<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[200832] releases/WebKitGTK/webkit-2.12</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/200832">200832</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-05-13 03:37:21 -0700 (Fri, 13 May 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/200030">r200030</a> - REGRESSION (<a href="http://trac.webkit.org/projects/webkit/changeset/196012">r196012</a>): Subresource may be blocked by Content Security Policy if it only matches 'self'
https://bugs.webkit.org/show_bug.cgi?id=156935
<rdar://problem/25351286>
Reviewed by Darin Adler.
Source/WebCore:
Fixes an issue where subresource load may be blocked by the Content Security Policy (CSP) if its URL only
matched 'self'. In particular, the load would be blocked if initiated from a document that inherited the
origin of its owner document (e.g. the document contained in <iframe src="about:blank"></iframe>).
Following <a href="http://trac.webkit.org/projects/webkit/changeset/196012">r196012</a> we compute and cache 'self' and its protocol on instantiation of a ContentSecurityPolicy
object for use when matching a URL against it. These cached values become out-of-date if the document
subsequently inherits the origin of its owner document. Therefore matches against 'self' will fail and
CSP will block a load if its not otherwise allowed by the policy. Previously we would compute 'self' when
parsing the definition of a source list and compute the protocol for 'self' each time we tried to match a
URL against 'self'. So, 'self' would always be up-to-date with respect to the origin of the document.
Tests: http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html
http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Extract out logic for computing and caching
'self' and its protocol into ContentSecurityPolicy::updateSourceSelf() and make use of this function.
(WebCore::ContentSecurityPolicy::updateSourceSelf): Computes and caches 'self' and its protocol with
respect to the specified SecurityOrigin.
(WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): Call ContentSecurityPolicy::updateSourceSelf()
to ensure that we have an up-to-date representation for 'self' and the protocol of 'self' which can
become out-of-date if the document inherited the origin of its owner document.
* page/csp/ContentSecurityPolicy.h:
LayoutTests:
Add tests to ensure that we match 'self' correctly in an iframe with an about:blank document.
* http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html: Added.
* http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCorepagecspContentSecurityPolicycpp">releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceWebCorepagecspContentSecurityPolicyh">releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyiframeblankurlprogrammaticallyaddexternalscriptexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyiframeblankurlprogrammaticallyaddexternalscripthtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyiframesrcdocexternalscriptexpectedtxt">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyiframesrcdocexternalscripthtml">releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit212LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog (200831 => 200832)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-05-13 10:32:58 UTC (rev 200831)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/ChangeLog 2016-05-13 10:37:21 UTC (rev 200832)
</span><span class="lines">@@ -1,3 +1,18 @@
</span><ins>+2016-04-25 Daniel Bates <dabates@apple.com>
+
+ REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self'
+ https://bugs.webkit.org/show_bug.cgi?id=156935
+ <rdar://problem/25351286>
+
+ Reviewed by Darin Adler.
+
+ Add tests to ensure that we match 'self' correctly in an iframe with an about:blank document.
+
+ * http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html: Added.
+ * http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html: Added.
+
</ins><span class="cx"> 2016-04-22 Dave Hyatt <hyatt@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION (r189567): The top of Facebook's messenger.com looks visually broken
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyiframeblankurlprogrammaticallyaddexternalscriptexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt (0 => 200832)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt 2016-05-13 10:37:21 UTC (rev 200832)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+ALERT: PASS
+
+
+--------
+Frame: 'frame'
+--------
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyiframeblankurlprogrammaticallyaddexternalscripthtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html (0 => 200832)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html 2016-05-13 10:37:21 UTC (rev 200832)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
+</head>
+<body>
+<iframe src="about:blank" id="frame"></iframe>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+ testRunner.waitUntilDone();
+}
+
+function appendTestScriptToDocument(contentDocument)
+{
+ var script = contentDocument.createElement("script");
+ script.src = "resources/alert-pass-and-notify-done.js";
+ contentDocument.body.appendChild(script);
+}
+
+appendTestScriptToDocument(document.getElementById("frame").contentDocument);
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyiframesrcdocexternalscriptexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt (0 => 200832)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt 2016-05-13 10:37:21 UTC (rev 200832)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212LayoutTestshttptestssecuritycontentSecurityPolicyiframesrcdocexternalscripthtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html (0 => 200832)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html (rev 0)
+++ releases/WebKitGTK/webkit-2.12/LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html 2016-05-13 10:37:21 UTC (rev 200832)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
+</head>
+<body>
+<iframe srcdoc='<script src="resources/alert-pass.js"></script>'></iframe>
+</body>
+</html>
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog (200831 => 200832)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-05-13 10:32:58 UTC (rev 200831)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/ChangeLog 2016-05-13 10:37:21 UTC (rev 200832)
</span><span class="lines">@@ -1,3 +1,35 @@
</span><ins>+2016-04-25 Daniel Bates <dabates@apple.com>
+
+ REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self'
+ https://bugs.webkit.org/show_bug.cgi?id=156935
+ <rdar://problem/25351286>
+
+ Reviewed by Darin Adler.
