<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[204521] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/204521">204521</a></dd>
<dt>Author</dt> <dd>bfulgham@apple.com</dd>
<dt>Date</dt> <dd>2016-08-16 13:32:57 -0700 (Tue, 16 Aug 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Upgrade-Insecure-Request state is improperly retained between navigations
https://bugs.webkit.org/show_bug.cgi?id=160905
<rdar://problem/27075526>
Reviewed by Andy Estes.
Source/WebCore:
Correct the handling of Upgrade-Insecure-Request state to match the specification, so that
performing top-level navigation to sites that do not have the Upgrade-Insecure-Request header
does not automatically upgrade insecure loads. The same loads performed in an iframe should
be upgraded.
The iframe case was already handled in our tests, but a new test is added that models the top-level
navigation and confirms that an upgrade is not performed.
Tests: http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation.html
* dom/Document.cpp:
(WebCore::Document::initContentSecurityPolicy): Properly inherit Upgrade-Insecure-Request state for children
of existing frames.
* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin): Retain the history of upgraded resources (per the specification) so that
we continue to upgrade resources that were upgraded during earlier navigations. Note that we do NOT want to
retain the state of the Upgrade-Insecure-Requests header itself.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::copyStateFrom): Update to use new helper function.
(WebCore::ContentSecurityPolicy::copyUpgradeInsecureRequestStateFrom): New helper function.
* page/csp/ContentSecurityPolicy.h:
LayoutTests:
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-site.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomDocumentcpp">trunk/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentWritercpp">trunk/Source/WebCore/loader/DocumentWriter.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsproperuironnavigationexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsproperuironnavigationhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesinsecuresitehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-site.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (204520 => 204521)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-08-16 19:57:00 UTC (rev 204520)
+++ trunk/LayoutTests/ChangeLog 2016-08-16 20:32:57 UTC (rev 204521)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2016-08-16 Brent Fulgham <bfulgham@apple.com>
+
+ Upgrade-Insecure-Request state is improperly retained between navigations
+ https://bugs.webkit.org/show_bug.cgi?id=160905
+ <rdar://problem/27075526>
+
+ Reviewed by Andy Estes.
+
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation.html: Added.
+ * http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-site.html: Added.
+
</ins><span class="cx"> 2016-08-16 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><span class="cx"> ctx.drawImage should clip source rect if it is outside the source image
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsproperuironnavigationexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation-expected.txt (0 => 204521)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation-expected.txt 2016-08-16 20:32:57 UTC (rev 204521)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+ALERT: PASS
+ALERT: PASS
+This page should be loaded insecurely as a navigation from the secure site 'secure-second-site.html'. The secure domain should have set the Upgrade-Insecure-Requests header, but this new navigation should have cleared this state.
+
+The following script is loaded using 'http', and should NOT be upgraded to 'https'.
+
+If this test passes there should be two PASS messages in the output.
+
+
+
+============== Back Forward List ==============
+ http://127.0.0.1:8000/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation.html **nav target**
+curr-> http://127.0.0.1:8000/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-site.html **nav target**
+===============================================
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsproperuironnavigationhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation.html (0 => 204521)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation.html 2016-08-16 20:32:57 UTC (rev 204521)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+ <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
+</head>
+<body>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ </script>
+ <div>
+ <p>The following script is loaded using 'http', but it should be upgraded to 'https' due to the
+'upgrade-insecure-requests' header.</p>
+ <script src="http://127.0.0.1:8443/security/contentSecurityPolicy/resources/alert-pass.js"></script>
+ <div>
+ <script>
+ if (window.testRunner)
+ testRunner.queueLoad("http://127.0.0.1:8000/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-site.html");
+ </script>
+</body>
+</html>
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyupgradeinsecurerequestsresourcesinsecuresitehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-site.html (0 => 204521)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-site.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-site.html 2016-08-16 20:32:57 UTC (rev 204521)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<body>
+ <p>This page should be loaded insecurely as a navigation from the secure site 'secure-second-site.html'. The secure domain should have set the Upgrade-Insecure-Requests header,
+ but this new navigation should have cleared this state.</p>
+ <div>
+ <p>The following script is loaded using 'http', and should NOT be upgraded to 'https'.</p>
+ <script src="http://localhost:8000/security/contentSecurityPolicy/resources/alert-pass.js"></script>
+ <p>If this test passes there should be two PASS messages in the output.</p>
+ <div>
+ <script>
+ if (window.testRunner)
+ testRunner.dumpBackForwardList();
+ </script>
+</body>
+</html>
</ins><span class="cx">\ No newline at end of file
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (204520 => 204521)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-08-16 19:57:00 UTC (rev 204520)
+++ trunk/Source/WebCore/ChangeLog 2016-08-16 20:32:57 UTC (rev 204521)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2016-08-16 Brent Fulgham <bfulgham@apple.com>
+
+ Upgrade-Insecure-Request state is improperly retained between navigations
+ https://bugs.webkit.org/show_bug.cgi?id=160905
+ <rdar://problem/27075526>
+
+ Reviewed by Andy Estes.
