<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[209759] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/209759">209759</a></dd>
<dt>Author</dt> <dd>dbates@webkit.org</dd>
<dt>Date</dt> <dd>2016-12-13 10:21:37 -0800 (Tue, 13 Dec 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>CSP: Teach the preload scanner about the 'nonce' attribute
https://bugs.webkit.org/show_bug.cgi?id=161192
<rdar://problem/28010354>
Reviewed by Darin Adler.
Source/WebCore:
This patch was inspired by a similar Blink change:
<https://chromium.googlesource.com/chromium/src/+/dde5487f380cf774e4c0e96ba7f88ea68e723907>
Preload external scripts and stylesheets whose HTML script and link elements have a nonce
attribute that is listed in the Content Security Policy (CSP) of the page.
Currently the preload scanner ignores the nonce attribute on HTML script and link elements.
So, WebKit does not preload their associated subresources unless the value of the src
attribute or href attribute is whitelisted in the CSP of the page for script and link
elements, respectively. Instead the preload scanner should recognize the nonce attribute on
script and link elements and query the CSP of the page with it. If the nonce attribute is
whitelisted then the request should be preloaded.
Tests: http/tests/loading/do-not-preload-css-blocked-by-csp.html
http/tests/loading/do-not-preload-script-src-blocked-by-csp.html
http/tests/loading/preload-css-with-csp-nonce.html
http/tests/loading/preload-script-src-with-csp-nonce.html
* html/parser/HTMLPreloadScanner.cpp:
(WebCore::TokenPreloadScanner::StartTagScanner::createPreloadRequest): Set the nonce on the
PreloadRequest to the nonce that we found during the scan.
(WebCore::TokenPreloadScanner::StartTagScanner::processAttribute): For script and link tag names,
save the value of the nonce attribute (if it has one).
* html/parser/HTMLResourcePreloader.cpp:
(WebCore::PreloadRequest::resourceRequest): Skip CSP policy check if the nonce is listed in
the CSP of the page.
* html/parser/HTMLResourcePreloader.h:
(WebCore::PreloadRequest::setNonce): Added.
LayoutTests:
Add tests to ensure that we preload <script>s and <link>s whose nonce is allowed by the
Content Security Policy of the page.
* http/tests/loading/do-not-preload-css-blocked-by-csp-expected.txt: Added.
* http/tests/loading/do-not-preload-css-blocked-by-csp.html: Added.
* http/tests/loading/do-not-preload-script-src-blocked-by-csp-expected.txt: Added.
* http/tests/loading/do-not-preload-script-src-blocked-by-csp.html: Added.
* http/tests/loading/preload-css-with-csp-nonce-expected.txt: Added.
* http/tests/loading/preload-css-with-csp-nonce.html: Added.
* http/tests/loading/preload-script-src-with-csp-nonce-expected.txt: Added.
