<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[285320] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/285320">285320</a></dd>
<dt>Author</dt> <dd>katherine_cheney@apple.com</dd>
<dt>Date</dt> <dd>2021-11-04 16:46:28 -0700 (Thu, 04 Nov 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>Form action with a redirect should report correct blocked URI
https://bugs.webkit.org/show_bug.cgi?id=232660
&lt;rdar://problem/84969024&gt;

Reviewed by Brent Fulgham.

Source/WebCore:

We currently report the blocked URI as the target of a redirect, per
the spec it should actually be the initiating url.

Test: http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest):
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::checkIfFormActionAllowedByCSP const):
* loader/FrameLoader.h:
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowResourceFromSource const):
(WebCore::ContentSecurityPolicy::allowFormAction const):
* page/csp/ContentSecurityPolicy.h:

LayoutTests:

* http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt:
Update console logging to report the correct URL.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcredirectblockedexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentLoadercpp">trunk/Source/WebCore/loader/DocumentLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoadercpp">trunk/Source/WebCore/loader/FrameLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderFrameLoaderh">trunk/Source/WebCore/loader/FrameLoader.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionredirectwithcorrectblockeduriexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionredirectwithcorrectblockedurihtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (285319 => 285320)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog      2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/LayoutTests/ChangeLog 2021-11-04 23:46:28 UTC (rev 285320)
</span><span class="lines">@@ -1,3 +1,16 @@
</span><ins>+2021-11-04  Kate Cheney  <katherine_cheney@apple.com>
+
+        Form action with a redirect should report correct blocked URI
+        https://bugs.webkit.org/show_bug.cgi?id=232660
+        <rdar://problem/84969024>
+
+        Reviewed by Brent Fulgham.
+
+        * http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html: Added.
+        * http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt:
+        Update console logging to report the correct URL.
+
</ins><span class="cx"> 2021-11-04  Lauro Moura  <lmoura@igalia.com>
</span><span class="cx"> 
</span><span class="cx">         [GLIB] Gardening some timeouts
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11formactionsrcredirectblockedexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt (285319 => 285320)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt    2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/form-action-src-redirect-blocked-expected.txt       2021-11-04 23:46:28 UTC (rev 285320)
</span><span class="lines">@@ -1,3 +1,3 @@
</span><del>-CONSOLE MESSAGE: Refused to load http://localhost:8000/navigation/resources/form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
</del><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/redirection-response.py?host=localhost:8000&status=302&target=form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
</ins><span class="cx"> 
</span><span class="cx"> Tests that blocking form redirect works correctly. If this test passes, you will see a console error, and will not see a page indicating a form was POSTed.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionredirectwithcorrectblockeduriexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt (0 => 285320)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt                           (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri-expected.txt      2021-11-04 23:46:28 UTC (rev 285320)
</span><span class="lines">@@ -0,0 +1,7 @@
</span><ins>+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/navigation/resources/redirection-response.py?host=localhost:8000&status=302&target=form-target.pl because it does not appear in the form-action directive of the Content Security Policy.
+
+Tests that blocking form redirect reports the correct blockedURI.
+
+blockedURI = http://127.0.0.1:8000/navigation/resources/redirection-response.py?host=localhost:8000&status=302&target=form-target.pl
+
+
</ins></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicyformactionredirectwithcorrectblockedurihtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html (0 => 285320)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html                           (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html      2021-11-04 23:46:28 UTC (rev 285320)
</span><span class="lines">@@ -0,0 +1,33 @@
</span><ins>+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="form-action 127.0.0.1:8000">
+<script>
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+    window.addEventListener('load', function() {
+        setTimeout(function() {
+            document.getElementById('submit').click();
+        }, 0);
+    });
+
+    window.addEventListener('securitypolicyviolation', e => {
+        document.body.innerHTML += `blockedURI = <b>${e.blockedURI}</b><br/><br/>`;
+        testRunner.notifyDone();
+    });
+
+</script>
+</head>
+<body>
+    <form id="form1" action="/navigation/resources/redirection-response.py?host=localhost:8000&status=302&target=form-target.pl" method="post">
+        <input type='text' name='fieldname' value='fieldvalue'>
+        <input type='submit' id='submit' value='submit'>
+    </form>
+
+    <p>
+    Tests that blocking form redirect reports the correct blockedURI.
+    </p>
+</body>
+</html>
</ins></span></pre></div>
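<p>Review bot: The securitypolicyviolation handler calls testRunner.notifyDone() without the window.testRunner guard used at the top of the script, so opening the test by hand in a browser throws right after the blockedURI line is written. Guard the call the same way as the dumpAsText()/waitUntilDone() block. The handler also appends e.blockedURI through innerHTML; assigning it with textContent on a dedicated element would keep a URL containing markup characters from being parsed as HTML in the test output.</p>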
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (285319 => 285320)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog   2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/ChangeLog      2021-11-04 23:46:28 UTC (rev 285320)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2021-11-04  Kate Cheney  <katherine_cheney@apple.com>
+
+        Form action with a redirect should report correct blocked URI
+        https://bugs.webkit.org/show_bug.cgi?id=232660
+        <rdar://problem/84969024>
+
+        Reviewed by Brent Fulgham.
+
+        We currently report the blocked URI as the target of a redirect, per
+        the spec it should actually be the initiating url.
+
+        Test: http/tests/security/contentSecurityPolicy/form-action-redirect-with-correct-blocked-uri.html
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::willSendRequest):
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::checkIfFormActionAllowedByCSP const):
+        * loader/FrameLoader.h:
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowResourceFromSource const):
+        (WebCore::ContentSecurityPolicy::allowFormAction const):
+        * page/csp/ContentSecurityPolicy.h:
+
</ins><span class="cx"> 2021-11-04  Myles C. Maxfield  <mmaxfield@apple.com>
</span><span class="cx"> 
</span><span class="cx">         [Cocoa] Migrate from CTFontCopyVariationAxes() to CTFontCopyVariationAxesInternal() if possible
</span></span></pre></div>
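<p>Review bot: The per-function entries in this ChangeLog (willSendRequest, checkIfFormActionAllowedByCSP, allowResourceFromSource, allowFormAction) are left empty, and the summary says "per the spec" without naming the section relied on. One line per function saying that the pre-redirect URL is threaded through and used only for reporting, plus a pointer to the spec text, would let a later reader check the behaviour against the spec.</p>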
<a id="trunkSourceWebCoreloaderDocumentLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentLoader.cpp (285319 => 285320)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentLoader.cpp   2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/loader/DocumentLoader.cpp      2021-11-04 23:46:28 UTC (rev 285320)
</span><span class="lines">@@ -639,7 +639,7 @@
</span><span class="cx">             reportingEndpointsCache->addEndpointsFromResponse(redirectResponse);
</span><span class="cx">     }
</span><span class="cx"> 
</span><del>-    if (!frameLoader()->checkIfFormActionAllowedByCSP(newRequest.url(), didReceiveRedirectResponse)) {
</del><ins>+    if (!frameLoader()->checkIfFormActionAllowedByCSP(newRequest.url(), didReceiveRedirectResponse, redirectResponse.url())) {
</ins><span class="cx">         DOCUMENTLOADER_RELEASE_LOG("willSendRequest: canceling - form action not allowed by CSP");
</span><span class="cx">         cancelMainResourceLoad(frameLoader()->cancelledError(newRequest));
</span><span class="cx">         return completionHandler(WTFMove(newRequest));
</span></span></pre></div>
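<p>Review bot: redirectResponse.url() is passed on every call in willSendRequest, including when didReceiveRedirectResponse is false, so the non-redirect case works only if that URL is null and allowResourceFromSource falls back on its isNull() check. Pass URL() explicitly when there was no redirect, or add a comment stating the dependency. It is also worth confirming, for a chain of redirects, whether redirectResponse.url() is the originally submitted form URL or only the previous hop, since the ChangeLog says the report should carry the initiating URL.</p>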
<a id="trunkSourceWebCoreloaderFrameLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (285319 => 285320)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.cpp      2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp 2021-11-04 23:46:28 UTC (rev 285320)
</span><span class="lines">@@ -1021,13 +1021,13 @@
</span><span class="cx">     return m_frame.document()->securityOrigin().toString();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool FrameLoader::checkIfFormActionAllowedByCSP(const URL& url, bool didReceiveRedirectResponse) const
</del><ins>+bool FrameLoader::checkIfFormActionAllowedByCSP(const URL& url, bool didReceiveRedirectResponse, const URL& preRedirectURL) const
</ins><span class="cx"> {
</span><span class="cx">     if (m_submittedFormURL.isEmpty())
</span><span class="cx">         return true;
</span><span class="cx"> 
</span><span class="cx">     auto redirectResponseReceived = didReceiveRedirectResponse ? ContentSecurityPolicy::RedirectResponseReceived::Yes : ContentSecurityPolicy::RedirectResponseReceived::No;
</span><del>-    return m_frame.document()->contentSecurityPolicy()->allowFormAction(url, redirectResponseReceived);
</del><ins>+    return m_frame.document()->contentSecurityPolicy()->allowFormAction(url, redirectResponseReceived, preRedirectURL);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void FrameLoader::setOpener(Frame* opener)
</span></span></pre></div>
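<p>Review bot: checkIfFormActionAllowedByCSP already has m_submittedFormURL in scope (it is tested for emptiness on the first line of the body), yet a separate preRedirectURL is threaded in from the caller to identify the initiating URL. If the two are meant to be the same value, use the member and drop the parameter; if they can differ, a short comment saying why would help the next reader.</p>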
<a id="trunkSourceWebCoreloaderFrameLoaderh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/FrameLoader.h (285319 => 285320)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/FrameLoader.h        2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/loader/FrameLoader.h   2021-11-04 23:46:28 UTC (rev 285320)
</span><span class="lines">@@ -241,7 +241,7 @@
</span><span class="cx">     void forceSandboxFlags(SandboxFlags flags) { m_forcedSandboxFlags |= flags; }
</span><span class="cx">     WEBCORE_EXPORT SandboxFlags effectiveSandboxFlags() const;
</span><span class="cx"> 
</span><del>-    bool checkIfFormActionAllowedByCSP(const URL&, bool didReceiveRedirectResponse) const;
</del><ins>+    bool checkIfFormActionAllowedByCSP(const URL&, bool didReceiveRedirectResponse, const URL& preRedirectURL) const;
</ins><span class="cx"> 
</span><span class="cx">     WEBCORE_EXPORT Frame* opener();
</span><span class="cx">     WEBCORE_EXPORT const Frame* opener() const;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (285319 => 285320)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp  2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp     2021-11-04 23:46:28 UTC (rev 285320)
</span><span class="lines">@@ -620,15 +620,16 @@
</span><span class="cx">     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForFrame, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowResourceFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const char* name, ResourcePredicate resourcePredicate) const
</del><ins>+bool ContentSecurityPolicy::allowResourceFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const char* name, ResourcePredicate resourcePredicate, const URL& preRedirectURL) const
</ins><span class="cx"> {
</span><span class="cx">     if (LegacySchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol().toStringWithoutCopying()))
</span><span class="cx">         return true;
</span><span class="cx">     String sourceURL;
</span><ins>+    const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
</ins><span class="cx">     TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
</span><span class="cx">     auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
</span><del>-        String consoleMessage = consoleMessageForViolation(name, violatedDirective, url, "Refused to load");
-        reportViolation(name, violatedDirective, url.string(), consoleMessage, sourceURL, sourcePosition);
</del><ins>+        String consoleMessage = consoleMessageForViolation(name, violatedDirective, blockedURL, "Refused to load");
+        reportViolation(name, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, sourcePosition);
</ins><span class="cx">     };
</span><span class="cx">     return allPoliciesAllow(WTFMove(handleViolatedDirective), resourcePredicate, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</span><span class="cx"> }
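Review bot: In allowResourceFromSource, blockedURL is used only for the console message and reportViolation, while the scheme bypass check and allPoliciesAllow still evaluate url, and nothing in the code says that split is deliberate.
Add a comment that enforcement runs on the redirect target and reporting uses the pre-redirect URL. The choice also keys on preRedirectURL.isNull() rather than on redirectResponseReceived, which is already a parameter; checking both would keep a stray non-null URL from a non-redirect caller out of the report.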
</span><span class="lines">@@ -686,9 +687,9 @@
</span><span class="cx">     return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForConnectSource, url, redirectResponseReceived == RedirectResponseReceived::Yes);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowFormAction(const URL& url, RedirectResponseReceived redirectResponseReceived) const
</del><ins>+bool ContentSecurityPolicy::allowFormAction(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
</ins><span class="cx"> {
</span><del>-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::formAction, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction);
</del><ins>+    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::formAction, &ContentSecurityPolicyDirectiveList::violatedDirectiveForFormAction, preRedirectURL);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicy::allowBaseURI(const URL& url, bool overrideContentSecurityPolicy) const
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (285319 => 285320)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h    2021-11-04 23:29:58 UTC (rev 285319)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h       2021-11-04 23:46:28 UTC (rev 285320)
</span><span class="lines">@@ -121,7 +121,7 @@
</span><span class="cx">     bool allowChildFrameFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
</span><span class="cx">     WEBCORE_EXPORT bool allowChildContextFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
</span><span class="cx">     WEBCORE_EXPORT bool allowConnectToSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& requestedURL = URL()) const;
</span><del>-    bool allowFormAction(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
</del><ins>+    bool allowFormAction(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
</ins><span class="cx"> 
</span><span class="cx">     bool allowObjectFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No) const;
</span><span class="cx">     bool allowBaseURI(const URL&, bool overrideContentSecurityPolicy = false) const;
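Review bot: allowFormAction names its new trailing parameter preRedirectURL, while allowConnectToSource directly above it takes a trailing requestedURL in the same position.
If both carry the URL as it was before the redirect, use one name in both declarations; if they differ in meaning, a comment on each would keep them from being confused.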
</span><span class="lines">@@ -213,7 +213,7 @@
</span><span class="cx">     bool shouldPerformEarlyCSPCheck() const;
</span><span class="cx">     
</span><span class="cx">     using ResourcePredicate = const ContentSecurityPolicyDirective *(ContentSecurityPolicyDirectiveList::*)(const URL &, bool) const;
</span><del>-    bool allowResourceFromSource(const URL&, RedirectResponseReceived, const char*, ResourcePredicate) const;
</del><ins>+    bool allowResourceFromSource(const URL&, RedirectResponseReceived, const char*, ResourcePredicate, const URL& preRedirectURL = URL()) const;
</ins><span class="cx"> 
</span><span class="cx">     using HashInEnforcedAndReportOnlyPoliciesPair = std::pair<bool, bool>;
</span><span class="cx">     template<typename Predicate> HashInEnforcedAndReportOnlyPoliciesPair findHashOfContentInPolicies(const Predicate&, StringView content, OptionSet<ContentSecurityPolicyHashAlgorithm>) const WARN_UNUSED_RETURN;
</span></span></pre>
</div>
</div>

</body>
</html>