+
+ Correct the handling of Upgrade-Insecure-Request state to match the specification, so that
+ performing top-level navigation to sites that do not have the Upgrade-Insecure-Request header
+ does not automatically upgrade insecure loads. The same loads performed in an iframe should
+ be upgraded.
+
+ The iframe case was already handled in our tests, but a new test is added that models the top-level
+ navigation and confirms that an upgrade is not performed.
+
+ Tests: http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-uir-on-navigation.html
+
+ * dom/Document.cpp:
+ (WebCore::Document::initContentSecurityPolicy): Properly inherit Upgrade-Insecure-Request state for children
+ of existing frames.
+ * loader/DocumentWriter.cpp:
+ (WebCore::DocumentWriter::begin): Retain the history of upgraded resources (per the specification) so that
+ we continue to upgrade resources that were upgraded during earlier navigations. Note that we do NOT want to
+ retain the state of the Upgrade-Insecure-Requests header itself.
+ * page/csp/ContentSecurityPolicy.cpp:
+ (WebCore::ContentSecurityPolicy::copyStateFrom): Update to use new helper function.
+ (WebCore::ContentSecurityPolicy::copyUpgradeInsecureRequestStateFrom): New helper function.
+ * page/csp/ContentSecurityPolicy.h:
+
</ins><span class="cx"> 2016-08-16 Chris Dumez <cdumez@apple.com>
</span><span class="cx">
</span><span class="cx"> ctx.drawImage should clip source rect if it is outside the source image
</span></span></pre></div>
<a id="trunkSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.cpp (204520 => 204521)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.cpp 2016-08-16 19:57:00 UTC (rev 204520)
+++ trunk/Source/WebCore/dom/Document.cpp 2016-08-16 20:32:57 UTC (rev 204521)
</span><span class="lines">@@ -5389,9 +5389,18 @@
</span><span class="cx">
</span><span class="cx"> void Document::initContentSecurityPolicy()
</span><span class="cx"> {
</span><del>- if (!m_frame->tree().parent() || (!shouldInheritSecurityOriginFromOwner(m_url) && !isPluginDocument()))
</del><ins>+ if (!m_frame->tree().parent())
</ins><span class="cx"> return;
</span><span class="cx">
</span><ins>+ if (!shouldInheritSecurityOriginFromOwner(m_url) && !isPluginDocument()) {
+ // Per <http://www.w3.org/TR/upgrade-insecure-requests/>, we need to retain an ongoing set of upgraded
+ // requests in new navigation contexts. Although this information is present when we construct the
+ // Document object, it is discard in the subsequent 'clear' statements below. So, we must capture it
+ ASSERT(m_frame->tree().parent()->document());
+ contentSecurityPolicy()->copyUpgradeInsecureRequestStateFrom(*m_frame->tree().parent()->document()->contentSecurityPolicy());
+ return;
+ }
+
</ins><span class="cx"> contentSecurityPolicy()->copyStateFrom(m_frame->tree().parent()->document()->contentSecurityPolicy());
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentWritercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentWriter.cpp (204520 => 204521)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentWriter.cpp 2016-08-16 19:57:00 UTC (rev 204520)
+++ trunk/Source/WebCore/loader/DocumentWriter.cpp 2016-08-16 20:32:57 UTC (rev 204521)
</span><span class="lines">@@ -1,5 +1,6 @@
</span><span class="cx"> /*
</span><span class="cx"> * Copyright (C) 2010. Adam Barth. All rights reserved.