* http/tests/loading/preload-script-src-with-csp-nonce.html: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorehtmlparserHTMLPreloadScannercpp">trunk/Source/WebCore/html/parser/HTMLPreloadScanner.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlparserHTMLResourcePreloadercpp">trunk/Source/WebCore/html/parser/HTMLResourcePreloader.cpp</a></li>
<li><a href="#trunkSourceWebCorehtmlparserHTMLResourcePreloaderh">trunk/Source/WebCore/html/parser/HTMLResourcePreloader.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestsloadingdonotpreloadcssblockedbycspexpectedtxt">trunk/LayoutTests/http/tests/loading/do-not-preload-css-blocked-by-csp-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsloadingdonotpreloadcssblockedbycsphtml">trunk/LayoutTests/http/tests/loading/do-not-preload-css-blocked-by-csp.html</a></li>
<li><a href="#trunkLayoutTestshttptestsloadingdonotpreloadscriptsrcblockedbycspexpectedtxt">trunk/LayoutTests/http/tests/loading/do-not-preload-script-src-blocked-by-csp-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsloadingdonotpreloadscriptsrcblockedbycsphtml">trunk/LayoutTests/http/tests/loading/do-not-preload-script-src-blocked-by-csp.html</a></li>
<li><a href="#trunkLayoutTestshttptestsloadingpreloadcsswithcspnonceexpectedtxt">trunk/LayoutTests/http/tests/loading/preload-css-with-csp-nonce-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsloadingpreloadcsswithcspnoncehtml">trunk/LayoutTests/http/tests/loading/preload-css-with-csp-nonce.html</a></li>
<li><a href="#trunkLayoutTestshttptestsloadingpreloadscriptsrcwithcspnonceexpectedtxt">trunk/LayoutTests/http/tests/loading/preload-script-src-with-csp-nonce-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestsloadingpreloadscriptsrcwithcspnoncehtml">trunk/LayoutTests/http/tests/loading/preload-script-src-with-csp-nonce.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (209758 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2016-12-13 17:39:27 UTC (rev 209758)
+++ trunk/LayoutTests/ChangeLog 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2016-12-13 Daniel Bates <dabates@apple.com>
+
+ CSP: Teach the preload scanner about the 'nonce' attribute
+ https://bugs.webkit.org/show_bug.cgi?id=161192
+ <rdar://problem/28010354>
+
+ Reviewed by Darin Adler.
+
+ Add tests to ensure that we preload <script>s and <link>s whose nonce is allowed by the
+ Content Security Policy of the page.
+
+ * http/tests/loading/do-not-preload-css-blocked-by-csp-expected.txt: Added.
+ * http/tests/loading/do-not-preload-css-blocked-by-csp.html: Added.
+ * http/tests/loading/do-not-preload-script-src-blocked-by-csp-expected.txt: Added.
+ * http/tests/loading/do-not-preload-script-src-blocked-by-csp.html: Added.
+ * http/tests/loading/preload-css-with-csp-nonce-expected.txt: Added.
+ * http/tests/loading/preload-css-with-csp-nonce.html: Added.
+ * http/tests/loading/preload-script-src-with-csp-nonce-expected.txt: Added.
+ * http/tests/loading/preload-script-src-with-csp-nonce.html: Added.
+
</ins><span class="cx"> 2016-12-13 Antti Koivisto <antti@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION (r198990): Safari - Cannot edit content inside <details> in wysiwyg editor
</span></span></pre></div>
<a id="trunkLayoutTestshttptestsloadingdonotpreloadcssblockedbycspexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/loading/do-not-preload-css-blocked-by-csp-expected.txt (0 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/loading/do-not-preload-css-blocked-by-csp-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/loading/do-not-preload-css-blocked-by-csp-expected.txt 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/loading/resources/small_mq.css because it does not appear in the style-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/loading/resources/small_mq.css because it does not appear in the style-src directive of the Content Security Policy.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test makes sure that the Preload scanner does not preload a stylesheet resource that is blocked by the Content Security Policy of the page.
+PASS
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestsloadingdonotpreloadcssblockedbycsphtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/loading/do-not-preload-css-blocked-by-csp.html (0 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/loading/do-not-preload-css-blocked-by-csp.html (rev 0)
+++ trunk/LayoutTests/http/tests/loading/do-not-preload-css-blocked-by-csp.html 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/slow-script.pl http://127.0.0.1:8000/resources/checkPreload.js 'nonce-check-for-preload'; style-src 'none'">
+<script src="http://127.0.0.1:8000/resources/slow-script.pl?delay=1000"></script>
+<script src="http://127.0.0.1:8000/resources/checkPreload.js"></script>
+<link rel="stylesheet" href="resources/small_mq.css" nonce="dummy">
+</head>
+<body>
+This test makes sure that the Preload scanner does not preload a stylesheet resource that is blocked by the Content Security Policy of the page.
