<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[209577] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/209577">209577</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-12-08 15:54:13 -0800 (Thu, 08 Dec 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>Implement Strict Mixed Content Checking
https://bugs.webkit.org/show_bug.cgi?id=165438
&lt;rdar://problem/26103867&gt;

Reviewed by Brent Fulgham and Andy Estes.

Source/WebCore:

Add support for the CSP directive block-all-mixed-content to enable strict mixed content checking
as per &lt;https://www.w3.org/TR/2016/CR-mixed-content-20160802/#strict-checking&gt; (2 August 2016).

Currently WebKit only blocks blockable content as such content can contaminate the security origin
that loaded it. Optionally-blockable content, including images, would be allowed to load as mixed
content. When strict mixed content checking is enabled all mixed content is blocked. That is, both
blockable and optionally-blockable content will be blocked. A web site can opt into strict mixed
content checking by adding the directive block-all-mixed-content to their content security policy.

Tests: http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html

* dom/Document.cpp:
(WebCore::Document::initSecurityContext): Inherit strict mixed content checking mode from parent document.
* dom/SecurityContext.h:
(WebCore::SecurityContext::isStrictMixedContentMode): Added.
(WebCore::SecurityContext::setStrictMixedContentMode): Added.
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest): Check mixed content policy with respect to the current frame.
The document in the current frame may have opted into strict mixed content checking or inherited it from
its parent document.
* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin): Inherit the strict mixed content checking mode from the owner document
when loading a JavaScript URL in a frame (e.g. &lt;iframe src=&quot;javascript:...&quot;&gt;) because such URLs inherit
the security origin of their parent document.
* loader/MixedContentChecker.cpp:
(WebCore::MixedContentChecker::canDisplayInsecureContent): Check the content security policy of the document
and the strict mixed content checking mode bit on the document (in that order) to determine if we are in
strict mode. Block display of insecure content when in strict mode. Modified to take enum AlwaysDisplayInNonStrictMode (defaults
to AlwaysDisplayInNonStrictMode::No) as to whether to allow our current relaxed behavior of displaying insecure
content in non-strict mode.
(WebCore::MixedContentChecker::canRunInsecureContent): Check the content security policy of the document
and the strict mixed content checking mode bit on the document (in that order) to determine if we are in
strict mode. Block running of insecure content when in strict mode.
* loader/MixedContentChecker.h:
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::checkInsecureContent): Always check mixed content policy with respect to
the current frame. The document in the current frame may have opted into strict mixed content checking or
inherited it from its parent document. Also renamed a local variable f to frame to better describe its
purpose.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent): Added. Iterate through all the
policies and report violations with respect to policies that have directive block-all-mixed-content.
(WebCore::ContentSecurityPolicy::didReceiveHeader): Move logic to set eval() error message from here...
(WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): ...to here so that we only perform
it once we are ready to apply the CSP policy to the script execution context. Additionally, enable
strict mixed content checking on the script execution context if applicable.
(WebCore::ContentSecurityPolicy::reportViolation): Added overrides that take a string and a directive list
object (ContentSecurityPolicyDirectiveList) for the effective violated directive and its associated directive
list, respectively. We make use of these overrides so as to support reporting block-all-mixed-content
violations, which are not implemented using a ContentSecurityPolicyDirective object as it seemed sufficient
to implement it as a boolean on ContentSecurityPolicyDirectiveList.
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::setBlockAllMixedContentEnabled): Added.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Parse the directive block-all-mixed-content.
* page/csp/ContentSecurityPolicyDirectiveList.h:
(WebCore::ContentSecurityPolicyDirectiveList::hasBlockAllMixedContentDirective): Added.
* page/csp/ContentSecurityPolicyDirectiveNames.cpp:
* page/csp/ContentSecurityPolicyDirectiveNames.h: Add constant for &quot;block-all-mixed-content&quot;.

LayoutTests:

Add tests to ensure that we do not regress strict mixed content checking.

* http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js: Added.
(logMessage):
(securityPolicyViolationToString):
(checkNotify):
(recordSecurityPolicyViolation):
(window.onload):
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html: Added.
* platform/ios-simulator/TestExpectations: Skip plugin tests as plugins are not supported on iOS.</pre>
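The decision order described in the log message (the document's own policies first, then the strict-mode bit that may have been inherited, then the relaxed default) can be modelled as follows. This is an added example, not code from the changeset or from WebKit: every function name, the sample URLs and the list of secure schemes are assumptions made for illustration, and report-only policies are assumed to report without blocking.

```javascript
// Simplified model of the checks described in the log message. Every name here
// (parsePolicy, createDocument, checkMixedContent) is hypothetical, not a WebKit identifier.

const DIRECTIVE = 'block-all-mixed-content';

// Schemes treated as secure in this model (an assumption; a real engine's list differs).
const SECURE_SCHEMES = new Set(['https:', 'wss:', 'data:', 'blob:', 'about:']);

// Parse one serialized policy. Directive names are matched case-insensitively
// and a repeated directive is ignored after its first occurrence.
function parsePolicy(serialized, { reportOnly = false } = {}) {
  const directives = new Map();
  for (const part of serialized.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return { reportOnly, blockAllMixedContent: directives.has(DIRECTIVE) };
}

// A document is in strict mode if an enforced policy of its own carries the
// directive, or if its parent document was already in strict mode.
function createDocument({ url, policies = [], parent = null }) {
  const ownStrict = policies.some((p) => (p.blockAllMixedContent ? !p.reportOnly : false));
  const inherited = parent ? parent.strictMixedContentMode : false;
  return { url, policies, strictMixedContentMode: ownStrict || inherited };
}

function isMixedContent(doc, resourceUrl) {
  if (new URL(doc.url).protocol !== 'https:') return false;
  return !SECURE_SCHEMES.has(new URL(resourceUrl).protocol);
}

// kind is 'blockable' (for example a script) or 'optionally-blockable' (for example an image).
function checkMixedContent(doc, resourceUrl, kind) {
  const reports = [];
  if (!isMixedContent(doc, resourceUrl)) {
    return { allowed: true, reason: 'not mixed content', reports };
  }

  // 1. The document's own policies: each policy with the directive reports;
  //    only enforced ones block (report-only handling is an assumption here).
  let blockedByPolicy = false;
  for (const policy of doc.policies) {
    if (!policy.blockAllMixedContent) continue;
    reports.push({
      violatedDirective: DIRECTIVE,
      blockedURL: resourceUrl,
      disposition: policy.reportOnly ? 'report' : 'enforce',
    });
    if (!policy.reportOnly) blockedByPolicy = true;
  }
  if (blockedByPolicy) return { allowed: false, reason: 'strict mode (own policy)', reports };

  // 2. The strict-mode bit, which may have been inherited from the parent
  //    document. The bit carries no policy to report against in this model.
  if (doc.strictMixedContentMode) {
    return { allowed: false, reason: 'strict mode (inherited)', reports };
  }

  // 3. Non-strict behaviour: only blockable content is refused.
  const allowed = kind === 'optionally-blockable';
  return { allowed, reason: allowed ? 'non-strict: displayed' : 'non-strict: blockable', reports };
}

// Constructed sample documents (example.test URLs are placeholders).
function buildSampleDocuments() {
  const plain = createDocument({ url: 'https://example.test/' });
  const strict = createDocument({
    url: 'https://example.test/',
    policies: [parsePolicy("default-src 'self'; Block-All-Mixed-Content")],
  });
  const childOfStrict = createDocument({ url: 'https://example.test/frame.html', parent: strict });
  const reportOnly = createDocument({
    url: 'https://example.test/',
    policies: [parsePolicy('block-all-mixed-content', { reportOnly: true })],
  });
  return { plain, strict, childOfStrict, reportOnly };
}
```
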

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsplatformiossimulatorTestExpectations">trunk/LayoutTests/platform/ios-simulator/TestExpectations</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoredomDocumentcpp">trunk/Source/WebCore/dom/Document.cpp</a></li>
<li><a href="#trunkSourceWebCoredomSecurityContexth">trunk/Source/WebCore/dom/SecurityContext.h</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentLoadercpp">trunk/Source/WebCore/loader/DocumentLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentWritercpp">trunk/Source/WebCore/loader/DocumentWriter.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderMixedContentCheckercpp">trunk/Source/WebCore/loader/MixedContentChecker.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderMixedContentCheckerh">trunk/Source/WebCore/loader/MixedContentChecker.h</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceLoadercpp">trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamescpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamesh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h</a></li>
<li><a href="#trunkSourceWebCorexmlXSLTProcessorcpp">trunk/Source/WebCore/xml/XSLTProcessor.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li>trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/</li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentdataurliframeinmainframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentdataurliframeinmainframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentduplicatedirectiveexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentduplicatedirectivehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssiniframereportonlyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssiniframereportonlyhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssinmainframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssinmainframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureiframeiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureiframeiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureiframeinmainframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureiframeinmainframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinbloburliframeiniframeexpectedhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinbloburliframeiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframewithenforcedandreportpoliciesexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframewithenforcedandreportpolicieshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframewithinheritedpolicyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframewithinheritedpolicyhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinjavascripturliframeiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinjavascripturliframeiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinmainframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinmainframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinxsltdocumentiniframewithinheritedpolicyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinxsltdocumentiniframewithinheritedpolicyhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureplugininiframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureplugininiframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureplugininmainframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureplugininmainframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptiniframewithinheritedpolicyexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptiniframewithinheritedpolicyhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptinmainframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptinmainframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrasynchronousiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrasynchronousiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrasynchronousinmainframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrasynchronousinmainframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrsynchronousiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrsynchronousiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrsynchronousinmainframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrsynchronousinmainframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html</a></li>
<li>trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/</li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesdumpsecuritypolicyviolationandnotifydonejs">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesfailhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithdataurliframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecurecssreportonlyphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecurecsshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureiframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimageandwithoutpolicyhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimageinbloburliframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimageinjavascripturliframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimageinxsltdocumentxml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimagewithenforcedandreportpoliciesphp">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimagehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecurepluginhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecurescripthtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecurexhrhtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithsecureimageafterupgraderedirecthtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithsecureimageafterupgradehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesredsquarepng">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcestransformfunctionsxsl">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentsecureimageafterupgradeiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentsecureimageafterupgradeiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentsecureimageafterupgraderedirectiniframeexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentsecureimageafterupgraderedirectiniframehtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/LayoutTests/ChangeLog        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -1,3 +1,88 @@
</span><ins>+2016-12-08  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        Implement Strict Mixed Content Checking
+        https://bugs.webkit.org/show_bug.cgi?id=165438
+        &lt;rdar://problem/26103867&gt;
+
+        Reviewed by Brent Fulgham and Andy Estes.
+
+        Add tests to ensure that we do not regress strict mixed content checking.
+
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js: Added.
+        (logMessage):
+        (securityPolicyViolationToString):
+        (checkNotify):
+        (recordSecurityPolicyViolation):
+        (window.onload):
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html: Added.
+        * platform/ios-simulator/TestExpectations: Skip plugin tests as plugins are not supported on iOS.
+
</ins><span class="cx"> 2016-12-08  Sam Weinig  &lt;sam@webkit.org&gt;
</span><span class="cx"> 
</span><span class="cx">         [WebIDL] Remove custom bindings for Geolocation
</span></span></pre></div>
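Review bot: the ChangeLog entry omits resources/frame-with-insecure-image-in-xslt-document.xml, which is in this changeset's file list, while its companion resources/transform-functions.xsl is listed. Add a line for it after the frame-with-insecure-image-in-javascript-url-iframe.html entry so the ChangeLog matches the files actually added.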
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentdataurliframeinmainframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads an insecure iframe using a data URL. We should *not* trigger a mixed content block because the data URL cannot be corrupted by an active network attacker.
+
+PASS did load data URL iframe.
+
</ins></span></pre></div>
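Review bot: this expectation depends on how frame load callbacks from more than one window interleave. Within the first thirteen lines, "main frame - didFinishDocumentLoadForFrame", "didHandleOnloadEventsForFrame" and "didFinishLoadForFrame" each appear twice for "main frame", apparently once for the test page and once for the window it opens. The pass signal is the "PASS did load data URL iframe." line, so consider dropping testRunner.dumpFrameLoadCallbacks() from the test to keep the result from depending on callback ordering across windows.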
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentdataurliframeinmainframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,30 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener(&quot;message&quot;, function (messageEvent) {
+    document.getElementById(&quot;console&quot;).textContent = messageEvent.data + &quot;\n&quot;;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test opens a window and loads an insecure iframe using a data URL.  We should *not*
+trigger a mixed content block because the data URL cannot be corrupted by an active network
+attacker.&lt;/p&gt;
+&lt;pre id=&quot;console&quot;&gt;&lt;/pre&gt;
+&lt;script&gt;
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
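Review bot: the message listener ends the test on the first message it receives from any sender and writes messageEvent.data straight into the console element, so a stray message from another window would finish the test early with the wrong text. Consider checking messageEvent.origin or the expected payload before calling testRunner.notifyDone(). The description also calls the data URL frame an "insecure iframe" while asserting it must not be blocked; "an iframe with a data URL" would read less ambiguously.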
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentduplicatedirectiveexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+CONSOLE MESSAGE: Ignoring duplicate Content-Security-Policy directive 'block-all-mixed-content'.
+
+This tests that we emit a console warning when block-all-mixed-content is listed more than once.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentduplicatedirectivehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content; block-all-mixed-content&quot;&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.dumpAsText();
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This tests that we emit a console warning when block-all-mixed-content is listed more than once.&lt;/p&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
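Review bot: this test asserts only the console warning for the repeated directive in the meta tag; it does not check that the first block-all-mixed-content is still enforced once the duplicate is ignored. An insecure subresource load on a page served over HTTPS with the same duplicated policy, here or in a companion test, would catch a regression where a duplicate causes the directive to be dropped entirely.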
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,30 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/style.css because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/style.css because 'block-all-mixed-content' appears in the Content Security Policy.
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure stylesheet. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+This background color should be white.
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
</ins></span></pre></div>
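Review bot: the "Blocked mixed content ... style.css" console message is expected twice in a row here, while only one violation is dumped for the frame and the report-only variant of this test expects the CSP message once. If the double message is a known artifact of the stylesheet load being checked twice, say so in the test description; otherwise this expectation locks in duplicate logging.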
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssiniframereportonlyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,32 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+CONSOLE MESSAGE: [Report Only] Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/style.css because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: line 9: [blocked] The page at https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php was not allowed to run insecure content from http://127.0.0.1:8000/security/mixedContent/resources/style.css.
+
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - willPerformClientRedirectToURL: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php 
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCancelClientRedirectForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure stylesheet. We should trigger a mixed content block even though the child frame has a report only CSP block-all-mixed-content directive because an active network attacker can use CSS3 to breach the confidentiality of the HTTPS security origin.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+CSP report received:
+CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8443
+HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
+REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
+=== POST DATA ===
+{&quot;csp-report&quot;:{&quot;document-uri&quot;:&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php&quot;,&quot;referrer&quot;:&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html&quot;,&quot;violated-directive&quot;:&quot;block-all-mixed-content&quot;,&quot;effective-directive&quot;:&quot;block-all-mixed-content&quot;,&quot;original-policy&quot;:&quot;block-all-mixed-content; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php&quot;,&quot;blocked-uri&quot;:&quot;http://127.0.0.1:8000&quot;,&quot;status-code&quot;:0}}
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssiniframereportonlyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure stylesheet.  We should trigger a
+mixed content block even though the child frame has a report only CSP block-all-mixed-content
+directive because an active network attacker can use CSS3 to breach the confidentiality of
+the HTTPS security origin.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
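Review bot: testRunner.waitUntilDone() in the head script has no matching testRunner.notifyDone() anywhere in this file, so the test can only finish if frame-with-insecure-css-report-only.php (or something it loads) signals completion. Add a one-line comment naming what calls notifyDone() so that a timeout here can be diagnosed. In the description paragraph, "report only" should be hyphenated as "report-only", and it would help to state which console message is expected, since the paragraph says the block happens despite the policy being report-only.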
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure stylesheet.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssinmainframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/style.css because 'block-all-mixed-content' appears in the Content Security Policy.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads an insecure stylesheet. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
</ins></span></pre></div>
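Review bot: The frame load callback lines mix two different windows (the opener and the window it opens) under the same label "main frame"; for example, didFinishLoadForFrame appears before didCommitLoadForFrame. The relative order of the two windows' callbacks is baked into the expectation, and nothing in the output says which window a line belongs to. Consider dropping testRunner.dumpFrameLoadCallbacks() from the window.open variants, or explain the interleaving in the test description.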
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurecssinmainframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener(&quot;message&quot;, function (messageEvent) {
+    document.getElementById(&quot;console&quot;).textContent = messageEvent.data + &quot;\n&quot;;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test opens a window and loads an insecure stylesheet.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;pre id=&quot;console&quot;&gt;&lt;/pre&gt;
+&lt;script&gt;
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
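Review bot: The message listener writes messageEvent.data into the console element and calls testRunner.notifyDone() for any message it receives, without checking messageEvent.origin or messageEvent.source. The opened window is served from https://127.0.0.1:8443, so compare messageEvent.origin against that origin before accepting the report; otherwise a stray message can end the test with the wrong output.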
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureiframeiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html because 'block-all-mixed-content' appears in the Content Security Policy.
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didFailProvisionalLoadWithError
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure iframe. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureiframeiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+
+    // FIXME: For some reason a SecurityPolicyViolation event is not dispatched in frame-with-insecure-iframe.html (why?).
+    // So, dump-securitypolicyviolation-and-notify-done.js loaded by frame-with-insecure-iframe.html will never call
+    // testRunner.notifyDone(). For now we do not call testRunner.waitUntilDone().
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure iframe.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
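Review bot: The FIXME in the head script records that no SecurityPolicyViolation event is dispatched for the blocked frame load, but it carries no bug reference, and insecure-iframe-in-iframe-expected.txt consequently has empty frame dumps with no violation fields. Link a tracking bug in the FIXME so the expectation is rebaselined once the event is dispatched. With waitUntilDone() omitted, the test also relies on the block being logged before the main frame finishes loading; say so in the comment.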
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureiframeinmainframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html because 'block-all-mixed-content' appears in the Content Security Policy.
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFailProvisionalLoadWithError
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads an insecure iframe. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureiframeinmainframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,37 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+
+    // FIXME: For some reason a SecurityPolicyViolation event is not dispatched in frame-with-insecure-iframe.html (why?).
+    // So, dump-securitypolicyviolation-and-notify-done.js loaded by frame-with-insecure-iframe.html will never call
+    // testRunner.notifyDone(). For now we do not call testRunner.waitUntilDone() and instead wait a fixed timeout :(
+    window.setTimeout(function () {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 500);
+}
+
+window.addEventListener(&quot;message&quot;, function (messageEvent) {
+    document.getElementById(&quot;console&quot;).textContent = messageEvent.data + &quot;\n&quot;;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test opens a window and loads an insecure iframe.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;pre id=&quot;console&quot;&gt;&lt;/pre&gt;
+&lt;script&gt;
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
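Review bot: The FIXME says "For now we do not call testRunner.waitUntilDone()", yet testRunner.waitUntilDone() is called just above it; correct the comment so that it describes only the fixed timeout. The 500 ms setTimeout is a flakiness risk on slow bots, the inner "if (window.testRunner)" is redundant inside the outer check, and notifyDone() can be called twice if a message arrives as well as the timer firing. The FIXME should also reference a bug.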
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinbloburliframeiniframeexpectedhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure image inside a blob URL iframe.
+A blob URL created in a secure context is considered secure.  We should trigger a mixed content
+block because the blob URL grandchild iframe inherited the CSP directive block-all-mixed-content
+from the child frame. This test PASSED if the grandchild iframe is filled solid green.
+Otherwise, it FAILED.&lt;/p&gt;
+&lt;iframe srcdoc=&quot;&lt;iframe srcdoc='&lt;style&gt;body { background: green }&lt;/style&gt;'&gt;&lt;/iframe&gt;&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinbloburliframeiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner)
+    testRunner.waitUntilDone();
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure image inside a blob URL iframe.
+A blob URL created in a secure context is considered secure.  We should trigger a mixed content
+block because the blob URL grandchild iframe inherited the CSP directive block-all-mixed-content
+from the child frame. This test PASSED if the grandchild iframe is filled solid green.
+Otherwise, it FAILED.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframewithenforcedandreportpoliciesexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,31 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+CONSOLE MESSAGE: The Content Security Policy 'block-all-mixed-content' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: [Report Only] Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image. We should trigger a mixed content block because the child frame has an CSP directive block-all-mixed-content in an enforced policy.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
</ins></span></pre></div>
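Review bot: The third line expects the warning that the report-only policy "does not specify a 'report-uri'; the policy will have no effect", but a few lines later the expectation also contains a "[Report Only] Blocked mixed content" message for the same image. Either the report-only policy has an effect or it does not; confirm which behaviour is intended and note it in the test description. The "[Report Only] Blocked" wording is also misleading, because a report-only policy does not block; here the enforced policy does.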
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframewithenforcedandreportpolicieshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure image.  We should trigger a
+mixed content block because the child frame has an CSP directive block-all-mixed-content
+in an enforced policy.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
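Review bot: Typo in the description paragraph: "an CSP directive" should read "a CSP directive". The same sentence is copied into insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt, so the expectation needs updating with it. The paragraph also says nothing about the report-only policy that the file name refers to; add a sentence stating what that policy is expected to do.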
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframewithinheritedpolicyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+CONSOLE MESSAGE: line 1: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html was not allowed to display insecure content from http://127.0.0.1:8080/security/resources/compass.jpg.
+
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image. We should trigger a mixed content block because the child frame inherited the CSP directive block-all-mixed-content from the main frame.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
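Review bot: The console message expected here is "[blocked] The page at ... was not allowed to display insecure content", not the "Blocked mixed content ... because 'block-all-mixed-content' appears in the Content Security Policy" message that the sibling expectations use, and no violation fields are dumped for the child frame. As written, the output does not show that the block was caused by the inherited directive. Add a comment to the test explaining why the message differs, or a check that ties the block to the inherited policy. The image is also requested from port 8080 while the other tests use 8000; note that in the test if it is intentional.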
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframewithinheritedpolicyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure image.  We should trigger a
+mixed content block because the child frame inherited the CSP directive block-all-mixed-content
+from the main frame.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure image.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinjavascripturliframeiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image inside a JavaScript URL iframe. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content and a JavaScript URL executes in the same origin as its embedding document.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;/&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
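Review bot: This expectation has no didHandleOnloadEventsForFrame line for either the child frame or the main frame, whereas insecure-iframe-in-iframe-expected.txt logs both before the didFinishLoadForFrame lines. Since the test does not call waitUntilDone(), please confirm that this sequence is deterministic and not a snapshot of a dump taken mid-load.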
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinjavascripturliframeiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+
+    // FIXME: For some reason a SecurityPolicyViolation event is not dispatched in frame-with-insecure-iframe.html (why?).
+    // So, dump-securitypolicyviolation-and-notify-done.js loaded by frame-with-insecure-iframe.html will never call
+    // testRunner.notifyDone(). For now we do not call testRunner.waitUntilDone().
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure image inside a JavaScript URL iframe.
+We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content
+and a JavaScript URL executes in the same origin as its embedding document.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
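Review bot: The FIXME in the script block names frame-with-insecure-iframe.html, but the iframe at the bottom of this file loads resources/frame-with-insecure-image-in-javascript-url-iframe.html, so the comment points the reader at the wrong resource. Correct the file name, and add a tracking bug reference to the FIXME. Because the test skips testRunner.waitUntilDone() while the SecurityPolicyViolation event is missing, it can only check the console message and never the violation report, and that gap should not be left as an open "(why?)".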
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinmainframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads an insecure image. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinmainframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener(&quot;message&quot;, function (messageEvent) {
+    document.getElementById(&quot;console&quot;).textContent = messageEvent.data + &quot;\n&quot;;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test opens a window and loads an insecure image.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;pre id=&quot;console&quot;&gt;&lt;/pre&gt;
+&lt;script&gt;
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
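Review bot: testRunner.dumpFrameLoadCallbacks() is used together with window.open(), so the opener and the opened window are both logged as "main frame". The expected result therefore pins the interleaving of two documents' load callbacks (it has didFinishLoadForFrame followed by didCommitLoadForFrame). That ordering is not what the test is about and cannot be attributed to either window when it changes. Consider dropping dumpFrameLoadCallbacks() from the main-frame variants and relying on the console message plus the posted violation report. Separately, the message listener takes messageEvent.data from any sender; checking messageEvent.source against the window returned by window.open() would keep an unrelated message from ending the test early.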
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinxsltdocumentiniframewithinheritedpolicyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+CONSOLE MESSAGE: line 2: [blocked] The page at https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml was not allowed to display insecure content from http://127.0.0.1:8000/security/resources/compass.jpg.
+
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image from an XSLT transformed document. We should trigger a mixed content block because the child frame inherited the CSP directive block-all-mixed-content from the main frame.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
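Review bot: The expected CONSOLE MESSAGE on line 5 of this file is the generic "[blocked] The page at ... was not allowed to display insecure content" text. The non-inherited tests in this directory instead expect "Blocked mixed content ... because 'block-all-mixed-content' appears in the Content Security Policy", and here no violation report fields follow the frame separator. Nothing in this output ties the block to the inherited directive, which is what the test description claims to verify. Either say in the description that the inherited case is enforced by the mixed content checker and logs this message, or add a check that fails when the parent's policy is removed.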
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureimageinxsltdocumentiniframewithinheritedpolicyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure image from an XSLT transformed document.
+We should trigger a mixed content block because the child frame inherited the CSP directive block-all-mixed-content
+from the main frame.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureplugininiframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/dummy.swf because 'block-all-mixed-content' appears in the Content Security Policy.
+This test loads a secure iframe that loads an insecure plugin. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureplugininiframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure plugin.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureplugininmainframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/dummy.swf because 'block-all-mixed-content' appears in the Content Security Policy.
+This test opens a window and loads an insecure plugin. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecureplugininmainframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,30 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true)
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener(&quot;message&quot;, function (messageEvent) {
+    document.getElementById(&quot;console&quot;).textContent = messageEvent.data + &quot;\n&quot;;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test opens a window and loads an insecure plugin.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;pre id=&quot;console&quot;&gt;&lt;/pre&gt;
+&lt;!-- FIXME: For some reason this test times out (why?). --&gt;
+&lt;script&gt;
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
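Review bot: The HTML comment before the final script block says this test times out, yet insecure-plugin-in-main-frame-expected.txt is checked in with a complete violation report, so the FIXME and the expected result disagree about what a run produces. State which of the two is current, and reference a tracking bug in the FIXME rather than leaving "(why?)". Minor style point in the same file: testRunner.setCloseRemainingWindowsWhenComplete(true) is missing its trailing semicolon, unlike the identical call in the image and script main-frame tests.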
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/script.js because 'block-all-mixed-content' appears in the Content Security Policy.
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure external script. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptiniframewithinheritedpolicyexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script.html was not allowed to run insecure content from http://127.0.0.1:8080/security/mixedContent/resources/script.js.
+
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure external script. We should trigger a mixed content block because the child frame inherited the CSP directive block-all-mixed-content from the main frame.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptiniframewithinheritedpolicyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure external script.  We should trigger a
+mixed content block because the child frame inherited the CSP directive block-all-mixed-content
+from the main frame.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
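Review bot: The iframe src points at security/mixedContent/resources/frame-with-insecure-script.html, not a resource under block-all-mixed-content/resources/, and this file never calls testRunner.waitUntilDone(). As a result the expected output holds only the generic "[blocked] ... was not allowed to run insecure content" console line and no violation report. With that output the test cannot distinguish a block caused by the inherited block-all-mixed-content directive from one made by the ordinary mixed content checker. Add a comment explaining why the generic resource is reused, and consider a companion check that shows the result changes when the meta policy on this page is absent.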
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure external script.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptinmainframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/script.js because 'block-all-mixed-content' appears in the Content Security Policy.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads an insecure external script. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurescriptinmainframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener(&quot;message&quot;, function (messageEvent) {
+    document.getElementById(&quot;console&quot;).textContent = messageEvent.data + &quot;\n&quot;;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test opens a window and loads an insecure external script.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;pre id=&quot;console&quot;&gt;&lt;/pre&gt;
+&lt;script&gt;
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrasynchronousiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks.
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads insecure data via asynchronous XHR. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous
+lineNumber: 30
+columnNumber: 9
+statusCode: 0
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrasynchronousiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads insecure data via asynchronous XHR.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrasynchronousinmainframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,24 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads insecure data via asynchronous XHR. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous
+lineNumber: 30
+columnNumber: 9
+statusCode: 0
+
+
</ins></span></pre></div>
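Review bot: the second CONSOLE MESSAGE line in this baseline (line 30: XMLHttpRequest cannot load ... due to access control checks) attributes the failure to access control, although the line before it shows the request was blocked as mixed content by block-all-mixed-content. The synchronous baselines in this change carry only the mixed content message. Please confirm the extra message is intended for the asynchronous path before it is locked into expected output, since someone reading the console would look for a CORS problem that is not there.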
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrasynchronousinmainframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener(&quot;message&quot;, function (messageEvent) {
+    document.getElementById(&quot;console&quot;).textContent = messageEvent.data + &quot;\n&quot;;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test opens a window and loads insecure data via asynchronous XHR.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;pre id=&quot;console&quot;&gt;&lt;/pre&gt;
+&lt;script&gt;
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
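Review bot: the message listener in the head script accepts a message from any sender, writes messageEvent.data into the console element and calls testRunner.notifyDone() without looking at messageEvent.origin. The only expected sender is the window opened on https://127.0.0.1:8443, so a check such as messageEvent.origin === "https://127.0.0.1:8443" before using the data would stop an unrelated message from ending the test early with the wrong output. The same listener is repeated verbatim in insecure-xhr-synchronous-in-main-frame.html; a shared helper under resources/ would keep the two in step.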
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrsynchronousiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi because 'block-all-mixed-content' appears in the Content Security Policy.
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads insecure data via synchronous XHR. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html
+lineNumber: 30
+columnNumber: 9
+statusCode: 0
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrsynchronousiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads insecure data via synchronous XHR.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html&quot; width=&quot;100%&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrsynchronousinmainframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi because 'block-all-mixed-content' appears in the Content Security Policy.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads insecure data via synchronous XHR. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html
+lineNumber: 30
+columnNumber: 9
+statusCode: 0
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentinsecurexhrsynchronousinmainframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,29 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener(&quot;message&quot;, function (messageEvent) {
+    document.getElementById(&quot;console&quot;).textContent = messageEvent.data + &quot;\n&quot;;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test opens a window and loads insecure data via synchronous XHR.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.&lt;/p&gt;
+&lt;pre id=&quot;console&quot;&gt;&lt;/pre&gt;
+&lt;script&gt;
+    window.open(&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html&quot;);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesdumpsecuritypolicyviolationandnotifydonejs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,67 @@
</span><ins>+var consoleElement; // Only used if !window.opener.
+var recordedSecurityPolicyViolation;
+var didFireLoad = false;
+
+function logMessage(message)
+{
+    console.assert(consoleElement);
+    consoleElement.appendChild(document.createTextNode(message + &quot;\n&quot;));
+}
+
+function securityPolicyViolationToString()
+{
+    let lines = [];
+    for (let key in recordedSecurityPolicyViolation)
+        lines.push(key + &quot;: &quot; + recordedSecurityPolicyViolation[key]);
+    lines.push(&quot;&quot;);
+    return lines.join(&quot;\n&quot;);
+}
+
+function checkNotify()
+{
+    if (!didFireLoad || !recordedSecurityPolicyViolation)
+        return;
+    if (window.opener) {
+        // window.opener is responsible for calling testRunner.notifyDone().
+        opener.postMessage(securityPolicyViolationToString(), &quot;*&quot;);
+    } else {
+        logMessage(securityPolicyViolationToString());
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+}
+
+function recordSecurityPolicyViolation(e)
+{
+    document.removeEventListener(&quot;securitypolicyviolation&quot;, recordSecurityPolicyViolation, false);
+
+    let keysToDump = [
+        &quot;documentURI&quot;,
+        &quot;referrer&quot;,
+        &quot;blockedURI&quot;,
+        &quot;violatedDirective&quot;,
+        &quot;effectiveDirective&quot;,
+        &quot;originalPolicy&quot;,
+        &quot;sourceFile&quot;,
+        &quot;lineNumber&quot;,
+        &quot;columnNumber&quot;,
+        &quot;statusCode&quot;,
+    ];
+    let result = { };
+    for (let key of keysToDump)
+        result[key] = e[key];
+    recordedSecurityPolicyViolation = result;
+    checkNotify();
+}
+
+document.addEventListener(&quot;securitypolicyviolation&quot;, recordSecurityPolicyViolation, false);
+
+window.onload = function ()
+{
+    if (!window.opener) {
+        consoleElement = document.createElement(&quot;pre&quot;);
+        document.body.appendChild(consoleElement);
+    }
+    didFireLoad = true;
+    checkNotify();
+}
</ins></span></pre></div>
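Review bot: recordSecurityPolicyViolation() removes its own listener as its first statement, so only the first securitypolicyviolation event is ever recorded and any later one is dropped silently. For a page such as frame-with-insecure-image-with-enforced-and-report-policies.php, which sends both an enforced and a report-only block-all-mixed-content header, the dump cannot show whether one event or two were dispatched. Consider collecting events into an array and dumping all of them, or at least adding a comment that first-event-only is deliberate. Separately, opener.postMessage(securityPolicyViolationToString(), "*") in checkNotify() could name the opener's origin instead of the wildcard.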
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesfailhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+&lt;p&gt;FAIL&lt;/p&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithdataurliframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script&gt;
+function frameLoaded() {
+    if (window.opener)
+        window.opener.postMessage(&quot;PASS did load data URL iframe.&quot;, &quot;*&quot;);
+}
+&lt;/script&gt;
+&lt;iframe onload=&quot;frameLoaded()&quot; src=&quot;data:text/html,This is a boring HTML document.&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecurecssreportonlyphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+&lt;?php
+    header(&quot;Content-Security-Policy-Report-Only: block-all-mixed-content; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php&quot;);
+?&gt;
+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;style&gt;
+body {
+    background-color: white;
+}
+&lt;/style&gt;
+&lt;link rel=&quot;stylesheet&quot; href=&quot;http://127.0.0.1:8000/security/mixedContent/resources/style.css&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+This background color should be white.
+&lt;script&gt;
+    window.location.href = &quot;/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php&quot;;
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecurecsshtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;script src=&quot;dump-securitypolicyviolation-and-notify-done.js&quot;&gt;&lt;/script&gt;
+&lt;style&gt;
+body {
+    background-color: white;
+}
+&lt;/style&gt;
+&lt;link rel=&quot;stylesheet&quot; href=&quot;http://127.0.0.1:8000/security/mixedContent/resources/style.css&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+This background color should be white.
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureiframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;script src=&quot;dump-securitypolicyviolation-and-notify-done.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;!-- FIXME: For some reason a SecurityPolicyViolation event is not dispatched (why?) when the child frame load is blocked. --&gt;
+&lt;iframe src=&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
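Review bot: the FIXME above the iframe says no SecurityPolicyViolation event is dispatched when the child frame load is blocked, but it gives no bug reference, and the page still includes dump-securitypolicyviolation-and-notify-done.js, whose checkNotify() returns early until an event has been recorded. Nothing else in this file calls testRunner.notifyDone(), so as far as these lines show the frame never reports completion on its own. Please link the tracking bug in the comment and either drop the script include or add an explicit completion path for this case.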
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimageandwithoutpolicyhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;dump-securitypolicyviolation-and-notify-done.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;img src=&quot;http://127.0.0.1:8000/security/resources/compass.jpg&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimageinbloburliframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,23 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;iframe id=&quot;iframe&quot;&gt;&lt;/iframe&gt;
+&lt;script&gt;
+var iframe = document.getElementById(&quot;iframe&quot;);
+var markup = [
+    &quot;&lt;style&gt;body { background: green }&lt;/style&gt;&quot;,
+    '&lt;img src=&quot;http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png&quot;&gt;',
+    '&lt;script&gt;',
+    'if (window.testRunner)',
+    '   testRunner.notifyDone();',
+    '&lt;/' + 'script&gt;',
+];
+
+var blob = new Blob([markup.join(&quot;\n&quot;)], { type: &quot;text/html&quot; });
+iframe.src = URL.createObjectURL(blob);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimageinjavascripturliframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,11 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;script src=&quot;dump-securitypolicyviolation-and-notify-done.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;!-- FIXME: For some reason a SecurityPolicyViolation event is not dispatched (why?) when the child frame load is blocked. --&gt;
+&lt;iframe src=&quot;javascript:document.write('&lt;img src=%22http://127.0.0.1:8000/security/resources/compass.jpg%22&gt;');&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
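Review bot: the FIXME comment here is copied from frame-with-insecure-iframe.html and speaks of the child frame load being blocked, but in this file the iframe source is a javascript: URL and the insecure resource is the image written by document.write(). The comment should describe the case actually under test (the image load inside the javascript: URL frame) and carry a bug reference, otherwise a later reader will look for a blocked frame navigation that this test does not perform.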
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimageinxsltdocumentxml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,6 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot;?&gt;
+&lt;?xml-stylesheet type=&quot;text/xsl&quot; href=&quot;transform-functions.xsl&quot;?&gt;
+&lt;doc&gt;
+&lt;image&gt;http://127.0.0.1:8000/security/resources/compass.jpg&lt;/image&gt;
+&lt;notifyDone /&gt;
+&lt;/doc&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimagewithenforcedandreportpoliciesphp"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+&lt;?php
+    header(&quot;Content-Security-Policy-Report-Only: block-all-mixed-content&quot;);
+    header(&quot;Content-Security-Policy: block-all-mixed-content&quot;);
+?&gt;
+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script src=&quot;dump-securitypolicyviolation-and-notify-done.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;img src=&quot;http://127.0.0.1:8000/security/resources/compass.jpg&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecureimagehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;script src=&quot;dump-securitypolicyviolation-and-notify-done.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;img src=&quot;http://127.0.0.1:8000/security/resources/compass.jpg&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecurepluginhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;script src=&quot;dump-securitypolicyviolation-and-notify-done.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;object name=&quot;plugin&quot; type=&quot;application/x-webkit-test-netscape&quot;&gt;
+    &lt;param name=&quot;movie&quot; value=&quot;http://127.0.0.1:8000/security/mixedContent/resources/dummy.swf&quot;&gt;
+&lt;/object&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecurescripthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;script src=&quot;dump-securitypolicyviolation-and-notify-done.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script src=&quot;http://127.0.0.1:8000/security/mixedContent/resources/script.js&quot;&gt;&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithinsecurexhrhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,33 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;block-all-mixed-content&quot;&gt;
+&lt;script src=&quot;dump-securitypolicyviolation-and-notify-done.js&quot;&gt;&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;script&gt;
+function done()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+var xhr = new XMLHttpRequest;
+xhr.onload = function () {
+    alert(&quot;FAIL: load was not blocked&quot;);
+    done()
+};
+
+window.setTimeout(done, 2000);
+
+try {
+    var isAsynchronous = document.location.search.startsWith(&quot;?asynchronous&quot;);
+    xhr.open(&quot;GET&quot;, &quot;http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi&quot;, isAsynchronous);
+} catch (ex) {
+    // Firefox raises an exception, which is one way to make this detectable.
+    done();
+}
+xhr.send(null);
+&lt;/script&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
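Review bot: In frame-with-insecure-xhr.html, xhr.send(null) sits outside the try block, so when xhr.open() throws, the catch handler calls done() and the script then calls send() on a request that was never opened. The 2000 ms setTimeout(done, 2000) also fires regardless, so done() can run twice. Move send() inside the try, clear the timer once done() has run, and consider an xhr.onerror handler so the blocked case is detected directly rather than by waiting out the timeout. The done() call inside onload is also missing its semicolon.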
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithsecureimageafterupgraderedirecthtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests; block-all-mixed-content&quot;&gt;
+&lt;script&gt;
+function writeResultAndNotifyDone(result)
+{
+    document.getElementById(&quot;result&quot;).textContent = result;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+function testPassed()
+{
+    writeResultAndNotifyDone(&quot;PASS did load image.&quot;);
+}
+
+function testFailed()
+{
+    writeResultAndNotifyDone(&quot;FAIL did not load image.&quot;);
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;img src=&quot;https://127.0.0.1:8443/resources/redirect.php?url=http://127.0.0.1:8443/security/resources/compass.jpg&quot; onload=&quot;testPassed()&quot; onerror=&quot;testFailed()&quot;&gt;
+&lt;pre id=&quot;result&quot;&gt;&lt;/pre&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesframewithsecureimageafterupgradehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;meta http-equiv=&quot;Content-Security-Policy&quot; content=&quot;upgrade-insecure-requests; block-all-mixed-content&quot;&gt;
+&lt;script&gt;
+function writeResultAndNotifyDone(result)
+{
+    document.getElementById(&quot;result&quot;).textContent = result;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+function testPassed()
+{
+    writeResultAndNotifyDone(&quot;PASS did load image.&quot;);
+}
+
+function testFailed()
+{
+    writeResultAndNotifyDone(&quot;FAIL did not load image.&quot;);
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;img src=&quot;http://127.0.0.1:8443/security/resources/compass.jpg&quot; onload=&quot;testPassed()&quot; onerror=&quot;testFailed()&quot;&gt;
+&lt;pre id=&quot;result&quot;&gt;&lt;/pre&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
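Review bot: writeResultAndNotifyDone(), testPassed() and testFailed() in frame-with-secure-image-after-upgrade.html are copied verbatim from frame-with-secure-image-after-upgrade-redirect.html; the two files differ only in the img src. Put the helpers in a shared script under resources/, the way dump-securitypolicyviolation-and-notify-done.js is shared by the other frames, so the PASS and FAIL strings cannot drift apart.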
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcesredsquarepng"></a>
<div class="binary"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png</h4>
<pre class="diff"><span>
<span class="cx">(Binary files differ)
</span></span></pre></div>
<span class="cx">Index: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png
</span><span class="cx">===================================================================
</span><del>--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png        2016-12-08 22:57:12 UTC (rev 209576)
</del><ins>+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png        2016-12-08 23:54:13 UTC (rev 209577)
</ins><span class="cx">Property changes on: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png
</span><span class="cx">___________________________________________________________________
</span><a id="svnmimetype"></a>
<div class="addfile"><h4>Added: svn:mime-type</h4></div>
<ins>+image/png
</ins><span class="cx">\ No newline at end of property
</span><a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentresourcestransformfunctionsxsl"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+&lt;?xml version=&quot;1.0&quot;?&gt;
+&lt;xsl:stylesheet version=&quot;1.0&quot;
+xmlns:xsl=&quot;http://www.w3.org/1999/XSL/Transform&quot;&gt;
+
+&lt;xsl:output method=&quot;html&quot; /&gt;
+
+&lt;xsl:template match=&quot;image&quot;&gt;
+    &lt;img src=&quot;{.}&quot; /&gt;
+&lt;/xsl:template&gt;
+
+&lt;xsl:template match=&quot;notifyDone&quot;&gt;
+    &lt;script&gt;
+    if (window.testRunner)
+        testRunner.notifyDone();
+    &lt;/script&gt;
+&lt;/xsl:template&gt;
+
+&lt;/xsl:stylesheet&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentsecureimageafterupgradeiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image. We should *not* trigger a mixed content block even though the child frame has CSP directive block-all-mixed-content because the insecure image is upgraded to a secure image as the child frame has CSP directive upgrade-insecure-requests.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
+PASS did load image.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentsecureimageafterupgradeiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure image.  We should *not* trigger a
+mixed content block even though the child frame has CSP directive block-all-mixed-content
+because the insecure image is upgraded to a secure image as the child frame has CSP directive
+upgrade-insecure-requests.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentsecureimageafterupgraderedirectiniframeexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didCommitLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishDocumentLoadForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame &quot;&lt;!--framePath //&lt;!--frame0--&gt;--&gt;&quot; - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image via a redirect. We should *not* trigger a mixed content block even though the child frame has CSP directive block-all-mixed-content because the redirected insecure image is upgraded to a secure image as the child frame has CSP directive upgrade-insecure-requests.
+
+
+
+--------
+Frame: '&lt;!--framePath //&lt;!--frame0--&gt;--&gt;'
+--------
+
+PASS did load image.
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyblockallmixedcontentsecureimageafterupgraderedirectiniframehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html (0 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html                                (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;p&gt;This test loads a secure iframe that loads an insecure image via a redirect.  We should *not* trigger
+a mixed content block even though the child frame has CSP directive block-all-mixed-content because the
+redirected insecure image is upgraded to a secure image as the child frame has CSP directive upgrade-insecure-requests.&lt;/p&gt;
+&lt;iframe src=&quot;https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html&quot; height=&quot;300&quot;&gt;&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
<a id="trunkLayoutTestsplatformiossimulatorTestExpectations"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/platform/ios-simulator/TestExpectations (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/platform/ios-simulator/TestExpectations        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/LayoutTests/platform/ios-simulator/TestExpectations        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -123,6 +123,8 @@
</span><span class="cx"> http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html
</span><span class="cx"> http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html
</span><span class="cx"> http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html
</span><ins>+http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html
+http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html
</ins><span class="cx"> 
</span><span class="cx"> # Pointer-lock not supported on iOS
</span><span class="cx"> pointer-lock
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/ChangeLog        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -1,3 +1,95 @@
</span><ins>+2016-12-08  Daniel Bates  &lt;dabates@apple.com&gt;
+
+        Implement Strict Mixed Content Checking
+        https://bugs.webkit.org/show_bug.cgi?id=165438
+        &lt;rdar://problem/26103867&gt;
+
+        Reviewed by Brent Fulgham and Andy Estes.
+
+        Add support for the CSP directive block-all-mixed-content to enable strict mixed content checking
+        as per &lt;https://www.w3.org/TR/2016/CR-mixed-content-20160802/#strict-checking&gt; (2 August 2016).
+
+        Currently WebKit only blocks blockable content as such content can contaminate the security origin
+        that loaded it. Optionally-blockable content, including images, would be allowed to load as mixed
+        content. When strict mixed content checking is enabled all mixed content is blocked. That is, both
+        blockable and optionally-blockable content will be blocked. A web site can opt into strict mixed
+        content checking by adding the directive block-all-mixed-content to their content security policy.
+
+        Tests: http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::initSecurityContext): Inherit strict mixed content checking mode from parent document.
+        * dom/SecurityContext.h:
+        (WebCore::SecurityContext::isStrictMixedContentMode): Added.
+        (WebCore::SecurityContext::setStrictMixedContentMode): Added.
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::willSendRequest): Check mixed content policy with respect to the current frame.
+        The document in the current frame may have opted into strict mixed content checking or inherited it from
+        its parent document.
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::begin): Inherit the strict mixed content checking mode from the owner document
+        when loading a JavaScript URL in a frame (e.g. &lt;iframe src=&quot;javascript:...&quot;&gt;) because such URLs inherit
+        the security origin of their parent document.
+        * loader/MixedContentChecker.cpp:
+        (WebCore::MixedContentChecker::canDisplayInsecureContent): Check the content security policy of the document
+        and the strict mixed content checking mode bit on the document (in that order) to determine if we are in
+        strict mode. Block display of insecure content when in strict mode. Modified to take enum AlwaysDisplayInNonStrictMode (defaults
+        to AlwaysDisplayInNonStrictMode::No) as to whether to allow our current relaxed behavior of displaying insecure
+        content in non-strict mode.
+        (WebCore::MixedContentChecker::canRunInsecureContent): Check the content security policy of the document
+        and the strict mixed content checking mode bit on the document (in that order) to determine if we are in
+        strict mode. Block running of insecure content when in strict mode.
+        * loader/MixedContentChecker.h:
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::checkInsecureContent): Always check mixed content policy with respect to
+        the current frame. The document in the current frame may have opted into strict mixed content checking or
+        inherited it from its parent document. Also renamed a local variable f to frame to better describe its
+        purpose.
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent): Added. Iterate through all the
+        policies and report violations with respect to policies that have directive block-all-mixed-content.
+        (WebCore::ContentSecurityPolicy::didReceiveHeader): Move logic to set eval() error message from here...
+        (WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): ...to here so that we only perform
+        it once we are ready to apply the CSP policy to the script execution context. Additionally, enable
+        strict mixed content checking on the script execution context if applicable.
+        (WebCore::ContentSecurityPolicy::reportViolation): Added overrides that take a string and a directive list
+        object (ContentSecurityPolicyDirectiveList) for the effective violated directive and its associated directive
+        list, respectively. We make use of these overrides so as to support reporting block-all-mixed-content
+        violations, which are not implemented using a ContentSecurityPolicyDirective object as it seemed sufficient
+        to implement it as a boolean on ContentSecurityPolicyDirectiveList.
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::setBlockAllMixedContentEnabled): Added.
+        (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Parse the directive block-all-mixed-content.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        (WebCore::ContentSecurityPolicyDirectiveList::hasBlockAllMixedContentDirective): Added.
+        * page/csp/ContentSecurityPolicyDirectiveNames.cpp:
+        * page/csp/ContentSecurityPolicyDirectiveNames.h: Add constant for &quot;block-all-mixed-content&quot;.
+
</ins><span class="cx"> 2016-12-08  Sam Weinig  &lt;sam@webkit.org&gt;
</span><span class="cx"> 
</span><span class="cx">         [WebIDL] Remove custom bindings for Geolocation
</span></span></pre></div>
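Review bot: The ContentSecurityPolicy::reportViolation entry says "Added overrides that take a string and a directive list object"; these are additional signatures of the same function, so "overloads" is the accurate term. The MixedContentChecker::canDisplayInsecureContent entry should also say which call site passes AlwaysDisplayInNonStrictMode::Yes and why, since that value makes the function return true before the settings and geolocation checks.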
<a id="trunkSourceWebCoredomDocumentcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/Document.cpp (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/Document.cpp        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/dom/Document.cpp        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -5161,6 +5161,8 @@
</span><span class="cx">         m_isSrcdocDocument = true;
</span><span class="cx">         setBaseURLOverride(parentDocument-&gt;baseURL());
</span><span class="cx">     }
</span><ins>+    if (parentDocument)
+        setStrictMixedContentMode(parentDocument-&gt;isStrictMixedContentMode());
</ins><span class="cx"> 
</span><span class="cx">     if (!shouldInheritSecurityOriginFromOwner(m_url))
</span><span class="cx">         return;
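Review bot: The new "if (parentDocument)" block has no comment saying why strict mode is inherited before the shouldInheritSecurityOriginFromOwner(m_url) early return, that is, for every framed document regardless of origin. The upgrade-insecure-requests inheritance further down cites its spec in a comment; add the equivalent here, pointing at the strict-checking section of the Mixed Content spec referenced in the ChangeLog.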
</span><span class="lines">@@ -5178,7 +5180,7 @@
</span><span class="cx">         didFailToInitializeSecurityOrigin();
</span><span class="cx">         return;
</span><span class="cx">     }
</span><del>-    
</del><ins>+
</ins><span class="cx">     Document* openerDocument = openerFrame ? openerFrame-&gt;document() : nullptr;
</span><span class="cx"> 
</span><span class="cx">     // Per &lt;http://www.w3.org/TR/upgrade-insecure-requests/&gt;, new browsing contexts must inherit from an
</span></span></pre></div>
<a id="trunkSourceWebCoredomSecurityContexth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/dom/SecurityContext.h (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/dom/SecurityContext.h        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/dom/SecurityContext.h        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -81,6 +81,9 @@
</span><span class="cx">     bool geolocationAccessed() const { return m_geolocationAccessed; }
</span><span class="cx">     void setGeolocationAccessed() { m_geolocationAccessed = true; }
</span><span class="cx"> 
</span><ins>+    bool isStrictMixedContentMode() const { return m_isStrictMixedContentMode; }
+    void setStrictMixedContentMode(bool strictMixedContentMode) { m_isStrictMixedContentMode = strictMixedContentMode; }
+
</ins><span class="cx"> protected:
</span><span class="cx">     SecurityContext();
</span><span class="cx">     virtual ~SecurityContext();
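Review bot: setStrictMixedContentMode(bool) accepts false, and the call sites added in Document.cpp and DocumentWriter.cpp pass the parent's or owner's value unconditionally, so any call made after a document has opted in would clear the flag. Strict mode should only ever be strengthened; consider a one-way setter with no argument, or have the callers set it only when the inherited value is true.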
</span><span class="lines">@@ -97,6 +100,7 @@
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicy&gt; m_contentSecurityPolicy;
</span><span class="cx">     bool m_foundMixedContent { false };
</span><span class="cx">     bool m_geolocationAccessed { false };
</span><ins>+    bool m_isStrictMixedContentMode { false };
</ins><span class="cx"> };
</span><span class="cx"> 
</span><span class="cx"> } // namespace WebCore
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentLoader.cpp        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -565,6 +565,10 @@
</span><span class="cx">         newRequest.setCachePolicy(ReloadIgnoringCacheData);
</span><span class="cx"> 
</span><span class="cx">     if (&amp;topFrame != m_frame) {
</span><ins>+        if (!m_frame-&gt;loader().mixedContentChecker().canDisplayInsecureContent(m_frame-&gt;document()-&gt;securityOrigin(), MixedContentChecker::ContentType::Active, newRequest.url(), MixedContentChecker::AlwaysDisplayInNonStrictMode::Yes)) {
+            cancelMainResourceLoad(frameLoader()-&gt;cancelledError(newRequest));
+            return;
+        }
</ins><span class="cx">         if (!frameLoader()-&gt;mixedContentChecker().canDisplayInsecureContent(topFrame.document()-&gt;securityOrigin(), MixedContentChecker::ContentType::Active, newRequest.url())) {
</span><span class="cx">             cancelMainResourceLoad(frameLoader()-&gt;cancelledError(newRequest));
</span><span class="cx">             return;
</span></span></pre></div>
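Review bot: The added check reaches the checker through m_frame-&gt;loader().mixedContentChecker() while the existing check directly below uses frameLoader()-&gt;mixedContentChecker(); pick one form so it is obvious both go through the same loader. The cancelMainResourceLoad(...); return; body is now duplicated, and the combination of ContentType::Active with AlwaysDisplayInNonStrictMode::Yes needs a comment stating that this first call exists only to enforce the current frame's strict mode and defers the non-strict decision to the top-frame check that follows.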
<a id="trunkSourceWebCoreloaderDocumentWritercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentWriter.cpp (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentWriter.cpp        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/loader/DocumentWriter.cpp        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -174,6 +174,7 @@
</span><span class="cx">     if (ownerDocument) {
</span><span class="cx">         document-&gt;setCookieURL(ownerDocument-&gt;cookieURL());
</span><span class="cx">         document-&gt;setSecurityOriginPolicy(ownerDocument-&gt;securityOriginPolicy());
</span><ins>+        document-&gt;setStrictMixedContentMode(ownerDocument-&gt;isStrictMixedContentMode());
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     m_frame-&gt;loader().didBeginDocument(dispatch);
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderMixedContentCheckercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/MixedContentChecker.cpp (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/MixedContentChecker.cpp        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/loader/MixedContentChecker.cpp        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -29,6 +29,7 @@
</span><span class="cx"> #include &quot;config.h&quot;
</span><span class="cx"> #include &quot;MixedContentChecker.h&quot;
</span><span class="cx"> 
</span><ins>+#include &quot;ContentSecurityPolicy.h&quot;
</ins><span class="cx"> #include &quot;Document.h&quot;
</span><span class="cx"> #include &quot;Frame.h&quot;
</span><span class="cx"> #include &quot;FrameLoader.h&quot;
</span><span class="lines">@@ -60,12 +61,19 @@
</span><span class="cx">     return !SecurityOrigin::isSecure(url);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrigin, ContentType type, const URL&amp; url) const
</del><ins>+bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrigin, ContentType type, const URL&amp; url, AlwaysDisplayInNonStrictMode alwaysDisplayInNonStrictMode) const
</ins><span class="cx"> {
</span><span class="cx">     if (!isMixedContent(securityOrigin, url))
</span><span class="cx">         return true;
</span><span class="cx"> 
</span><del>-    bool allowed = (m_frame.settings().allowDisplayOfInsecureContent() || type == ContentType::ActiveCanWarn) &amp;&amp; !m_frame.document()-&gt;geolocationAccessed();
</del><ins>+    if (!m_frame.document()-&gt;contentSecurityPolicy()-&gt;allowRunningOrDisplayingInsecureContent(url))
+        return false;
+
+    bool isStrictMode = m_frame.document()-&gt;isStrictMixedContentMode();
+    if (!isStrictMode &amp;&amp; alwaysDisplayInNonStrictMode == AlwaysDisplayInNonStrictMode::Yes)
+        return true;
+
+    bool allowed = !isStrictMode &amp;&amp; (m_frame.settings().allowDisplayOfInsecureContent() || type == ContentType::ActiveCanWarn) &amp;&amp; !m_frame.document()-&gt;geolocationAccessed();
</ins><span class="cx">     logWarning(allowed, &quot;display&quot;, url);
</span><span class="cx"> 
</span><span class="cx">     if (allowed) {
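Review bot: In canDisplayInsecureContent, the early "return true" for AlwaysDisplayInNonStrictMode::Yes happens before the allowed expression, so it skips the allowDisplayOfInsecureContent() setting, the geolocationAccessed() restriction and the logWarning(allowed, "display", url) call. If that is intended because the caller runs a second check, say so in a comment here; otherwise keep the geolocationAccessed() test ahead of the early return. Once the early returns are in place the "!isStrictMode" term still reads correctly, but the two CSP "return false" paths also bypass logWarning, so a strict-mode block is only visible through the CSP violation report.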
</span><span class="lines">@@ -81,7 +89,10 @@
</span><span class="cx">     if (!isMixedContent(securityOrigin, url))
</span><span class="cx">         return true;
</span><span class="cx"> 
</span><del>-    bool allowed = m_frame.settings().allowRunningOfInsecureContent() &amp;&amp; !m_frame.document()-&gt;geolocationAccessed();
</del><ins>+    if (!m_frame.document()-&gt;contentSecurityPolicy()-&gt;allowRunningOrDisplayingInsecureContent(url))
+        return false;
+
+    bool allowed = !m_frame.document()-&gt;isStrictMixedContentMode() &amp;&amp; m_frame.settings().allowRunningOfInsecureContent() &amp;&amp; !m_frame.document()-&gt;geolocationAccessed();
</ins><span class="cx">     logWarning(allowed, &quot;run&quot;, url);
</span><span class="cx"> 
</span><span class="cx">     if (allowed) {
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderMixedContentCheckerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/MixedContentChecker.h (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/MixedContentChecker.h        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/loader/MixedContentChecker.h        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -50,7 +50,12 @@
</span><span class="cx"> 
</span><span class="cx">     MixedContentChecker(Frame&amp;);
</span><span class="cx"> 
</span><del>-    bool canDisplayInsecureContent(SecurityOrigin*, ContentType, const URL&amp;) const;
</del><ins>+    enum class AlwaysDisplayInNonStrictMode {
+        No,
+        Yes,
+    };
+
+    bool canDisplayInsecureContent(SecurityOrigin*, ContentType, const URL&amp;, AlwaysDisplayInNonStrictMode = AlwaysDisplayInNonStrictMode::No) const;
</ins><span class="cx">     bool canRunInsecureContent(SecurityOrigin*, const URL&amp;) const;
</span><span class="cx">     void checkFormForMixedContent(SecurityOrigin*, const URL&amp;) const;
</span><span class="cx">     static bool isMixedContent(SecurityOrigin*, const URL&amp;);
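Review bot: AlwaysDisplayInNonStrictMode is declared without a comment, and Yes makes canDisplayInsecureContent return true without consulting settings, so the declaration should state which callers may pass it. The default of No keeps existing call sites unchanged; a one-line comment above the enum is enough.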
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -344,11 +344,11 @@
</span><span class="cx">     case CachedResource::CSSStyleSheet:
</span><span class="cx">         // These resource can inject script into the current document (Script,
</span><span class="cx">         // XSL) or exfiltrate the content of the current document (CSS).
</span><del>-        if (Frame* f = frame()) {
-            if (!f-&gt;loader().mixedContentChecker().canRunInsecureContent(m_document-&gt;securityOrigin(), url))
</del><ins>+        if (Frame* frame = this-&gt;frame()) {
+            if (!frame-&gt;loader().mixedContentChecker().canRunInsecureContent(m_document-&gt;securityOrigin(), url))
</ins><span class="cx">                 return false;
</span><del>-            Frame&amp; top = f-&gt;tree().top();
-            if (&amp;top != f &amp;&amp; !top.loader().mixedContentChecker().canRunInsecureContent(top.document()-&gt;securityOrigin(), url))
</del><ins>+            Frame&amp; top = frame-&gt;tree().top();
+            if (&amp;top != frame &amp;&amp; !top.loader().mixedContentChecker().canRunInsecureContent(top.document()-&gt;securityOrigin(), url))
</ins><span class="cx">                 return false;
</span><span class="cx">         }
</span><span class="cx">         break;
</span><span class="lines">@@ -363,8 +363,10 @@
</span><span class="cx"> #endif
</span><span class="cx">     case CachedResource::FontResource: {
</span><span class="cx">         // These resources can corrupt only the frame's pixels.
</span><del>-        if (Frame* f = frame()) {
-            Frame&amp; topFrame = f-&gt;tree().top();
</del><ins>+        if (Frame* frame = this-&gt;frame()) {
+            if (!frame-&gt;loader().mixedContentChecker().canDisplayInsecureContent(m_document-&gt;securityOrigin(), contentTypeFromResourceType(type), url, MixedContentChecker::AlwaysDisplayInNonStrictMode::Yes))
+                return false;
+            Frame&amp; topFrame = frame-&gt;tree().top();
</ins><span class="cx">             if (!topFrame.loader().mixedContentChecker().canDisplayInsecureContent(topFrame.document()-&gt;securityOrigin(), contentTypeFromResourceType(type), url))
</span><span class="cx">                 return false;
</span><span class="cx">         }
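Review bot: In the FontResource case the new frame check is followed unconditionally by the top-frame check, so when frame is the top frame canDisplayInsecureContent runs twice on the same document and a block-all-mixed-content violation is reported twice. The script case in the previous hunk guards its second call with &amp;top != frame; the same guard on topFrame would avoid the duplicate report. A comment on why only the first call passes AlwaysDisplayInNonStrictMode::Yes would also help.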
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -123,6 +123,31 @@
</span><span class="cx">     m_insecureNavigationRequestsToUpgrade.add(other.m_insecureNavigationRequestsToUpgrade.begin(), other.m_insecureNavigationRequestsToUpgrade.end());
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+bool ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent(const URL&amp; url)
+{
+    bool allow = true;
+    bool isReportOnly = false;
+    for (auto&amp; policy : m_policies) {
+        if (!policy-&gt;hasBlockAllMixedContentDirective())
+            continue;
+
+        isReportOnly = policy-&gt;isReportOnly();
+
+        StringBuilder consoleMessage;
+        if (isReportOnly)
+            consoleMessage.appendLiteral(&quot;[Report Only] &quot;);
+        consoleMessage.append(&quot;Blocked mixed content &quot;);
+        consoleMessage.append(url.stringCenterEllipsizedToLength());
+        consoleMessage.appendLiteral(&quot; because &quot;);
+        consoleMessage.append(&quot;'block-all-mixed-content' appears in the Content Security Policy.&quot;);
+        reportViolation(ContentSecurityPolicyDirectiveNames::blockAllMixedContent, ContentSecurityPolicyDirectiveNames::blockAllMixedContent, *policy, url, consoleMessage.toString());
+
+        if (!isReportOnly)
+            allow = false;
+    }
+    return allow;
+}
+
</ins><span class="cx"> void ContentSecurityPolicy::didCreateWindowShell(JSDOMWindowShell&amp; windowShell) const
</span><span class="cx"> {
</span><span class="cx">     JSDOMWindow* window = windowShell.window();
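Review bot: isReportOnly in allowRunningOrDisplayingInsecureContent is declared outside the loop but is only read in the iteration that assigns it; declare it inside the loop body so its scope matches its use. The message building also mixes append() and appendLiteral() for string literals; pick one form.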
</span><span class="lines">@@ -166,13 +191,8 @@
</span><span class="cx"> 
</span><span class="cx">         // header1,header2 OR header1
</span><span class="cx">         //        ^                  ^
</span><del>-        std::unique_ptr&lt;ContentSecurityPolicyDirectiveList&gt; policy = ContentSecurityPolicyDirectiveList::create(*this, String(begin, position - begin), type, policyFrom);
-        const ContentSecurityPolicyDirective* violatedDirective = policy-&gt;violatedDirectiveForUnsafeEval();
-        if (violatedDirective &amp;&amp; !violatedDirective-&gt;directiveList().isReportOnly())
-            m_lastPolicyEvalDisabledErrorMessage = policy-&gt;evalDisabledErrorMessage();
</del><ins>+        m_policies.append(ContentSecurityPolicyDirectiveList::create(*this, String(begin, position - begin), type, policyFrom));
</ins><span class="cx"> 
</span><del>-        m_policies.append(policy.release());
-
</del><span class="cx">         // Skip the comma, and begin the next header from the current position.
</span><span class="cx">         ASSERT(position == end || *position == ',');
</span><span class="cx">         skipExactly&lt;UChar&gt;(position, end, ',');
</span><span class="lines">@@ -199,10 +219,21 @@
</span><span class="cx">     ASSERT(m_scriptExecutionContext-&gt;securityOrigin());
</span><span class="cx">     updateSourceSelf(*m_scriptExecutionContext-&gt;securityOrigin());
</span><span class="cx"> 
</span><ins>+    bool enableStrictMixedContentMode = false;
+    for (auto&amp; policy : m_policies) {
+        const ContentSecurityPolicyDirective* violatedDirective = policy-&gt;violatedDirectiveForUnsafeEval();
+        if (violatedDirective &amp;&amp; !violatedDirective-&gt;directiveList().isReportOnly())
+            m_lastPolicyEvalDisabledErrorMessage = policy-&gt;evalDisabledErrorMessage();
+        if (policy-&gt;hasBlockAllMixedContentDirective() &amp;&amp; !policy-&gt;isReportOnly())
+            enableStrictMixedContentMode = true;
+    }
+
</ins><span class="cx">     if (!m_lastPolicyEvalDisabledErrorMessage.isNull())
</span><span class="cx">         m_scriptExecutionContext-&gt;disableEval(m_lastPolicyEvalDisabledErrorMessage);
</span><span class="cx">     if (m_sandboxFlags != SandboxNone &amp;&amp; is&lt;Document&gt;(m_scriptExecutionContext))
</span><span class="cx">         m_scriptExecutionContext-&gt;enforceSandboxFlags(m_sandboxFlags);
</span><ins>+    if (enableStrictMixedContentMode)
+        m_scriptExecutionContext-&gt;setStrictMixedContentMode(true);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value)
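Review bot: m_lastPolicyEvalDisabledErrorMessage is now assigned only in this loop instead of when each header is parsed, so any caller that reads it after parsing but before this function runs would see a null message; please confirm no such caller exists. Strict mode is also only ever switched on here via setStrictMixedContentMode(true), so a comment that it is deliberately never cleared would be useful.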
</span><span class="lines">@@ -569,11 +600,22 @@
</span><span class="cx"> void ContentSecurityPolicy::reportViolation(const String&amp; violatedDirective, const ContentSecurityPolicyDirective&amp; effectiveViolatedDirective, const URL&amp; blockedURL, const String&amp; consoleMessage, JSC::ExecState* state) const
</span><span class="cx"> {
</span><span class="cx">     // FIXME: Extract source file and source position from JSC::ExecState.
</span><del>-    return reportViolation(violatedDirective, effectiveViolatedDirective, blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
</del><ins>+    return reportViolation(violatedDirective, effectiveViolatedDirective.text(), effectiveViolatedDirective.directiveList(), blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void ContentSecurityPolicy::reportViolation(const String&amp; effectiveViolatedDirective, const String&amp; violatedDirective, const ContentSecurityPolicyDirectiveList&amp; violatedDirectiveList, const URL&amp; blockedURL, const String&amp; consoleMessage, JSC::ExecState* state) const
+{
+    // FIXME: Extract source file and source position from JSC::ExecState.
+    return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
+}
+
</ins><span class="cx"> void ContentSecurityPolicy::reportViolation(const String&amp; effectiveViolatedDirective, const ContentSecurityPolicyDirective&amp; violatedDirective, const URL&amp; blockedURL, const String&amp; consoleMessage, const String&amp; sourceURL, const TextPosition&amp; sourcePosition, JSC::ExecState* state) const
</span><span class="cx"> {
</span><ins>+    return reportViolation(effectiveViolatedDirective, violatedDirective.text(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state);
+}
+
+void ContentSecurityPolicy::reportViolation(const String&amp; effectiveViolatedDirective, const String&amp; violatedDirective, const ContentSecurityPolicyDirectiveList&amp; violatedDirectiveList, const URL&amp; blockedURL, const String&amp; consoleMessage, const String&amp; sourceURL, const TextPosition&amp; sourcePosition, JSC::ExecState* state) const
+{
</ins><span class="cx">     logToConsole(consoleMessage, sourceURL, sourcePosition.m_line, state);
</span><span class="cx"> 
</span><span class="cx">     if (!m_isReportingEnabled)
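Review bot: The parameter names on the first reportViolation definition (the unchanged line at the top of this hunk) are still violatedDirective, effectiveViolatedDirective, the reverse of the updated header declaration and of the other overloads, so the forwarding call reads as if its arguments were swapped. Rename them to effectiveViolatedDirective, violatedDirective to match. The FIXME about JSC::ExecState is now duplicated in two overloads and could live in one place.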
</span><span class="lines">@@ -602,8 +644,8 @@
</span><span class="cx">         documentURI = blockedURL;
</span><span class="cx">         blockedURI = blockedURL;
</span><span class="cx">     }
</span><del>-    String violatedDirectiveText = violatedDirective.text();
-    String originalPolicy = violatedDirective.directiveList().header();
</del><ins>+    String violatedDirectiveText = violatedDirective;
+    String originalPolicy = violatedDirectiveList.header();
</ins><span class="cx">     String referrer = document.referrer();
</span><span class="cx">     ASSERT(document.loader());
</span><span class="cx">     unsigned short statusCode = document.url().protocolIs(&quot;http&quot;) &amp;&amp; document.loader() ? document.loader()-&gt;response().httpStatusCode() : 0;
</span><span class="lines">@@ -625,7 +667,7 @@
</span><span class="cx">     document.enqueueDocumentEvent(SecurityPolicyViolationEvent::create(eventNames().securitypolicyviolationEvent, canBubble, cancelable, documentURI, referrer, blockedURI, violatedDirectiveText, effectiveViolatedDirective, originalPolicy, sourceFile, statusCode, lineNumber, columnNumber));
</span><span class="cx"> 
</span><span class="cx">     // 2. Send violation report (if applicable).
</span><del>-    const Vector&lt;String&gt;&amp; reportURIs = violatedDirective.directiveList().reportURIs();
</del><ins>+    const Vector&lt;String&gt;&amp; reportURIs = violatedDirectiveList.reportURIs();
</ins><span class="cx">     if (reportURIs.isEmpty())
</span><span class="cx">         return;
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -118,6 +118,8 @@
</span><span class="cx"> 
</span><span class="cx">     bool experimentalFeaturesEnabled() const;
</span><span class="cx"> 
</span><ins>+    bool allowRunningOrDisplayingInsecureContent(const URL&amp;);
+
</ins><span class="cx">     // The following functions are used by internal data structures to call back into this object when parsing, validating,
</span><span class="cx">     // and applying a Content Security Policy.
</span><span class="cx">     // FIXME: We should make the various directives serve only as state stores for the parsed policy and remove these functions.
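Review bot: allowRunningOrDisplayingInsecureContent is declared non-const although its definition only iterates m_policies and calls reportViolation, which is const; declare it const like experimentalFeaturesEnabled() above. A comment that it reports a violation as a side effect would also help callers.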
</span><span class="lines">@@ -193,8 +195,10 @@
</span><span class="cx">     using HashInEnforcedAndReportOnlyPoliciesPair = std::pair&lt;bool, bool&gt;;
</span><span class="cx">     template&lt;typename Predicate&gt; HashInEnforcedAndReportOnlyPoliciesPair findHashOfContentInPolicies(Predicate&amp;&amp;, const String&amp; content, OptionSet&lt;ContentSecurityPolicyHashAlgorithm&gt;) const WARN_UNUSED_RETURN;
</span><span class="cx"> 
</span><del>-    void reportViolation(const String&amp; violatedDirective, const ContentSecurityPolicyDirective&amp; effectiveViolatedDirective, const URL&amp; blockedURL, const String&amp; consoleMessage, JSC::ExecState*) const;
-    void reportViolation(const String&amp; violatedDirective, const ContentSecurityPolicyDirective&amp; effectiveViolatedDirective, const URL&amp; blockedURL, const String&amp; consoleMessage, const String&amp; sourceURL, const TextPosition&amp; sourcePosition, JSC::ExecState* = nullptr) const;
</del><ins>+    void reportViolation(const String&amp; effectiveViolatedDirective, const ContentSecurityPolicyDirective&amp; violatedDirective, const URL&amp; blockedURL, const String&amp; consoleMessage, JSC::ExecState*) const;
+    void reportViolation(const String&amp; effectiveViolatedDirective, const String&amp; violatedDirective, const ContentSecurityPolicyDirectiveList&amp;, const URL&amp; blockedURL, const String&amp; consoleMessage, JSC::ExecState* = nullptr) const;
+    void reportViolation(const String&amp; effectiveViolatedDirective, const ContentSecurityPolicyDirective&amp; violatedDirective, const URL&amp; blockedURL, const String&amp; consoleMessage, const String&amp; sourceURL, const TextPosition&amp; sourcePosition, JSC::ExecState* = nullptr) const;
+    void reportViolation(const String&amp; effectiveViolatedDirective, const String&amp; violatedDirective, const ContentSecurityPolicyDirectiveList&amp; violatedDirectiveList, const URL&amp; blockedURL, const String&amp; consoleMessage, const String&amp; sourceURL, const TextPosition&amp; sourcePosition, JSC::ExecState*) const;
</ins><span class="cx">     void reportBlockedScriptExecutionToInspector(const String&amp; directiveText) const;
</span><span class="cx"> 
</span><span class="cx">     // We can never have both a script execution context and a frame.
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -446,6 +446,15 @@
</span><span class="cx">     m_policy.setUpgradeInsecureRequests(true);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void ContentSecurityPolicyDirectiveList::setBlockAllMixedContentEnabled(const String&amp; name)
+{
+    if (m_hasBlockAllMixedContentDirective) {
+        m_policy.reportDuplicateDirective(name);
+        return;
+    }
+    m_hasBlockAllMixedContentDirective = true;
+}
+
</ins><span class="cx"> void ContentSecurityPolicyDirectiveList::addDirective(const String&amp; name, const String&amp; value)
</span><span class="cx"> {
</span><span class="cx">     ASSERT(!name.isEmpty());
</span><span class="lines">@@ -494,6 +503,8 @@
</span><span class="cx">         parseReportURI(name, value);
</span><span class="cx">     else if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::upgradeInsecureRequests))
</span><span class="cx">         setUpgradeInsecureRequests(name);
</span><ins>+    else if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::blockAllMixedContent))
+        setBlockAllMixedContentEnabled(name);
</ins><span class="cx">     else
</span><span class="cx">         m_policy.reportUnsupportedDirective(name);
</span><span class="cx"> }
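Review bot: addDirective passes only name to setBlockAllMixedContentEnabled, so any value supplied after block-all-mixed-content is accepted silently. This mirrors the upgrade-insecure-requests branch above, but consider whether a non-empty value deserves a console message. The setter name also does not match the m_hasBlockAllMixedContentDirective member and the hasBlockAllMixedContentDirective() getter.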
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -71,6 +71,8 @@
</span><span class="cx"> 
</span><span class="cx">     const ContentSecurityPolicyDirective* defaultSrc() const { return m_defaultSrc.get(); }
</span><span class="cx"> 
</span><ins>+    bool hasBlockAllMixedContentDirective() const { return m_hasBlockAllMixedContentDirective; }
+
</ins><span class="cx">     const String&amp; evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
</span><span class="cx">     bool isReportOnly() const { return m_reportOnly; }
</span><span class="cx">     const Vector&lt;String&gt;&amp; reportURIs() const { return m_reportURIs; }
</span><span class="lines">@@ -87,6 +89,7 @@
</span><span class="cx">     void addDirective(const String&amp; name, const String&amp; value);
</span><span class="cx">     void applySandboxPolicy(const String&amp; name, const String&amp; sandboxPolicy);
</span><span class="cx">     void setUpgradeInsecureRequests(const String&amp; name);
</span><ins>+    void setBlockAllMixedContentEnabled(const String&amp; name);
</ins><span class="cx"> 
</span><span class="cx">     template &lt;class CSPDirectiveType&gt;
</span><span class="cx">     void setCSPDirective(const String&amp; name, const String&amp; value, std::unique_ptr&lt;CSPDirectiveType&gt;&amp;);
</span><span class="lines">@@ -104,6 +107,7 @@
</span><span class="cx">     bool m_reportOnly { false };
</span><span class="cx">     bool m_haveSandboxPolicy { false };
</span><span class="cx">     bool m_upgradeInsecureRequests { false };
</span><ins>+    bool m_hasBlockAllMixedContentDirective { false };
</ins><span class="cx"> 
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicyMediaListDirective&gt; m_pluginTypes;
</span><span class="cx">     std::unique_ptr&lt;ContentSecurityPolicySourceListDirective&gt; m_baseURI;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -47,6 +47,7 @@
</span><span class="cx"> const char* const scriptSrc = &quot;script-src&quot;;
</span><span class="cx"> const char* const styleSrc = &quot;style-src&quot;;
</span><span class="cx"> const char* const upgradeInsecureRequests = &quot;upgrade-insecure-requests&quot;;
</span><ins>+const char* const blockAllMixedContent = &quot;block-all-mixed-content&quot;;
</ins><span class="cx">     
</span><span class="cx"> } // namespace ContentSecurityPolicyDirectiveNames
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveNamesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -46,6 +46,7 @@
</span><span class="cx"> extern const char* const scriptSrc;
</span><span class="cx"> extern const char* const styleSrc;
</span><span class="cx"> extern const char* const upgradeInsecureRequests;
</span><ins>+extern const char* const blockAllMixedContent;
</ins><span class="cx"> 
</span><span class="cx"> } // namespace ContentSecurityPolicyDirectiveNames
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCorexmlXSLTProcessorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/xml/XSLTProcessor.cpp (209576 => 209577)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/xml/XSLTProcessor.cpp        2016-12-08 22:57:12 UTC (rev 209576)
+++ trunk/Source/WebCore/xml/XSLTProcessor.cpp        2016-12-08 23:54:13 UTC (rev 209577)
</span><span class="lines">@@ -92,6 +92,7 @@
</span><span class="cx">             result-&gt;setSecurityOriginPolicy(oldDocument-&gt;securityOriginPolicy());
</span><span class="cx">             result-&gt;setCookieURL(oldDocument-&gt;cookieURL());
</span><span class="cx">             result-&gt;setFirstPartyForCookies(oldDocument-&gt;firstPartyForCookies());
</span><ins>+            result-&gt;setStrictMixedContentMode(oldDocument-&gt;isStrictMixedContentMode());
</ins><span class="cx">             result-&gt;contentSecurityPolicy()-&gt;copyStateFrom(oldDocument-&gt;contentSecurityPolicy());
</span><span class="cx">         }
</span><span class="cx"> 
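Review bot: Copying the strict mixed content flag by hand on the line before copyStateFrom is easy to miss in any other place that clones document state. Consider whether the flag can be carried by copyStateFrom, since the Content Security Policy is what sets it, or add a comment explaining why it is stored on the document and must be copied separately.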
</span></span></pre>
</div>
</div>

</body>
</html>