</span><ins>+ * Copyright (C) 2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -149,11 +150,8 @@
</span><span class="cx"> // Document object, it is discard in the subsequent 'clear' statements below. So, we must capture it
</span><span class="cx"> // so we can restore it.
</span><span class="cx"> HashSet<RefPtr<SecurityOrigin>> insecureNavigationRequestsToUpgrade;
</span><del>- bool upgradeInsecureRequests = false;
- if (auto* existingDocument = m_frame->document()) {
- upgradeInsecureRequests = existingDocument->contentSecurityPolicy()->upgradeInsecureRequests();
</del><ins>+ if (auto* existingDocument = m_frame->document())
</ins><span class="cx"> insecureNavigationRequestsToUpgrade = existingDocument->contentSecurityPolicy()->takeNavigationRequestsToUpgrade();
</span><del>- }
</del><span class="cx">
</span><span class="cx"> m_frame->loader().clear(document.ptr(), !shouldReuseDefaultView, !shouldReuseDefaultView);
</span><span class="cx"> clear();
</span><span class="lines">@@ -169,7 +167,6 @@
</span><span class="cx"> m_frame->loader().setOutgoingReferrer(url);
</span><span class="cx"> m_frame->setDocument(document.copyRef());
</span><span class="cx">
</span><del>- document->contentSecurityPolicy()->setUpgradeInsecureRequests(upgradeInsecureRequests);
</del><span class="cx"> document->contentSecurityPolicy()->setInsecureNavigationRequestsToUpgrade(WTFMove(insecureNavigationRequestsToUpgrade));
</span><span class="cx">
</span><span class="cx"> if (m_decoder)
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (204520 => 204521)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-08-16 19:57:00 UTC (rev 204520)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp 2016-08-16 20:32:57 UTC (rev 204521)
</span><span class="lines">@@ -114,10 +114,15 @@
</span><span class="cx"> for (auto& policy : other->m_policies)
</span><span class="cx"> didReceiveHeader(policy->header(), policy->headerType(), ContentSecurityPolicy::PolicyFrom::Inherited);
</span><span class="cx">
</span><del>- m_upgradeInsecureRequests = other->m_upgradeInsecureRequests;
- m_insecureNavigationRequestsToUpgrade.add(other->m_insecureNavigationRequestsToUpgrade.begin(), other->m_insecureNavigationRequestsToUpgrade.end());
</del><ins>+ copyUpgradeInsecureRequestStateFrom(*other);
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+void ContentSecurityPolicy::copyUpgradeInsecureRequestStateFrom(const ContentSecurityPolicy& other)
+{
+ m_upgradeInsecureRequests = other.m_upgradeInsecureRequests;
+ m_insecureNavigationRequestsToUpgrade.add(other.m_insecureNavigationRequestsToUpgrade.begin(), other.m_insecureNavigationRequestsToUpgrade.end());
+}
+
</ins><span class="cx"> void ContentSecurityPolicy::didCreateWindowShell(JSDOMWindowShell& windowShell) const
</span><span class="cx"> {
</span><span class="cx"> JSDOMWindow* window = windowShell.window();
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (204520 => 204521)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-08-16 19:57:00 UTC (rev 204520)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h 2016-08-16 20:32:57 UTC (rev 204521)
</span><span class="lines">@@ -69,6 +69,7 @@
</span><span class="cx"> ~ContentSecurityPolicy();
</span><span class="cx">
</span><span class="cx"> void copyStateFrom(const ContentSecurityPolicy*);
</span><ins>+ void copyUpgradeInsecureRequestStateFrom(const ContentSecurityPolicy&);
</ins><span class="cx">
</span><span class="cx"> void didCreateWindowShell(JSDOMWindowShell&) const;
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>