+<br>
+<script nonce="check-for-preload">
+checkForPreload("resources/small_mq.css", false);
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestsloadingdonotpreloadscriptsrcblockedbycspexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/loading/do-not-preload-script-src-blocked-by-csp-expected.txt (0 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/loading/do-not-preload-script-src-blocked-by-csp-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/loading/do-not-preload-script-src-blocked-by-csp-expected.txt 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -0,0 +1,9 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/loading/resources/zero-length.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/loading/resources/zero-length.js because it does not appear in the script-src directive of the Content Security Policy.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test makes sure that the Preload scanner does not preload a script resource that is blocked by the Content Security Policy of the page.
+PASS
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestsloadingdonotpreloadscriptsrcblockedbycsphtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/loading/do-not-preload-script-src-blocked-by-csp.html (0 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/loading/do-not-preload-script-src-blocked-by-csp.html (rev 0)
+++ trunk/LayoutTests/http/tests/loading/do-not-preload-script-src-blocked-by-csp.html 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/slow-script.pl http://127.0.0.1:8000/resources/checkPreload.js 'nonce-check-for-preload'">
+<script src="http://127.0.0.1:8000/resources/slow-script.pl?delay=1000"></script>
+<script src="http://127.0.0.1:8000/resources/checkPreload.js"></script>
+</head>
+<body>
+This test makes sure that the Preload scanner does not preload a script resource that is blocked by the Content Security Policy of the page.
+<br>
+<script nonce="check-for-preload">
+checkForPreload("resources/zero-length.js", false);
+</script>
+<script src="resources/zero-length.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestsloadingpreloadcsswithcspnonceexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/loading/preload-css-with-csp-nonce-expected.txt (0 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/loading/preload-css-with-csp-nonce-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/loading/preload-css-with-csp-nonce-expected.txt 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test makes sure that the Preload scanner preloads a stylesheet resource with a nonce attribute.
+PASS
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestsloadingpreloadcsswithcspnoncehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/loading/preload-css-with-csp-nonce.html (0 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/loading/preload-css-with-csp-nonce.html (rev 0)
+++ trunk/LayoutTests/http/tests/loading/preload-css-with-csp-nonce.html 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/slow-script.pl http://127.0.0.1:8000/resources/checkPreload.js 'nonce-check-for-preload'; style-src 'nonce-dummy'">
+<script src="http://127.0.0.1:8000/resources/slow-script.pl?delay=1000"></script>
+<script src="http://127.0.0.1:8000/resources/checkPreload.js"></script>
+<link rel="stylesheet" href="resources/small_mq.css" nonce="dummy">
+</head>
+<body>
+This test makes sure that the Preload scanner preloads a stylesheet resource with a nonce attribute.
+<br>
+<script nonce="check-for-preload">
+checkForPreload("resources/small_mq.css", true);
+</script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestsloadingpreloadscriptsrcwithcspnonceexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/loading/preload-script-src-with-csp-nonce-expected.txt (0 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/loading/preload-script-src-with-csp-nonce-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/loading/preload-script-src-with-csp-nonce-expected.txt 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+main frame - didStartProvisionalLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test makes sure that the Preload scanner preloads a script resource with a nonce attribute.
+PASS
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestsloadingpreloadscriptsrcwithcspnoncehtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/loading/preload-script-src-with-csp-nonce.html (0 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/loading/preload-script-src-with-csp-nonce.html (rev 0)
+++ trunk/LayoutTests/http/tests/loading/preload-script-src-with-csp-nonce.html 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/slow-script.pl http://127.0.0.1:8000/resources/checkPreload.js 'nonce-check-for-preload' 'nonce-dummy'">
+<script src="http://127.0.0.1:8000/resources/slow-script.pl?delay=1000"></script>
+<script src="http://127.0.0.1:8000/resources/checkPreload.js"></script>
+</head>
+<body>
+This test makes sure that the Preload scanner preloads a script resource with a nonce attribute.
