<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[199612] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/199612">199612</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-04-15 15:23:44 -0700 (Fri, 15 Apr 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>CSP: Ignore paths in CSP matching after redirects
https://bugs.webkit.org/show_bug.cgi?id=153154
&lt;rdar://problem/24383215&gt;

Reviewed by Brent Fulgham.

Source/WebCore:

For sub-resources that redirect, match the URL that is the result of the redirect against
the source expressions in Content Security Policy ignoring any paths in those source
expressions as per section Paths and Redirects of the Content Security Policy Level 2 spec.,
&lt;https://w3c.github.io/webappsec-csp/2/&gt; (Editor's Draft, 29 August 2015).

Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html
       http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html
       http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html
       http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html
       http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html
       http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html
       http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html
       http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html
       http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/object-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/object-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html
       http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html
       http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html
       http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest): Define a local variable didReceiveRedirectResponse as
to whether this request follows from having received a redirect response from the server. Pass this
information to FrameLoader::checkIfFormActionAllowedByCSP() and PolicyChecker::checkNavigationPolicy()
for its consideration.
* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::redirectReceived): Pass whether we have a non-null redirect
response (i.e. received a redirect response from the server) to DocumentThreadableLoader::isAllowedByContentSecurityPolicy()
for its consideration.
(WebCore::DocumentThreadableLoader::loadRequest): Pass whether we performed a redirect to
DocumentThreadableLoader::isAllowedByContentSecurityPolicy() for its consideration.
(WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): Modified to take a boolean
argument as to whether a redirect was performed. We pass this information to the appropriate
ContentSecurityPolicy method.
* loader/DocumentThreadableLoader.h:
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::checkIfFormActionAllowedByCSP): Modified to take a boolean argument as to whether
a redirect response was received and passes this information to ContentSecurityPolicy::allowFormAction()
for its consideration.
(WebCore::FrameLoader::loadURL): Modified to tell PolicyChecker::checkNavigationPolicy() that the navigation
is not in response to having received a redirect response from the server.
(WebCore::FrameLoader::loadWithDocumentLoader): Ditto.
* loader/FrameLoader.h:
* loader/PolicyChecker.cpp:
(WebCore::isAllowedByContentSecurityPolicy): Modified to take a boolean argument as to whether
a redirect response was received and passes this information to the appropriate ContentSecurityPolicy member
function for consideration.
(WebCore::PolicyChecker::checkNavigationPolicy): Modified to take a boolean argument as to whether a redirect
response was received and passes this information through to WebCore::isAllowedByContentSecurityPolicy().
* loader/PolicyChecker.h:
* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::willSendRequestInternal): Modified to tell CachedResourceLoader::canRequest() that
the request is in response to having received a redirect response from the server.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest): Modified to take a boolean argument as to whether a redirect
response was received and passes this information through to the appropriate ContentSecurityPolicy member
function for consideration.
* loader/cache/CachedResourceLoader.h:
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowScriptFromSource): Modified to take an argument as to whether a
redirect response was received and passes this information through to ContentSecurityPolicyDirectiveList.
(WebCore::ContentSecurityPolicy::allowObjectFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowChildContextFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowImageFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowStyleFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowFontFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowMediaFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowConnectToSource): Ditto.
(WebCore::ContentSecurityPolicy::allowFormAction): Ditto.
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::checkSource):
(WebCore::checkFrameAncestors):
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext): Modified to take an argument
as to whether a redirect response was received and passes this information through to the CSP directive.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFont): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForImage): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript): Ditto.
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle): Ditto.
* page/csp/ContentSecurityPolicyDirectiveList.h:
* page/csp/ContentSecurityPolicySource.cpp:
(WebCore::ContentSecurityPolicySource::matches): Modified to take an argument as to whether a redirect response
was received. When the specified URL follows from having received a redirect response then ignore the path
component of the source expression when checking for a match. Otherwise, consider the path component of the
source expression when performing the match.
* page/csp/ContentSecurityPolicySource.h:
* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::matches): Modified to take an argument as to whether a redirect
response was received and pass this information through to ContentSecurityPolicySource::matches().
* page/csp/ContentSecurityPolicySourceList.h:
* page/csp/ContentSecurityPolicySourceListDirective.cpp:
(WebCore::ContentSecurityPolicySourceListDirective::allows): Modified to take an argument as to whether a
redirect response was received and pass this information through to ContentSecurityPolicySourceList::matches().
* page/csp/ContentSecurityPolicySourceListDirective.h:

LayoutTests:

Add tests to ensure that we ignore the path component of a source expression when matching
a sub-resource URL that is the result of a redirect.

* TestExpectations: Unskip test http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html as it now passes.
* http/tests/security/contentSecurityPolicy/audio-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/embed-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/embed-redirect-blocked2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html: Added.
* http/tests/security/contentSecurityPolicy/embed-redirect-blocked3-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/object-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/object-redirect-blocked2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html: Added.
* http/tests/security/contentSecurityPolicy/object-redirect-blocked3-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html: Added.
* http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths-expected.txt: Update expected result now that we pass this test.
* http/tests/security/contentSecurityPolicy/resources/alert-pass.html:
* http/tests/security/contentSecurityPolicy/resources/redirect.pl: For resourceType == &quot;image&quot;, load image http://127.0.0.1:8000/security/resources/abe.png
instead of http://127.0.0.1:8000/resources/square20.jpg as the latter does not exist.
* http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php:
* http/tests/security/contentSecurityPolicy/script-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html:
* http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html.
* platform/ios-simulator/TestExpectations: Skip tests {embed, object}-redirect-blocked{2, 3}.html as they make
use of a plug-in and plug-ins are not supported on iOS.
* platform/wk2/TestExpectations: Skip tests {embed, object}-redirect-blocked3.html on WebKit2 as they fail
because of &lt;https://bugs.webkit.org/show_bug.cgi?id=156612&gt;.</pre>
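<p>The matching rule the log message describes (the "Paths and Redirects" section of CSP Level 2, and the behaviour it gives <code>ContentSecurityPolicySource::matches</code>) as a small, self-contained source-expression matcher. This is an added example written for this page, not WebKit's code: the function names, the simplified host-source grammar (keywords such as <code>'self'</code>, nonces and hashes are not handled, and no http-to-https upgrade leniency is applied), and the sample policy and URLs are all constructed for illustration; the <code>127.0.0.1:8000</code> URLs only mirror the test-server paths mentioned in the log.</p>

```python
"""CSP Level 2 host-source matching with the "Paths and Redirects" rule.

Added example, not WebKit code. Simplified from the matching algorithm in
https://w3c.github.io/webappsec-csp/2/ : when the URL being checked is the
result of a redirect, the path of the source expression is ignored, while
scheme, host and port are still enforced.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


@dataclass(frozen=True)
class SourceExpression:
    scheme: Optional[str]  # None -> inherit the protected resource's scheme
    host: Optional[str]    # "*" or "*.example.com" allowed; None for a scheme-source
    port: Optional[str]    # None -> default port for the scheme; "*" -> any port
    path: Optional[str]    # None -> any path


def parse_source_expression(expr: str) -> SourceExpression:
    """Parse a scheme-source ("https:") or host-source ("*.example.com:443/dir/")."""
    expr = expr.strip()
    if expr.endswith(":") and "/" not in expr:  # scheme-source
        return SourceExpression(expr[:-1].lower(), None, None, None)
    scheme = None
    if "://" in expr:
        scheme, expr = expr.split("://", 1)
        scheme = scheme.lower()
    hostport, _, path = expr.partition("/")
    host, _, port = hostport.partition(":")
    return SourceExpression(scheme, host.lower(), port or None, "/" + path if path else None)


def _host_matches(src_host: str, url_host: str) -> bool:
    if src_host == "*":
        return True
    if src_host.startswith("*."):
        # "*.example.com" matches "a.example.com" but not "example.com" itself (CSP2).
        return url_host.endswith(src_host[1:])
    return src_host == url_host


def _port_matches(src: SourceExpression, url_scheme: str, url_port: Optional[int]) -> bool:
    effective = url_port if url_port is not None else DEFAULT_PORTS.get(url_scheme)
    if src.port is None:
        return effective == DEFAULT_PORTS.get(url_scheme)
    if src.port == "*":
        return True
    return effective == int(src.port)


def _path_matches(src_path: Optional[str], url_path: str) -> bool:
    if not src_path:
        return True
    if src_path.endswith("/"):
        return url_path.startswith(src_path)  # directory prefix match
    return url_path == src_path               # exact file match (query is not compared)


def source_matches(src: SourceExpression, url: str, page_scheme: str, did_redirect: bool) -> bool:
    parts = urlsplit(url)
    url_scheme = parts.scheme.lower()
    # Without a scheme in the expression, the URL must use the protected resource's scheme.
    if url_scheme != (src.scheme or page_scheme):
        return False
    if src.host is None:  # scheme-source: nothing further to check
        return True
    if not _host_matches(src.host, (parts.hostname or "").lower()):
        return False
    if not _port_matches(src, url_scheme, parts.port):
        return False
    # "Paths and Redirects": for a URL reached via redirect the path component of the
    # source expression is ignored; scheme, host and port above still had to match.
    if did_redirect:
        return True
    return _path_matches(src.path, parts.path or "/")


def allowed_by_source_list(source_list: str, url: str, page_scheme: str = "http",
                           did_redirect: bool = False) -> bool:
    """True if any expression in a directive's source list matches the URL."""
    if source_list.strip() == "'none'":
        return False
    return any(source_matches(parse_source_expression(e), url, page_scheme, did_redirect)
               for e in source_list.split())


if __name__ == "__main__":
    # Constructed policy and URLs; the paths echo the test server used by the layout tests.
    policy = "http://127.0.0.1:8000/security/resources/"
    print(allowed_by_source_list(policy, "http://127.0.0.1:8000/security/resources/abe.png"))  # True
    print(allowed_by_source_list(policy, "http://127.0.0.1:8000/other/abe.png"))                # False
    print(allowed_by_source_list(policy, "http://127.0.0.1:8000/other/abe.png", did_redirect=True))  # True
    print(allowed_by_source_list(policy, "http://127.0.0.1:8080/other/abe.png", did_redirect=True))  # False
```

<p>The last two calls show the property a policy author keeps after a redirect: the path is dropped from the check, but scheme, host and port are still enforced, so a host-source that names a directory only constrains the first request in a redirect chain. When auditing a policy, treat each host-source as effectively host-wide once the named host can issue redirects.</p>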

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsTestExpectations">trunk/LayoutTests/TestExpectations</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyredirectdoesnotmatchpathsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesalertpasshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesredirectpl">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/redirect.pl</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesxslredirectallowedphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestsplatformiossimulatorTestExpectations">trunk/LayoutTests/platform/ios-simulator/TestExpectations</a></li>
<li><a href="#trunkLayoutTestsplatformwk2TestExpectations">trunk/LayoutTests/platform/wk2/TestExpectations</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentLoadercpp">trunk/Source/WebCore/loader/DocumentLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentThreadableLoadercpp">trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentThreadableLoaderh">trunk/Source/WebCore/loader/DocumentThreadableLoader.h</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoadercpp">trunk/Source/WebCore/loader/FrameLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoaderh">trunk/Source/WebCore/loader/FrameLoader.h</a></li>
<li><a href="#trunkSourceWebCoreloaderPolicyCheckercpp">trunk/Source/WebCore/loader/PolicyChecker.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderPolicyCheckerh">trunk/Source/WebCore/loader/PolicyChecker.h</a></li>
<li><a href="#trunkSourceWebCoreloaderSubresourceLoadercpp">trunk/Source/WebCore/loader/SubresourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceLoadercpp">trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceLoaderh">trunk/Source/WebCore/loader/cache/CachedResourceLoader.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourcecpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceh">trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectivecpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectiveh">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblocked2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblocked2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblocked3expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked3-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblocked3html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionsrcredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionsrcredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionsrcredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionsrcredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbychildsrcexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbychildsrchtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbychildsrc2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbychildsrc2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbyframesrcexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbyframesrchtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbyframesrc2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbyframesrc2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectblockedbychildsrcexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectblockedbychildsrchtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectblockedbyframesrcexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectblockedbyframesrchtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectallowedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectallowedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblockedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblocked2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblocked2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblocked3expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked3-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblocked3html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectallowed2expectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectallowed2html">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/LayoutTests/ChangeLog        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -1,3 +1,82 @@
</span><ins>+2016-04-15  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: Ignore paths in CSP matching after redirects
+        https://bugs.webkit.org/show_bug.cgi?id=153154
+        &lt;rdar://problem/24383215&gt;
+
+        Reviewed by Brent Fulgham.
+
+        Add tests to ensure that we ignore the path component of a source expression when matching
+        a sub-resource URL that is the result of a redirect.
+
+        * TestExpectations: Unskip test http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html as it now passes.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked3-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked3-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html: Added.
+        * http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths-expected.txt: Update expected result now that we pass this test.
+        * http/tests/security/contentSecurityPolicy/resources/alert-pass.html:
+        * http/tests/security/contentSecurityPolicy/resources/redirect.pl: For resourceType == &quot;image&quot;, load image http://127.0.0.1:8000/security/resources/abe.png
+        instead of http://127.0.0.1:8000/resources/square20.jpg as the latter does not exist.
+        * http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php:
+        * http/tests/security/contentSecurityPolicy/script-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/video-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html:
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html.
+        * platform/ios-simulator/TestExpectations: Skip tests {embed, object}-redirect-blocked{2, 3}.html as they make
+        use of a plug-in and plug-ins are not supported on iOS.
+        * platform/wk2/TestExpectations: Skip tests {embed, object}-redirect-blocked3.html on WebKit2 as they fail
+        because of &lt;https://bugs.webkit.org/show_bug.cgi?id=156612&gt;.
+
</ins><span class="cx"> 2016-04-15  Myles C. Maxfield  &lt;mmaxfield@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [CSS Font Loading] FontFace's promise may never be resolved/rejected if Content Security Policy blocks all the URLs
</span></span></pre></div>
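<p>Review bot: three entries in this ChangeLog hunk have no description: the lines for <code>resources/alert-pass.html:</code>, <code>resources/xsl-redirect-allowed.php:</code> and <code>xsl-redirect-allowed.html:</code> end right after the colon. WebKit ChangeLog convention is to state what changed in every touched file; a short note per entry (for instance, whether alert-pass.html now handles the <code>notifyDone=1</code> query parameter that form-action-src-redirect-allowed.html passes it, and what changed in the xsl files so that xsl-redirect-allowed2.html could be copied from them) would let a reader follow the test changes without opening each diff.</p>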
<a id="trunkLayoutTestsTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/TestExpectations (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/TestExpectations        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/LayoutTests/TestExpectations        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -815,7 +815,6 @@
</span><span class="cx"> webkit.org/b/153151 http/tests/security/contentSecurityPolicy/icon-blocked.html [ Failure ]
</span><span class="cx"> webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-allowed.html # Needs testRunner.getManifestThen()
</span><span class="cx"> webkit.org/b/153152 http/tests/security/contentSecurityPolicy/manifest-src-blocked.html # Needs testRunner.getManifestThen()
</span><del>-webkit.org/b/153154 http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths.html
</del><span class="cx"> webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/scripthash-basic-blocked-error-event.html
</span><span class="cx"> webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylehash-basic-blocked-error-event.html
</span><span class="cx"> webkit.org/b/153155 http/tests/security/contentSecurityPolicy/1.1/stylehash-svg-style-basic-blocked-error-event.html
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyaudioredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;audio src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/resources/balls-of-the-orient.aif&quot; onloadedmetadata=&quot;alertAndDone('PASS')&quot; onerror=&quot;alertAndDone('FAIL')&quot;&gt;&lt;/audio&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
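<p>Review bot: this hunk exercises only the allow direction: <code>media-src</code> lists <code>http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request</code>, the redirect lands on <code>http://localhost:8000/resources/balls-of-the-orient.aif</code>, and the test passes on <code>onloadedmetadata</code>. An implementation that dropped path matching for every request, not just redirected ones, would pass it as well. The commit adds blocked variants for embed, object and iframe but none for media; a companion test in which a non-redirected audio load on <code>http://localhost:8000</code> at a path other than the listed one is expected to fire <code>onerror</code> would tie the pass to the redirect case specifically.</p>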
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;embed type=&quot;text/html&quot; src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.html&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
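<p>Review bot: this hunk inlines the <code>if (window.testRunner) testRunner.dumpAsText();</code> boilerplate, while the audio, font and form-action tests in the same commit include <code>resources/dump-as-text.js</code> for the same purpose. Using the shared script here (and in the other embed and object tests) keeps the harness code in one place and makes the tests easier to diff against each other.</p>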
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirect-request&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;embed type=&quot;text/html&quot; src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.html&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
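<p>Review bot: the placeholder path in the <code>object-src</code> source expression of this hunk reads <code>this-path-should-be-ignored-when-matching-a-redirect-request</code>, while the audio, font and form-action tests in this commit spell it <code>...-when-matching-a-redirected-request</code>. The spelling has no effect on the result, since any path is ignored once the request has been redirected, but one consistent wording makes grepping the suite for these cases reliable.</p>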
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the object-src directive of the Content Security Policy.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;embed type=&quot;text/html&quot; src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-fail.html&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblocked2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/plugins/resources/mock-plugin.pl because it does not appear in the object-src directive of the Content Security Policy.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblocked2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;embed type=&quot;text/html&quot; src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/plugins/resources/mock-plugin.pl&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblocked3expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked3-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked3-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked3-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/plugins/resources/mock-plugin.pl because it does not appear in the object-src directive of the Content Security Policy.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyembedredirectblocked3html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;embed src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/plugins/resources/mock-plugin.pl&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
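<p>Review bot: this file differs from embed-redirect-blocked2.html only in the missing <code>type="text/html"</code> attribute on the <code>&lt;embed&gt;</code>, and both expect the identical console message for <code>mock-plugin.pl</code>. Since the ChangeLog skips this variant on WebKit2 (bug 156612) and both variants on iOS, a one-line HTML comment in the test stating what the untyped load is meant to cover, as distinct from the explicitly typed load in blocked2, would make the distinction and the platform skips understandable without consulting the bug.</p>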
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+Tests that a cross-origin CSS font loaded via a redirect is allowed by the Content Security Policy even though the policy does not contain a source expression that is an exact match of the redirected URL. This test PASSED if there are no console warning messages.
+
+.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyfontredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;font-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request&quot;&gt;
+&lt;style&gt;
+@font-face {
+    font-family: &quot;Ahem&quot;;
+    src: url(&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/resources/Ahem.woff&quot;) format(&quot;woff&quot;);
+}
+&lt;/style&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a cross-origin CSS font loaded via a redirect is allowed by the Content Security Policy even though the policy does not contain a source expression that is an exact match of the redirected URL. This test PASSED if there are no console warning messages.&lt;/p&gt;
+&lt;p style=&quot;font-family: 'Ahem'&quot;&gt;.&lt;/p&gt; &lt;!-- Intentional period character to force font to load --&gt;
+&lt;script&gt;
+// Use a zero timer to wait until the font loaded.
+if (window.testRunner)
+    window.setTimeout(&quot;window.testRunner.notifyDone();&quot;, 0);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
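<p>Review bot: the zero-delay timer at the end of this hunk, <code>window.setTimeout("window.testRunner.notifyDone();", 0)</code>, does not wait for the font as its comment claims; a 0 ms timeout yields only one turn of the event loop, and the redirected fetch of <code>Ahem.woff</code> can complete after notifyDone has fired. Because the test passes whenever no console message appears, a late CSP violation would be missed and the test would pass vacuously. Waiting on <code>document.fonts.ready</code> before calling notifyDone would make the pass meaningful; at minimum the comment should say the timer is a best-effort delay rather than a wait for the load.</p>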
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionsrcredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionsrcredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.waitUntilDone();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;form-action http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;form action=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.html%3FnotifyDone%3D1&quot; method=&quot;post&quot;&gt;&lt;/form&gt;
+&lt;script&gt;document.querySelector(&quot;form&quot;).submit()&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
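<p>Review bot: this hunk submits with <code>method="post"</code> through a <code>code=307</code> redirect, so the POST is preserved to <code>alert-pass.html?notifyDone=1</code>; that is the right status for exercising form-action across a redirect, but the reason is not recorded in the test. A short comment noting that 307 keeps the request method (a 303 would turn it into a GET and check a different code path) would stop someone from "simplifying" the code parameter later. Separately, <code>testRunner.waitUntilDone()</code> is inlined here while the audio and font tests use <code>resources/wait-until-done.js</code>; the shared script would do the same job.</p>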
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionsrcredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionsrcredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.waitUntilDone();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;form-action http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;form action=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.html%3FnotifyDone%3D1&quot; method=&quot;post&quot;&gt;&lt;/form&gt;
+&lt;script&gt;document.querySelector(&quot;form&quot;).submit()&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbychildsrcexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbychildsrchtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;iframe src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
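Review bot: The page body carries no description of what is being tested, so the only content of the expected output is "ALERT: PASS" with nothing explaining that the pass condition is a cross-origin iframe navigation through a 307 redirect permitted by child-src. The blocked variants in this patch each carry a &lt;p&gt; stating the intent and pass condition; add the same here, for example "Tests that an &lt;iframe&gt; that loads a cross-origin page via a redirect is allowed by the Content Security Policy child-src directive. This test PASSED if the alert says PASS."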
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbychildsrc2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbychildsrc2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;iframe src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
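Review bot: Nothing in this file other than the source expression path "this-path-should-be-ignored-when-matching-a-redirected-request" signals that the point of the test is the CSP rule that a source expression's path is ignored when matching the URL a request was redirected to, and the "2" suffix in the file name conveys nothing about that. A descriptive name (for example iframe-redirect-allowed-by-child-src-ignores-path.html) or a &lt;p&gt; stating the rule under test would make the expected "ALERT: PASS" meaningful to anyone triaging a regression.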
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbyframesrcexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbyframesrchtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;frame-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;iframe src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbyframesrc2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectallowedbyframesrc2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;frame-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;iframe src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
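Review bot: Both frame-src tests are identical to the child-src pair apart from the directive name, so the same documentation gap applies: neither carries a &lt;p&gt; describing the intent or the pass condition, and only the "this-path-should-be-ignored-when-matching-a-redirected-request" path in this file hints that the second variant exercises path-ignoring for redirected requests. Add the description to both, matching the blocked-by-frame-src test.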
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectblockedbychildsrcexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the child-src directive of the Content Security Policy.
+Tests that an &lt;iframe&gt; that loads a cross-origin page via a redirect is blocked by the Content Security Policy child-src directive. This test PASSED if there is a console warning message.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectblockedbychildsrchtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;child-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that an &amp;lt;iframe&amp;gt; that loads a cross-origin page via a redirect is blocked by the Content Security Policy &lt;code&gt;child-src&lt;/code&gt; directive. This test PASSED if there is a console warning message.&lt;/p&gt;
+&lt;iframe src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-fail.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
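Review bot: The description in the &lt;p&gt; says the test passes "if there is a console warning message", but the stronger assertion in the expected output is the absence of "ALERT: FAIL", which alert-fail.html would produce if the redirected load were allowed. State both in the description, for example "This test PASSED if there is a console warning message and no FAIL alert", so a future change to the console message wording is not mistaken for a behavioural regression.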
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectblockedbyframesrcexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the frame-src directive of the Content Security Policy.
+Tests that an &lt;iframe&gt; that loads a cross-origin page via a redirect is blocked by the Content Security Policy frame-src directive. This test PASSED if there is a console warning message.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyiframeredirectblockedbyframesrchtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;frame-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that an &amp;lt;iframe&amp;gt; that loads a cross-origin page via a redirect is blocked by the Content Security Policy &lt;code&gt;frame-src&lt;/code&gt; directive. This test PASSED if there is a console warning message.&lt;/p&gt;
+&lt;iframe src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-fail.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+Tests that a cross-origin image loaded via a redirect is allowed by the Content Security Policy even though the policy does not contain a source expression that is an exact match of the redirected URL. This test PASSED if there are no console warning messages.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyimageredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a cross-origin image loaded via a redirect is allowed by the Content Security Policy even though the policy does not contain a source expression that is an exact match of the redirected URL. This test PASSED if there are no console warning messages.&lt;/p&gt;
+&lt;img src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/resources/abe.png&quot; width=&quot;128&quot; height=&quot;128&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
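Review bot: The pass condition "no console warning messages" is vacuous for the &lt;img&gt; on the last line of the body: if abe.png fails to load for an unrelated reason (404, a redirect.php change), the test still passes because nothing is logged. Give the image onload/onerror handlers that report the outcome, the way stylesheet-redirect-allowed2.html in this patch does with alertAndDone('PASS') and alertAndDone('FAIL'), and include wait-until-done.js so the expected output carries a positive "ALERT: PASS".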
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectallowedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectallowedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;object type=&quot;text/html&quot; data=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.html&quot;&gt;&lt;/object&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
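Review bot: Inconsistent with the other new tests in this patch, which include resources/dump-as-text.js, the &lt;script&gt; at the top of this file open-codes the `if (window.testRunner) testRunner.dumpAsText();` check. Use the shared script here and in the other object-redirect-* tests so the harness setup is in one place.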
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirect-request&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;object type=&quot;text/html&quot; data=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.html&quot;&gt;&lt;/object&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
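Review bot: The placeholder path in the meta policy reads "this-path-should-be-ignored-when-matching-a-redirect-request", whereas every other test in this patch uses "...-redirected-request". Harmless, since the path is ignored by design, but harmonize the spelling so a grep for the marker finds all the path-ignoring tests.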
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblockedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.html because it does not appear in the object-src directive of the Content Security Policy.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblockedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;object type=&quot;text/html&quot; data=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-fail.html&quot;&gt;&lt;/object&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblocked2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/plugins/resources/mock-plugin.pl because it does not appear in the object-src directive of the Content Security Policy.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblocked2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;object type=&quot;text/html&quot; data=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/plugins/resources/mock-plugin.pl&quot;&gt;&lt;/object&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblocked3expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked3-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked3-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked3-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+CONSOLE MESSAGE: Refused to load http://localhost:8000/plugins/resources/mock-plugin.pl because it does not appear in the object-src directive of the Content Security Policy.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyobjectredirectblocked3html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;object-src http://127.0.0.1:8000/resources/redirect.php&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;object data=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/plugins/resources/mock-plugin.pl&quot;&gt;&lt;/object&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
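Review bot: object-redirect-blocked2.html and object-redirect-blocked3.html differ only in whether the &lt;object&gt; carries type="text/html", and both expect the same console message about mock-plugin.pl. Add a comment in each file (or a &lt;p&gt;, as the iframe tests have) explaining that one covers the HTML-typed load path and the other the untyped/plugin load path, so the reason for keeping both is recorded.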
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyredirectdoesnotmatchpathsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths-expected.txt (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths-expected.txt        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/redirect-does-not-match-paths-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -1,4 +1,8 @@
</span><span class="cx"> 
</span><del>-CONSOLE MESSAGE: XMLHttpRequest cannot load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/xhr-redirect-not-allowed.pl. Request header field Accept-Encoding is not allowed by Access-Control-Allow-Headers.
-FAIL: Timed out waiting for notifyDone to be called
</del><span class="cx"> 
</span><ins>+PASS CSP ignores paths of redirected resources in matching algorithm for scripts. 
+PASS CSP ignores paths of redirect resources in matching algorithm for images. 
+PASS CSP ignores paths of redirect resources in matching algorithm for frames. 
+PASS CSP ignores paths of redirected resources in matching algorithm for stylesheets. 
+PASS CSP ignores paths of redirect resources in matching algorithm for XHR. 
+
</ins></span></pre></div>
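Review bot: The five added PASS lines use two different phrasings, "redirected resources" for scripts and stylesheets but "redirect resources" for images, frames and XHR; the descriptions come from the test page, so fix them there. Separately, the removed lines show the XHR case previously failing with a CORS error ("Request header field Accept-Encoding is not allowed by Access-Control-Allow-Headers") followed by a timeout rather than a CSP violation, so it is worth confirming that the XHR subtest now passes because of the CSP redirect-matching change and not because the test server's CORS headers changed.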
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesalertpasshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -1,3 +1,7 @@
</span><span class="cx"> &lt;script&gt;
</span><del>-alert('PASS');
</del><ins>+alert(&quot;PASS&quot;);
+
+var shouldNotifyDone = document.location.search.indexOf(&quot;?notifyDone=1&quot;) !== -1 &amp;&amp; window.testRunner;
+if (shouldNotifyDone)
+    testRunner.notifyDone();
</ins><span class="cx"> &lt;/script&gt;
</span></span></pre></div>
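Review bot: The check `document.location.search.indexOf("?notifyDone=1") !== -1` only matches when notifyDone is the first query parameter; a caller that passes `?foo=1&notifyDone=1` would never call testRunner.notifyDone() and the test would time out. Match on `"notifyDone=1"` without the leading "?" (or parse the query string), and consider coercing `shouldNotifyDone` to a boolean, since as written it holds the testRunner object when the condition is true.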
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesredirectpl"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/redirect.pl (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/redirect.pl        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/redirect.pl        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -11,7 +11,7 @@
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> if ($resourceType eq &quot;image&quot;) {
</span><del>-    print &quot;Location: http://127.0.0.1:8000/resources/square20.jpg&quot;;
</del><ins>+    print &quot;Location: http://127.0.0.1:8000/security/resources/abe.png&quot;;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> if ($resourceType eq &quot;plugin&quot;) {
</span></span></pre></div>
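Review bot: The changed `print "Location: http://127.0.0.1:8000/security/resources/abe.png";` emits no line terminator, same as the line it replaces; if the code after this block prints further headers, they would run onto the same line. Confirm that the surrounding script emits the "\n" (or "\r\n") before anything else is printed, and note in the ChangeLog why the image target moved from square20.jpg to abe.png, since the new image-redirect-allowed2.html test now loads abe.png directly as well.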
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyresourcesxslredirectallowedphp"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> &lt;?php
</span><ins>+require &quot;determine-content-security-policy-header.php&quot;;
+
</ins><span class="cx"> header(&quot;Content-Type: application/xhtml+xml&quot;);
</span><del>-header(&quot;Content-Security-Policy: script-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000 'unsafe-inline'&quot;);
</del><span class="cx"> echo '&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;' . &quot;\n&quot;;
</span><span class="cx"> echo '&lt;?xml-stylesheet type=&quot;text/xsl&quot; href=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.xsl&quot;?&gt;' . &quot;\n&quot;;
</span><span class="cx"> ?&gt;
</span></span></pre></div>
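Review bot: The removed header hard-coded a script-src policy that included 'unsafe-inline', and the new `require "determine-content-security-policy-header.php";` replaces it with a policy determined elsewhere. Add a comment stating where the policy now comes from (presumably a query parameter consumed by the required file) and which policy the xsl-redirect-allowed test is expected to pass, so the next reader does not have to open the helper to see whether inline script in alert-pass.xsl is still permitted.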
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyscriptredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;script-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request 'unsafe-inline'&quot;&gt;
+&lt;script src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass-and-notify-done.js&quot; onerror=&quot;alertAndDone('FAIL')&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicystylesheetredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;style-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request&quot;&gt;
+&lt;link rel=&quot;stylesheet&quot; href=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/blue.css&quot; onload=&quot;alertAndDone('PASS')&quot; onerror=&quot;alertAndDone('FAIL')&quot;&gt;
+&lt;/head&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+Tests that a SVG font-face element is allowed to load a cross-origin external SVG font via a redirect by the Content Security Policy even though the policy does not contain a source expression that is an exact match of the redirected URL. This test PASSED if there are no console warning messages. This test PASSED if there are no console warning messages.
+
+
</ins></span></pre></div>
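Review bot: the description on the first line of this expectation repeats the sentence "This test PASSED if there are no console warning messages." twice, and "a SVG font-face element" should read "an SVG font-face element". Because this file has to match the &lt;p&gt; text in svg-font-redirect-allowed2.html exactly, fix the wording in the .html and regenerate this expectation rather than editing only one of the two files.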
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgfontredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;font-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a SVG font-face element is allowed to load a cross-origin external SVG font via a redirect by the Content Security Policy even though the policy does not contain a source expression that is an exact match of the redirected URL. This test PASSED if there are no console warning messages. This test PASSED if there are no console warning messages.&lt;/p&gt;
+&lt;svg viewBox=&quot;0 0 100 100&quot;&gt;
+    &lt;font-face&gt;
+        &lt;font-face-src&gt;
+            &lt;font-face-uri font-family=&quot;ABCFont&quot; xlink:href=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/ABCFont.svg#ABCFont&quot;&gt;&lt;/font-face-uri&gt;
+        &lt;/font-face-src&gt;
+    &lt;/font-face&gt;
+&lt;/svg&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
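Review bot: the only pass criterion is an empty console, and nothing in the markup uses the ABCFont family (there is no text element styled with font-family: ABCFont), so the test would also pass if the font-face-uri load were never attempted; a clean console does not distinguish "allowed through the redirect" from "not requested". The stylesheet, track and video variants in this patch make the positive case explicit by firing alertAndDone('PASS') from a load handler; consider referencing the family from a text element, or otherwise asserting that the redirected font actually arrived, so the test cannot pass vacuously. The duplicated "This test PASSED if there are no console warning messages." sentence in the &lt;p&gt; also needs to be reduced to one copy (and "a SVG" to "an SVG"), with the -expected.txt regenerated to match.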
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+Tests that a cross-origin SVG image loaded via a redirect is allowed by the Content Security Policy even though the policy does not contain a source expression that is an exact match of the redirected URL. This test PASSED if there are no console warning messages. This test PASSED if there are no console warning messages.
+
+
</ins></span></pre></div>
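Review bot: as in the svg-font expectation, the sentence "This test PASSED if there are no console warning messages." appears twice on the first line; drop the duplicate in svg-image-redirect-allowed2.html and regenerate this file so the two stay in sync.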
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicysvgimageredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;img-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;Tests that a cross-origin SVG image loaded via a redirect is allowed by the Content Security Policy even though the policy does not contain a source expression that is an exact match of the redirected URL. This test PASSED if there are no console warning messages. This test PASSED if there are no console warning messages.&lt;/p&gt;
+&lt;img src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/green-square.svg&quot; width=&quot;128&quot; height=&quot;128&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
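Review bot: the &lt;img&gt; carries no onload/onerror handler and the page does not include wait-until-done.js, so the result rests entirely on the console staying clean; a failure that is not a CSP violation (for example the redirected URL returning an error) logs nothing and the test still passes. The stylesheet, track and video tests in this patch wait for the load and report it via alertAndDone('PASS') / alertAndDone('FAIL'); doing the same here (add the wait-until-done.js include and the two handlers on the &lt;img&gt;) would make the positive result explicit and turn a broken redirect target into a visible FAIL. The &lt;p&gt; text also repeats its last sentence; keep one copy and regenerate the -expected.txt.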
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicytrackredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;video&gt;
+    &lt;track src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt&quot; kind=&quot;captions&quot; onload=&quot;alertAndDone('PASS')&quot; onerror=&quot;alertAndDone('FAIL')&quot;&gt;
+&lt;/video&gt;
+&lt;script&gt;
+document.querySelector(&quot;track&quot;).track.mode = &quot;hidden&quot;; // Load the track
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyvideoredirectallowed2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;resources/dump-as-text.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;resources/wait-until-done.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000/this-path-should-be-ignored-when-matching-a-redirected-request&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;video src=&quot;http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/resources/test.mp4&quot; onloadedmetadata=&quot;alertAndDone('PASS')&quot; onerror=&quot;alertAndDone('FAIL')&quot;&gt;&lt;/video&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectallowedhtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -12,6 +12,6 @@
</span><span class="cx"> &lt;/script&gt;
</span><span class="cx"> &lt;/head&gt;
</span><span class="cx"> &lt;body&gt;
</span><del>-&lt;iframe src=&quot;resources/xsl-redirect-allowed.php&quot;&gt;&lt;/iframe&gt;
</del><ins>+&lt;iframe src=&quot;resources/xsl-redirect-allowed.php?csp=script-src+http%3A//127.0.0.1%3A8000/resources/redirect.php+http%3A//localhost%3A8000+%27unsafe-inline%27&quot;&gt;&lt;/iframe&gt;
</ins><span class="cx"> &lt;/body&gt;
</span><span class="cx"> &lt;/html&gt;
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectallowed2expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2-expected.txt (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2-expected.txt        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+ALERT: PASS
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectallowed2htmlfromrev199611trunkLayoutTestshttptestssecuritycontentSecurityPolicyxslredirectallowedhtml"></a>
<div class="copfile"><h4>Copied: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html (from rev 199611, trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html) (0 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+
+    // This is a contrived test. We normally do not allow cross-origin XML Stylesheets.
+    testRunner.addOriginAccessWhitelistEntry(&quot;http://127.0.0.1:8000&quot;, &quot;http&quot;, &quot;localhost&quot;, false);
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;iframe src=&quot;resources/xsl-redirect-allowed.php?csp=script-src+http%3A//127.0.0.1%3A8000/resources/redirect.php+http%3A//localhost%3A8000/this-path-should-be-ignored-when-matching-a-redirected-request+%27unsafe-inline%27&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsplatformiossimulatorTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/ios-simulator/TestExpectations (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/ios-simulator/TestExpectations        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/LayoutTests/platform/ios-simulator/TestExpectations        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -89,8 +89,12 @@
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-nourl-blocked.html
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html
</span><span class="cx"> http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html
</span><ins>+http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html
+http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-default-src-star.html
</span><span class="cx"> http/tests/security/contentSecurityPolicy/embed-with-no-url-allowed-by-star.html
</span><ins>+http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html
+http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html
</ins><span class="cx"> http/tests/security/contentSecurityPolicy/object-src-param-code-blocked.html
</span><span class="cx"> http/tests/security/contentSecurityPolicy/object-src-param-movie-blocked.html
</span><span class="cx"> http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html
</span></span></pre></div>
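Review bot: only the blocked2/blocked3 variants are added to this list, but the ChangeLog's Tests list also names embed-redirect-allowed.html, embed-redirect-allowed2.html, embed-redirect-blocked.html, object-redirect-allowed.html, object-redirect-allowed2.html and object-redirect-blocked.html, which exercise the same &lt;embed&gt;/&lt;object&gt; loads. If these four entries are here because the iOS simulator has no plugin support, the other embed/object tests need the same treatment; if they are not needed, a short comment above the entries saying why only these four are listed would save the next person from asking the same question.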
<a id="trunkLayoutTestsplatformwk2TestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/wk2/TestExpectations (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/wk2/TestExpectations        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/LayoutTests/platform/wk2/TestExpectations        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -42,6 +42,9 @@
</span><span class="cx"> ########################################
</span><span class="cx"> ### START OF (1) Classified failures with bug reports
</span><span class="cx"> 
</span><ins>+webkit.org/b/156612 http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html [ Failure ]
+webkit.org/b/156612 http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html [ Failure ]
+
</ins><span class="cx"> # WebKitTestRunner needs to implement testRunner.dumpIconChanges().
</span><span class="cx"> webkit.org/b/44046 http/tests/security/contentSecurityPolicy/icon-allowed.html
</span><span class="cx"> webkit.org/b/44046 http/tests/security/contentSecurityPolicy/icon-blocked.html
</span></span></pre></div>
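Review bot: the two new [ Failure ] entries cite webkit.org/b/156612 but, unlike the icon-allowed/icon-blocked entries directly below them, carry no "#" comment saying what fails; a one-line note on why embed-redirect-blocked3.html and object-redirect-blocked3.html fail under WebKitTestRunner (while the blocked2 variants are not listed here) would help whoever triages the bug and makes the entry self-explanatory when the bug is eventually closed.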
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/ChangeLog        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -1,3 +1,126 @@
</span><ins>+2016-04-15  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        CSP: Ignore paths in CSP matching after redirects
+        https://bugs.webkit.org/show_bug.cgi?id=153154
+        &lt;rdar://problem/24383215&gt;
+
+        Reviewed by Brent Fulgham.
+
+        For sub-resources that redirect, match the URL that is the result of the redirect against
+        the source expressions in Content Security Policy ignoring any paths in those source
+        expressions as per section Paths and Redirects of the Content Security Policy Level 2 spec.,
+        &lt;https://w3c.github.io/webappsec-csp/2/&gt; (Editor's Draft, 29 August 2015).
+
+        Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/embed-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/embed-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/embed-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/embed-redirect-blocked2.html
+               http/tests/security/contentSecurityPolicy/embed-redirect-blocked3.html
+               http/tests/security/contentSecurityPolicy/font-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/form-action-src-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-child-src.html
+               http/tests/security/contentSecurityPolicy/iframe-redirect-blocked-by-frame-src.html
+               http/tests/security/contentSecurityPolicy/image-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/object-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/object-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/object-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/object-redirect-blocked2.html
+               http/tests/security/contentSecurityPolicy/object-redirect-blocked3.html
+               http/tests/security/contentSecurityPolicy/script-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/track-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/video-redirect-allowed2.html
+               http/tests/security/contentSecurityPolicy/xsl-redirect-allowed2.html
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::willSendRequest): Define a local variable didReceiveRedirectResponse as
+        to whether this request follows from having received a redirect response from the server. Pass this
+        information to FrameLoader::checkIfFormActionAllowedByCSP() and PolicyChecker::checkNavigationPolicy()
+        for its consideration.
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::redirectReceived): Pass whether we have a non-null redirect
+        response (i.e. received a redirect response from the server) to DocumentThreadableLoader::isAllowedByContentSecurityPolicy()
+        for its consideration.
+        (WebCore::DocumentThreadableLoader::loadRequest): Pass whether we performed a redirect to
+        DocumentThreadableLoader::isAllowedByContentSecurityPolicy() for its consideration.
+        (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy): Modified to take a boolean
+        argument as to whether a redirect was performed. We pass this information to the appropriate
+        ContentSecurityPolicy method.
+        * loader/DocumentThreadableLoader.h:
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::checkIfFormActionAllowedByCSP): Modified to take a boolean argument as to whether
+        a redirect response was received and passes this information to ContentSecurityPolicy::allowFormAction()
+        for its consideration.
+        (WebCore::FrameLoader::loadURL): Modified to tell PolicyChecker::checkNavigationPolicy() that the navigation
+        is not in response to having received a redirect response from the server.
+        (WebCore::FrameLoader::loadWithDocumentLoader): Ditto.
+        * loader/FrameLoader.h:
+        * loader/PolicyChecker.cpp:
+        (WebCore::isAllowedByContentSecurityPolicy): Modified to take a boolean argument as to whether
+        a redirect response was received and passes this information to the appropriate ContentSecurityPolicy member
+        function for consideration.
+        (WebCore::PolicyChecker::checkNavigationPolicy): Modified to take a boolean argument as to whether a redirect
+        response was received and passes this information through to WebCore::isAllowedByContentSecurityPolicy().
+        * loader/PolicyChecker.h:
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::willSendRequestInternal): Modified to tell CachedResourceLoader::canRequest() that
+        the request is in response to having received a redirect response from the server.
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::canRequest): Modified to take a boolean argument as to whether a redirect
+        response was received and passes this information through to the appropriate ContentSecurityPolicy member
+        function for consideration.
+        * loader/cache/CachedResourceLoader.h:
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowScriptFromSource): Modified to take an argument as to whether a
+        redirect response was received and passes this information through to ContentSecurityPolicyDirectiveList.
+        (WebCore::ContentSecurityPolicy::allowObjectFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowChildFrameFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowChildContextFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowImageFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowStyleFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowFontFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowMediaFromSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowConnectToSource): Ditto.
+        (WebCore::ContentSecurityPolicy::allowFormAction): Ditto.
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::checkSource):
+        (WebCore::checkFrameAncestors):
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext): Modified to take an argument
+        as to whether a redirect response was received and passes this information through to the CSP directive.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFont): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForImage): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript): Ditto.
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle): Ditto.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        * page/csp/ContentSecurityPolicySource.cpp:
+        (WebCore::ContentSecurityPolicySource::matches): Modified to take an argument as to whether a redirect response
+        was received. When the specified URL follows from having received a redirect response then ignore the path
+        component of the source expression when checking for a match. Otherwise, consider the path component of the
+        source expression when performing the match.
+        * page/csp/ContentSecurityPolicySource.h:
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::matches): Modified to take an argument as to whether a redirect
+        response was received and pass this information through to ContentSecurityPolicySource::matches().
+        * page/csp/ContentSecurityPolicySourceList.h:
+        * page/csp/ContentSecurityPolicySourceListDirective.cpp:
+        (WebCore::ContentSecurityPolicySourceListDirective::allows): Modified to take an argument as to whether a
+        redirect response was received and pass this information through to ContentSecurityPolicySourceList::matches().
+        * page/csp/ContentSecurityPolicySourceListDirective.h:
+
</ins><span class="cx"> 2016-04-15  Myles C. Maxfield  &lt;mmaxfield@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [CSS Font Loading] FontFace's promise may never be resolved/rejected if Content Security Policy blocks all the URLs
</span></span></pre></div>
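Review bot: the entries "(WebCore::checkSource):" and "(WebCore::checkFrameAncestors):" under page/csp/ContentSecurityPolicyDirectiveList.cpp have no description, while every other function entry in this ChangeLog says what changed and what it now passes through; add a sentence for each so the log stays complete. It would also be worth stating in the DocumentThreadableLoader::loadRequest entry that the "whether we performed a redirect" value in the synchronous path is inferred by comparing the request and response URLs (the FIXME in the code says so), since that caveat is relevant to anyone reading the log to understand the new argument.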
<a id="trunkSourceWebCoreloaderDocumentLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentLoader.cpp        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -503,13 +503,14 @@
</span><span class="cx">     // callbacks is meant to prevent.
</span><span class="cx">     ASSERT(!newRequest.isNull());
</span><span class="cx"> 
</span><del>-    if (!frameLoader()-&gt;checkIfFormActionAllowedByCSP(newRequest.url())) {
</del><ins>+    bool didReceiveRedirectResponse = !redirectResponse.isNull();
+    if (!frameLoader()-&gt;checkIfFormActionAllowedByCSP(newRequest.url(), didReceiveRedirectResponse)) {
</ins><span class="cx">         cancelMainResourceLoad(frameLoader()-&gt;cancelledError(newRequest));
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     ASSERT(timing().fetchStart());
</span><del>-    if (!redirectResponse.isNull()) {
</del><ins>+    if (didReceiveRedirectResponse) {
</ins><span class="cx">         // If the redirecting url is not allowed to display content from the target origin,
</span><span class="cx">         // then block the redirect.
</span><span class="cx">         Ref&lt;SecurityOrigin&gt; redirectingOrigin(SecurityOrigin::create(redirectResponse.url()));
</span><span class="lines">@@ -561,7 +562,7 @@
</span><span class="cx"> 
</span><span class="cx">     setRequest(newRequest);
</span><span class="cx"> 
</span><del>-    if (!redirectResponse.isNull()) {
</del><ins>+    if (didReceiveRedirectResponse) {
</ins><span class="cx">         // We checked application cache for initial URL, now we need to check it for redirected one.
</span><span class="cx">         ASSERT(!m_substituteData.isValid());
</span><span class="cx">         m_applicationCacheHost-&gt;maybeLoadMainResourceForRedirect(newRequest, m_substituteData);
</span><span class="lines">@@ -576,12 +577,12 @@
</span><span class="cx">     // listener. But there's no way to do that in practice. So instead we cancel later if the
</span><span class="cx">     // listener tells us to. In practice that means the navigation policy needs to be decided
</span><span class="cx">     // synchronously for these redirect cases.
</span><del>-    if (redirectResponse.isNull())
</del><ins>+    if (!didReceiveRedirectResponse)
</ins><span class="cx">         return;
</span><span class="cx"> 
</span><span class="cx">     ASSERT(!m_waitingForNavigationPolicy);
</span><span class="cx">     m_waitingForNavigationPolicy = true;
</span><del>-    frameLoader()-&gt;policyChecker().checkNavigationPolicy(newRequest, [this](const ResourceRequest&amp; request, PassRefPtr&lt;FormState&gt;, bool shouldContinue) {
</del><ins>+    frameLoader()-&gt;policyChecker().checkNavigationPolicy(newRequest, didReceiveRedirectResponse, [this](const ResourceRequest&amp; request, PassRefPtr&lt;FormState&gt;, bool shouldContinue) {
</ins><span class="cx">         continueAfterNavigationPolicy(request, shouldContinue);
</span><span class="cx">     });
</span><span class="cx"> }
</span></span></pre></div>
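Review bot: in the third hunk, by the time checkNavigationPolicy() is called the function has already returned on !didReceiveRedirectResponse, so the didReceiveRedirectResponse argument passed there is always true; passing the named variable keeps the call site readable, but a reader may take it for a varying value. Either pass the literal with a short comment noting that this path is only reached for redirects, or leave as is and say so in the ChangeLog entry for willSendRequest. Introducing the local in the first hunk and reusing it for the three former redirectResponse.isNull() checks is otherwise a clear improvement.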
<a id="trunkSourceWebCoreloaderDocumentThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -191,7 +191,7 @@
</span><span class="cx">     ASSERT_UNUSED(resource, resource == m_resource);
</span><span class="cx"> 
</span><span class="cx">     Ref&lt;DocumentThreadableLoader&gt; protect(*this);
</span><del>-    if (!isAllowedByContentSecurityPolicy(request.url())) {
</del><ins>+    if (!isAllowedByContentSecurityPolicy(request.url(), !redirectResponse.isNull())) {
</ins><span class="cx">         m_client-&gt;didFailRedirectCheck();
</span><span class="cx">         request = ResourceRequest();
</span><span class="cx">         return;
</span><span class="lines">@@ -419,7 +419,8 @@
</span><span class="cx">     // FIXME: FrameLoader::loadSynchronously() does not tell us whether a redirect happened or not, so we guess by comparing the
</span><span class="cx">     // request and response URLs. This isn't a perfect test though, since a server can serve a redirect to the same URL that was
</span><span class="cx">     // requested. Also comparing the request and response URLs as strings will fail if the requestURL still has its credentials.
</span><del>-    if (requestURL != response.url() &amp;&amp; (!isAllowedByContentSecurityPolicy(response.url()) || !isAllowedRedirect(response.url()))) {
</del><ins>+    bool didRedirect = requestURL != response.url();
+    if (didRedirect &amp;&amp; (!isAllowedByContentSecurityPolicy(response.url(), didRedirect) || !isAllowedRedirect(response.url()))) {
</ins><span class="cx">         m_client-&gt;didFailRedirectCheck();
</span><span class="cx">         return;
</span><span class="cx">     }
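Review bot: inside the `if (didRedirect && ...)` condition the `didRedirect` value handed to isAllowedByContentSecurityPolicy() is always true, so the post-redirect matching rules only ever apply when the string comparison `requestURL != response.url()` notices the redirect. As the FIXME above says, a server that redirects to exactly the URL that was requested is treated as no redirect at all, and in that case both this check and isAllowedRedirect() are skipped. That limitation predates this patch but the new parameter inherits it; passing the literal `true` here would at least make the short-circuit obvious, and the proper fix is the one the FIXME asks for, namely having FrameLoader::loadResourceSynchronously() report whether a redirect happened instead of inferring it from URLs.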
</span><span class="lines">@@ -431,17 +432,20 @@
</span><span class="cx">     didFinishLoading(identifier, 0.0);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL&amp; url)
</del><ins>+bool DocumentThreadableLoader::isAllowedByContentSecurityPolicy(const URL&amp; url, bool didRedirect)
</ins><span class="cx"> {
</span><ins>+    bool overrideContentSecurityPolicy = false;
+    ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived = didRedirect ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
+
</ins><span class="cx">     switch (m_options.contentSecurityPolicyEnforcement) {
</span><span class="cx">     case ContentSecurityPolicyEnforcement::DoNotEnforce:
</span><span class="cx">         return true;
</span><span class="cx">     case ContentSecurityPolicyEnforcement::EnforceChildSrcDirective:
</span><del>-        return contentSecurityPolicy().allowChildContextFromSource(url, false); // Do not override policy
</del><ins>+        return contentSecurityPolicy().allowChildContextFromSource(url, overrideContentSecurityPolicy, redirectResponseReceived);
</ins><span class="cx">     case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective:
</span><del>-        return contentSecurityPolicy().allowConnectToSource(url, false); // Do not override policy
</del><ins>+        return contentSecurityPolicy().allowConnectToSource(url, overrideContentSecurityPolicy, redirectResponseReceived);
</ins><span class="cx">     case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
</span><del>-        return contentSecurityPolicy().allowScriptFromSource(url, false); // Do not override policy
</del><ins>+        return contentSecurityPolicy().allowScriptFromSource(url, overrideContentSecurityPolicy, redirectResponseReceived);
</ins><span class="cx">     }
</span><span class="cx">     ASSERT_NOT_REACHED();
</span><span class="cx">     return false;
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentThreadableLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.h (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentThreadableLoader.h        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.h        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -94,7 +94,7 @@
</span><span class="cx"> 
</span><span class="cx">         void loadRequest(const ResourceRequest&amp;, SecurityCheckPolicy);
</span><span class="cx">         bool isAllowedRedirect(const URL&amp;);
</span><del>-        bool isAllowedByContentSecurityPolicy(const URL&amp;);
</del><ins>+        bool isAllowedByContentSecurityPolicy(const URL&amp;, bool didRedirect = false);
</ins><span class="cx"> 
</span><span class="cx">         bool isXMLHttpRequest() const final;
</span><span class="cx"> 
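Review bot: `bool didRedirect = false` gives a security-relevant flag a default, and the name differs from `didReceiveRedirectResponse`, which this same patch uses for the identical flag in FrameLoader, PolicyChecker and CachedResourceLoader. Any caller that relies on the default silently gets the pre-redirect matching rules; that is correct for an initial request, but it is the kind of thing worth spelling out at the call site with `false /* didReceiveRedirectResponse */`, as the patch already does in FrameLoader.cpp. Dropping the default and renaming the parameter keeps the flag explicit and greppable across the loader.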
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.cpp        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -936,12 +936,13 @@
</span><span class="cx">     return m_frame.document()-&gt;securityOrigin()-&gt;toString();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool FrameLoader::checkIfFormActionAllowedByCSP(const URL&amp; url) const
</del><ins>+bool FrameLoader::checkIfFormActionAllowedByCSP(const URL&amp; url, bool didReceiveRedirectResponse) const
</ins><span class="cx"> {
</span><span class="cx">     if (m_submittedFormURL.isEmpty())
</span><span class="cx">         return true;
</span><span class="cx"> 
</span><del>-    return m_frame.document()-&gt;contentSecurityPolicy()-&gt;allowFormAction(url);
</del><ins>+    auto redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
+    return m_frame.document()-&gt;contentSecurityPolicy()-&gt;allowFormAction(url, false /* overrideContentSecurityPolicy */, redirectResponseReceived);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> Frame* FrameLoader::opener()
</span><span class="lines">@@ -1240,7 +1241,7 @@
</span><span class="cx">         oldDocumentLoader-&gt;setLastCheckedRequest(ResourceRequest());
</span><span class="cx">         policyChecker().stopCheck();
</span><span class="cx">         policyChecker().setLoadType(newLoadType);
</span><del>-        policyChecker().checkNavigationPolicy(request, oldDocumentLoader.get(), formState.release(), [this](const ResourceRequest&amp; request, PassRefPtr&lt;FormState&gt;, bool shouldContinue) {
</del><ins>+        policyChecker().checkNavigationPolicy(request, false /* didReceiveRedirectResponse */, oldDocumentLoader.get(), formState.release(), [this](const ResourceRequest&amp; request, PassRefPtr&lt;FormState&gt;, bool shouldContinue) {
</ins><span class="cx">             continueFragmentScrollAfterNavigationPolicy(request, shouldContinue);
</span><span class="cx">         });
</span><span class="cx">         return;
</span><span class="lines">@@ -1430,7 +1431,7 @@
</span><span class="cx">         oldDocumentLoader-&gt;setTriggeringAction(action);
</span><span class="cx">         oldDocumentLoader-&gt;setLastCheckedRequest(ResourceRequest());
</span><span class="cx">         policyChecker().stopCheck();
</span><del>-        policyChecker().checkNavigationPolicy(loader-&gt;request(), oldDocumentLoader.get(), formState, [this](const ResourceRequest&amp; request, PassRefPtr&lt;FormState&gt;, bool shouldContinue) {
</del><ins>+        policyChecker().checkNavigationPolicy(loader-&gt;request(), false /* didReceiveRedirectResponse */, oldDocumentLoader.get(), formState, [this](const ResourceRequest&amp; request, PassRefPtr&lt;FormState&gt;, bool shouldContinue) {
</ins><span class="cx">             continueFragmentScrollAfterNavigationPolicy(request, shouldContinue);
</span><span class="cx">         });
</span><span class="cx">         return;
</span><span class="lines">@@ -1457,7 +1458,7 @@
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    policyChecker().checkNavigationPolicy(loader-&gt;request(), loader, formState, [this, allowNavigationToInvalidURL](const ResourceRequest&amp; request, PassRefPtr&lt;FormState&gt; formState, bool shouldContinue) {
</del><ins>+    policyChecker().checkNavigationPolicy(loader-&gt;request(), false /* didReceiveRedirectResponse */, loader, formState, [this, allowNavigationToInvalidURL](const ResourceRequest&amp; request, PassRefPtr&lt;FormState&gt; formState, bool shouldContinue) {
</ins><span class="cx">         continueLoadAfterNavigationPolicy(request, formState, shouldContinue, allowNavigationToInvalidURL);
</span><span class="cx">     });
</span><span class="cx"> }
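Review bot: all three checkNavigationPolicy() call sites in this file pass `false /* didReceiveRedirectResponse */`. They are fresh loads, so that is right, but it also means that for navigations the new flag only has any effect if the redirect-driven caller of checkNavigationPolicy(), which is not in this file, passes true. Please confirm that caller is updated in the same patch; otherwise the frame-src / child-src redirect semantics plumbed through PolicyChecker are never exercised for navigations.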
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderFrameLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.h (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.h        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/loader/FrameLoader.h        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -226,7 +226,7 @@
</span><span class="cx">     void forceSandboxFlags(SandboxFlags flags) { m_forcedSandboxFlags |= flags; }
</span><span class="cx">     SandboxFlags effectiveSandboxFlags() const;
</span><span class="cx"> 
</span><del>-    bool checkIfFormActionAllowedByCSP(const URL&amp;) const;
</del><ins>+    bool checkIfFormActionAllowedByCSP(const URL&amp;, bool didReceiveRedirectResponse) const;
</ins><span class="cx"> 
</span><span class="cx">     Frame* opener();
</span><span class="cx">     WEBCORE_EXPORT void setOpener(Frame*);
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderPolicyCheckercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/PolicyChecker.cpp (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/PolicyChecker.cpp        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/loader/PolicyChecker.cpp        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -49,13 +49,14 @@
</span><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><del>-static bool isAllowedByContentSecurityPolicy(const URL&amp; url, const Element* ownerElement)
</del><ins>+static bool isAllowedByContentSecurityPolicy(const URL&amp; url, const Element* ownerElement, bool didReceiveRedirectResponse)
</ins><span class="cx"> {
</span><span class="cx">     if (!ownerElement)
</span><span class="cx">         return true;
</span><ins>+    auto redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
</ins><span class="cx">     if (is&lt;HTMLPlugInElement&gt;(ownerElement))
</span><del>-        return ownerElement-&gt;document().contentSecurityPolicy()-&gt;allowObjectFromSource(url, ownerElement-&gt;isInUserAgentShadowTree());
-    return ownerElement-&gt;document().contentSecurityPolicy()-&gt;allowChildFrameFromSource(url, ownerElement-&gt;isInUserAgentShadowTree());
</del><ins>+        return ownerElement-&gt;document().contentSecurityPolicy()-&gt;allowObjectFromSource(url, ownerElement-&gt;isInUserAgentShadowTree(), redirectResponseReceived);
+    return ownerElement-&gt;document().contentSecurityPolicy()-&gt;allowChildFrameFromSource(url, ownerElement-&gt;isInUserAgentShadowTree(), redirectResponseReceived);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> PolicyChecker::PolicyChecker(Frame&amp; frame)
</span><span class="lines">@@ -66,12 +67,12 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void PolicyChecker::checkNavigationPolicy(const ResourceRequest&amp; newRequest, NavigationPolicyDecisionFunction function)
</del><ins>+void PolicyChecker::checkNavigationPolicy(const ResourceRequest&amp; newRequest, bool didReceiveRedirectResponse, NavigationPolicyDecisionFunction function)
</ins><span class="cx"> {
</span><del>-    checkNavigationPolicy(newRequest, m_frame.loader().activeDocumentLoader(), nullptr, WTFMove(function));
</del><ins>+    checkNavigationPolicy(newRequest, didReceiveRedirectResponse, m_frame.loader().activeDocumentLoader(), nullptr, WTFMove(function));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><del>-void PolicyChecker::checkNavigationPolicy(const ResourceRequest&amp; request, DocumentLoader* loader, PassRefPtr&lt;FormState&gt; formState, NavigationPolicyDecisionFunction function)
</del><ins>+void PolicyChecker::checkNavigationPolicy(const ResourceRequest&amp; request, bool didReceiveRedirectResponse, DocumentLoader* loader, PassRefPtr&lt;FormState&gt; formState, NavigationPolicyDecisionFunction function)
</ins><span class="cx"> {
</span><span class="cx">     NavigationAction action = loader-&gt;triggeringAction();
</span><span class="cx">     if (action.isEmpty()) {
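Review bot: in both overloads the new `bool didReceiveRedirectResponse` sits between the ResourceRequest and the DocumentLoader pointer. A bare bool in the middle of an overload set is easy to misorder, and the `/* didReceiveRedirectResponse */` comments needed at every call site in FrameLoader.cpp are the symptom. Taking `ContentSecurityPolicy::RedirectResponseReceived` at this layer (and likewise in checkIfFormActionAllowedByCSP() and CachedResourceLoader::canRequest()) would let callers write `RedirectResponseReceived::No`, make a wrong argument fail to compile, and remove the bool-to-enum ternary that this patch repeats in PolicyChecker.cpp, FrameLoader.cpp, DocumentThreadableLoader.cpp and CachedResourceLoader.cpp.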
</span><span class="lines">@@ -96,7 +97,7 @@
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (!isAllowedByContentSecurityPolicy(request.url(), m_frame.ownerElement())) {
</del><ins>+    if (!isAllowedByContentSecurityPolicy(request.url(), m_frame.ownerElement(), didReceiveRedirectResponse)) {
</ins><span class="cx">         function(request, 0, false);
</span><span class="cx">         return;
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderPolicyCheckerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/PolicyChecker.h (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/PolicyChecker.h        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/loader/PolicyChecker.h        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -55,8 +55,8 @@
</span><span class="cx"> public:
</span><span class="cx">     explicit PolicyChecker(Frame&amp;);
</span><span class="cx"> 
</span><del>-    void checkNavigationPolicy(const ResourceRequest&amp;, DocumentLoader*, PassRefPtr&lt;FormState&gt;, NavigationPolicyDecisionFunction);
-    void checkNavigationPolicy(const ResourceRequest&amp;, NavigationPolicyDecisionFunction);
</del><ins>+    void checkNavigationPolicy(const ResourceRequest&amp;, bool didReceiveRedirectResponse, DocumentLoader*, PassRefPtr&lt;FormState&gt;, NavigationPolicyDecisionFunction);
+    void checkNavigationPolicy(const ResourceRequest&amp;, bool didReceiveRedirectResponse, NavigationPolicyDecisionFunction);
</ins><span class="cx">     void checkNewWindowPolicy(const NavigationAction&amp;, const ResourceRequest&amp;, PassRefPtr&lt;FormState&gt;, const String&amp; frameName, NewWindowPolicyDecisionFunction);
</span><span class="cx">     void checkContentPolicy(const ResourceResponse&amp;, ContentPolicyDecisionFunction);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderSubresourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/SubresourceLoader.cpp (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/SubresourceLoader.cpp        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/loader/SubresourceLoader.cpp        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -185,8 +185,8 @@
</span><span class="cx">             if (m_frame)
</span><span class="cx">                 m_frame-&gt;mainFrame().diagnosticLoggingClient().logDiagnosticMessageWithResult(DiagnosticLoggingKeys::cachedResourceRevalidationKey(), emptyString(), DiagnosticLoggingResultFail, ShouldSample::Yes);
</span><span class="cx">         }
</span><del>-        
-        if (!m_documentLoader-&gt;cachedResourceLoader().canRequest(m_resource-&gt;type(), newRequest.url(), options())) {
</del><ins>+
+        if (!m_documentLoader-&gt;cachedResourceLoader().canRequest(m_resource-&gt;type(), newRequest.url(), options(), false /* forPreload */, true /* didReceiveRedirectResponse */)) {
</ins><span class="cx">             cancel();
</span><span class="cx">             return;
</span><span class="cx">         }
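Review bot: `true /* didReceiveRedirectResponse */` is hard-coded, which is only correct if this canRequest() call is inside the branch of willSendRequest() that runs for a non-null redirect response. The surrounding context (the cached-resource revalidation logging just above) suggests it is, but the guard itself is outside the hunk, so please confirm. Unrelated to the fix, the first `-`/`+` pair only strips trailing whitespace from a blank line.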
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -373,7 +373,7 @@
</span><span class="cx">     return true;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL&amp; url, const ResourceLoaderOptions&amp; options, bool forPreload)
</del><ins>+bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL&amp; url, const ResourceLoaderOptions&amp; options, bool forPreload, bool didReceiveRedirectResponse)
</ins><span class="cx"> {
</span><span class="cx">     if (document() &amp;&amp; !document()-&gt;securityOrigin()-&gt;canDisplay(url)) {
</span><span class="cx">         if (!forPreload)
</span><span class="lines">@@ -383,6 +383,7 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     bool skipContentSecurityPolicyCheck = options.contentSecurityPolicyImposition() == ContentSecurityPolicyImposition::SkipPolicyCheck;
</span><ins>+    ContentSecurityPolicy::RedirectResponseReceived redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
</ins><span class="cx"> 
</span><span class="cx">     // Some types of resources can be loaded only from the same origin.  Other
</span><span class="cx">     // types of resources, like Images, Scripts, and CSS, can be loaded from
</span><span class="lines">@@ -424,30 +425,30 @@
</span><span class="cx">     switch (type) {
</span><span class="cx"> #if ENABLE(XSLT)
</span><span class="cx">     case CachedResource::XSLStyleSheet:
</span><del>-        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowScriptFromSource(url, skipContentSecurityPolicyCheck))
</del><ins>+        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowScriptFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
</ins><span class="cx">             return false;
</span><span class="cx">         break;
</span><span class="cx"> #endif
</span><span class="cx">     case CachedResource::Script:
</span><del>-        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowScriptFromSource(url, skipContentSecurityPolicyCheck))
</del><ins>+        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowScriptFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
</ins><span class="cx">             return false;
</span><span class="cx">         if (frame() &amp;&amp; !frame()-&gt;settings().isScriptEnabled())
</span><span class="cx">             return false;
</span><span class="cx">         break;
</span><span class="cx">     case CachedResource::CSSStyleSheet:
</span><del>-        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowStyleFromSource(url, skipContentSecurityPolicyCheck))
</del><ins>+        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowStyleFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
</ins><span class="cx">             return false;
</span><span class="cx">         break;
</span><span class="cx">     case CachedResource::SVGDocumentResource:
</span><span class="cx">     case CachedResource::ImageResource:
</span><del>-        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowImageFromSource(url, skipContentSecurityPolicyCheck))
</del><ins>+        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowImageFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
</ins><span class="cx">             return false;
</span><span class="cx">         break;
</span><span class="cx"> #if ENABLE(SVG_FONTS)
</span><span class="cx">     case CachedResource::SVGFontResource:
</span><span class="cx"> #endif
</span><span class="cx">     case CachedResource::FontResource: {
</span><del>-        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowFontFromSource(url, skipContentSecurityPolicyCheck))
</del><ins>+        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowFontFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
</ins><span class="cx">             return false;
</span><span class="cx">         break;
</span><span class="cx">     }
</span><span class="lines">@@ -462,7 +463,7 @@
</span><span class="cx"> #if ENABLE(VIDEO_TRACK)
</span><span class="cx">     case CachedResource::TextTrackResource:
</span><span class="cx"> #endif
</span><del>-        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowMediaFromSource(url, skipContentSecurityPolicyCheck))
</del><ins>+        if (!m_document-&gt;contentSecurityPolicy()-&gt;allowMediaFromSource(url, skipContentSecurityPolicyCheck, redirectResponseReceived))
</ins><span class="cx">             return false;
</span><span class="cx">         break;
</span><span class="cx">     }
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.h (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.h        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.h        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -131,8 +131,9 @@
</span><span class="cx">     void preload(CachedResource::Type, CachedResourceRequest&amp;, const String&amp; charset);
</span><span class="cx">     void checkForPendingPreloads();
</span><span class="cx">     void printPreloadStats();
</span><del>-    bool canRequest(CachedResource::Type, const URL&amp;, const ResourceLoaderOptions&amp;, bool forPreload = false);
</del><span class="cx"> 
</span><ins>+    bool canRequest(CachedResource::Type, const URL&amp;, const ResourceLoaderOptions&amp;, bool forPreload = false, bool didReceiveRedirectResponse = false);
+
</ins><span class="cx">     static const ResourceLoaderOptions&amp; defaultCachedResourceOptions();
</span><span class="cx"> 
</span><span class="cx">     void documentDidFinishLoadEvent();
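Review bot: canRequest() now ends with two defaulted bools, `forPreload = false, didReceiveRedirectResponse = false`. A caller writing `canRequest(type, url, options, true)` to mark a redirect would instead set forPreload, which changes what happens on a canDisplay() failure via the `if (!forPreload)` branch in canRequest(), and would leave the redirect flag false, so the policy check silently runs with pre-redirect semantics. The SubresourceLoader call site already has to spell out `false /* forPreload */` just to reach the new parameter. Dropping the default, or taking the RedirectResponseReceived enum here, makes that mix-up a compile error.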
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -365,13 +365,13 @@
</span><span class="cx">     return violatedDirective-&gt;directiveList().isReportOnly();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowScriptFromSource(const URL&amp; url, bool overrideContentSecurityPolicy) const
</del><ins>+bool ContentSecurityPolicy::allowScriptFromSource(const URL&amp; url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
</ins><span class="cx"> {
</span><span class="cx">     if (overrideContentSecurityPolicy)
</span><span class="cx">         return true;
</span><span class="cx">     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
</span><span class="cx">         return true;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForScript, url);
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForScript, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</ins><span class="cx">     if (!violatedDirective)
</span><span class="cx">         return true;
</span><span class="cx">     String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, *violatedDirective, url, &quot;Refused to load&quot;);
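Review bot: the enum is converted straight back into a bool (`redirectResponseReceived == RedirectResponseReceived::Yes`) for violatedDirectiveInAnyPolicy(), and the identical comparison is repeated in each allow*FromSource method below; having violatedDirectiveInAnyPolicy() accept the enum would remove those copies. Also worth stating explicitly in the ChangeLog: `SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol())` is evaluated on whatever URL is passed in, so after a redirect it is the redirect target's scheme that decides the bypass, and the new flag does not change that decision.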
</span><span class="lines">@@ -379,7 +379,7 @@
</span><span class="cx">     return violatedDirective-&gt;directiveList().isReportOnly();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowObjectFromSource(const URL&amp; url, bool overrideContentSecurityPolicy) const
</del><ins>+bool ContentSecurityPolicy::allowObjectFromSource(const URL&amp; url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
</ins><span class="cx"> {
</span><span class="cx">     if (overrideContentSecurityPolicy)
</span><span class="cx">         return true;
</span><span class="lines">@@ -388,7 +388,7 @@
</span><span class="cx">     // As per section object-src of the Content Security Policy Level 3 spec., &lt;http://w3c.github.io/webappsec-csp&gt; (Editor's Draft, 29 February 2016),
</span><span class="cx">     // &quot;If plugin content is loaded without an associated URL (perhaps an object element lacks a data attribute, but loads some default plugin based
</span><span class="cx">     // on the specified type), it MUST be blocked if object-src's value is 'none', but will otherwise be allowed&quot;.
</span><del>-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes);
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::Yes);
</ins><span class="cx">     if (!violatedDirective)
</span><span class="cx">         return true;
</span><span class="cx">     String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::objectSrc, *violatedDirective, url, &quot;Refused to load&quot;);
</span><span class="lines">@@ -396,13 +396,13 @@
</span><span class="cx">     return violatedDirective-&gt;directiveList().isReportOnly();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowChildFrameFromSource(const URL&amp; url, bool overrideContentSecurityPolicy) const
</del><ins>+bool ContentSecurityPolicy::allowChildFrameFromSource(const URL&amp; url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
</ins><span class="cx"> {
</span><span class="cx">     if (overrideContentSecurityPolicy)
</span><span class="cx">         return true;
</span><span class="cx">     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
</span><span class="cx">         return true;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url);
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</ins><span class="cx">     if (!violatedDirective)
</span><span class="cx">         return true;
</span><span class="cx">     const char* effectiveViolatedDirective = violatedDirective-&gt;name() == ContentSecurityPolicyDirectiveNames::frameSrc ? ContentSecurityPolicyDirectiveNames::frameSrc : ContentSecurityPolicyDirectiveNames::childSrc;
</span><span class="lines">@@ -411,13 +411,13 @@
</span><span class="cx">     return violatedDirective-&gt;directiveList().isReportOnly();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowChildContextFromSource(const URL&amp; url, bool overrideContentSecurityPolicy) const
</del><ins>+bool ContentSecurityPolicy::allowChildContextFromSource(const URL&amp; url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
</ins><span class="cx"> {
</span><span class="cx">     if (overrideContentSecurityPolicy)
</span><span class="cx">         return true;
</span><span class="cx">     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
</span><span class="cx">         return true;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext, url);
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</ins><span class="cx">     if (!violatedDirective)
</span><span class="cx">         return true;
</span><span class="cx">     String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::childSrc, *violatedDirective, url, &quot;Refused to load&quot;);
</span><span class="lines">@@ -425,13 +425,13 @@
</span><span class="cx">     return violatedDirective-&gt;directiveList().isReportOnly();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowImageFromSource(const URL&amp; url, bool overrideContentSecurityPolicy) const
</del><ins>+bool ContentSecurityPolicy::allowImageFromSource(const URL&amp; url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
</ins><span class="cx"> {
</span><span class="cx">     if (overrideContentSecurityPolicy)
</span><span class="cx">         return true;
</span><span class="cx">     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
</span><span class="cx">         return true;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForImage, url);
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForImage, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</ins><span class="cx">     if (!violatedDirective)
</span><span class="cx">         return true;
</span><span class="cx">     String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::imgSrc, *violatedDirective, url, &quot;Refused to load&quot;);
</span><span class="lines">@@ -439,13 +439,13 @@
</span><span class="cx">     return violatedDirective-&gt;directiveList().isReportOnly();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowStyleFromSource(const URL&amp; url, bool overrideContentSecurityPolicy) const
</del><ins>+bool ContentSecurityPolicy::allowStyleFromSource(const URL&amp; url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
</ins><span class="cx"> {
</span><span class="cx">     if (overrideContentSecurityPolicy)
</span><span class="cx">         return true;
</span><span class="cx">     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
</span><span class="cx">         return true;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle, url);
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</ins><span class="cx">     if (!violatedDirective)
</span><span class="cx">         return true;
</span><span class="cx">     String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::styleSrc, *violatedDirective, url, &quot;Refused to load&quot;);
</span><span class="lines">@@ -453,13 +453,13 @@
</span><span class="cx">     return violatedDirective-&gt;directiveList().isReportOnly();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowFontFromSource(const URL&amp; url, bool overrideContentSecurityPolicy) const
</del><ins>+bool ContentSecurityPolicy::allowFontFromSource(const URL&amp; url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
</ins><span class="cx"> {
</span><span class="cx">     if (overrideContentSecurityPolicy)
</span><span class="cx">         return true;
</span><span class="cx">     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
</span><span class="cx">         return true;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForFont, url);
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForFont, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</ins><span class="cx">     if (!violatedDirective)
</span><span class="cx">         return true;
</span><span class="cx">     String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::fontSrc, *violatedDirective, url, &quot;Refused to load&quot;);
</span><span class="lines">@@ -467,13 +467,13 @@
</span><span class="cx">     return violatedDirective-&gt;directiveList().isReportOnly();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowMediaFromSource(const URL&amp; url, bool overrideContentSecurityPolicy) const
</del><ins>+bool ContentSecurityPolicy::allowMediaFromSource(const URL&amp; url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
</ins><span class="cx"> {
</span><span class="cx">     if (overrideContentSecurityPolicy)
</span><span class="cx">         return true;
</span><span class="cx">     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
</span><span class="cx">         return true;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia, url);
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</ins><span class="cx">     if (!violatedDirective)
</span><span class="cx">         return true;
</span><span class="cx">     String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::mediaSrc, *violatedDirective, url, &quot;Refused to load&quot;);
</span><span class="lines">@@ -481,13 +481,13 @@
</span><span class="cx">     return violatedDirective-&gt;directiveList().isReportOnly();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowConnectToSource(const URL&amp; url, bool overrideContentSecurityPolicy) const
</del><ins>+bool ContentSecurityPolicy::allowConnectToSource(const URL&amp; url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
</ins><span class="cx"> {
</span><span class="cx">     if (overrideContentSecurityPolicy)
</span><span class="cx">         return true;
</span><span class="cx">     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
</span><span class="cx">         return true;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url);
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</ins><span class="cx">     if (!violatedDirective)
</span><span class="cx">         return true;
</span><span class="cx">     String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::connectSrc, *violatedDirective, url, &quot;Refused to connect to&quot;);
</span><span class="lines">@@ -495,13 +495,13 @@
</span><span class="cx">     return violatedDirective-&gt;directiveList().isReportOnly();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowFormAction(const URL&amp; url, bool overrideContentSecurityPolicy) const
</del><ins>+bool ContentSecurityPolicy::allowFormAction(const URL&amp; url, bool overrideContentSecurityPolicy, RedirectResponseReceived redirectResponseReceived) const
</ins><span class="cx"> {
</span><span class="cx">     if (overrideContentSecurityPolicy)
</span><span class="cx">         return true;
</span><span class="cx">     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
</span><span class="cx">         return true;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction, url);
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirective = violatedDirectiveInAnyPolicy(&amp;ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</ins><span class="cx">     if (!violatedDirective)
</span><span class="cx">         return true;
</span><span class="cx">     String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::formAction, *violatedDirective, url, &quot;Refused to load&quot;);
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -75,27 +75,34 @@
</span><span class="cx">     void didReceiveHeaders(const ContentSecurityPolicyResponseHeaders&amp;, ReportParsingErrors = ReportParsingErrors::Yes);
</span><span class="cx">     void processHTTPEquiv(const String&amp; content, ContentSecurityPolicyHeaderType type) { didReceiveHeader(content, type, ContentSecurityPolicy::PolicyFrom::HTTPEquivMeta); }
</span><span class="cx"> 
</span><ins>+    bool allowScriptWithNonce(const String&amp; nonce, bool overrideContentSecurityPolicy = false) const;
+    bool allowStyleWithNonce(const String&amp; nonce, bool overrideContentSecurityPolicy = false) const;
+
</ins><span class="cx">     bool allowJavaScriptURLs(const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, bool overrideContentSecurityPolicy = false) const;
</span><span class="cx">     bool allowInlineEventHandlers(const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, bool overrideContentSecurityPolicy = false) const;
</span><del>-    bool allowScriptWithNonce(const String&amp; nonce, bool overrideContentSecurityPolicy = false) const;
</del><span class="cx">     bool allowInlineScript(const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, const String&amp; scriptContent, bool overrideContentSecurityPolicy = false) const;
</span><del>-    bool allowStyleWithNonce(const String&amp; nonce, bool overrideContentSecurityPolicy = false) const;
</del><span class="cx">     bool allowInlineStyle(const String&amp; contextURL, const WTF::OrdinalNumber&amp; contextLine, const String&amp; styleContent, bool overrideContentSecurityPolicy = false) const;
</span><ins>+
</ins><span class="cx">     bool allowEval(JSC::ExecState*, bool overrideContentSecurityPolicy = false) const;
</span><ins>+
</ins><span class="cx">     bool allowPluginType(const String&amp; type, const String&amp; typeAttribute, const URL&amp;, bool overrideContentSecurityPolicy = false) const;
</span><del>-    bool allowScriptFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
-    bool allowObjectFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
-    bool allowChildFrameFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
-    bool allowChildContextFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
-    bool allowImageFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
-    bool allowStyleFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
-    bool allowFontFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
-    bool allowMediaFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
-    bool allowConnectToSource(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
-    bool allowFormAction(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
-    bool allowBaseURI(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
</del><ins>+
</ins><span class="cx">     bool allowFrameAncestors(const Frame&amp;, const URL&amp;, bool overrideContentSecurityPolicy = false) const;
</span><span class="cx"> 
</span><ins>+    enum class RedirectResponseReceived { No, Yes };
+    bool allowScriptFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowChildFrameFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowChildContextFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowImageFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowStyleFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowFontFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowMediaFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowConnectToSource(const URL&amp;, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowFormAction(const URL&amp;, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+
+    bool allowObjectFromSource(const URL&amp;, bool overrideContentSecurityPolicy = false, RedirectResponseReceived = RedirectResponseReceived::No) const;
+    bool allowBaseURI(const URL&amp;, bool overrideContentSecurityPolicy = false) const;
+
</ins><span class="cx">     void setOverrideAllowInlineStyle(bool);
</span><span class="cx"> 
</span><span class="cx">     void gatherReportURIs(DOMStringList&amp;) const;
</span></span></pre></div>
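Review bot: `enum class RedirectResponseReceived { No, Yes };` is added without a comment saying what it changes (the ContentSecurityPolicySource.cpp hunk in this patch skips the path match when it is Yes), and because it is the third defaulted parameter, a caller that only wants to pass `RedirectResponseReceived::Yes` must also write out `false` for overrideContentSecurityPolicy. A one-line comment above the enum, plus a note that allowBaseURI intentionally keeps the two-parameter signature, would make the new grouping of declarations below allowFrameAncestors self-explanatory. The moved allowScriptWithNonce/allowStyleWithNonce declarations are a pure reorder and need no further review.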
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -61,9 +61,9 @@
</span><span class="cx">     return !directive || directive-&gt;allowInline();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-static inline bool checkSource(ContentSecurityPolicySourceListDirective* directive, const URL&amp; url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty = ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No)
</del><ins>+static inline bool checkSource(ContentSecurityPolicySourceListDirective* directive, const URL&amp; url, bool didReceiveRedirectResponse = false, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty = ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No)
</ins><span class="cx"> {
</span><del>-    return !directive || directive-&gt;allows(url, shouldAllowEmptyURLIfSourceListEmpty);
</del><ins>+    return !directive || directive-&gt;allows(url, didReceiveRedirectResponse, shouldAllowEmptyURLIfSourceListEmpty);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> static inline bool checkHash(ContentSecurityPolicySourceListDirective* directive, const ContentSecurityPolicyHash&amp; hash)
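Review bot: inserting `bool didReceiveRedirectResponse = false` ahead of the already-defaulted `shouldAllowEmptyURLIfSourceListEmpty` leaves checkSource with two trailing defaulted parameters of different types. An enum class does not convert to bool, so a misordered call will fail to compile, but the positional form `checkSource(operativeDirective, url, didReceiveRedirectResponse, shouldAllowEmptyURLIfSourceListEmpty)` is still hard to read at a glance. Threading the ContentSecurityPolicy::RedirectResponseReceived enum down instead of a raw bool would keep the intent visible at each call site.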
</span><span class="lines">@@ -80,8 +80,9 @@
</span><span class="cx"> {
</span><span class="cx">     if (!directive)
</span><span class="cx">         return true;
</span><ins>+    bool didReceiveRedirectResponse = false;
</ins><span class="cx">     for (Frame* current = frame.tree().parent(); current; current = current-&gt;tree().parent()) {
</span><del>-        if (!directive-&gt;allows(current-&gt;document()-&gt;url(), ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No))
</del><ins>+        if (!directive-&gt;allows(current-&gt;document()-&gt;url(), didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone::No))
</ins><span class="cx">             return false;
</span><span class="cx">     }
</span><span class="cx">     return true;
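Review bot: the new local `bool didReceiveRedirectResponse = false;` names the argument instead of passing a bare `false`, which reads better, but it should carry a comment explaining why the ancestor walk never sets it: each ancestor is matched by `current->document()->url()`, so the path part of a frame-ancestors source must always be enforced. Without that, a reader will wonder whether redirect handling for this directive was simply left for later.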
</span><span class="lines">@@ -189,38 +190,38 @@
</span><span class="cx">     return m_baseURI.get();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext(const URL&amp; url) const
</del><ins>+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext(const URL&amp; url, bool didReceiveRedirectResponse) const
</ins><span class="cx"> {
</span><span class="cx">     ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_childSrc.get());
</span><del>-    if (checkSource(operativeDirective, url))
</del><ins>+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
</ins><span class="cx">         return nullptr;
</span><span class="cx">     return operativeDirective;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource(const URL&amp; url) const
</del><ins>+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource(const URL&amp; url, bool didReceiveRedirectResponse) const
</ins><span class="cx"> {
</span><span class="cx">     ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_connectSrc.get());
</span><del>-    if (checkSource(operativeDirective, url))
</del><ins>+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
</ins><span class="cx">         return nullptr;
</span><span class="cx">     return operativeDirective;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFont(const URL&amp; url) const
</del><ins>+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFont(const URL&amp; url, bool didReceiveRedirectResponse) const
</ins><span class="cx"> {
</span><span class="cx">     ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_fontSrc.get());
</span><del>-    if (checkSource(operativeDirective, url))
</del><ins>+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
</ins><span class="cx">         return nullptr;
</span><span class="cx">     return operativeDirective;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction(const URL&amp; url) const
</del><ins>+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction(const URL&amp; url, bool didReceiveRedirectResponse) const
</ins><span class="cx"> {
</span><del>-    if (checkSource(m_formAction.get(), url))
</del><ins>+    if (checkSource(m_formAction.get(), url, didReceiveRedirectResponse))
</ins><span class="cx">         return nullptr;
</span><span class="cx">     return m_formAction.get();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame(const URL&amp; url) const
</del><ins>+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame(const URL&amp; url, bool didReceiveRedirectResponse) const
</ins><span class="cx"> {
</span><span class="cx">     if (url.isBlankURL())
</span><span class="cx">         return nullptr;
</span><span class="lines">@@ -228,7 +229,7 @@
</span><span class="cx">     // We must enforce the frame-src directive (if specified) before enforcing the child-src directive for a nested browsing
</span><span class="cx">     // context by &lt;https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested&gt; (29 August 2015).
</span><span class="cx">     ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_frameSrc ? m_frameSrc.get() : m_childSrc.get());
</span><del>-    if (checkSource(operativeDirective, url))
</del><ins>+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
</ins><span class="cx">         return nullptr;
</span><span class="cx">     return operativeDirective;
</span><span class="cx"> }
</span><span class="lines">@@ -240,28 +241,28 @@
</span><span class="cx">     return m_frameAncestors.get();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForImage(const URL&amp; url) const
</del><ins>+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForImage(const URL&amp; url, bool didReceiveRedirectResponse) const
</ins><span class="cx"> {
</span><span class="cx">     ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_imgSrc.get());
</span><del>-    if (checkSource(operativeDirective, url))
</del><ins>+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
</ins><span class="cx">         return nullptr;
</span><span class="cx">     return operativeDirective;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia(const URL&amp; url) const
</del><ins>+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForMedia(const URL&amp; url, bool didReceiveRedirectResponse) const
</ins><span class="cx"> {
</span><span class="cx">     ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_mediaSrc.get());
</span><del>-    if (checkSource(operativeDirective, url))
</del><ins>+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
</ins><span class="cx">         return nullptr;
</span><span class="cx">     return operativeDirective;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource(const URL&amp; url, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty) const
</del><ins>+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForObjectSource(const URL&amp; url, bool didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty) const
</ins><span class="cx"> {
</span><span class="cx">     if (url.isBlankURL())
</span><span class="cx">         return nullptr;
</span><span class="cx">     ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_objectSrc.get());
</span><del>-    if (checkSource(operativeDirective, url, shouldAllowEmptyURLIfSourceListEmpty))
</del><ins>+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse, shouldAllowEmptyURLIfSourceListEmpty))
</ins><span class="cx">         return nullptr;
</span><span class="cx">     return operativeDirective;
</span><span class="cx"> }
</span><span class="lines">@@ -273,18 +274,18 @@
</span><span class="cx">     return m_pluginTypes.get();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL&amp; url) const
</del><ins>+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL&amp; url, bool didReceiveRedirectResponse) const
</ins><span class="cx"> {
</span><span class="cx">     ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_scriptSrc.get());
</span><del>-    if (checkSource(operativeDirective, url))
</del><ins>+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
</ins><span class="cx">         return nullptr;
</span><span class="cx">     return operativeDirective;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle(const URL&amp; url) const
</del><ins>+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForStyle(const URL&amp; url, bool didReceiveRedirectResponse) const
</ins><span class="cx"> {
</span><span class="cx">     ContentSecurityPolicySourceListDirective* operativeDirective = this-&gt;operativeDirective(m_styleSrc.get());
</span><del>-    if (checkSource(operativeDirective, url))
</del><ins>+    if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
</ins><span class="cx">         return nullptr;
</span><span class="cx">     return operativeDirective;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -57,18 +57,18 @@
</span><span class="cx">     const ContentSecurityPolicyDirective* violatedDirectiveForStyleNonce(const String&amp;) const;
</span><span class="cx"> 
</span><span class="cx">     const ContentSecurityPolicyDirective* violatedDirectiveForBaseURI(const URL&amp;) const;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirectiveForChildContext(const URL&amp;) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForConnectSource(const URL&amp;) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForFont(const URL&amp;) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForFormAction(const URL&amp;) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForFrame(const URL&amp;) const;
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirectiveForChildContext(const URL&amp;, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForConnectSource(const URL&amp;, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForFont(const URL&amp;, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForFormAction(const URL&amp;, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForFrame(const URL&amp;, bool didReceiveRedirectResponse) const;
</ins><span class="cx">     const ContentSecurityPolicyDirective* violatedDirectiveForFrameAncestor(const Frame&amp;) const;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirectiveForImage(const URL&amp;) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForMedia(const URL&amp;) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL&amp;, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone) const;
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirectiveForImage(const URL&amp;, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForMedia(const URL&amp;, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL&amp;, bool didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone) const;
</ins><span class="cx">     const ContentSecurityPolicyDirective* violatedDirectiveForPluginType(const String&amp; type, const String&amp; typeAttribute) const;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&amp;) const;
-    const ContentSecurityPolicyDirective* violatedDirectiveForStyle(const URL&amp;) const;
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&amp;, bool didReceiveRedirectResponse) const;
+    const ContentSecurityPolicyDirective* violatedDirectiveForStyle(const URL&amp;, bool didReceiveRedirectResponse) const;
</ins><span class="cx"> 
</span><span class="cx">     const ContentSecurityPolicyDirective* defaultSrc() const { return m_defaultSrc.get(); }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourcecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -43,13 +43,13 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicySource::matches(const URL&amp; url) const
</del><ins>+bool ContentSecurityPolicySource::matches(const URL&amp; url, bool didReceiveRedirectResponse) const
</ins><span class="cx"> {
</span><span class="cx">     if (!schemeMatches(url))
</span><span class="cx">         return false;
</span><span class="cx">     if (isSchemeOnly())
</span><span class="cx">         return true;
</span><del>-    return hostMatches(url) &amp;&amp; portMatches(url) &amp;&amp; pathMatches(url);
</del><ins>+    return hostMatches(url) &amp;&amp; portMatches(url) &amp;&amp; (didReceiveRedirectResponse || pathMatches(url));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicySource::schemeMatches(const URL&amp; url) const
</span></span></pre></div>
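Review bot: `(didReceiveRedirectResponse || pathMatches(url))` is the only behavioural change in the patch and has no comment. ContentSecurityPolicyDirectiveList.cpp already cites the spec inline (`// ... by <https://w3c.github.io/webappsec-csp/2/#directive-child-src-nested> (29 August 2015).`), so a similar one-liner here stating that after a redirect only the scheme, host and port of a source expression are matched would document the relaxation at the point where it happens. The evaluation order is right: scheme-only sources still return early through isSchemeOnly(), and hostMatches and portMatches are checked before the flag is consulted, so a redirect never widens matching beyond the path component.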
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.h (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.h        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySource.h        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -38,7 +38,7 @@
</span><span class="cx"> public:
</span><span class="cx">     ContentSecurityPolicySource(const ContentSecurityPolicy&amp;, const String&amp; scheme, const String&amp; host, int port, const String&amp; path, bool hostHasWildcard, bool portHasWildcard);
</span><span class="cx"> 
</span><del>-    bool matches(const URL&amp;) const;
</del><ins>+    bool matches(const URL&amp;, bool didReceiveRedirectResponse = false) const;
</ins><span class="cx"> 
</span><span class="cx"> private:
</span><span class="cx">     bool schemeMatches(const URL&amp;) const;
</span></span></pre></div>
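Review bot: `matches(const URL&, bool didReceiveRedirectResponse = false)` defaults the flag here, while `ContentSecurityPolicySourceList::matches(const URL&, bool didReceiveRedirectResponse)` and `ContentSecurityPolicySourceListDirective::allows(const URL&, bool didReceiveRedirectResponse, ...)` in the same patch require it; pick one convention. Requiring it at every layer keeps the redirect state an explicit decision by the caller rather than something a future call site can forget.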
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -128,7 +128,7 @@
</span><span class="cx">     return isAllowed;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicySourceList::matches(const URL&amp; url)
</del><ins>+bool ContentSecurityPolicySourceList::matches(const URL&amp; url, bool didReceiveRedirectResponse)
</ins><span class="cx"> {
</span><span class="cx">     if (m_allowStar &amp;&amp; isProtocolAllowedByStar(url))
</span><span class="cx">         return true;
</span><span class="lines">@@ -137,7 +137,7 @@
</span><span class="cx">         return true;
</span><span class="cx"> 
</span><span class="cx">     for (auto&amp; entry : m_list) {
</span><del>-        if (entry.matches(url))
</del><ins>+        if (entry.matches(url, didReceiveRedirectResponse))
</ins><span class="cx">             return true;
</span><span class="cx">     }
</span><span class="cx"> 
</span></span></pre></div>
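Review bot: the flag is consulted only inside the per-entry loop; the early `m_allowStar && isProtocolAllowedByStar(url)` return above it is path-free, so that is correct, but a short comment saying so would stop a reader from assuming the redirect case was overlooked on the early returns. Also, this `matches` overload is non-const while the hash and nonce overloads declared beside it in the header are const; that predates the patch, but the signature is being changed anyway, so it is a cheap moment to fix.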
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -45,7 +45,7 @@
</span><span class="cx"> 
</span><span class="cx">     void parse(const String&amp;);
</span><span class="cx"> 
</span><del>-    bool matches(const URL&amp;);
</del><ins>+    bool matches(const URL&amp;, bool didReceiveRedirectResponse);
</ins><span class="cx">     bool matches(const ContentSecurityPolicyHash&amp;) const;
</span><span class="cx">     bool matches(const String&amp; nonce) const;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectivecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -40,11 +40,11 @@
</span><span class="cx">     m_sourceList.parse(value);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicySourceListDirective::allows(const URL&amp; url, ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty)
</del><ins>+bool ContentSecurityPolicySourceListDirective::allows(const URL&amp; url, bool didReceiveRedirectResponse, ShouldAllowEmptyURLIfSourceListIsNotNone shouldAllowEmptyURLIfSourceListEmpty)
</ins><span class="cx"> {
</span><span class="cx">     if (url.isEmpty())
</span><span class="cx">         return shouldAllowEmptyURLIfSourceListEmpty == ShouldAllowEmptyURLIfSourceListIsNotNone::Yes &amp;&amp; !m_sourceList.isNone();
</span><del>-    return m_sourceList.matches(url);
</del><ins>+    return m_sourceList.matches(url, didReceiveRedirectResponse);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicySourceListDirective::allows(const String&amp; nonce) const
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectiveh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h (199611 => 199612)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h        2016-04-15 21:28:12 UTC (rev 199611)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h        2016-04-15 22:23:44 UTC (rev 199612)
</span><span class="lines">@@ -39,7 +39,7 @@
</span><span class="cx">     ContentSecurityPolicySourceListDirective(const ContentSecurityPolicyDirectiveList&amp;, const String&amp; name, const String&amp; value);
</span><span class="cx"> 
</span><span class="cx">     enum class ShouldAllowEmptyURLIfSourceListIsNotNone { No, Yes };
</span><del>-    bool allows(const URL&amp;, ShouldAllowEmptyURLIfSourceListIsNotNone);
</del><ins>+    bool allows(const URL&amp;, bool didReceiveRedirectResponse, ShouldAllowEmptyURLIfSourceListIsNotNone);
</ins><span class="cx">     bool allows(const ContentSecurityPolicyHash&amp;) const;
</span><span class="cx">     bool allows(const String&amp; nonce) const;
</span><span class="cx">     bool allowInline() const { return m_sourceList.allowInline(); }
</span></span></pre>
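Review bot: `allows(const URL&, bool didReceiveRedirectResponse, ShouldAllowEmptyURLIfSourceListIsNotNone)` places the bool between the URL and the enum, matching checkSource's argument order, which is fine. The declaration stays non-const while the neighbouring `allows(const ContentSecurityPolicyHash&) const` and `allows(const String& nonce) const` are const; since the .cpp body only calls `m_sourceList.isNone()` and `m_sourceList.matches(url, didReceiveRedirectResponse)`, the URL overload could be made const too once ContentSecurityPolicySourceList::matches(const URL&, bool) is.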
</div>
</div>

</body>
</html>