+
+ Fixes an issue where subresource load may be blocked by the Content Security Policy (CSP) if its URL only
+ matched 'self'. In particular, the load would be blocked if initiated from a document that inherited the
+ origin of its owner document (e.g. the document contained in <iframe src="about:blank"></iframe>).
+
+ Following r196012 we compute and cache 'self' and its protocol on instantiation of a ContentSecurityPolicy
+ object for use when matching a URL against it. These cached values become out-of-date if the document
+ subsequently inherits the origin of its owner document. Therefore matches against 'self' will fail and
+ CSP will block a load if its not otherwise allowed by the policy. Previously we would compute 'self' when
+ parsing the definition of a source list and compute the protocol for 'self' each time we tried to match a
+ URL against 'self'. So, 'self' would always be up-to-date with respect to the origin of the document.
+
+ Tests: http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html
+ http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html
+
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Extract out logic for computing and caching
+ 'self' and its protocol into ContentSecurityPolicy::updateSourceSelf() and make use of this function.
+ (WebCore::ContentSecurityPolicy::updateSourceSelf): Computes and caches 'self' and its protocol with
+ respect to the specified SecurityOrigin.
+ (WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): Call ContentSecurityPolicy::updateSourceSelf()
+ to ensure that we have an up-to-date representation for 'self' and the protocol of 'self' which can
+ become out-of-date if the document inherited the origin of its owner document.
+ * page/csp/ContentSecurityPolicy.h:
+
</ins><span class="cx"> 2016-04-22 Dave Hyatt <hyatt@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION (r189567): The top of Facebook's messenger.com looks visually broken
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (200831 => 200832)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-05-13 10:32:58 UTC (rev 200831)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-05-13 10:37:21 UTC (rev 200832)
</span><span class="lines">@@ -59,16 +59,13 @@
</span><span class="cx"> , m_sandboxFlags(SandboxNone)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(scriptExecutionContext.securityOrigin());
</span><del>- auto& securityOrigin = *scriptExecutionContext.securityOrigin();
- m_selfSourceProtocol = securityOrigin.protocol();
- m_selfSource = std::make_unique<ContentSecurityPolicySource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false);
</del><ins>+ updateSourceSelf(*scriptExecutionContext.securityOrigin());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> ContentSecurityPolicy::ContentSecurityPolicy(const SecurityOrigin& securityOrigin)
</span><span class="cx"> : m_sandboxFlags(SandboxNone)
</span><span class="cx"> {
</span><del>- m_selfSourceProtocol = securityOrigin.protocol();
- m_selfSource = std::make_unique<ContentSecurityPolicySource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false);
</del><ins>+ updateSourceSelf(securityOrigin);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> ContentSecurityPolicy::~ContentSecurityPolicy()
</span><span class="lines">@@ -127,9 +124,22 @@
</span><span class="cx"> applyPolicyToScriptExecutionContext();
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void ContentSecurityPolicy::updateSourceSelf(const SecurityOrigin& securityOrigin)
+{
+ m_selfSourceProtocol = securityOrigin.protocol();
+ m_selfSource = std::make_unique<ContentSecurityPolicySource>(*this, m_selfSourceProtocol, securityOrigin.host(), securityOrigin.port(), emptyString(), false, false);
+}
+
</ins><span class="cx"> void ContentSecurityPolicy::applyPolicyToScriptExecutionContext()
</span><span class="cx"> {
</span><span class="cx"> ASSERT(m_scriptExecutionContext);
</span><ins>+
+ // Update source self as the security origin may have changed between the time we were created and now.
+ // For instance, we may have been initially created for an about:blank iframe that later inherited the
+ // security origin of its owner document.
+ ASSERT(m_scriptExecutionContext->securityOrigin());
+ updateSourceSelf(*m_scriptExecutionContext->securityOrigin());
+
</ins><span class="cx"> if (!m_lastPolicyEvalDisabledErrorMessage.isNull())
</span><span class="cx"> m_scriptExecutionContext->disableEval(m_lastPolicyEvalDisabledErrorMessage);
</span><span class="cx"> if (m_sandboxFlags != SandboxNone && is<Document>(m_scriptExecutionContext))
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit212SourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.h (200831 => 200832)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-05-13 10:32:58 UTC (rev 200831)
+++ releases/WebKitGTK/webkit-2.12/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-05-13 10:37:21 UTC (rev 200832)
</span><span class="lines">@@ -140,6 +140,7 @@
</span><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> void logToConsole(const String& message, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
</span><ins>+ void updateSourceSelf(const SecurityOrigin&);
</ins><span class="cx"> void applyPolicyToScriptExecutionContext();
</span><span class="cx">
</span><span class="cx"> void didReceiveHeader(const String&, ContentSecurityPolicyHeaderType, ContentSecurityPolicy::PolicyFrom);
</span></span></pre>
</div>
</div>
</body>
</html>