+<br>
+<script nonce="check-for-preload">
+checkForPreload("resources/zero-length.js", true);
+</script>
+<script src="resources/zero-length.js" nonce="dummy"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (209758 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-12-13 17:39:27 UTC (rev 209758)
+++ trunk/Source/WebCore/ChangeLog 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -1,3 +1,40 @@
</span><ins>+2016-12-13 Daniel Bates <dabates@apple.com>
+
+ CSP: Teach the preload scanner about the 'nonce' attribute
+ https://bugs.webkit.org/show_bug.cgi?id=161192
+ <rdar://problem/28010354>
+
+ Reviewed by Darin Adler.
+
+ This patch was inspired by a similar Blink change:
+ <https://chromium.googlesource.com/chromium/src/+/dde5487f380cf774e4c0e96ba7f88ea68e723907>
+
+ Preload external scripts and stylesheets whose HTML script and link elements have a nonce
+ attribute that is listed in the Content Security Policy (CSP) of the page.
+
+ Currently the preload scanner ignores the nonce attribute on HTML script and link elements.
+ So, WebKit does not preload their associated subresources unless the value of the src
+ attribute or href attribute is whitelisted in the CSP of the page for script and link
+ elements, respectively. Instead the preload scanner should recognize the nonce attribute on
+ script and link elements and query the CSP of the page with it. If the nonce attribute is
+ whitelisted then the request should be preloaded.
+
+ Tests: http/tests/loading/do-not-preload-css-blocked-by-csp.html
+ http/tests/loading/do-not-preload-script-src-blocked-by-csp.html
+ http/tests/loading/preload-css-with-csp-nonce.html
+ http/tests/loading/preload-script-src-with-csp-nonce.html
+
+ * html/parser/HTMLPreloadScanner.cpp:
+ (WebCore::TokenPreloadScanner::StartTagScanner::createPreloadRequest): Set the nonce on the
+ PreloadRequest to the nonce that we found during the scan.
+ (WebCore::TokenPreloadScanner::StartTagScanner::processAttribute): For script and link tag names,
+ save the value of the nonce attribute (if it has one).
+ * html/parser/HTMLResourcePreloader.cpp:
+ (WebCore::PreloadRequest::resourceRequest): Skip CSP policy check if the nonce is listed in
+ the CSP of the page.
+ * html/parser/HTMLResourcePreloader.h:
+ (WebCore::PreloadRequest::setNonce): Added.
+
</ins><span class="cx"> 2016-12-13 Dave Hyatt <hyatt@apple.com>
</span><span class="cx">
</span><span class="cx"> [CSS Parser] Rename CSSPrimitiveValue::UnitTypes to CSSPrimitiveValue::UnitType
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlparserHTMLPreloadScannercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/parser/HTMLPreloadScanner.cpp (209758 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/parser/HTMLPreloadScanner.cpp 2016-12-13 17:39:27 UTC (rev 209758)
+++ trunk/Source/WebCore/html/parser/HTMLPreloadScanner.cpp 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -147,6 +147,7 @@
</span><span class="cx">
</span><span class="cx"> auto request = std::make_unique<PreloadRequest>(initiatorFor(m_tagId), m_urlToLoad, predictedBaseURL, resourceType(), m_mediaAttribute, m_moduleScript);
</span><span class="cx"> request->setCrossOriginMode(m_crossOriginMode);
</span><ins>+ request->setNonce(m_nonceAttribute);
</ins><span class="cx">
</span><span class="cx"> // According to the spec, the module tag ignores the "charset" attribute as the same to the worker's
</span><span class="cx"> // importScript. But WebKit supports the "charset" for importScript intentionally. So to be consistent,
</span><span class="lines">@@ -216,7 +217,8 @@
</span><span class="cx"> m_moduleScript = equalLettersIgnoringASCIICase(attributeValue, "module") ? PreloadRequest::ModuleScript::Yes : PreloadRequest::ModuleScript::No;
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>- }
</del><ins>+ } else if (match(attributeName, nonceAttr))
+ m_nonceAttribute = attributeValue;
