::LinkPrefetch:
+    case CachedResource::LinkSubresource:
</ins><span class="cx">         ASSERT_NOT_REACHED();
</span><ins>+#endif
</ins><span class="cx">     };
</span><span class="cx"> }
</span><span class="cx"> 
</span></span></pre></div>
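Review bot: In the second hunk the LinkPrefetch and LinkSubresource cases reach ASSERT_NOT_REACHED() and then leave the switch, and the function ends with no return statement after it. In a build where the assertion compiles to nothing, toResourceType() has no defined return value for those types, and when ENABLE(LINK_PREFETCH) is off there is no statement at all after the TextTrackResource case group. Removing the default label is a good way to get the compile-time check, but add a return after the switch so every path yields a value.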
<a id="trunkSourceWebCoreloaderSubresourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/SubresourceLoader.cpp        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -350,6 +350,7 @@
</span><span class="cx"> #endif
</span><span class="cx">         resourceType = DiagnosticLoggingKeys::fontKey();
</span><span class="cx">         break;
</span><ins>+    case CachedResource::MediaResource:
</ins><span class="cx">     case CachedResource::RawResource:
</span><span class="cx">         resourceType = DiagnosticLoggingKeys::rawKey();
</span><span class="cx">         break;
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedRawResourcecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedRawResource.cpp (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedRawResource.cpp        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedRawResource.cpp        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -42,7 +42,7 @@
</span><span class="cx">     , m_identifier(0)
</span><span class="cx">     , m_allowEncodedDataReplacement(true)
</span><span class="cx"> {
</span><del>-    ASSERT(isMainOrRawResource());
</del><ins>+    ASSERT(isMainOrMediaOrRawResource());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> const char* CachedRawResource::calculateIncrementalDataChunk(SharedBuffer* data, unsigned&amp; incrementalDataLength)
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedRawResourceh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedRawResource.h (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedRawResource.h        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedRawResource.h        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -95,7 +95,7 @@
</span><span class="cx"> } // namespace WebCore
</span><span class="cx"> 
</span><span class="cx"> SPECIALIZE_TYPE_TRAITS_BEGIN(WebCore::CachedRawResource)
</span><del>-    static bool isType(const WebCore::CachedResource&amp; resource) { return resource.isMainOrRawResource(); }
</del><ins>+    static bool isType(const WebCore::CachedResource&amp; resource) { return resource.isMainOrMediaOrRawResource(); }
</ins><span class="cx"> SPECIALIZE_TYPE_TRAITS_END()
</span><span class="cx"> 
</span><span class="cx"> #endif // CachedRawResource_h
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourcecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResource.cpp (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResource.cpp        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedResource.cpp        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -74,6 +74,7 @@
</span><span class="cx"> #if ENABLE(SVG_FONTS)
</span><span class="cx">     case CachedResource::SVGFontResource:
</span><span class="cx"> #endif
</span><ins>+    case CachedResource::MediaResource:
</ins><span class="cx">     case CachedResource::FontResource:
</span><span class="cx">     case CachedResource::RawResource:
</span><span class="cx">         return ResourceLoadPriority::Medium;
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResource.h (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResource.h        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedResource.h        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -69,6 +69,7 @@
</span><span class="cx"> #if ENABLE(SVG_FONTS)
</span><span class="cx">         SVGFontResource,
</span><span class="cx"> #endif
</span><ins>+        MediaResource,
</ins><span class="cx">         RawResource,
</span><span class="cx">         SVGDocumentResource
</span><span class="cx"> #if ENABLE(XSLT)
</span><span class="lines">@@ -159,8 +160,8 @@
</span><span class="cx">     bool areAllClientsXMLHttpRequests() const;
</span><span class="cx"> 
</span><span class="cx">     bool isImage() const { return type() == ImageResource; }
</span><del>-    // FIXME: CachedRawResource could be either a main resource or a raw XHR resource.
-    bool isMainOrRawResource() const { return type() == MainResource || type() == RawResource; }
</del><ins>+    // FIXME: CachedRawResource could be a main resource, an audio/video resource, or a raw XHR/icon resource.
+    bool isMainOrMediaOrRawResource() const { return type() == MainResource || type() == MediaResource || type() == RawResource; }
</ins><span class="cx">     bool ignoreForRequestCount() const
</span><span class="cx">     {
</span><span class="cx">         return type() == MainResource
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -100,6 +100,7 @@
</span><span class="cx"> #endif
</span><span class="cx">     case CachedResource::FontResource:
</span><span class="cx">         return new CachedFont(request, sessionID);
</span><ins>+    case CachedResource::MediaResource:
</ins><span class="cx">     case CachedResource::RawResource:
</span><span class="cx">     case CachedResource::MainResource:
</span><span class="cx">         return new CachedRawResource(request, type, sessionID);
</span><span class="lines">@@ -269,6 +270,11 @@
</span><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><ins>+CachedResourceHandle&lt;CachedRawResource&gt; CachedResourceLoader::requestMedia(CachedResourceRequest&amp; request)
+{
+    return downcast&lt;CachedRawResource&gt;(requestResource(CachedResource::MediaResource, request).get());
+}
+
</ins><span class="cx"> CachedResourceHandle&lt;CachedRawResource&gt; CachedResourceLoader::requestRawResource(CachedResourceRequest&amp; request)
</span><span class="cx"> {
</span><span class="cx">     return downcast&lt;CachedRawResource&gt;(requestResource(CachedResource::RawResource, request).get());
</span><span class="lines">@@ -295,6 +301,7 @@
</span><span class="cx">         return MixedContentChecker::ContentType::Active;
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><ins>+    case CachedResource::MediaResource:
</ins><span class="cx">     case CachedResource::RawResource:
</span><span class="cx">     case CachedResource::SVGDocumentResource:
</span><span class="cx">         return MixedContentChecker::ContentType::Active;
</span><span class="lines">@@ -337,6 +344,7 @@
</span><span class="cx"> #if ENABLE(VIDEO_TRACK)
</span><span class="cx">     case CachedResource::TextTrackResource:
</span><span class="cx"> #endif
</span><ins>+    case CachedResource::MediaResource:
</ins><span class="cx">     case CachedResource::RawResource:
</span><span class="cx">     case CachedResource::ImageResource:
</span><span class="cx"> #if ENABLE(SVG_FONTS)
</span><span class="lines">@@ -384,6 +392,7 @@
</span><span class="cx"> #if ENABLE(SVG_FONTS)
</span><span class="cx">     case CachedResource::SVGFontResource:
</span><span class="cx"> #endif
</span><ins>+    case CachedResource::MediaResource:
</ins><span class="cx">     case CachedResource::FontResource:
</span><span class="cx">     case CachedResource::RawResource:
</span><span class="cx"> #if ENABLE(LINK_PREFETCH)
</span><span class="lines">@@ -446,12 +455,13 @@
</span><span class="cx">     case CachedResource::LinkSubresource:
</span><span class="cx"> #endif
</span><span class="cx">         break;
</span><ins>+    case CachedResource::MediaResource:
</ins><span class="cx"> #if ENABLE(VIDEO_TRACK)
</span><span class="cx">     case CachedResource::TextTrackResource:
</span><ins>+#endif
</ins><span class="cx">         if (!m_document-&gt;contentSecurityPolicy()-&gt;allowMediaFromSource(url, skipContentSecurityPolicyCheck))
</span><span class="cx">             return false;
</span><span class="cx">         break;
</span><del>-#endif
</del><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     // SVG Images have unique security rules that prevent all subresource requests except for data urls.
</span><span class="lines">@@ -742,7 +752,7 @@
</span><span class="cx"> 
</span><span class="cx">     // FIXME: We should use the same cache policy for all resource types. The raw resource policy is overly strict
</span><span class="cx">     //        while the normal subresource policy is too loose.
</span><del>-    if (existingResource-&gt;isMainOrRawResource()) {
</del><ins>+    if (existingResource-&gt;isMainOrMediaOrRawResource()) {
</ins><span class="cx">         bool strictPolicyDisabled = frame()-&gt;loader().isStrictRawResourceValidationPolicyDisabledForTesting();
</span><span class="cx">         bool canReuseRawResource = strictPolicyDisabled || downcast&lt;CachedRawResource&gt;(*existingResource).canReuse(request);
</span><span class="cx">         if (!canReuseRawResource)
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.h (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.h        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.h        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -76,6 +76,7 @@
</span><span class="cx">     CachedResourceHandle&lt;CachedCSSStyleSheet&gt; requestUserCSSStyleSheet(CachedResourceRequest&amp;);
</span><span class="cx">     CachedResourceHandle&lt;CachedScript&gt; requestScript(CachedResourceRequest&amp;);
</span><span class="cx">     CachedResourceHandle&lt;CachedFont&gt; requestFont(CachedResourceRequest&amp;, bool isSVG);
</span><ins>+    CachedResourceHandle&lt;CachedRawResource&gt; requestMedia(CachedResourceRequest&amp;);
</ins><span class="cx">     CachedResourceHandle&lt;CachedRawResource&gt; requestRawResource(CachedResourceRequest&amp;);
</span><span class="cx">     CachedResourceHandle&lt;CachedRawResource&gt; requestMainResource(CachedResourceRequest&amp;);
</span><span class="cx">     CachedResourceHandle&lt;CachedSVGDocument&gt; requestSVGDocument(CachedResourceRequest&amp;);
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformgraphicsavfoundationobjcWebCoreAVFResourceLoadermm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -67,15 +67,16 @@
</span><span class="cx"> 
</span><span class="cx">     NSURLRequest *nsRequest = [m_avRequest.get() request];
</span><span class="cx"> 
</span><del>-    // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
</del><ins>+    // FIXME: Skip Content Security Policy check if the element that inititated this request
+    // is in a user-agent shadow tree. See &lt;https://bugs.webkit.org/show_bug.cgi?id=155505&gt;.
</ins><span class="cx">     CachedResourceRequest request(nsRequest, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::DisallowCaching));
</span><span class="cx"> 
</span><span class="cx">     request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low);
</span><del>-    CachedResourceLoader* loader = m_parent-&gt;player()-&gt;cachedResourceLoader();
-    m_resource = loader ? loader-&gt;requestRawResource(request) : 0;
-    if (m_resource)
</del><ins>+    if (CachedResourceLoader* loader = m_parent-&gt;player()-&gt;cachedResourceLoader()) {
+        m_resource = loader-&gt;requestMedia(request);
</ins><span class="cx">         m_resource-&gt;addClient(this);
</span><del>-    else {
</del><ins>+    } else {
+        m_resource = nullptr;
</ins><span class="cx">         LOG_ERROR(&quot;Failed to start load for media at url %s&quot;, [[[nsRequest URL] absoluteString] UTF8String]);
</span><span class="cx">         [m_avRequest.get() finishLoadingWithError:0];
</span><span class="cx">     }
</span></span></pre></div>
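Review bot: In the new if branch, m_resource-&gt;addClient(this) runs without checking the handle returned by loader-&gt;requestMedia(request). The removed code tested if (m_resource) first and otherwise fell through to LOG_ERROR and finishLoadingWithError. If requestMedia can return a null handle, as the removed code assumed requestRawResource could, this dereferences null and the AVFoundation loading request is never finished with an error. Suggest keeping the null check after the assignment so that both a missing loader and a refused request reach the error path. Separately, "inititated" in the added FIXME comment should read "initiated".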
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebKit2/ChangeLog        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2016-03-16  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        &lt;video&gt; and &lt;audio&gt; elements do not obey Content Security Policy on redirect
+        https://bugs.webkit.org/show_bug.cgi?id=155509
+        &lt;rdar://problem/10234844&gt;
+
+        Reviewed by Alex Christensen.
+
+        Use 0ms as the maximum buffering time for media resource just as we do currently.
+
+        * WebProcess/Network/WebLoaderStrategy.cpp:
+        (WebKit::maximumBufferingTime):
+
</ins><span class="cx"> 2016-03-16  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Unreviewed, rolling out r198235, r198240, r198241, and
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessNetworkWebLoaderStrategycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp (198291 => 198292)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp        2016-03-16 19:33:47 UTC (rev 198291)
+++ trunk/Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp        2016-03-16 19:46:49 UTC (rev 198292)
</span><span class="lines">@@ -106,6 +106,7 @@
</span><span class="cx">         return std::chrono::milliseconds::max();
</span><span class="cx">     case CachedResource::ImageResource:
</span><span class="cx">         return 500_ms;
</span><ins>+    case CachedResource::MediaResource:
</ins><span class="cx">     case CachedResource::MainResource:
</span><span class="cx">     case CachedResource::RawResource:
</span><span class="cx">     case CachedResource::SVGDocumentResource:
</span></span></pre>
</div>
</div>

</body>
</html>