<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[201679] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/201679">201679</a></dd>
<dt>Author</dt> <dd>bfulgham@apple.com</dd>
<dt>Date</dt> <dd>2016-06-04 00:20:17 -0700 (Sat, 04 Jun 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>CSP: Content Security Policy directive, upgrade-insecure-requests (UIR)
https://bugs.webkit.org/show_bug.cgi?id=143653
&lt;rdar://problem/23032067&gt;

Reviewed by Andy Estes.

Source/WebCore:

Modify our loading logic so that we recognize and upgrade insecure requests to secure
requests if the Content Security Policy directive 'upgrade-insecure-requests' is
present.

Add a static helper function to ContentSecurityPolicy to upgrade insecure URLs so
that we don't have to sprinkle the same code all over the loader system.

Tests: http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-simple-ws.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html
       http/tests/ssl/iframe-upgrade.https.html
       http/tests/ssl/upgrade-origin-usage.html
       http/tests/websocket/tests/hybi/upgrade-simple-ws.html

* Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect): Upgrade insecure requests if the CSP
indicates we should.
* dom/Document.cpp:
(WebCore::Document::initSecurityContext): Populate new document CSP with sets of upgrade host and port combinations.
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestScript): Upgrade insecure requests if
the CSP indicates we should.
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::loadResource): Ditto.
* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin): Ditto.
* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create): Ditto.
(WebCore::FormSubmission::populateFrameLoadRequest): Add &quot;Upgrade-Insecure-Requests&quot;
header to frame load requests.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::addExtraFieldsToMainResourceRequest): Add the
'Upgrade-Insecure-Requests' header field if necessary.
(WebCore::FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded): Added helper function.
(WebCore::FrameLoader::loadPostRequest): Upgrade insecure requests if the CSP
indicates we should.
(WebCore::FrameLoader::loadResourceSynchronously): Ditto.
(WebCore::FrameLoader::loadDifferentDocumentItem): If loading a form, add the
'Upgrade-Insecure-Requests' header field if necessary.
(WebCore::createWindow): Upgrade insecure requests if the CSP
indicates we should.
* loader/FrameLoader.h:
* loader/PingLoader.cpp:
(WebCore::PingLoader::loadImage): Upgrade insecure requests if the CSP
indicates we should.
(WebCore::PingLoader::sendPing): Ditto.
(WebCore::PingLoader::sendViolationReport): Ditto.
* loader/ResourceLoader.cpp:
(WebCore::ResourceLoader::willSendRequestInternal): Ditto.
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::requestFrame): Ditto.
(WebCore::SubframeLoader::requestObject): Ditto.
* loader/appcache/ApplicationCacheHost.cpp:
(WebCore::ApplicationCacheHost::shouldLoadResourceFromApplicationCache): Ditto.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestImage): Ditto.
(WebCore::CachedResourceLoader::requestResource): Ditto.
* page/DOMWindow.cpp:
(WebCore::DOMWindow::createWindow): Add the 'Upgrade-Insecure-Requests' header
field if necessary.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::copyStateFrom): Populate upgraded resource set
from other context.
(WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Added helper function
to upgrade requests when the upgrade-insecure-requests CSP policy is present, or if
the host and port combination have previously been upgraded.
(WebCore::ContentSecurityPolicy::upgradeInsecureNavigationRequestIfNeeded): Added
helper function to upgrade requests that have been previously upgraded. Cross-site
navigations only get upgraded when they have been previously upgraded.
(WebCore::ContentSecurityPolicy::addInsecureNavigationRequestsToUpgrade): Added.
(WebCore::ContentSecurityPolicy::populateInsecureNavigationRequestsToUpgradeFromOther): Added.
* page/csp/ContentSecurityPolicy.h:
(WebCore::ContentSecurityPolicy::setUpgradeInsecureRequests): Added.
(WebCore::ContentSecurityPolicy::upgradeInsecureRequests): Added.
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList): Use
more C++11 initializations.
(WebCore::ContentSecurityPolicyDirectiveList::setUpgradeInsecureRequests): Added.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Teach this function to
recognize the new directive.
* page/csp/ContentSecurityPolicyDirectiveList.h:
* page/csp/ContentSecurityPolicyDirectiveNames.cpp:
* page/csp/ContentSecurityPolicyDirectiveNames.h:
* platform/network/HTTPHeaderNames.in: Add new 'Upgrade-Insecure-Requests' header field.
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::open): Upgrade insecure requests if the CSP indicates we should.

LayoutTests:

Some of these tests are based on a set of Blink patches by Mike West &lt;mkwst@chromium.org&gt;.
&lt;https://src.chromium.org/viewvc/blink?revision=192607&amp;view=revision&gt;,
&lt;https://codereview.chromium.org/1178093002&gt;, &lt;https://codereview.chromium.org/1964303003&gt;

The rest of them are based on our own mixedContent tests, revised for upgraded requests.

Note that WebSockets are not part of this testing at present due to https://bugs.webkit.org/show_bug.cgi?id=157884.

* http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html: Added.
* http/tests/security/resources/post-origin-to-parent.html: Added.
* http/tests/ssl/iframe-upgrade.https-expected.txt: Added.
* http/tests/ssl/iframe-upgrade.https.html: Added.
* http/tests/ssl/upgrade-origin-usage-expected.txt: Added.
* http/tests/ssl/upgrade-origin-usage.html: Added.
* http/tests/ssl/resources/origin-usage-iframe-1.html: Added.
* http/tests/ssl/resources/origin-usage-iframe-1.manifest: Added.
* http/tests/ssl/resources/origin-usage-iframe-2.html: Added.
* http/tests/ssl/resources/origin-usage-iframe-2.manifest: Added.
* http/tests/websocket/tests/hybi/upgrade-simple-ws-expected.txt: Added.
* http/tests/websocket/tests/hybi/upgrade-simple-ws.html: Added.
* TestExpectations: Skip http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-simple-ws.html since the
WebSocket server does not currently support wss sockets.</pre>
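<p>The upgrade decision that the log message above describes for ContentSecurityPolicy::upgradeInsecureRequestIfNeeded and the navigation helper, as a small JavaScript model added here for illustration; it is not WebKit code. The class, method and request-kind names and the example.test hosts are assumptions, as is seeding the set with the document's own host and port when the directive is enabled.</p>

```javascript
// Added illustration, not WebKit source. All names below are hypothetical.
// Scheme pairs that have a secure counterpart.
const SECURE_FOR = { 'http:': 'https:', 'ws:': 'wss:' };
const INSECURE_FOR = { 'https:': 'http:', 'wss:': 'ws:' };

// "host[:port]" of the insecure form of a URL, used as the key of the
// "previously upgraded" set. Default ports are omitted by the URL parser.
function insecureHostPort(href) {
  const url = new URL(href);
  if (INSECURE_FOR[url.protocol]) url.protocol = INSECURE_FOR[url.protocol];
  return url.host;
}

class UpgradePolicyModel {
  constructor(documentHref) {
    this.documentHref = documentHref;
    this.directivePresent = false;       // 'upgrade-insecure-requests' is in force
    this.previouslyUpgraded = new Set(); // host and port combinations
  }

  // Called when the document's policy carries the directive.
  enableDirective() {
    this.directivePresent = true;
    // Assumption: the document's own host/port joins the set, which is what
    // lets navigations back to the same host be upgraded.
    this.previouslyUpgraded.add(insecureHostPort(this.documentHref));
  }

  // A new document or window starts with the set of the context that
  // created it. Only the set is carried over in this model.
  inheritFrom(other) {
    for (const key of other.previouslyUpgraded) this.previouslyUpgraded.add(key);
  }

  // kind is 'load' (subresource, XHR, WebSocket) or 'navigation'.
  upgradeIfNeeded(href, kind) {
    const url = new URL(href);
    const secure = SECURE_FOR[url.protocol];
    if (!secure) return url.href;        // already secure, or no secure twin
    // Any request is upgraded when its host/port was upgraded before.
    let upgrade = this.previouslyUpgraded.has(url.host);
    // Loads are also upgraded whenever the directive is present; navigations
    // to other hosts are not, so they rely on the set alone.
    if (kind === 'load') upgrade = upgrade || this.directivePresent;
    if (!upgrade) return url.href;
    url.protocol = secure;               // http to https, ws to wss; an explicit port is kept
    return url.href;
  }
}

// Constructed scenario: a top-level document enables the directive and then
// opens a child context that inherits its set.
function demo() {
  const top = new UpgradePolicyModel('https://shop.example.test/cart');
  const before = top.upgradeIfNeeded('http://cdn.example.test/app.js', 'load');
  top.enableDirective();
  const child = new UpgradePolicyModel('https://frames.example.test/widget');
  child.inheritFrom(top);
  return {
    before,
    script: top.upgradeIfNeeded('http://cdn.example.test/app.js', 'load'),
    socket: top.upgradeIfNeeded('ws://shop.example.test/live', 'load'),
    altPort: top.upgradeIfNeeded('http://cdn.example.test:8000/a.png', 'load'),
    secureAlready: top.upgradeIfNeeded('https://cdn.example.test/app.js', 'load'),
    sameHostNav: top.upgradeIfNeeded('http://shop.example.test/checkout', 'navigation'),
    otherHostNav: top.upgradeIfNeeded('http://partner.example.test/', 'navigation'),
    childNav: child.upgradeIfNeeded('http://shop.example.test/help', 'navigation'),
  };
}

console.log(demo());
```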

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsplatformmacTestExpectations">trunk/LayoutTests/platform/mac/TestExpectations</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreModuleswebsocketsWebSocketcpp">trunk/Source/WebCore/Modules/websockets/WebSocket.cpp</a></li>
<li><a href="#trunkSourceWebCoredomDocumentcpp">trunk/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#trunkSourceWebCoredomScriptElementcpp">trunk/Source/WebCore/dom/ScriptElement.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentWritercpp">trunk/Source/WebCore/loader/DocumentWriter.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderFormSubmissioncpp">trunk/Source/WebCore/loader/FormSubmission.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoadercpp">trunk/Source/WebCore/loader/FrameLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoaderh">trunk/Source/WebCore/loader/FrameLoader.h</a></li>
<li><a href="#trunkSourceWebCoreloaderPingLoadercpp">trunk/Source/WebCore/loader/PingLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderSubframeLoadercpp">trunk/Source/WebCore/loader/SubframeLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderappcacheApplicationCacheHostcpp">trunk/Source/WebCore/loader/appcache/ApplicationCacheHost.cpp</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceLoadercpp">trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamescpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamesh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkHTTPHeaderNamesin">trunk/Source/WebCore/platform/network/HTTPHeaderNames.in</a></li>
<li><a href="#trunkSourceWebCorexmlXMLHttpRequestcpp">trunk/Source/WebCore/xml/XMLHttpRequest.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyupgradeinsecureexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyupgradeinsecurephp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php</a></li>
<li>trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/</li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsbasicupgradecorshttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsbasicupgradecorshttpshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsbasicupgradehttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsbasicupgradehttpshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsformupgradeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsformupgradehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheaderauxiliaryexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheaderauxiliaryhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadernestedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadernestedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadersubresourceexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadersubresourcehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadertoplevelexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadertoplevelhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsiframeupgradehttpsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsiframeupgradehttpshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestspropernestedupgradesexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestspropernestedupgradeshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsproperopenwindowupgradesexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsproperopenwindowupgradeshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html</a></li>
<li>trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/</li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesbasicupgradecorshttpshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcescheckhttpsheaderpl">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesechohttpsheaderpl">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesframewithinsecureaudiovideohtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesframewithinsecurecsshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesframewithinsecureimagehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesframewithredirecthttptohttpsscripthtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesframewithredirecthttpstohttpscripthtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesinsecurexhrinmainframewindowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesmixedcontentwithupgradehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesnestedframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesnestednestedframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesnestednestedwindowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-window.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesnestedwindowhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-window.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesposthttpsheaderpl">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecureaudiovideoinmainframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecureaudiovideoinmainframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecurecssiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecurecssiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecureimageinmainframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecureimageinmainframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecurexhrinmainframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecurexhrinmainframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgraderedirecthttptohttpsscriptiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgraderedirecthttptohttpsscriptiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgraderedirecthttpstohttpscriptiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgraderedirecthttpstohttpscriptiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradesmixedcontentexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradesmixedcontenthtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecurityresourcespostorigintoparenthtml">trunk/LayoutTests/http/tests/security/resources/post-origin-to-parent.html</a></li>
<li><a href="#trunkLayoutTestshttptestsssliframeupgradehttpsexpectedtxt">trunk/LayoutTests/http/tests/ssl/iframe-upgrade.https-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsssliframeupgradehttpshtml">trunk/LayoutTests/http/tests/ssl/iframe-upgrade.https.html</a></li>
<li><a href="#trunkLayoutTestshttptestssslresourcesoriginusageiframe1html">trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.html</a></li>
<li><a href="#trunkLayoutTestshttptestssslresourcesoriginusageiframe1manifest">trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.manifest</a></li>
<li><a href="#trunkLayoutTestshttptestssslresourcesoriginusageiframe2html">trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.html</a></li>
<li><a href="#trunkLayoutTestshttptestssslresourcesoriginusageiframe2manifest">trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.manifest</a></li>
<li><a href="#trunkLayoutTestshttptestssslupgradeoriginusageexpectedtxt">trunk/LayoutTests/http/tests/ssl/upgrade-origin-usage-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssslupgradeoriginusagehtml">trunk/LayoutTests/http/tests/ssl/upgrade-origin-usage.html</a></li>
<li><a href="#trunkLayoutTestshttptestswebsockettestshybiupgradesimplewsexpectedtxt">trunk/LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestswebsockettestshybiupgradesimplewshtml">trunk/LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/LayoutTests/ChangeLog        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -1,3 +1,81 @@
</span><ins>+2016-06-04  Brent Fulgham  &lt;bfulgham@apple.com&gt;
+
+        CSP: Content Security Policy directive, upgrade-insecure-requests (UIR)
+        https://bugs.webkit.org/show_bug.cgi?id=143653
+        &lt;rdar://problem/23032067&gt;
+
+        Reviewed by Andy Estes.
+
+        Some of these tests are based on a set of Blink patches by Mike West &lt;mkwst@chromium.org&gt;.
+        &lt;https://src.chromium.org/viewvc/blink?revision=192607&amp;view=revision&gt;,
+        &lt;https://codereview.chromium.org/1178093002&gt;, &lt;https://codereview.chromium.org/1964303003&gt;
+
+        The rest of them are based on our own mixedContent tests, revised for upgraded requests.
+
+        Note that WebSockets are not part of this testing at present due to https://bugs.webkit.org/show_bug.cgi?id=157884.
+
+        * http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html: Added.
+        * http/tests/security/resources/post-origin-to-parent.html: Added.
+        * http/tests/ssl/iframe-upgrade.https-expected.txt: Added.
+        * http/tests/ssl/iframe-upgrade.https.html: Added.
+        * http/tests/ssl/upgrade-origin-usage-expected.txt: Added.
+        * http/tests/ssl/upgrade-origin-usage.html: Added.
+        * http/tests/ssl/resources/origin-usage-iframe-1.html: Added.
+        * http/tests/ssl/resources/origin-usage-iframe-1.manifest: Added.
+        * http/tests/ssl/resources/origin-usage-iframe-2.html: Added.
+        * http/tests/ssl/resources/origin-usage-iframe-2.manifest: Added.
+        * http/tests/websocket/tests/hybi/upgrade-simple-ws-expected.txt: Added.
+        * http/tests/websocket/tests/hybi/upgrade-simple-ws.html: Added.
+        * TestExpectations: Skip http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-simple-ws.html since the
+        WebSocket server does not currently support wss sockets.
+
</ins><span class="cx"> 2016-06-03  Myles C. Maxfield  &lt;mmaxfield@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Bopomofo ruby in Dictionary.app is written horizontally (when it should be written vertically)
</span></span></pre></div>
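Review bot: The TestExpectations entry at the end of this ChangeLog names http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-simple-ws.html, but the test this change adds is http/tests/websocket/tests/hybi/upgrade-simple-ws.html, so the skipped path matches none of the listed files. Please correct the path in the entry. Since the note further up already cites https://bugs.webkit.org/show_bug.cgi?id=157884 as the reason WebSockets are not tested, it would also help to say whether the skip is tracked by that same bug.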
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyupgradeinsecureexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+CONSOLE MESSAGE: The Content Security Policy directive 'upgrade-insecure-requests' is ignored when delivered in a report-only policy.
+CONSOLE MESSAGE: line 1: [Report Only] Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
+ALERT: PASS
+CSP report received:
+CONTENT_TYPE: application/csp-report
+HTTP_REFERER: http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php
+REQUEST_METHOD: POST
+=== POST DATA ===
+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/report-only-upgrade-insecure.php&quot;,&quot;referrer&quot;:&quot;&quot;,&quot;violated-directive&quot;:&quot;script-src 'self'&quot;,&quot;effective-directive&quot;:&quot;script-src&quot;,&quot;original-policy&quot;:&quot;script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.php&quot;,&quot;blocked-uri&quot;:&quot;&quot;,&quot;status-code&quot;:200}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyreportonlyupgradeinsecurephp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+&lt;?php
+    header(&quot;Content-Security-Policy-Report-Only: script-src 'self'; upgrade-insecure-requests; report-uri resources/save-report.php&quot;);
+?&gt;
+&lt;script&gt;
+// This script block will trigger a violation report but shouldn't be blocked.
+alert('PASS');
+&lt;/script&gt;
+&lt;script src=&quot;resources/go-to-echo-report.js&quot;&gt;&lt;/script&gt;
</ins></span></pre></div>
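Review bot: The only comment in this file describes the script-src violation; nothing says what the test checks about upgrade-insecure-requests in a report-only policy. Please add a short comment stating that the directive must be ignored when delivered through Content-Security-Policy-Report-Only and that the "is ignored" console message in the expected output is the check, so a later reader does not take this for a plain script-src reporting test.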
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsbasicupgradecorshttpsexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+CONSOLE MESSAGE: line 31: PASS: Successfully retrieved image data.
+This test opens a window that loads an insecure image. We should upgrade this request and thereby avoid triggering a mixed content callback.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsbasicupgradecorshttpshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+}
+&lt;/script&gt;
+&lt;p&gt;This test opens a window that loads an insecure image.  We should upgrade
+this request and thereby avoid triggering a mixed content callback.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
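Review bot: The description paragraph says the test "opens a window", but the file embeds an iframe pointing at resources/basic-upgrade-cors.https.html and opens no window; please reword it to match. The file also calls testRunner.waitUntilDone() with no notifyDone() in sight, so completion depends entirely on the framed resource. A one-line comment saying so would make a timeout easier to diagnose.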
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsbasicupgradehttpsexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+
+PASS Verify that images are upgraded. 
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsbasicupgradehttpshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,33 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;title&gt;Upgrade Insecure Requests: Basics.&lt;/title&gt;
+&lt;script src=&quot;/js-test-resources/testharness.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;/js-test-resources/testharnessreport.js&quot;&gt;&lt;/script&gt;
+
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+// This is a bit of a hack. UPGRADE doesn't upgrade the port number, so we
+// specify this non-existent URL ('http' over port 8443). If UPGRADE doesn't
+// work, it won't load.
+var insecureImage = &quot;http://127.0.0.1:8443/security/resources/abe.png&quot;;
+
+(function() {
+    var t = async_test(&quot;Verify that images are upgraded.&quot;);
+    t.step(function () {
+        var i = document.createElement('img');
+        i.onload = t.step_func(function () {
+            assert_equals(i.naturalHeight, 103, &quot;Height.&quot;);
+            assert_equals(i.naturalWidth, 76, &quot;Width.&quot;);
+            t.done();
+        });
+        i.onerror = t.step_func(function () {
+            assert_unreached(&quot;The image should load successfully.&quot;);
+        });
+
+        i.src = insecureImage;
+    });
+}());
+
+&lt;/script&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsformupgradeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,5 @@
</span><ins>+
+
+PASS Same-host form submissions are upgraded. 
+PASS Cross-host form submissions are upgraded. 
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsformupgradehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,41 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;head&gt;
+&lt;title&gt;Upgrade Insecure Requests: Form Submission.&lt;/title&gt;
+&lt;script src=&quot;/js-test-resources/testharness.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;/js-test-resources/testharnessreport.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script&gt;
+async_test(t =&gt; {
+    var iframe = document.createElement('iframe');
+    iframe.srcdoc = &quot;&lt;meta http-equiv='Content-Security-Policy' content='upgrade-insecure-requests'&gt;&quot; +
+               &quot;&lt;form action='http://127.0.0.1:8443/security/resources/post-origin-to-parent.html'&gt;&lt;/form&gt;&quot; +
+               &quot;&lt;script&gt;document.querySelector('form').submit()&lt;/scr&quot; + &quot;ipt&gt;&quot;;
+
+    window.addEventListener('message', t.step_func(e =&gt; {
+        if (e.source == iframe.contentWindow) {
+            assert_equals(&quot;https_127.0.0.1_8443&quot;, e.data.origin);
+            t.done();
+        }
+    }));
+
+    document.body.appendChild(iframe);
+}, &quot;Same-host form submissions are upgraded.&quot;);
+
+async_test(t =&gt; {
+    var iframe = document.createElement('iframe');
+    iframe.srcdoc = &quot;&lt;meta http-equiv='Content-Security-Policy' content='upgrade-insecure-requests'&gt;&quot; +
+               &quot;&lt;form action='http://localhost:8443/security/resources/post-origin-to-parent.html'&gt;&lt;/form&gt;&quot; +
+               &quot;&lt;script&gt;document.querySelector('form').submit()&lt;/scr&quot; + &quot;ipt&gt;&quot;;
+
+    window.addEventListener('message', t.step_func(e =&gt; {
+        if (e.source == iframe.contentWindow) {
+            assert_equals(e.data.origin, &quot;https_localhost_8443&quot;);
+            t.done();
+        }
+    }));
+
+    document.body.appendChild(iframe);
+}, &quot;Cross-host form submissions are upgraded.&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
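Review bot: The first test passes its arguments to assert_equals in the opposite order from the second: assert_equals("https_127.0.0.1_8443", e.data.origin) versus assert_equals(e.data.origin, "https_localhost_8443"). testharness.js takes the actual value first and the expected value second, so a failure in the same-host case would report the two swapped. Please use (e.data.origin, "https_127.0.0.1_8443") in the first test. The file also ends without a trailing newline.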
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheaderauxiliaryexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+
+PASS Verify that nested documents receive an 'HTTPS' header. 
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheaderauxiliaryhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+  &lt;script src=&quot;/js-test-resources/testharness.js&quot;&gt;&lt;/script&gt;
+  &lt;script src=&quot;/js-test-resources/testharnessreport.js&quot;&gt;&lt;/script&gt;
+  &lt;script&gt;
+    if (window.testRunner)
+      testRunner.setCanOpenWindows();
+
+    var t = async_test(&quot;Verify that nested documents receive an 'HTTPS' header.&quot;);
+    window.addEventListener(&quot;message&quot;, t.step_func(function (message) {
+      assert_equals(message.data.header, &quot;1&quot;);
+      t.done();
+    }));
+
+    window.open(&quot;resources/post-https-header.pl&quot;);
+  &lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
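Review bot: The async_test description, "Verify that nested documents receive an 'HTTPS' header.", is the same string used in https-header-nested.html, but this test covers an auxiliary browsing context created with window.open(). Please rename it so the two results can be told apart in the expected output. The message listener also accepts a message from any source and the opened window is never closed; keeping the return value of window.open(), comparing it with message.source and closing it in the handler would tighten the test.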
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadernestedexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,4 @@
</span><ins>+
+
+PASS Verify that nested documents receive an 'HTTPS' header. 
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadernestedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+  &lt;script src=&quot;/js-test-resources/testharness.js&quot;&gt;&lt;/script&gt;
+  &lt;script src=&quot;/js-test-resources/testharnessreport.js&quot;&gt;&lt;/script&gt;
+  &lt;script&gt;
+    var t = async_test(&quot;Verify that nested documents receive an 'HTTPS' header.&quot;);
+    window.addEventListener(&quot;message&quot;, t.step_func(function (message) {
+      assert_equals(message.data.header, &quot;1&quot;);
+      t.done();
+    }));
+  &lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+  &lt;iframe src=&quot;resources/post-https-header.pl&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
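Review bot: The test description calls the request header 'HTTPS', while https-header-subresource.html and https-header-top-level-expected.txt in this same change call it 'Upgrade-Insecure-Requests'. Please use one name across the set, preferably the one the top-level expected output prints. As in the auxiliary variant, the message handler does not check message.source against the iframe's contentWindow before asserting.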
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadersubresourceexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+
+PASS Verify that subresources do not receive an 'Upgrade-Insecure-Requests' header. 
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadersubresourcehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+    &lt;script src=&quot;/js-test-resources/testharness.js&quot;&gt;&lt;/script&gt;
+    &lt;script src=&quot;/js-test-resources/testharnessreport.js&quot;&gt;&lt;/script&gt;
+    &lt;script&gt;
+    if (window.testRunner)
+      testRunner.setCanOpenWindows();
+
+    var t = async_test(&quot;Verify that subresources do not receive an 'Upgrade-Insecure-Requests' header.&quot;);
+    fetch(&quot;resources/echo-https-header.pl&quot;).then(t.step_func(function(res) {
+        return res.json();
+    })).then(t.step_func(function(json) {
+        assert_equals(json.header, &quot;&quot;);
+        t.done();
+    }));
+    &lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
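Review bot: The promise chain on fetch("resources/echo-https-header.pl") has no rejection handler, so a network error or a non-JSON response ends in a harness timeout instead of a reported failure. Please add a .catch() that calls t.step_func with assert_unreached. The testRunner.setCanOpenWindows() call looks like a leftover from the auxiliary-window test, since this file opens no window, and can be dropped.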
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadertoplevelexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+Verify that this request was delivered with an 'Upgrade-Insecure-Requests' header.
+
+Upgrade-Insecure-Requests: 1
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestshttpsheadertoplevelhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows(true);
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;body&gt;
+    &lt;a href=&quot;resources/check-https-header.pl&quot;&gt;Navigate!&lt;/a&gt;
+    &lt;script&gt;
+    document.querySelector('a').click();
+    &lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsiframeupgradehttpsexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+
+
+PASS Same-host frames are upgraded. 
+PASS Cross-host frames are upgraded. 
+PASS Upgrade policy does NOT cascade to nested, cross-host frames. 
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsiframeupgradehttpshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,57 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;head&gt;
+&lt;title&gt;Upgrade Insecure Requests: IFrames.&lt;/title&gt;
+&lt;script src=&quot;/js-test-resources/testharness.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;/js-test-resources/testharnessreport.js&quot;&gt;&lt;/script&gt;
+
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script&gt;
+// This test is a bit of a hack. UPGRADE doesn't upgrade the port number, so we
+// specify this non-existent URL ('http' over port 8443). If UPGRADE doesn't
+// work, it won't load.
+async_test(t =&gt; {
+    var iframe = document.createElement('iframe');
+    iframe.src = &quot;HTtp://127.0.0.1:8443/security/resources/post-origin-to-parent.html&quot;;
+
+    window.addEventListener('message', t.step_func(e =&gt; {
+        if (e.source == iframe.contentWindow) {
+            assert_equals(e.data.origin, &quot;https_127.0.0.1_8443&quot;);
+            t.done();
+        }
+    }));
+
+    document.body.appendChild(iframe);
+}, &quot;Same-host frames are upgraded.&quot;);
+
+async_test(t =&gt; {
+    var iframe = document.createElement('iframe');
+    iframe.src = &quot;hTtP://localhost:8443/security/resources/post-origin-to-parent.html&quot;;
+
+    window.addEventListener('message', t.step_func(e =&gt; {
+        if (e.source == iframe.contentWindow) {
+            assert_equals(e.data.origin, &quot;https_localhost_8443&quot;);
+            t.done();
+        }
+    }));
+
+    document.body.appendChild(iframe);
+}, &quot;Cross-host frames are upgraded.&quot;);
+
+async_test(t =&gt; {
+    var iframe = document.createElement('iframe');
+    iframe.srcdoc = &quot;&lt;a href='HTTP://localhost:8000/security/resources/post-origin-to-parent.html'&gt;Navigate!&lt;/a&gt;&quot; +
+               &quot;&lt;script&gt;document.querySelector('a').click()&lt;/scr&quot; + &quot;ipt&gt;&quot;;
+
+    window.addEventListener('message', t.step_func(e =&gt; {
+        if (e.source == iframe.contentWindow) {
+            assert_equals(e.data.origin, &quot;http_localhost_8000&quot;);
+            t.done();
+        }
+    }));
+
+    document.body.appendChild(iframe);
+}, &quot;Upgrade policy does NOT cascade to nested, cross-host frames.&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
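Review bot: the header comment only explains the 'http' over port 8443 hack, but the third async_test uses port 8000 and expects the origin to stay http_localhost_8000, so it needs its own comment saying why that load must remain insecure and why it goes through a srcdoc frame with a scripted click. The mixed-case schemes (HTtp, hTtP, HTTP) look like a deliberate check of case-insensitive scheme matching; say so in a comment. Each test also adds a window 'message' listener that is never removed; the e.source check keeps them apart, but removing the listener once the test is done would be cleaner.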
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestspropernestedupgradesexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+ALERT: PASS
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+ALERT: PASS
+ALERT: PASS
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe with the 'upgrade-insecure-requests' header. The secure frame has an insecure script reference, which will get upgraded. The secure frame does a secure load of another frame. This other frame specifies an insecure load of this same script. If the nested subresource logic is working properly, the non-secure load in the second nested frame should be upgraded, even though that frame does not use the 'upgrade-insecure-requests' header, because it had been previously upgraded by an enclosing context. The frame two-layers deep also loads a second script using HTTP. This should also be upgraded to HTTPS, since the nested frame inherits the 'upgrade-insecure-request' from its parent.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestspropernestedupgradeshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpFrameLoadCallbacks();
+}
+&lt;/script&gt;
+&lt;p&gt;This test loads a secure iframe with the 'upgrade-insecure-requests' header.
+The secure frame has an insecure script reference, which will get upgraded. The
+secure frame does a secure load of another frame. This other frame specifies an
+insecure load of this same script.
+
+If the nested subresource logic is working properly, the non-secure load in
+the second nested frame should be upgraded, even though that frame does not use
+the 'upgrade-insecure-requests' header, because it had been previously upgraded
+by an enclosing context.
+
+The frame two-layers deep also loads a second script using HTTP. This should also
+be upgraded to HTTPS, since the nested frame inherits the 'upgrade-insecure-request'
+from its parent.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-frame.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
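Review bot: the last sentence of the description names the directive 'upgrade-insecure-request' (missing the final s); fix it here and in proper-nested-upgrades-expected.txt, which repeats the text. The description also speaks of the 'upgrade-insecure-requests' header, while resources/nested-frame.html in this change sets the policy with a meta http-equiv element; 'policy' or 'directive' would be accurate. The blank lines inside the single &lt;p&gt; do not create paragraphs (the expected output shows one run of text), so use separate &lt;p&gt; elements if paragraphs are intended.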
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsproperopenwindowupgradesexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+ALERT: PASS
+ALERT: PASS
+CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-window.html was not allowed to run insecure content from http://localhost:8443/security/contentSecurityPolicy/resources/alert-pass.js.
+
+This test causes a new window to open performing a secure navigation to a document with the 'upgrade-insecure-requests' header. The secure document has an insecure script reference, which will get upgraded. The secure document does an insecure navigation to a new window. This new navigation should not be upgraded.
+
+The new document does an insecure navigation to a host we have visited before. This navigation should be upgraded, even though the site does not have the 'update-insecure-requests' header. The new document also does an insecure navigation to a second domain, which has not been upgraded before. This navigation should not be upgraded, and will fail (in this test) because we only provide the resource to load under the HTTPS server.
+
+If upgrades are working as expected, there should be two PASS entries in the test output. If there are five entires, the insecure load to a new host is being improperly upgraded.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsproperopenwindowupgradeshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,35 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+    &lt;script&gt;
+    if (window.testRunner) {
+        testRunner.waitUntilDone();
+        testRunner.dumpAsText();
+        testRunner.setCanOpenWindows();
+        testRunner.setCloseRemainingWindowsWhenComplete(true);
+    }
+
+    window.addEventListener(&quot;message&quot;, function (e) {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, false);
+    
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-window.html&quot;);
+    &lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test causes a new window to open performing a secure navigation to a
+document with the 'upgrade-insecure-requests' header. The secure document has
+an insecure script reference, which will get upgraded. The secure document does
+an insecure navigation to a new window. This new navigation should not be upgraded.&lt;/p&gt;
+&lt;p&gt;The new document does an insecure navigation to a host we have visited before.
+This navigation should be upgraded, even though the site does not have the
+'update-insecure-requests' header. The new document also does an insecure navigation
+to a second domain, which has not been upgraded before. This navigation should not
+be upgraded, and will fail (in this test) because we only provide the resource to
+load under the HTTPS server.&lt;/p&gt;
+&lt;p&gt;If upgrades are working as expected, there should be two PASS entries in the
+test output. If there are five entires, the insecure load to a new host
+is being improperly upgraded.&lt;/p&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
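Review bot: the 'message' listener calls testRunner.notifyDone() on the first message it receives without checking e.source or e.data, so the test ends as soon as any window posts anything; check for the 'done' payload from the opened window at least. In the description, 'update-insecure-requests' should be 'upgrade-insecure-requests' and 'entires' should be 'entries'; the same text is in proper-open-window-upgrades-expected.txt and has to change with it.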
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesbasicupgradecorshttpshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,43 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;title&gt;Upgrade Insecure Requests: Basics.&lt;/title&gt;
+&lt;script src=&quot;/js-test-resources/testharness.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;/js-test-resources/testharnessreport.js&quot;&gt;&lt;/script&gt;
+
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;div id=&quot;console&quot;&gt;&lt;/div&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+// This is a bit of a hack. UPGRADE doesn't upgrade the port number, so we
+// specify this non-existent URL ('http' over port 8443). If UPGRADE doesn't
+// work, it won't load.
+var insecureImage = &quot;http://127.0.0.1:8443/security/resources/abe.png&quot;;
+
+(function() {
+    var t = async_test(&quot;Verify that images have correct cross-origin behavior.&quot;);
+    t.step(function () {
+        var i = document.createElement('img');
+        i.onload = t.step_func(function () {
+            // Draw the image onto a canvas.
+            var canvas = document.createElement('canvas');
+            var ctx = canvas.getContext('2d');
+            ctx.drawImage(i, 0, 0);
+
+            // Grab a pixel to verify that the image is same-origin:
+            try {
+                var pixel = ctx.getImageData(0, 0, 1, 1);
+                t.done();
+                console.log(&quot;PASS: Successfully retrieved image data.&quot;);
+            } catch (e) {
+                console.log(&quot;FAIL: The image should be same-origin with this document.&quot;);
+            }
+        });
+        i.onerror = t.step_func(function () {
+            console.log(&quot;FAIL: The image should load successfully.&quot;);
+        });
+
+        i.src = insecureImage;
+    });
+}());
+&lt;/script&gt;
</ins></span></pre></div>
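Review bot: the failure paths never fail the test. The catch block around getImageData and the i.onerror handler only call console.log("FAIL: ..."), so the async_test stays pending and a regression shows up as a timeout; call assert_unreached(...) inside those step functions instead. The pixel variable is unused, and the PASS line is logged after t.done().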
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcescheckhttpsheaderpl"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,26 @@
</span><ins>+#!/usr/bin/perl -wT
+use strict;
+
+print &quot;Content-Type: text/html\n&quot;;
+print &quot;Access-Control-Allow-Origin: *\n&quot;;
+print &quot;Cache-Control: no-store\n\n&quot;;
+
+print &lt;&lt;DONE
+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+    &lt;script src=&quot;/js-test-resources/testharness.js&quot;&gt;&lt;/script&gt;
+    &lt;script src=&quot;/js-test-resources/testharnessreport.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+    &lt;p&gt;Verify that this request was delivered with an 'Upgrade-Insecure-Requests' header.&lt;/p&gt;
+    &lt;script&gt;
+    var httpsHeader = &quot;$ENV{&quot;HTTP_UPGRADE_INSECURE_REQUESTS&quot;}&quot;;
+    document.write(&quot;Upgrade-Insecure-Requests: &quot; + httpsHeader)
+    assert_equals(httpsHeader, &quot;1&quot;);
+    if (window.testRunner)
+        testRunner.notifyDone();
+    &lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
+DONE
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
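Review bot: assert_equals(httpsHeader, "1") is called outside any test(), so a mismatch throws before testRunner.notifyDone() runs and the calling page, which used waitUntilDone(), times out instead of reporting a failure; wrap the assertion in test() or make sure notifyDone() runs on the failure path too. $ENV{"HTTP_UPGRADE_INSECURE_REQUESTS"} is also interpolated unescaped into a script string literal and is undefined when the header is absent, which warns under -w; default it to an empty string and escape it before printing.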
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesechohttpsheaderpl"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+#!/usr/bin/perl -wT
+use strict;
+
+print &quot;Content-Type: text/html\n&quot;;
+print &quot;Access-Control-Allow-Origin: *\n&quot;;
+print &quot;Cache-Control: no-store\n\n&quot;;
+
+print &lt;&lt;DONE
+{ &quot;header&quot;: &quot;$ENV{&quot;HTTP_UPGRADE_INSECURE_REQUESTS&quot;}&quot; }
+DONE
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
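Review bot: the body is JSON but the script sends Content-Type: text/html; send application/json so the reflected header value is never parsed as markup. The value of $ENV{"HTTP_UPGRADE_INSECURE_REQUESTS"} is placed inside the JSON string without escaping and is undefined when the header is missing; default it to an empty string and escape quotes and backslashes before printing.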
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesframewithinsecureaudiovideohtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;body onload=&quot;loaded()&quot;&gt;
+&lt;audio src=&quot;http://127.0.0.1:8443/resources/test.mp4&quot;&gt;&lt;/audio&gt;
+&lt;video src=&quot;http://127.0.0.1:8443/resources/test.mp4&quot;&gt;&lt;/video&gt;
+&lt;script&gt;
+function loaded() {
+    if (window.opener)
+        window.opener.postMessage('done', '*');
+}
+&lt;/script&gt;
+&lt;/body&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesframewithinsecurecsshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;link rel=&quot;stylesheet&quot; href=&quot;http://127.0.0.1:8443/security/mixedContent/resources/style.css&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+This background color should be blue.
+&lt;script&gt;
+if (window.opener)
+    window.opener.postMessage('done', '*');
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesframewithinsecureimagehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;img src=&quot;http://127.0.0.1:8443/security/resources/compass.jpg&quot;&gt;
+&lt;script&gt;
+window.onload = function() {
+    if (window.opener)
+        window.opener.postMessage('done', '*');
+};
+&lt;/script&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesframewithredirecthttptohttpsscripthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;script src=&quot;http://127.0.0.1:8443/resources/redirect.php?url=https://127.0.0.1:8443/security/mixedContent/resources/script.js&quot;&gt;&lt;/script&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesframewithredirecthttpstohttpscripthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;script src=&quot;hTtpS://127.0.0.1:8443/resources/redirect.php?url=hTtP://127.0.0.1:8080/security/mixedContent/resources/script.js&quot;&gt;&lt;/script&gt;
</ins></span></pre></div>
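Review bot: this resource has no comment stating the expected outcome. The script URL is HTTPS but redirects (through redirect.php?url=) to an hTtP:// URL on port 8080, and nothing here says whether the redirect target should be upgraded or blocked; add a sentence like the ones in the other frame resources. The mixed-case schemes also deserve a one-line explanation.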
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesinsecurexhrinmainframewindowhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,34 @@
</span><ins>+&lt;html&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;body&gt;
+&lt;script&gt;
+
+window.onload = function() {
+    var xhr = new XMLHttpRequest();
+    xhr.onload = function() {
+        alert(&quot;PASS: load was not blocked&quot;);
+        if (window.testRunner)
+            testRunner.notifyDone();
+    };
+
+    // When XHR is blocked due to mixed content blocking, it just appears as if the load stalls,
+    // see https://bugs.webkit.org/show_bug.cgi?id=145717.
+    setTimeout(function() {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 2000);
+
+    try {
+        xhr.open(&quot;GET&quot;, &quot;http://127.0.0.1:8443/&quot;);
+    } catch (ex) {
+        // Firefox raises an exception, which is one way to make this detectable.
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+
+    xhr.send(null);
+};
+&lt;/script&gt;
+
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
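Review bot: xhr.send(null) sits outside the try block, so when xhr.open() throws, the catch calls testRunner.notifyDone() and execution then continues to send() on a request that was never opened; move send() into the try or return from the catch. The 2000 ms setTimeout also calls notifyDone() unconditionally, so a slow but successful load can end the test before the PASS alert and notifyDone() can run twice; guard completion with a flag and add an xhr.onerror handler.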
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesmixedcontentwithupgradehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+This page includes an insecure script that alerts &quot;PASS&quot;. Although it is blocked by CSP, it should be upgraded and executed.
+&lt;script src=&quot;http://127.0.0.1:8443/security/contentSecurityPolicy/resources/alert-pass.js&quot;&gt;&lt;/script&gt;
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
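Review bot: the description says the script 'is blocked by CSP', but the only policy on this page is upgrade-insecure-requests, which rewrites the load rather than blocking it; if mixed-content blocking is what is meant, say that. The svn:executable property recorded for this file is not needed on a static HTML resource.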
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesnestedframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-frame.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-frame.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;script src=&quot;/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;div&gt;
+    &lt;p&gt;The following script is loaded using 'http', but it should be upgraded to 'https' due to the
+'upgrade-insecure-requests' header.&lt;/p&gt;
+    &lt;script src=&quot;http://127.0.0.1:8443/security/contentSecurityPolicy/resources/alert-pass.js&quot;&gt;&lt;/script&gt;
+&lt;div&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-frame.html&quot;&gt;&lt;/iframe&gt;
</ins></span></pre></div>
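Review bot: the &lt;div&gt; just before the iframe should be &lt;/div&gt;; as written the first div is never closed and a second one is opened. The paragraph also says the upgrade is due to the 'upgrade-insecure-requests' header, while this file sets the policy with the meta http-equiv element on its first line.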
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesnestednestedframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-frame.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-frame.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;div&gt;
+    &lt;p&gt;The following script is loaded using 'http', but it should be upgraded to 'https' because the
+enclosing frame has already upgraded it.&lt;/p&gt;
+    &lt;script src=&quot;http://127.0.0.1:8443/security/contentSecurityPolicy/resources/alert-pass.js&quot;&gt;&lt;/script&gt;
+&lt;div&gt;
+&lt;div&gt;
+    &lt;p&gt;The following script is loaded using 'http', but should be upgraded to 'https' because the
+enclosing frame is set to upgrade.&lt;/p&gt;
+    &lt;script src=&quot;http://localhost:8443/security/contentSecurityPolicy/resources/alert-pass.js&quot;&gt;&lt;/script&gt;
+&lt;/div&gt;
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
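Review bot: the &lt;div&gt; that follows the first script element should be &lt;/div&gt;; as written three divs are opened and only one is closed. The two paragraphs give different reasons for the upgrade ('has already upgraded it' for the 127.0.0.1 script, 'is set to upgrade' for the localhost script); a short comment tying each script to the case it covers would make the intent clear. The file also lacks a trailing newline.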
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesnestednestedwindowhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-window.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-window.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-window.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;div&gt;
+    &lt;p&gt;The following script is loaded using 'http', but it should be upgraded to 'https' because the
+enclosing frame has already upgraded it.&lt;/p&gt;
+    &lt;script src=&quot;http://127.0.0.1:8443/security/contentSecurityPolicy/resources/alert-pass.js&quot;&gt;&lt;/script&gt;
+&lt;div&gt;
+&lt;div&gt;
+    &lt;p&gt;The following script is loaded using 'http', but should NOT be upgraded to 'https' because this
+window does not have 'upgrade-insecure-requests' set, and we have not loaded from this host/port combination
+securely in previous loads.&lt;/p&gt;
+    &lt;script src=&quot;http://localhost:8443/security/contentSecurityPolicy/resources/alert-pass.js&quot;&gt;&lt;/script&gt;
+&lt;/div&gt;
+&lt;script&gt;
+if (window.opener)
+    window.opener.postMessage('done', '*');
+&lt;/script&gt;
+&lt;/body&gt;
</ins></span></pre></div>
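Review bot: the &lt;div&gt; after the first script element should be &lt;/div&gt;, and the file opens &lt;html&gt; without a closing &lt;/html&gt;. The final script posts 'done' to window.opener with a target origin of '*'; a comment saying that this is a test-only signal would help readers.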
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesnestedwindowhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-window.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-window.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-window.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,40 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+    &lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+    &lt;script&gt;
+    if (window.testRunner) {
+        testRunner.waitUntilDone();
+        testRunner.dumpAsText();
+        testRunner.setCanOpenWindows();
+        testRunner.setCloseRemainingWindowsWhenComplete(true);
+    }
+
+    window.addEventListener(&quot;message&quot;, function (e) {
+        if (window.opener)
+            window.opener.postMessage('done', '*');
+    }, false);
+    &lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;div&gt;
+    &lt;p&gt;The following window is loaded using 'http', and should not be upgraded because it is going to a different
+origin. This should generate a '400 - Bad Request'.
+        &lt;script&gt;
+        window.open(&quot;http://localhost:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-window.html&quot;);
+        &lt;/script&gt;
+    &lt;/p&gt;
+&lt;div&gt;
+&lt;div&gt;
+    &lt;p&gt;The following script is loaded using 'http', but it should be upgraded to 'https' due to the
+'upgrade-insecure-requests' header.&lt;/p&gt;
+    &lt;script src=&quot;http://127.0.0.1:8443/security/contentSecurityPolicy/resources/alert-pass.js&quot;&gt;&lt;/script&gt;
+&lt;div&gt;
+&lt;div&gt;
+    &lt;p&gt;The following document is loaded using 'http', but should be upgraded because it is an origin we have previously upgraded.&lt;/p&gt;
+    &lt;script&gt;
+    window.open(&quot;http://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-window.html&quot;);
+    &lt;/script&gt;
+&lt;div&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
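Review bot: The message listener in the head forwards 'done' to window.opener on the first message from any source, without looking at e.source or e.data, while the body opens two windows. The relay is only correct because the localhost:8443 window is expected to fail with a 400 and never post; keeping the handle returned by the second window.open() and checking e.source against it, plus e.data === 'done', would make that explicit. In the body, the three bare &lt;div&gt; lines that end each block should be &lt;/div&gt;, the first &lt;script&gt; sits inside a &lt;p&gt;, and the second paragraph says the upgrade is due to the 'header' although the policy is delivered by the &lt;meta http-equiv&gt; tag above.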
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesposthttpsheaderpl"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+#!/usr/bin/perl -wT
+use strict;
+
+print &quot;Content-Type: text/html\n&quot;;
+print &quot;Access-Control-Allow-Origin: *\n&quot;;
+print &quot;Cache-Control: no-store\n\n&quot;;
+
+print &lt;&lt;DONE
+&lt;script&gt;
+    var target = window.opener || window.top;
+    target.postMessage({ &quot;header&quot;: &quot;$ENV{&quot;HTTP_UPGRADE_INSECURE_REQUESTS&quot;}&quot; }, &quot;*&quot;);
+&lt;/script&gt;
+DONE
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecureaudiovideoinmainframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+This test opens a window that loads insecure HTML5 audio and video. Although the main frame in the window is HTTPS, and it is asked to display insecure content, we should upgrade the insecure content to HTTPS and therefore not trigger a mixed content callback.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecureaudiovideoinmainframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,27 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.addEventListener(&quot;message&quot;, function (e) {
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+
+&lt;/script&gt;
+&lt;p&gt;This test opens a window that loads insecure HTML5 audio and video.  Although the
+main frame in the window is HTTPS, and it is asked to display insecure content, we should
+upgrade the insecure content to HTTPS and therefore not trigger a mixed content callback.&lt;/p&gt;
+&lt;script&gt;
+onload = function() {
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html&quot;);
+}
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
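Review bot: The message handler calls testRunner.notifyDone() on any message, from any window and with any payload, so the test ends as soon as anything posts to this page, and the expected output can only show that no mixed-content line was dumped before that point. Keep the return value of window.open() and compare e.source against it, and check e.data against the value the opened frame sends, so that a stray or early message cannot end the test before the audio and video loads have been attempted.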
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecurecssiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure style sheet. We should upgrade the CSS request to HTTPS, and thereby avoid triggering a mixed content callback.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecurecssiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpFrameLoadCallbacks();
+}
+&lt;/script&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure style sheet.
+We should upgrade the CSS request to HTTPS, and thereby avoid triggering
+a mixed content callback.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecureimageinmainframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+This test opens a window that loads an insecure image. We should upgrade this request and thereby avoid triggering a mixed content callback.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecureimageinmainframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,26 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+window.addEventListener(&quot;message&quot;, function (e) {
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+
+&lt;/script&gt;
+&lt;p&gt;This test opens a window that loads an insecure image.  We should upgrade
+this request and thereby avoid triggering a mixed content callback.&lt;/p&gt;
+&lt;script&gt;
+onload = function() {
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html&quot;);
+}
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecurexhrinmainframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS: load was not blocked
+This test opens a HTTPS window that loads insecure data via XHR. We should upgrade this request and thereby avoid a mixed content callback.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradeinsecurexhrinmainframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.waitUntilDone();
+    testRunner.dumpAsText();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+}
+
+&lt;/script&gt;
+&lt;p&gt;This test opens a HTTPS window that loads insecure data via XHR.  We should upgrade
+this request and thereby avoid a mixed content callback.&lt;/p&gt;
+&lt;script&gt;
+onload = function() {
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html&quot;);
+}
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
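Review bot: This page calls testRunner.waitUntilDone() but, unlike the audio/video and image tests beside it, registers no message listener and never calls notifyDone(), so completion depends entirely on insecure-xhr-in-main-frame-window.html ending the test itself. If that is the design, say so in a comment next to waitUntilDone(); as written, a failure to open or load that window shows up only as a harness timeout rather than as a FAIL line.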
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgraderedirecthttptohttpsscriptiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure script (but with a tricky redirect). We should upgrade the script request, and thereby avoid triggering a mixed content callback.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgraderedirecthttptohttpsscriptiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpFrameLoadCallbacks();
+}
+&lt;/script&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure script (but with a
+tricky redirect).  We should upgrade the script request, and thereby avoid
+triggering a mixed content callback.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgraderedirecthttpstohttpscriptiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html was not allowed to run insecure content from http://127.0.0.1:8080/security/mixedContent/resources/script.js.
+
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure script (but with a tricky redirect). We should upgrade the relevant requests for the any top-level frames, but not sub-resources of those frames, triggering a mixed content callback.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgraderedirecthttpstohttpscriptiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpFrameLoadCallbacks();
+}
+&lt;/script&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure script (but with a
+tricky redirect).  We should upgrade the relevant requests for the any top-level
+frames, but not sub-resources of those frames, triggering a mixed content callback.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
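Review bot: The description paragraph reads "for the any top-level frames", which has a leftover word, and the same sentence is baked into the matching -expected.txt, so both files need the fix. The sentence would also be clearer if it stated the expected outcome directly: the expected output contains a "[blocked] ... was not allowed to run insecure content" console message for the script on port 8080, which the trailing clause "triggering a mixed content callback" only implies.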
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradesmixedcontentexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+ALERT: PASS
+This page should alert &quot;PASS&quot; and not generate any mixed content warnings in the console. 
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsupgradesmixedcontenthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+This page should alert &quot;PASS&quot; and not generate any mixed content warnings in the console.
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html&quot;&gt;&lt;/iframe&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecurityresourcespostorigintoparenthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/resources/post-origin-to-parent.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/resources/post-origin-to-parent.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/resources/post-origin-to-parent.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+&lt;script&gt;
+    window.parent.postMessage({ 'origin': document.origin }, '*');
+&lt;/script&gt;
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsssliframeupgradehttpsexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/ssl/iframe-upgrade.https-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/ssl/iframe-upgrade.https-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/ssl/iframe-upgrade.https-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+
+
+PASS Same-host frames are upgraded. 
+PASS Cross-host frames are upgraded. 
+PASS Upgrade policy cascades to nested, same-host frames. 
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestsssliframeupgradehttpshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/ssl/iframe-upgrade.https.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/ssl/iframe-upgrade.https.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/ssl/iframe-upgrade.https.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,57 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;head&gt;
+&lt;title&gt;Upgrade Insecure Requests: IFrames.&lt;/title&gt;
+&lt;script src=&quot;/js-test-resources/testharness.js&quot;&gt;&lt;/script&gt;
+&lt;script src=&quot;/js-test-resources/testharnessreport.js&quot;&gt;&lt;/script&gt;
+
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script&gt;
+// This test is a bit of a hack. UPGRADE doesn't upgrade the port number, so we
+// specify this non-existent URL ('http' over port 8443). If UPGRADE doesn't
+// work, it won't load.
+async_test(t =&gt; {
+    var iframe = document.createElement('iframe');
+    iframe.src = &quot;HTtp://127.0.0.1:8443/security/resources/post-origin-to-parent.html&quot;;
+
+    window.addEventListener('message', t.step_func(e =&gt; {
+        if (e.source == iframe.contentWindow) {
+            assert_equals(e.data.origin, &quot;https_127.0.0.1_8443&quot;);
+            t.done();
+        }
+    }));
+
+    document.body.appendChild(iframe);
+}, &quot;Same-host frames are upgraded.&quot;);
+
+async_test(t =&gt; {
+    var iframe = document.createElement('iframe');
+    iframe.src = &quot;hTtP://localhost:8443/security/resources/post-origin-to-parent.html&quot;;
+
+    window.addEventListener('message', t.step_func(e =&gt; {
+        if (e.source == iframe.contentWindow) {
+            assert_equals(e.data.origin, &quot;https_localhost_8443&quot;);
+            t.done();
+        }
+    }));
+
+    document.body.appendChild(iframe);
+}, &quot;Cross-host frames are upgraded.&quot;);
+
+async_test(t =&gt; {
+    var iframe = document.createElement('iframe');
+    iframe.srcdoc = &quot;&lt;a href='hTtP://127.0.0.1:8443/security/resources/post-origin-to-parent.html'&gt;Navigate!&lt;/a&gt;&quot; +
+               &quot;&lt;script&gt;document.querySelector('a').click()&lt;/scr&quot; + &quot;ipt&gt;&quot;;
+
+    window.addEventListener('message', t.step_func(e =&gt; {
+        if (e.source == iframe.contentWindow) {
+            assert_equals(e.data.origin, &quot;https_127.0.0.1_8443&quot;);
+            t.done();
+        }
+    }));
+
+    document.body.appendChild(iframe);
+}, &quot;Upgrade policy cascades to nested, same-host frames.&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
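Review bot: All three assertions compare e.data.origin against underscore-separated strings such as "https_127.0.0.1_8443", which is whatever post-origin-to-parent.html obtains from document.origin rather than a URL-form origin, so the test is coupled to that serialization. Posting location.origin from the helper and asserting "https://127.0.0.1:8443" and "https://localhost:8443" would check the same upgrade without that dependency. The file also lacks &lt;html&gt; and &lt;/html&gt; tags around the head and body.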
<a id="trunkLayoutTestshttptestssslresourcesoriginusageiframe1html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+&lt;html manifest=&quot;origin-usage-iframe-1.manifest&quot;&gt;
+&lt;script&gt;
+// iframe-1 is expected to succeed.
+applicationCache.oncached = function() { parent.postMessage(&quot;PASS - cached iframe-1&quot;, &quot;*&quot;); };
+applicationCache.onerror = function() { parent.postMessage(&quot;FAIL - error caching iframe-1, expected this to succeed&quot;, &quot;*&quot;); };
+applicationCache.onnoupdate = function() { parent.postMessage(&quot;FAIL - no update iframe-1, all caches should have been deleted before this test&quot;, &quot;*&quot;); };
+
+&lt;/script&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssslresourcesoriginusageiframe1manifest"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.manifest (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.manifest                                (rev 0)
+++ trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.manifest        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+CACHE MANIFEST
+
+# This adds ~13K to the app cache
+
+CACHE:
+https://127.0.0.1:8443/security/resources/abe.png
</ins></span></pre></div>
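Review bot: The comment "# This adds ~13K to the app cache" does not match the test that consumes this manifest, whose expected output says the frames "use ~15K each" and checks for between 15000 and 16000 bytes after the first frame. Update the comment to the figure the test actually asserts (or drop the number), here and in origin-usage-iframe-2.manifest, which is an identical copy.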
<a id="trunkLayoutTestshttptestssslresourcesoriginusageiframe2html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,8 @@
</span><ins>+&lt;html manifest=&quot;origin-usage-iframe-2.manifest&quot;&gt;
+&lt;script&gt;
+// iframe-2 is expected to fail due to exceeding the origin quota.
+applicationCache.oncached = function() { parent.postMessage(&quot;PASS - cached iframe-2&quot;, &quot;*&quot;); };
+applicationCache.onerror = function() { parent.postMessage(&quot;FAIL - error caching iframe-2&quot;, &quot;*&quot;); };
+applicationCache.onnoupdate = function() { parent.postMessage(&quot;FAIL - no update iframe-2, all caches should have been deleted before this test&quot;, &quot;*&quot;); };
+&lt;/script&gt;
+&lt;/html&gt;
</ins></span></pre></div>
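Review bot: The comment "// iframe-2 is expected to fail due to exceeding the origin quota." contradicts the handlers directly below it and the expected output: oncached posts "PASS - cached iframe-2", onerror posts a FAIL, and upgrade-origin-usage-expected.txt lists "PASS - cached iframe-2". Change the comment to say the frame is expected to cache successfully, and give the onerror message the same "expected this to succeed" wording used in origin-usage-iframe-1.html.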
<a id="trunkLayoutTestshttptestssslresourcesoriginusageiframe2manifest"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.manifest (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.manifest                                (rev 0)
+++ trunk/LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.manifest        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+CACHE MANIFEST
+
+# This adds ~13K to the app cache
+
+CACHE:
+https://127.0.0.1:8443/security/resources/abe.png
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssslupgradeoriginusageexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/ssl/upgrade-origin-usage-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/ssl/upgrade-origin-usage-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/ssl/upgrade-origin-usage-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+This test checks that per-origin usage is reported correctly when upgrading insecure load requests by loading two iframes which use ~15K each and querying origin usage.
+
+Cleared application cache
+PASS - cached iframe-1
+Usage for https://127.0.0.1:8443 after first frame is between 15000 and 16000 bytes: true
+PASS - cached iframe-2
+Usage for https://127.0.0.1:8443 after second frame is between 30000 and 32000 bytes: true
+Removing Application Cache for https://127.0.0.1:8443
+Usage for https://127.0.0.1:8443: 0
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssslupgradeoriginusagehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/ssl/upgrade-origin-usage.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/ssl/upgrade-origin-usage.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/ssl/upgrade-origin-usage.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,75 @@
</span><ins>+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;script&gt;
+
+var drtURL = &quot;https://127.0.0.1:8443&quot;;
+
+// Helpers.
+
+function log(message) {
+    document.getElementById(&quot;console&quot;).innerHTML += message + &quot;&lt;br&gt;&quot;;
+}
+
+// Start and end.
+
+function startTest() {
+    if (window.testRunner) {
+        testRunner.setAllowsAnySSLCertificate(true);
+        testRunner.clearAllApplicationCaches();
+        log(&quot;Cleared application cache&quot;);
+        testRunner.dumpApplicationCacheDelegateCallbacks();
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+    addFirstIFrame();
+}
+
+function finishTest() {
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+// Stages.
+
+function addIFrameWithContinuation(src, continuation) {
+    window.onmessage = continuation;
+    var iframe = document.createElement(&quot;iframe&quot;);
+    iframe.src = src;
+    document.body.appendChild(iframe);
+}
+
+function addFirstIFrame() {
+    // Expected to succeed.
+    addIFrameWithContinuation(&quot;http://127.0.0.1:8443/ssl/resources/origin-usage-iframe-1.html&quot;, function(event) {
+        log(event.data);
+        var usage = testRunner.applicationCacheDiskUsageForOrigin(drtURL);
+        log(&quot;Usage for &quot; + drtURL + &quot; after first frame is between 15000 and 16000 bytes: &quot; + ((usage &gt; 15000) &amp;&amp; (usage &lt; 16000)));
+        addSecondIFrame();
+    });
+}
+
+function addSecondIFrame() {
+    addIFrameWithContinuation(&quot;http://127.0.0.1:8443/ssl/resources/origin-usage-iframe-2.html&quot;, function(event) {
+        log(event.data);
+        var usage = testRunner.applicationCacheDiskUsageForOrigin(drtURL);
+        log(&quot;Usage for &quot; + drtURL + &quot; after second frame is between 30000 and 32000 bytes: &quot; + ((usage &gt; 30000) &amp;&amp; (usage &lt; 32000)));
+
+        log(&quot;Removing Application Cache for &quot; + drtURL);
+        testRunner.clearApplicationCacheForOrigin(drtURL);
+
+        log(&quot;Usage for &quot; + drtURL + &quot;: &quot; + testRunner.applicationCacheDiskUsageForOrigin(drtURL));
+
+        finishTest();
+    });
+}
+
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body onload=&quot;startTest()&quot;&gt;
+&lt;p&gt;This test checks that per-origin usage is reported correctly when upgrading insecure load requests by loading two iframes which use ~15K each and querying origin usage.&lt;/p&gt;
+&lt;/p&gt;
+&lt;pre id=&quot;console&quot;&gt;&lt;/pre&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
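Review bot: The onmessage continuations in addFirstIFrame() and addSecondIFrame() call testRunner.applicationCacheDiskUsageForOrigin() and testRunner.clearApplicationCacheForOrigin() without the window.testRunner guard that startTest() and finishTest() use, so opening the test by hand in a browser throws in the first continuation and never loads the second frame; guard those calls or return early when window.testRunner is missing. The body also carries a stray closing &lt;/p&gt; on the line after the description paragraph. The iframe URLs pair http:// with port 8443, which only loads if the upgrade rewrites the scheme and leaves the explicit port alone; a one-line comment saying that this is the behaviour under test would help the next reader.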
<a id="trunkLayoutTestshttptestswebsockettestshybiupgradesimplewsexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws-expected.txt (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws-expected.txt        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+Simple upgrade insecure Web Socket test
+
+On success, you will see a series of &quot;PASS&quot; messages, followed by &quot;TEST COMPLETE&quot;.
+
+Created a socket to 'wss://127.0.0.1:9323/websocket/tests/hybi/simple'; readyState 0.
+The 'ws' protocol should be upgraded to 'wss'. If this happens, we will connect properly and the test will succeed.
+Connected; readyState 1
+Resolved URL: wss://127.0.0.1:9323/websocket/tests/hybi/simple
+Received: 'Hello from Simple WSH.'; readyState 1
+Closed; readyState 3.
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestswebsockettestshybiupgradesimplewshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws.html (0 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws.html        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -0,0 +1,62 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;/js-test-resources/js-test-pre.js&quot;&gt;&lt;/script&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;div id=&quot;description&quot;&gt;&lt;/div&gt;
+&lt;div id=&quot;console&quot;&gt;&lt;/div&gt;
+&lt;script type=&quot;text/javascript&quot;&gt;
+description(&quot;Simple upgrade insecure Web Socket test&quot;);
+
+window.jsTestIsAsync = true;
+
+if (window.testRunner)
+    testRunner.setAllowsAnySSLCertificate(true);
+
+function endTest()
+{
+    clearTimeout(timeoutID);
+    finishJSTest();
+}
+
+var ws = new WebSocket(&quot;ws://127.0.0.1:9323/websocket/tests/hybi/simple&quot;);
+debug(&quot;Created a socket to '&quot; + ws.URL + &quot;'; readyState &quot; + ws.readyState + &quot;.&quot;);
+debug(&quot;The 'ws' protocol should be upgraded to 'wss'. If this happens, we will connect properly and the test will succeed.&quot;);
+
+ws.onopen = function()
+{
+    debug(&quot;Connected; readyState &quot; + ws.readyState);
+    debug(&quot;Resolved URL: &quot; + ws.URL)
+};
+
+ws.onmessage = function(messageEvent)
+{
+    debug(&quot;Received: '&quot; + messageEvent.data + &quot;'; readyState &quot; + ws.readyState);
+};
+
+ws.onclose = function()
+{
+    debug(&quot;Closed; readyState &quot; + ws.readyState + &quot;.&quot;);
+    endTest();
+};
+
+ws.onerror = function(errorEvent)
+{
+    debug(&quot;Error: '&quot; + errorEvent.data + &quot;'; readyState &quot; + ws.readyState);
+    endTest();
+}
+
+function timeOutCallback()
+{
+    debug(&quot;Timed out in state: &quot; + ws.readyState);
+    endTest();
+}
+
+var timeoutID = setTimeout(timeOutCallback, 300);
+
+&lt;/script&gt;
+&lt;script src=&quot;/js-test-resources/js-test-post.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
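Review bot: The 300 ms passed to setTimeout(timeOutCallback, 300) at the end of the script leaves little room for the TLS handshake that the upgraded wss: connection needs, and this same commit already skips the test on Yosemite for a timeout; use a longer value, or drop the timer and rely on the harness timeout. Smaller points: the onerror handler logs errorEvent.data, which a WebSocket error event does not carry, so a failure prints 'undefined' instead of anything useful, and the test reads the legacy ws.URL attribute where ws.url is the standard name.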
<a id="trunkLayoutTestsplatformmacTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/mac/TestExpectations (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/mac/TestExpectations        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/LayoutTests/platform/mac/TestExpectations        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -1347,3 +1347,5 @@
</span><span class="cx"> webkit.org/b/157990 [ Release ] mathml/wbr-in-mroot-crash.html [ Timeout ]
</span><span class="cx"> 
</span><span class="cx"> webkit.org/b/158101 imported/blink/http/tests/plugins/get-url-notify-on-removal.html [ Pass Timeout ]
</span><ins>+
+webkit.org/b/143653 [ Yosemite ] http/tests/websocket/tests/hybi/upgrade-simple-ws.html [ Skip ] # Timeout
</ins></span></pre></div>
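Review bot: The new Yosemite [ Skip ] entry points at webkit.org/b/143653, which is the bug for the feature this commit lands, so once that bug is closed nothing tracks the timeout; file a separate bug for the Yosemite timeout and reference it here. Marking the test [ Timeout ] or [ Pass Timeout ], as the two entries above it do, would keep it running instead of hiding it.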
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/ChangeLog        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -1,3 +1,114 @@
</span><ins>+2016-06-04  Brent Fulgham  &lt;bfulgham@apple.com&gt;
+
+        CSP: Content Security Policy directive, upgrade-insecure-requests (UIR)
+        https://bugs.webkit.org/show_bug.cgi?id=143653
+        &lt;rdar://problem/23032067&gt;
+
+        Reviewed by Andy Estes.
+
+        Modify our loading logic so that we recognize and upgrade insecure requests to secure
+        requests if the Content Security Policy directive 'upgrade-insecure-requests' is
+        present.
+        
+        Add a static helper function to ContentSecurityPolicy to upgrade insecure URLs so
+        that we don't have to sprinkle the same code all over the loader system.
+
+        Tests: http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-simple-ws.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html
+               http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html
+               http/tests/ssl/iframe-upgrade.https.html
+               http/tests/ssl/upgrade-origin-usage.html
+               http/tests/websocket/tests/hybi/upgrade-simple-ws.html
+
+        * Modules/websockets/WebSocket.cpp:
+        (WebCore::WebSocket::connect): Upgrade insecure requests if the CSP
+        indicates we should.
+        * dom/Document.cpp:
+        (WebCore::Document::initSecurityContext): Populate new document CSP with sets of upgrade host and port combinations.
+        * dom/ScriptElement.cpp:
+        (WebCore::ScriptElement::requestScript): Upgrade insecure requests if
+        the CSP indicates we should.
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::loadResource): Ditto.
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::begin): Ditto.
+        * loader/FormSubmission.cpp:
+        (WebCore::FormSubmission::create): Ditto.
+        (WebCore::FormSubmission::populateFrameLoadRequest): Add &quot;Upgrade-Insecure-Requests&quot;
+        header to frame load requests.
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::addExtraFieldsToMainResourceRequest): Add the
+        'Update-Insecure-Requests' header field if necessary.
+        (WebCore::FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded): Added helper function.
+        (WebCore::FrameLoader::loadPostRequest): Upgrade insecure requests if the CSP
+        indicates we should.
+        (WebCore::FrameLoader::loadResourceSynchronously): Ditto.
+        (WebCore::FrameLoader::loadDifferentDocumentItem): If loading a form, add the
+        'Update-Insecure-Requests' header field if necessary.
+        (WebCore::createWindow): Upgrade insecure requests if the CSP
+        indicates we should.
+        * loader/FrameLoader.h:
+        * loader/PingLoader.cpp:
+        (WebCore::PingLoader::loadImage): Upgrade insecure requests if the CSP
+        indicates we should.
+        (WebCore::PingLoader::sendPing): Ditto.
+        (WebCore::PingLoader::sendViolationReport): Ditto.
+        * loader/ResourceLoader.cpp:
+        (WebCore::ResourceLoader::willSendRequestInternal): Ditto.
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::requestFrame): Ditto.
+        (WebCore::SubframeLoader::requestObject): Ditto.
+        * loader/appcache/ApplicationCacheHost.cpp:
+        (WebCore::ApplicationCacheHost::shouldLoadResourceFromApplicationCache): Ditto.
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::requestImage): Ditto.
+        (WebCore::CachedResourceLoader::requestResource): Ditto.
+        * page/DOMWindow.cpp:
+        (WebCore::DOMWindow::createWindow): Add the 'Update-Insecure-Requests' header
+        field if necessary.
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::copyStateFrom): Populate upgraded resource set
+        from other context.
+        (WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Added helper function
+        to upgrade requests when the upgrade-insecure-requests CSP policy is present, or if
+        the host and port combination have previously been upgraded.
+        (WebCore::ContentSecurityPolicy::upgradeInsecureNavigationRequestIfNeeded): Added
+        helper function to upgrade requests that have been previously upgraded. Cross-site
+        navigations only get upgraded when they have been previously upgraded.
+        (WebCore::ContentSecurityPolicy::addInsecureNavigationRequestsToUpgrade): Added.
+        (WebCore::ContentSecurityPolicy::populateInsecureNavigationRequestsToUpgradeFromOther): Added.
+        * page/csp/ContentSecurityPolicy.h:
+        (WebCore::ContentSecurityPolicy::setUpgradeInsecureRequests): Added.
+        (WebCore::ContentSecurityPolicy::upgradeInsecureRequests): Added.
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList): Use
+        more C++11 initializations.
+        (WebCore::ContentSecurityPolicyDirectiveList::setUpgradeInsecureRequests): Added.
+        (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Teach this function to
+        recognize the new directive.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        * page/csp/ContentSecurityPolicyDirectiveNames.cpp:
+        * page/csp/ContentSecurityPolicyDirectiveNames.h:
+        * platform/network/HTTPHeaderNames.in: Add new 'Upgrade-Insecure-Requests' header field.
+        * xml/XMLHttpRequest.cpp:
+        (WebCore::XMLHttpRequest::open): Upgrade insecure requests if the CSP if needed.
+
</ins><span class="cx"> 2016-06-03  Myles C. Maxfield  &lt;mmaxfield@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Bopomofo ruby in Dictionary.app is written horizontally (when it should be written vertically)
</span></span></pre></div>
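Review bot: The header is named 'Update-Insecure-Requests' in the entries for addExtraFieldsToMainResourceRequest, loadDifferentDocumentItem and DOMWindow::createWindow, but 'Upgrade-Insecure-Requests' in the populateFrameLoadRequest and HTTPHeaderNames.in entries; the latter is the name the code adds, so the three 'Update' spellings should be corrected. The ContentSecurityPolicy entries list addInsecureNavigationRequestsToUpgrade and populateInsecureNavigationRequestsToUpgradeFromOther, while the Document.cpp and DocumentWriter.cpp hunks in this commit call inheritInsecureNavigationRequestsToUpgradeFromOpener, takeNavigationRequestsToUpgrade and setInsecureNavigationRequestsToUpgrade, none of which are listed; bring the function list in line with what landed. The XMLHttpRequest::open entry ('Upgrade insecure requests if the CSP if needed') needs rewording.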
<a id="trunkSourceWebCoreModuleswebsocketsWebSocketcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/Modules/websockets/WebSocket.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/Modules/websockets/WebSocket.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/Modules/websockets/WebSocket.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -1,5 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx">  * Copyright (C) 2011 Google Inc.  All rights reserved.
</span><ins>+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions are
</span><span class="lines">@@ -230,6 +231,9 @@
</span><span class="cx">         ec = SYNTAX_ERR;
</span><span class="cx">         return;
</span><span class="cx">     }
</span><ins>+
+    scriptExecutionContext()-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(m_url, ContentSecurityPolicy::InsecureRequestType::Load);
+    
</ins><span class="cx">     if (!portAllowed(m_url)) {
</span><span class="cx">         scriptExecutionContext()-&gt;addConsoleMessage(MessageSource::JS, MessageLevel::Error, &quot;WebSocket port &quot; + String::number(m_url.port()) + &quot; blocked&quot;);
</span><span class="cx">         m_state = CLOSED;
</span></span></pre></div>
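Review bot: The added upgradeInsecureRequestIfNeeded() call changes m_url itself and sits ahead of the portAllowed(m_url) check, so both the port check and the URL that script reads back from the socket see the upgraded wss: form (upgrade-simple-ws.html in this commit expects exactly that right after construction). That ordering matters and is easy to break in a later refactor; add a short comment above the call saying the rewrite is deliberate and must stay before the port check.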
<a id="trunkSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/dom/Document.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -5160,16 +5160,26 @@
</span><span class="cx"> 
</span><span class="cx">     // If we do not obtain a meaningful origin from the URL, then we try to
</span><span class="cx">     // find one via the frame hierarchy.
</span><ins>+    Frame* parentFrame = m_frame-&gt;tree().parent();
+    Frame* openerFrame = m_frame-&gt;loader().opener();
</ins><span class="cx"> 
</span><del>-    Frame* ownerFrame = m_frame-&gt;tree().parent();
</del><ins>+    Frame* ownerFrame = parentFrame;
</ins><span class="cx">     if (!ownerFrame)
</span><del>-        ownerFrame = m_frame-&gt;loader().opener();
</del><ins>+        ownerFrame = openerFrame;
</ins><span class="cx"> 
</span><span class="cx">     if (!ownerFrame) {
</span><span class="cx">         didFailToInitializeSecurityOrigin();
</span><span class="cx">         return;
</span><span class="cx">     }
</span><ins>+    
+    Document* openerDocument = openerFrame ? openerFrame-&gt;document() : nullptr;
</ins><span class="cx"> 
</span><ins>+    // Per &lt;http://www.w3.org/TR/upgrade-insecure-requests/&gt;, new browsing contexts must inherit from an
+    // ongoing set of upgraded requests. When opening a new browsing context, we need to capture its
+    // existing upgrade request. Nested browsing contexts are handled during DocumentWriter::begin.
+    if (openerDocument)
+        contentSecurityPolicy()-&gt;inheritInsecureNavigationRequestsToUpgradeFromOpener(*openerDocument-&gt;contentSecurityPolicy());
+    
</ins><span class="cx">     if (isSandboxed(SandboxOrigin)) {
</span><span class="cx">         // If we're supposed to inherit our security origin from our owner,
</span><span class="cx">         // but we're also sandboxed, the only thing we inherit is the ability
</span></span></pre></div>
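Review bot: The inheritInsecureNavigationRequestsToUpgradeFromOpener() call sits below the 'If we do not obtain a meaningful origin from the URL' comment and after the !ownerFrame early return, so please confirm that a window opened on an ordinary http: URL actually reaches it; if this part of the function only runs for documents that take their origin from the frame hierarchy, the opener's upgrade set is not inherited in the common case and the call belongs earlier. It also runs before the isSandboxed(SandboxOrigin) branch, so the comment should say whether sandboxed documents are meant to inherit the set. parentFrame is now used only to seed ownerFrame and could be folded back into that initialiser.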
<a id="trunkSourceWebCoredomScriptElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/ScriptElement.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/ScriptElement.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/dom/ScriptElement.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -2,7 +2,7 @@
</span><span class="cx">  * Copyright (C) 1999 Lars Knoll (knoll@kde.org)
</span><span class="cx">  *           (C) 1999 Antti Koivisto (koivisto@kde.org)
</span><span class="cx">  *           (C) 2001 Dirk Mueller (mueller@kde.org)
</span><del>- * Copyright (C) 2003, 2004, 2005, 2006, 2007, 2008 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2003-2016 Apple Inc. All rights reserved.
</ins><span class="cx">  * Copyright (C) 2008 Nikolas Zimmermann &lt;zimmermann@kde.org&gt;
</span><span class="cx">  *
</span><span class="cx">  * This library is free software; you can redistribute it and/or
</span><span class="lines">@@ -264,6 +264,8 @@
</span><span class="cx"> 
</span><span class="cx">         CachedResourceRequest request(ResourceRequest(m_element.document().completeURL(sourceUrl)), options);
</span><span class="cx"> 
</span><ins>+        m_element.document().contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(request.mutableResourceRequest(), ContentSecurityPolicy::InsecureRequestType::Load);
+
</ins><span class="cx">         String crossOriginMode = m_element.fastGetAttribute(HTMLNames::crossoriginAttr);
</span><span class="cx">         if (!crossOriginMode.isNull()) {
</span><span class="cx">             m_requestUsesAccessControl = true;
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentWritercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentWriter.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentWriter.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/loader/DocumentWriter.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -29,6 +29,7 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;DocumentWriter.h&quot;
</span><span class="cx"> 
</span><ins>+#include &quot;ContentSecurityPolicy.h&quot;
</ins><span class="cx"> #include &quot;DOMImplementation.h&quot;
</span><span class="cx"> #include &quot;DOMWindow.h&quot;
</span><span class="cx"> #include &quot;Frame.h&quot;
</span><span class="lines">@@ -143,6 +144,17 @@
</span><span class="cx">     else
</span><span class="cx">         document-&gt;createDOMWindow();
</span><span class="cx"> 
</span><ins>+    // Per &lt;http://www.w3.org/TR/upgrade-insecure-requests/&gt;, we need to retain an ongoing set of upgraded
+    // requests in new navigation contexts. Although this information is present when we construct the
+    // Document object, it is discard in the subsequent 'clear' statements below. So, we must capture it
+    // so we can restore it.
+    HashSet&lt;RefPtr&lt;SecurityOrigin&gt;&gt; insecureNavigationRequestsToUpgrade;
+    bool upgradeInsecureRequests = false;
+    if (auto* existingDocument = m_frame-&gt;document()) {
+        upgradeInsecureRequests = existingDocument-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequests();
+        insecureNavigationRequestsToUpgrade = existingDocument-&gt;contentSecurityPolicy()-&gt;takeNavigationRequestsToUpgrade();
+    }
+    
</ins><span class="cx">     m_frame-&gt;loader().clear(document.ptr(), !shouldReuseDefaultView, !shouldReuseDefaultView);
</span><span class="cx">     clear();
</span><span class="cx"> 
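Review bot: The added block reads the state from m_frame-&gt;document(), the document currently in the frame, while its comment says the information is present on the Document that was just constructed; say which document is meant, because the two differ whenever the frame is being navigated away from an existing page. takeNavigationRequestsToUpgrade(), judging by its name and the WTFMove in the next hunk, empties the old document's set while upgradeInsecureRequests() only reads the flag, so note why one is moved and the other copied. The getter also drops the 'Insecure' that setInsecureNavigationRequestsToUpgrade() carries, and the comment should read 'it is discarded'.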
</span><span class="lines">@@ -157,6 +169,9 @@
</span><span class="cx">     m_frame-&gt;loader().setOutgoingReferrer(url);
</span><span class="cx">     m_frame-&gt;setDocument(document.copyRef());
</span><span class="cx"> 
</span><ins>+    document-&gt;contentSecurityPolicy()-&gt;setUpgradeInsecureRequests(upgradeInsecureRequests);
+    document-&gt;contentSecurityPolicy()-&gt;setInsecureNavigationRequestsToUpgrade(WTFMove(insecureNavigationRequestsToUpgrade));
+
</ins><span class="cx">     if (m_decoder)
</span><span class="cx">         document-&gt;setDecoder(m_decoder.get());
</span><span class="cx">     if (ownerDocument) {
</span></span></pre></div>
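Review bot: setUpgradeInsecureRequests(upgradeInsecureRequests) is applied to every new document unconditionally, with the value captured in the previous hunk from whatever document occupied the frame, so a frame that once held an upgrade-insecure-requests page passes the directive on to the next document loaded into it. The comment in the previous hunk only speaks of retaining the set of upgraded requests, and the Document.cpp comment says this function handles nested browsing contexts; restrict the flag to that case or state here why carrying the directive itself across documents in the same frame is intended.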
<a id="trunkSourceWebCoreloaderFormSubmissioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FormSubmission.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FormSubmission.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/loader/FormSubmission.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -1,5 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx">  * Copyright (C) 2010 Google Inc. All rights reserved.
</span><ins>+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions are
</span><span class="lines">@@ -31,6 +32,7 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;FormSubmission.h&quot;
</span><span class="cx"> 
</span><ins>+#include &quot;ContentSecurityPolicy.h&quot;
</ins><span class="cx"> #include &quot;DOMFormData.h&quot;
</span><span class="cx"> #include &quot;Document.h&quot;
</span><span class="cx"> #include &quot;Event.h&quot;
</span><span class="lines">@@ -188,6 +190,8 @@
</span><span class="cx">     bool isMultiPartForm = false;
</span><span class="cx">     String encodingType = copiedAttributes.encodingType();
</span><span class="cx"> 
</span><ins>+    document.contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(actionURL, ContentSecurityPolicy::InsecureRequestType::FormSubmission);
+
</ins><span class="cx">     if (copiedAttributes.method() == PostMethod) {
</span><span class="cx">         isMultiPartForm = copiedAttributes.isMultiPartForm();
</span><span class="cx">         if (isMultiPartForm &amp;&amp; isMailtoForm) {
</span><span class="lines">@@ -269,6 +273,7 @@
</span><span class="cx"> 
</span><span class="cx">     frameRequest.resourceRequest().setURL(requestURL());
</span><span class="cx">     FrameLoader::addHTTPOriginIfNeeded(frameRequest.resourceRequest(), m_origin);
</span><ins>+    FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded(frameRequest.resourceRequest());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -369,6 +369,7 @@
</span><span class="cx">         frameRequest.setFrameName(m_frame.document()-&gt;baseTarget());
</span><span class="cx"> 
</span><span class="cx">     addHTTPOriginIfNeeded(frameRequest.resourceRequest(), outgoingOrigin());
</span><ins>+    m_frame.document()-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(frameRequest.resourceRequest(), ContentSecurityPolicy::InsecureRequestType::Navigation);
</ins><span class="cx"> 
</span><span class="cx">     loadFrameRequest(frameRequest, triggeringEvent, nullptr);
</span><span class="cx"> }
</span><span class="lines">@@ -2547,6 +2548,9 @@
</span><span class="cx">     // FIXME: Using m_loadType seems wrong for some callers.
</span><span class="cx">     // If we are only preparing to load the main resource, that is previous load's load type!
</span><span class="cx">     addExtraFieldsToRequest(request, m_loadType, true);
</span><ins>+
+    // Upgrade-Insecure-Requests should only be added to main resource requests
+    addHTTPUpgradeInsecureRequestsIfNeeded(request);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void FrameLoader::addExtraFieldsToRequest(ResourceRequest&amp; request, FrameLoadType loadType, bool mainResource)
</span><span class="lines">@@ -2653,6 +2657,16 @@
</span><span class="cx">     request.setHTTPOrigin(origin);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded(ResourceRequest&amp; request)
+{
+    if (request.url().protocolIs(&quot;https&quot;)) {
+        // FIXME: Identify HSTS cases and avoid adding the header. &lt;https://bugs.webkit.org/show_bug.cgi?id=157885&gt;
+        return;
+    }
+
+    request.setHTTPHeaderField(HTTPHeaderName::UpgradeInsecureRequests, ASCIILiteral(&quot;1&quot;));
+}
+
</ins><span class="cx"> void FrameLoader::loadPostRequest(const FrameLoadRequest&amp; request, const String&amp; referrer, FrameLoadType loadType, Event* event, PassRefPtr&lt;FormState&gt; prpFormState)
</span><span class="cx"> {
</span><span class="cx">     RefPtr&lt;FormState&gt; formState = prpFormState;
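Review bot: addHTTPUpgradeInsecureRequestsIfNeeded() returns early only when the URL is https, so the header is set on a request of any other scheme that reaches it, not just http; test for http explicitly before calling setHTTPHeaderField(). An if body that holds nothing but a FIXME and a return also reads oddly; move the FIXME above the if so the early return stands on its own.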
</span><span class="lines">@@ -2677,6 +2691,9 @@
</span><span class="cx">     workingResourceRequest.setHTTPContentType(contentType);
</span><span class="cx">     addExtraFieldsToRequest(workingResourceRequest, loadType, true);
</span><span class="cx"> 
</span><ins>+    if (Document* document = m_frame.document())
+        document-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(workingResourceRequest, ContentSecurityPolicy::InsecureRequestType::Load);
+
</ins><span class="cx">     NavigationAction action(workingResourceRequest, loadType, true, event, request.shouldOpenExternalURLsPolicy(), request.downloadAttribute());
</span><span class="cx"> 
</span><span class="cx">     if (!frameName.isEmpty()) {
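Review bot: The added call passes InsecureRequestType::Load for what is a POST navigation of the frame, while FormSubmission.cpp passes FormSubmission for the form's action URL and the first hunk in this file passes Navigation; the ChangeLog says cross-site navigations are upgraded only when they have been previously upgraded, so Load here looks like it would bypass that restriction. Confirm which type is intended for this path and add a comment saying why.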
</span><span class="lines">@@ -2735,6 +2752,8 @@
</span><span class="cx">     }
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><ins>+    m_frame.document()-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(newRequest, ContentSecurityPolicy::InsecureRequestType::Load);
+    
</ins><span class="cx">     if (error.isNull()) {
</span><span class="cx">         ASSERT(!newRequest.isNull());
</span><span class="cx"> 
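Review bot: The added upgradeInsecureRequestIfNeeded() call sits ahead of the if (error.isNull()) test, so newRequest is rewritten even on the path where an error is already set; moving it inside that branch, next to ASSERT(!newRequest.isNull()), keeps the rewrite with the only code that uses the request.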
</span><span class="lines">@@ -3318,6 +3337,7 @@
</span><span class="cx">         request.setHTTPContentType(item.formContentType());
</span><span class="cx">         RefPtr&lt;SecurityOrigin&gt; securityOrigin = SecurityOrigin::createFromString(item.referrer());
</span><span class="cx">         addHTTPOriginIfNeeded(request, securityOrigin-&gt;toString());
</span><ins>+        addHTTPUpgradeInsecureRequestsIfNeeded(request);
</ins><span class="cx"> 
</span><span class="cx">         // Make sure to add extra fields to the request after the Origin header is added for the FormData case.
</span><span class="cx">         // See https://bugs.webkit.org/show_bug.cgi?id=22194 for more discussion.
</span><span class="lines">@@ -3608,6 +3628,7 @@
</span><span class="cx">     if (!referrer.isEmpty())
</span><span class="cx">         requestWithReferrer.resourceRequest().setHTTPReferrer(referrer);
</span><span class="cx">     FrameLoader::addHTTPOriginIfNeeded(requestWithReferrer.resourceRequest(), openerFrame.loader().outgoingOrigin());
</span><ins>+    FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded(requestWithReferrer.resourceRequest());
</ins><span class="cx"> 
</span><span class="cx">     Page* oldPage = openerFrame.page();
</span><span class="cx">     if (!oldPage)
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderFrameLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.h (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.h        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/loader/FrameLoader.h        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -202,6 +202,7 @@
</span><span class="cx">     void addExtraFieldsToMainResourceRequest(ResourceRequest&amp;);
</span><span class="cx">     
</span><span class="cx">     static void addHTTPOriginIfNeeded(ResourceRequest&amp;, const String&amp; origin);
</span><ins>+    static void addHTTPUpgradeInsecureRequestsIfNeeded(ResourceRequest&amp;);
</ins><span class="cx"> 
</span><span class="cx">     FrameLoaderClient&amp; client() const { return m_client; }
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderPingLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/PingLoader.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/PingLoader.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/loader/PingLoader.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -1,6 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx">  * Copyright (C) 2010 Google Inc. All rights reserved.
</span><span class="cx">  * Copyright (C) 2015 Roopesh Chander (roop@roopc.net)
</span><ins>+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions are
</span><span class="lines">@@ -33,6 +34,7 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;PingLoader.h&quot;
</span><span class="cx"> 
</span><ins>+#include &quot;ContentSecurityPolicy.h&quot;
</ins><span class="cx"> #include &quot;Document.h&quot;
</span><span class="cx"> #include &quot;FormData.h&quot;
</span><span class="cx"> #include &quot;Frame.h&quot;
</span><span class="lines">@@ -80,6 +82,9 @@
</span><span class="cx">         return;
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><ins>+    if (Document* document = frame.document())
+        document-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(request, ContentSecurityPolicy::InsecureRequestType::Load);
+
</ins><span class="cx">     request.setHTTPHeaderField(HTTPHeaderName::CacheControl, &quot;max-age=0&quot;);
</span><span class="cx">     String referrer = SecurityPolicy::generateReferrerHeader(frame.document()-&gt;referrerPolicy(), request.url(), frame.loader().outgoingReferrer());
</span><span class="cx">     if (!referrer.isEmpty())
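Review bot: the guard added at the top of this hunk lets the request continue as plain http when frame.document() is null, yet the unchanged generateReferrerHeader line directly below calls frame.document()-&gt;referrerPolicy() with no check. Pick one invariant: if the document can be null here, return early rather than sending a request that was never upgraded; if it cannot, drop the guard and assert it.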
</span><span class="lines">@@ -102,6 +107,8 @@
</span><span class="cx">         return;
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><ins>+    frame.document()-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(request, ContentSecurityPolicy::InsecureRequestType::Load);
+
</ins><span class="cx">     request.setHTTPMethod(&quot;POST&quot;);
</span><span class="cx">     request.setHTTPContentType(&quot;text/ping&quot;);
</span><span class="cx">     request.setHTTPBody(FormData::create(&quot;PING&quot;));
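Review bot: the call added here dereferences frame.document() unconditionally, while the other two hunks in this file wrap the identical call in if (Document* document = frame.document()). Use the same form in all three so the ping paths cannot diverge; contentSecurityPolicy() is also dereferenced unchecked in each of them and deserves the same decision.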
</span><span class="lines">@@ -133,6 +140,9 @@
</span><span class="cx">         return;
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><ins>+    if (Document* document = frame.document())
+        document-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(request, ContentSecurityPolicy::InsecureRequestType::Load);
+
</ins><span class="cx">     request.setHTTPMethod(ASCIILiteral(&quot;POST&quot;));
</span><span class="cx">     request.setHTTPBody(WTFMove(report));
</span><span class="cx">     switch (reportType) {
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderSubframeLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/SubframeLoader.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/SubframeLoader.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/loader/SubframeLoader.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2006-2016 Apple Inc. All rights reserved.
</ins><span class="cx">  * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
</span><span class="cx">  * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved. (http://www.torchmobile.com/)
</span><span class="cx">  * Copyright (C) 2008 Alp Toker &lt;alp@atoker.com&gt;
</span><span class="lines">@@ -231,6 +231,8 @@
</span><span class="cx">     if (!url.isEmpty())
</span><span class="cx">         completedURL = completeURL(url);
</span><span class="cx"> 
</span><ins>+    document()-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(completedURL, ContentSecurityPolicy::InsecureRequestType::Load);
+
</ins><span class="cx">     bool hasFallbackContent = is&lt;HTMLObjectElement&gt;(ownerElement) &amp;&amp; downcast&lt;HTMLObjectElement&gt;(ownerElement).hasFallbackContent();
</span><span class="cx"> 
</span><span class="cx">     bool useFallback;
</span><span class="lines">@@ -300,8 +302,11 @@
</span><span class="cx">     return widget;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-Frame* SubframeLoader::loadOrRedirectSubframe(HTMLFrameOwnerElement&amp; ownerElement, const URL&amp; url, const AtomicString&amp; frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
</del><ins>+Frame* SubframeLoader::loadOrRedirectSubframe(HTMLFrameOwnerElement&amp; ownerElement, const URL&amp; requestUrl, const AtomicString&amp; frameName, LockHistory lockHistory, LockBackForwardList lockBackForwardList)
</ins><span class="cx"> {
</span><ins>+    URL url = requestUrl;
+    ownerElement.document().contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(url, ContentSecurityPolicy::InsecureRequestType::Load);
+
</ins><span class="cx">     Frame* frame = ownerElement.contentFrame();
</span><span class="cx">     if (frame)
</span><span class="cx">         frame-&gt;navigationScheduler().scheduleLocationChange(m_frame.document(), m_frame.document()-&gt;securityOrigin(), url, m_frame.loader().outgoingReferrer(), lockHistory, lockBackForwardList);
</span></span></pre></div>
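Review bot: in loadOrRedirectSubframe the policy consulted for the upgrade comes from ownerElement.document(), while the scheduleLocationChange call in the trailing context passes m_frame.document() and the earlier hunk in this file uses document(); please confirm these always name the same document, or add a comment on why the owner element's policy is the right one. Style: the renamed parameter should be requestURL rather than requestUrl, matching URL requestURL in CachedResourceLoader.cpp in this same revision.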
<a id="trunkSourceWebCoreloaderappcacheApplicationCacheHostcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/appcache/ApplicationCacheHost.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/appcache/ApplicationCacheHost.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/loader/appcache/ApplicationCacheHost.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2008, 2009 Apple Inc. All Rights Reserved.
</del><ins>+ * Copyright (C) 2008-2016 Apple Inc. All Rights Reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -29,6 +29,7 @@
</span><span class="cx"> #include &quot;ApplicationCache.h&quot;
</span><span class="cx"> #include &quot;ApplicationCacheGroup.h&quot;
</span><span class="cx"> #include &quot;ApplicationCacheResource.h&quot;
</span><ins>+#include &quot;ContentSecurityPolicy.h&quot;
</ins><span class="cx"> #include &quot;DocumentLoader.h&quot;
</span><span class="cx"> #include &quot;DOMApplicationCache.h&quot;
</span><span class="cx"> #include &quot;FileSystem.h&quot;
</span><span class="lines">@@ -370,12 +371,18 @@
</span><span class="cx">     m_applicationCache = applicationCache;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ApplicationCacheHost::shouldLoadResourceFromApplicationCache(const ResourceRequest&amp; request, ApplicationCacheResource*&amp; resource)
</del><ins>+bool ApplicationCacheHost::shouldLoadResourceFromApplicationCache(const ResourceRequest&amp; originalRequest, ApplicationCacheResource*&amp; resource)
</ins><span class="cx"> {
</span><span class="cx">     ApplicationCache* cache = applicationCache();
</span><span class="cx">     if (!cache || !cache-&gt;isComplete())
</span><span class="cx">         return false;
</span><span class="cx"> 
</span><ins>+    ResourceRequest request(originalRequest);
+    if (Frame* loaderFrame = m_documentLoader.frame()) {
+        if (Document* document = loaderFrame-&gt;document())
+            document-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(request, ContentSecurityPolicy::InsecureRequestType::Load);
+    }
+    
</ins><span class="cx">     // If the resource is not to be fetched using the HTTP GET mechanism or equivalent, or if its URL has a different
</span><span class="cx">     // &lt;scheme&gt; component than the application cache's manifest, then fetch the resource normally.
</span><span class="cx">     if (!ApplicationCache::requestIsHTTPOrHTTPSGet(request) || !equalIgnoringASCIICase(request.url().protocol(), cache-&gt;manifestResource()-&gt;url().protocol()))
</span></span></pre></div>
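Review bot: the block added ahead of the scheme comparison needs a comment saying why the upgrade must run first: the check below compares request.url().protocol() with the manifest's protocol, so with an https manifest an http URL that the policy would upgrade is otherwise treated as a scheme mismatch. When m_documentLoader.frame() or its document is null the comparison silently runs on the URL as received, which is worth stating too. The ResourceRequest copy is made on every call that reaches this point, whether or not anything is upgraded, and the last added line is whitespace only.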
<a id="trunkSourceWebCoreloadercacheCachedResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -2,7 +2,7 @@
</span><span class="cx">     Copyright (C) 1998 Lars Knoll (knoll@mpi-hd.mpg.de)
</span><span class="cx">     Copyright (C) 2001 Dirk Mueller (mueller@kde.org)
</span><span class="cx">     Copyright (C) 2002 Waldo Bastian (bastian@kde.org)
</span><del>-    Copyright (C) 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Apple Inc. All rights reserved.
</del><ins>+    Copyright (C) 2004-2016 Apple Inc. All rights reserved.
</ins><span class="cx">     Copyright (C) 2009 Torch Mobile Inc. http://www.torchmobile.com/
</span><span class="cx"> 
</span><span class="cx">     This library is free software; you can redistribute it and/or
</span><span class="lines">@@ -179,6 +179,8 @@
</span><span class="cx"> {
</span><span class="cx">     if (Frame* frame = this-&gt;frame()) {
</span><span class="cx">         if (frame-&gt;loader().pageDismissalEventBeingDispatched() != FrameLoader::PageDismissalType::None) {
</span><ins>+            if (Document* document = frame-&gt;document())
+                document-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(request.mutableResourceRequest(), ContentSecurityPolicy::InsecureRequestType::Load);
</ins><span class="cx">             URL requestURL = request.resourceRequest().url();
</span><span class="cx">             if (requestURL.isValid() &amp;&amp; canRequest(CachedResource::ImageResource, requestURL, request.options(), request.forPreload()))
</span><span class="cx">                 PingLoader::loadImage(*frame, requestURL);
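Review bot: the upgrade added inside the page-dismissal branch needs a one-line comment explaining that this branch hands the URL to PingLoader::loadImage and so cannot rely on the upgrade that requestResource gains in the next hunk; without it a later cleanup may remove the call as a duplicate. Keep it ahead of the canRequest call as written, so that check is made against the https URL and not the original one.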
</span><span class="lines">@@ -547,6 +549,9 @@
</span><span class="cx"> 
</span><span class="cx"> CachedResourceHandle&lt;CachedResource&gt; CachedResourceLoader::requestResource(CachedResource::Type type, CachedResourceRequest&amp; request)
</span><span class="cx"> {
</span><ins>+    if (Document* document = this-&gt;document())
+        document-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(request.mutableResourceRequest(), ContentSecurityPolicy::InsecureRequestType::Load);
+    
</ins><span class="cx">     URL url = request.resourceRequest().url();
</span><span class="cx">     
</span><span class="cx">     LOG(ResourceLoading, &quot;CachedResourceLoader::requestResource '%s', charset '%s', priority=%d, forPreload=%u&quot;, url.stringCenterEllipsizedToLength().latin1().data(), request.charset().latin1().data(), request.priority() ? static_cast&lt;int&gt;(request.priority().value()) : -1, request.forPreload());
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -46,6 +46,7 @@
</span><span class="cx"> #include &quot;JSMainThreadExecState.h&quot;
</span><span class="cx"> #include &quot;ParsingUtilities.h&quot;
</span><span class="cx"> #include &quot;PingLoader.h&quot;
</span><ins>+#include &quot;ResourceRequest.h&quot;
</ins><span class="cx"> #include &quot;RuntimeEnabledFeatures.h&quot;
</span><span class="cx"> #include &quot;SchemeRegistry.h&quot;
</span><span class="cx"> #include &quot;SecurityOrigin.h&quot;
</span><span class="lines">@@ -111,6 +112,9 @@
</span><span class="cx">     ASSERT(m_policies.isEmpty());
</span><span class="cx">     for (auto&amp; policy : other-&gt;m_policies)
</span><span class="cx">         didReceiveHeader(policy-&gt;header(), policy-&gt;headerType(), ContentSecurityPolicy::PolicyFrom::Inherited);
</span><ins>+
+    m_upgradeInsecureRequests = other-&gt;m_upgradeInsecureRequests;
+    m_insecureNavigationRequestsToUpgrade.add(other-&gt;m_insecureNavigationRequestsToUpgrade.begin(), other-&gt;m_insecureNavigationRequestsToUpgrade.end());
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void ContentSecurityPolicy::didCreateWindowShell(JSDOMWindowShell&amp; windowShell) const
</span><span class="lines">@@ -754,5 +758,70 @@
</span><span class="cx">     return false;
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><ins>+
+void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(ResourceRequest&amp; request, InsecureRequestType requestType)
+{
+    URL url = request.url();
+    upgradeInsecureRequestIfNeeded(url, requestType);
+    request.setURL(url);
+}
+
+void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(URL&amp; url, InsecureRequestType requestType)
+{
+    if (!url.protocolIs(&quot;http&quot;) &amp;&amp; !url.protocolIs(&quot;ws&quot;))
+        return;
+
+    bool upgradeRequest = m_insecureNavigationRequestsToUpgrade.contains(SecurityOrigin::create(url));
+    if (requestType == InsecureRequestType::Load || requestType == InsecureRequestType::FormSubmission)
+        upgradeRequest |= m_upgradeInsecureRequests;
</ins><span class="cx">     
</span><ins>+    if (!upgradeRequest)
+        return;
+
+    if (url.protocolIs(&quot;http&quot;))
+        url.setProtocol(&quot;https&quot;);
+    else if (url.protocolIs(&quot;ws&quot;))
+        url.setProtocol(&quot;wss&quot;);
+    else
+        return;
+    
+    if (url.port() == 80)
+        url.setPort(443);
</ins><span class="cx"> }
</span><ins>+
+void ContentSecurityPolicy::setUpgradeInsecureRequests(bool upgradeInsecureRequests)
+{
+    m_upgradeInsecureRequests = upgradeInsecureRequests;
+    if (!m_upgradeInsecureRequests)
+        return;
+
+    if (!m_scriptExecutionContext)
+        return;
+
+    // Store the upgrade domain as an 'insecure' protocol so we can quickly identify
+    // origins we should upgrade.
+    URL upgradeURL = m_scriptExecutionContext-&gt;url();
+    if (upgradeURL.protocolIs(&quot;https&quot;))
+        upgradeURL.setProtocol(&quot;http&quot;);
+    else if (upgradeURL.protocolIs(&quot;wss&quot;))
+        upgradeURL.setProtocol(&quot;ws&quot;);
+    
+    m_insecureNavigationRequestsToUpgrade.add(SecurityOrigin::create(upgradeURL));
+}
+
+void ContentSecurityPolicy::inheritInsecureNavigationRequestsToUpgradeFromOpener(const ContentSecurityPolicy&amp; other)
+{
+    m_insecureNavigationRequestsToUpgrade.add(other.m_insecureNavigationRequestsToUpgrade.begin(), other.m_insecureNavigationRequestsToUpgrade.end());
+}
+
+HashSet&lt;RefPtr&lt;SecurityOrigin&gt;&gt;&amp;&amp; ContentSecurityPolicy::takeNavigationRequestsToUpgrade()
+{
+    return WTFMove(m_insecureNavigationRequestsToUpgrade);
+}
+
+void ContentSecurityPolicy::setInsecureNavigationRequestsToUpgrade(HashSet&lt;RefPtr&lt;SecurityOrigin&gt;&gt;&amp;&amp; insecureNavigationRequests)
+{
+    m_insecureNavigationRequestsToUpgrade = WTFMove(insecureNavigationRequests);
+}
+
+}
</ins></span></pre></div>
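Review bot: in upgradeInsecureRequestIfNeeded(URL&amp;, InsecureRequestType) the lookup m_insecureNavigationRequestsToUpgrade.contains(SecurityOrigin::create(url)) builds a SecurityOrigin for every http or ws URL before either flag is tested, and this function now sits on every load path touched by this revision. Test m_upgradeInsecureRequests for Load and FormSubmission first, and skip the lookup when the set is empty. The trailing else return; after the two setProtocol branches cannot be reached, because the first statement has already returned for any URL that is neither http nor ws.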
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -27,6 +27,9 @@
</span><span class="cx"> #pragma once
</span><span class="cx"> 
</span><span class="cx"> #include &quot;ContentSecurityPolicyResponseHeaders.h&quot;
</span><ins>+#include &quot;SecurityOrigin.h&quot;
+#include &quot;SecurityOriginHash.h&quot;
+#include &lt;wtf/HashSet.h&gt;
</ins><span class="cx"> #include &lt;wtf/OptionSet.h&gt;
</span><span class="cx"> #include &lt;wtf/Vector.h&gt;
</span><span class="cx"> #include &lt;wtf/text/TextPosition.h&gt;
</span><span class="lines">@@ -47,6 +50,7 @@
</span><span class="cx"> class DOMStringList;
</span><span class="cx"> class Frame;
</span><span class="cx"> class JSDOMWindowShell;
</span><ins>+class ResourceRequest;
</ins><span class="cx"> class ScriptExecutionContext;
</span><span class="cx"> class SecurityOrigin;
</span><span class="cx"> class TextEncoding;
</span><span class="lines">@@ -148,6 +152,16 @@
</span><span class="cx">     // Used by ContentSecurityPolicySource
</span><span class="cx">     bool protocolMatchesSelf(const URL&amp;) const;
</span><span class="cx"> 
</span><ins>+    void setUpgradeInsecureRequests(bool);
+    bool upgradeInsecureRequests() const { return m_upgradeInsecureRequests; }
+    enum class InsecureRequestType { Load, FormSubmission, Navigation };
+    void upgradeInsecureRequestIfNeeded(ResourceRequest&amp;, InsecureRequestType);
+    void upgradeInsecureRequestIfNeeded(URL&amp;, InsecureRequestType);
+
+    HashSet&lt;RefPtr&lt;SecurityOrigin&gt;&gt;&amp;&amp; takeNavigationRequestsToUpgrade();
+    void inheritInsecureNavigationRequestsToUpgradeFromOpener(const ContentSecurityPolicy&amp;);
+    void setInsecureNavigationRequestsToUpgrade(HashSet&lt;RefPtr&lt;SecurityOrigin&gt;&gt;&amp;&amp;);
+
</ins><span class="cx"> private:
</span><span class="cx">     void logToConsole(const String&amp; message, const String&amp; contextURL = String(), const WTF::OrdinalNumber&amp; contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
</span><span class="cx">     void updateSourceSelf(const SecurityOrigin&amp;);
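Review bot: takeNavigationRequestsToUpgrade() is declared to return HashSet&lt;RefPtr&lt;SecurityOrigin&gt;&gt;&amp;&amp;, a reference to the member, so m_insecureNavigationRequestsToUpgrade is emptied only if the caller move-constructs from the result; returning the HashSet by value makes the take unconditional. InsecureRequestType also needs a short comment: per the .cpp in this revision, Load and FormSubmission honor m_upgradeInsecureRequests, while Navigation is upgraded only when the target origin is already in the set.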
</span><span class="lines">@@ -174,8 +188,10 @@
</span><span class="cx">     SandboxFlags m_sandboxFlags;
</span><span class="cx">     bool m_overrideInlineStyleAllowed { false };
</span><span class="cx">     bool m_isReportingEnabled { true };
</span><ins>+    bool m_upgradeInsecureRequests { false };
</ins><span class="cx">     OptionSet&lt;ContentSecurityPolicyHashAlgorithm&gt; m_hashAlgorithmsForInlineScripts;
</span><span class="cx">     OptionSet&lt;ContentSecurityPolicyHashAlgorithm&gt; m_hashAlgorithmsForInlineStylesheets;
</span><ins>+    HashSet&lt;RefPtr&lt;SecurityOrigin&gt;&gt; m_insecureNavigationRequestsToUpgrade;
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> template&lt;typename Predicate, typename... Args&gt;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -100,8 +100,6 @@
</span><span class="cx"> ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList(ContentSecurityPolicy&amp; policy, ContentSecurityPolicyHeaderType type)
</span><span class="cx">     : m_policy(policy)
</span><span class="cx">     , m_headerType(type)
</span><del>-    , m_reportOnly(false)
-    , m_haveSandboxPolicy(false)
</del><span class="cx"> {
</span><span class="cx">     m_reportOnly = (type == ContentSecurityPolicyHeaderType::Report || type == ContentSecurityPolicyHeaderType::PrefixedReport);
</span><span class="cx"> }
</span><span class="lines">@@ -435,6 +433,20 @@
</span><span class="cx">         m_policy.reportInvalidSandboxFlags(invalidTokens);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void ContentSecurityPolicyDirectiveList::setUpgradeInsecureRequests(const String&amp; name)
+{
+    if (m_reportOnly) {
+        m_policy.reportInvalidDirectiveInReportOnlyMode(name);
+        return;
+    }
+    if (m_upgradeInsecureRequests) {
+        m_policy.reportDuplicateDirective(name);
+        return;
+    }
+    m_upgradeInsecureRequests = true;
+    m_policy.setUpgradeInsecureRequests(true);
+}
+
</ins><span class="cx"> void ContentSecurityPolicyDirectiveList::addDirective(const String&amp; name, const String&amp; value)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!name.isEmpty());
</span><span class="lines">@@ -481,6 +493,8 @@
</span><span class="cx">         applySandboxPolicy(name, value);
</span><span class="cx">     else if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::reportURI))
</span><span class="cx">         parseReportURI(name, value);
</span><ins>+    else if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::upgradeInsecureRequests))
+        setUpgradeInsecureRequests(name);
</ins><span class="cx">     else
</span><span class="cx">         m_policy.reportUnsupportedDirective(name);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -86,6 +86,7 @@
</span><span class="cx">     void parsePluginTypes(const String&amp; name, const String&amp; value);
</span><span class="cx">     void addDirective(const String&amp; name, const String&amp; value);
</span><span class="cx">     void applySandboxPolicy(const String&amp; name, const String&amp; sandboxPolicy);
</span><ins>+    void setUpgradeInsecureRequests(const String&amp; name);
</ins><span class="cx"> 
</span><span class="cx">     template &lt;class CSPDirectiveType&gt;
</span><span class="cx">     void setCSPDirective(const String&amp; name, const String&amp; value, std::unique_ptr&lt;CSPDirectiveType&gt;&amp;);
</span><span class="lines">@@ -100,8 +101,9 @@
</span><span class="cx">     String m_header;
</span><span class="cx">     ContentSecurityPolicyHeaderType m_headerType;
</span><span class="cx"> 
</span><del>-    bool m_reportOnly;
-    bool m_haveSandboxPolicy;
</del><ins>+    bool m_reportOnly { false };
+    bool m_haveSandboxPolicy { false };
+    bool m_upgradeInsecureRequests { false };
</ins><span class="cx"> 
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicyMediaListDirective&gt; m_pluginTypes;
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicySourceListDirective&gt; m_baseURI;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -46,6 +46,7 @@
</span><span class="cx"> const char* const sandbox = &quot;sandbox&quot;;
</span><span class="cx"> const char* const scriptSrc = &quot;script-src&quot;;
</span><span class="cx"> const char* const styleSrc = &quot;style-src&quot;;
</span><ins>+const char* const upgradeInsecureRequests = &quot;upgrade-insecure-requests&quot;;
</ins><span class="cx">     
</span><span class="cx"> } // namespace ContentSecurityPolicyDirectiveNames
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -45,6 +45,7 @@
</span><span class="cx"> extern const char* const sandbox;
</span><span class="cx"> extern const char* const scriptSrc;
</span><span class="cx"> extern const char* const styleSrc;
</span><ins>+extern const char* const upgradeInsecureRequests;
</ins><span class="cx"> 
</span><span class="cx"> } // namespace ContentSecurityPolicyDirectiveNames
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkHTTPHeaderNamesin"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/HTTPHeaderNames.in (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/HTTPHeaderNames.in        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/platform/network/HTTPHeaderNames.in        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -89,6 +89,7 @@
</span><span class="cx"> Trailer
</span><span class="cx"> Transfer-Encoding
</span><span class="cx"> Upgrade
</span><ins>+Upgrade-Insecure-Requests
</ins><span class="cx"> User-Agent
</span><span class="cx"> Vary
</span><span class="cx"> Via
</span></span></pre></div>
<a id="trunkSourceWebCorexmlXMLHttpRequestcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/xml/XMLHttpRequest.cpp (201678 => 201679)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/xml/XMLHttpRequest.cpp        2016-06-04 03:28:57 UTC (rev 201678)
+++ trunk/Source/WebCore/xml/XMLHttpRequest.cpp        2016-06-04 07:20:17 UTC (rev 201679)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- *  Copyright (C) 2004, 2006, 2008 Apple Inc. All rights reserved.
</del><ins>+ *  Copyright (C) 2004-2016 Apple Inc. All rights reserved.
</ins><span class="cx">  *  Copyright (C) 2005-2007 Alexey Proskuryakov &lt;ap@webkit.org&gt;
</span><span class="cx">  *  Copyright (C) 2007, 2008 Julien Chaffraix &lt;jchaffraix@webkit.org&gt;
</span><span class="cx">  *  Copyright (C) 2008, 2011 Google Inc. All rights reserved.
</span><span class="lines">@@ -480,6 +480,7 @@
</span><span class="cx">     m_method = uppercaseKnownHTTPMethod(method);
</span><span class="cx"> 
</span><span class="cx">     m_url = url;
</span><ins>+    scriptExecutionContext()-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(m_url, ContentSecurityPolicy::InsecureRequestType::Load);
</ins><span class="cx"> 
</span><span class="cx">     m_async = async;
</span><span class="cx"> 
</span></span></pre>
</div>
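Review bot: the line added after m_url = url calls scriptExecutionContext()-&gt;contentSecurityPolicy()-&gt;upgradeInsecureRequestIfNeeded(...) with neither pointer checked, whereas the CachedResourceLoader.cpp and ApplicationCacheHost.cpp hunks in this revision guard the document before making the same call. If this function can run without a live context this is a null dereference; if it cannot, an ASSERT on both pointers documents the invariant. Note also that m_url now holds the upgraded URL, so every later use of m_url in this class operates on https rather than the URL the script passed in.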
</div>

</body>
</html>