</ins><span class="cx"> processImageAndScriptAttribute(attributeName, attributeValue);
</span><span class="cx"> break;
</span><span class="cx"> case TagId::Link:
</span><span class="lines">@@ -230,6 +232,8 @@
</span><span class="cx"> m_charset = attributeValue;
</span><span class="cx"> else if (match(attributeName, crossoriginAttr))
</span><span class="cx"> m_crossOriginMode = stripLeadingAndTrailingHTMLSpaces(attributeValue);
</span><ins>+ else if (match(attributeName, nonceAttr))
+ m_nonceAttribute = attributeValue;
</ins><span class="cx"> break;
</span><span class="cx"> case TagId::Input:
</span><span class="cx"> if (match(attributeName, srcAttr))
</span><span class="lines">@@ -326,6 +330,7 @@
</span><span class="cx"> String m_crossOriginMode;
</span><span class="cx"> bool m_linkIsStyleSheet;
</span><span class="cx"> String m_mediaAttribute;
</span><ins>+ String m_nonceAttribute;
</ins><span class="cx"> String m_metaContent;
</span><span class="cx"> bool m_metaIsViewport;
</span><span class="cx"> bool m_inputIsImage;
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlparserHTMLResourcePreloadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/parser/HTMLResourcePreloader.cpp (209758 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/parser/HTMLResourcePreloader.cpp 2016-12-13 17:39:27 UTC (rev 209758)
+++ trunk/Source/WebCore/html/parser/HTMLResourcePreloader.cpp 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -43,7 +43,18 @@
</span><span class="cx"> CachedResourceRequest PreloadRequest::resourceRequest(Document& document)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(isMainThread());
</span><del>- CachedResourceRequest request(completeURL(document), CachedResourceLoader::defaultCachedResourceOptions());
</del><ins>+
+ bool skipContentSecurityPolicyCheck = false;
+ if (m_resourceType == CachedResource::Type::Script)
+ skipContentSecurityPolicyCheck = document.contentSecurityPolicy()->allowScriptWithNonce(m_nonceAttribute);
+ else if (m_resourceType == CachedResource::Type::CSSStyleSheet)
+ skipContentSecurityPolicyCheck = document.contentSecurityPolicy()->allowStyleWithNonce(m_nonceAttribute);
+
+ ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
+ if (skipContentSecurityPolicyCheck)
+ options.contentSecurityPolicyImposition = ContentSecurityPolicyImposition::SkipPolicyCheck;
+
+ CachedResourceRequest request { completeURL(document), options };
</ins><span class="cx"> request.setInitiator(m_initiator);
</span><span class="cx"> String crossOriginMode = m_crossOriginMode;
</span><span class="cx"> if (m_moduleScript == ModuleScript::Yes) {
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlparserHTMLResourcePreloaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/parser/HTMLResourcePreloader.h (209758 => 209759)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/parser/HTMLResourcePreloader.h 2016-12-13 17:39:27 UTC (rev 209758)
+++ trunk/Source/WebCore/html/parser/HTMLResourcePreloader.h 2016-12-13 18:21:37 UTC (rev 209759)
</span><span class="lines">@@ -53,6 +53,7 @@
</span><span class="cx"> const String& media() const { return m_mediaAttribute; }
</span><span class="cx"> void setCharset(const String& charset) { m_charset = charset.isolatedCopy(); }
</span><span class="cx"> void setCrossOriginMode(const String& mode) { m_crossOriginMode = mode; }
</span><ins>+ void setNonce(const String& nonce) { m_nonceAttribute = nonce; }
</ins><span class="cx"> CachedResource::Type resourceType() const { return m_resourceType; }
</span><span class="cx">
</span><span class="cx"> private:
</span><span class="lines">@@ -65,6 +66,7 @@
</span><span class="cx"> CachedResource::Type m_resourceType;
</span><span class="cx"> String m_mediaAttribute;
</span><span class="cx"> String m_crossOriginMode;
</span><ins>+ String m_nonceAttribute;
</ins><span class="cx"> ModuleScript m_moduleScript;
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>