<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[286853] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/286853">286853</a></dd>
<dt>Author</dt> <dd>pgriffis@igalia.com</dd>
<dt>Date</dt> <dd>2021-12-10 08:56:55 -0800 (Fri, 10 Dec 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>CSP: Allow external scripts with SRI hashes matching CSP
https://bugs.webkit.org/show_bug.cgi?id=233911

Reviewed by Kate Cheney.

LayoutTests/imported/w3c:

Update expectations with more passes.

* web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt:
* web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt:

Source/WebCore:

This is a change in CSP3 that allows loading external
scripts that have SRI hashes matching CSP hashes.
https://www.w3.org/TR/CSP3/#external-hash

ResourceCryptographicDigest was changed to not validate padding
during base64 decoding which is harmless and fixes parsing the
hashes used in WPT's script-src-sri_hash.sub.html.

* loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
* loader/ResourceCryptographicDigest.cpp:
(WebCore::parseCryptographicDigestImpl):
(WebCore::decodeEncodedResourceCryptographicDigest):
* loader/SubresourceIntegrity.cpp:
(WebCore::parseIntegrityMetadata):
* loader/SubresourceIntegrity.h:
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const):
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allScriptPoliciesAllow const):
(WebCore::parseSubResourceIntegrityIntoDigests):
(WebCore::ContentSecurityPolicy::allowResourceFromSource const):
(WebCore::ContentSecurityPolicy::allowScriptFromSource const):
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript const):
* page/csp/ContentSecurityPolicyDirectiveList.h:
* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::matchesAll const):
* page/csp/ContentSecurityPolicySourceList.h:
* page/csp/ContentSecurityPolicySourceListDirective.cpp:
(WebCore::ContentSecurityPolicySourceListDirective::containsAllHashes const):
* page/csp/ContentSecurityPolicySourceListDirective.h:

LayoutTests:

Update tests to accept base64 with extra padding.

* http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashtestsexpectedtxt">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt</a></li>
<li><a href="#trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashtestshtml">trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html</a></li>
<li><a href="#trunkLayoutTestsimportedw3cChangeLog">trunk/LayoutTests/imported/w3c/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestscontentsecuritypolicyscriptsrcscriptsrcreportonlypolicyworkswithexternalhashpolicyexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt</a></li>
<li><a href="#trunkLayoutTestsimportedw3cwebplatformtestscontentsecuritypolicyscriptsrcscriptsrcsri_hashsubexpectedtxt">trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreloaderDocumentThreadableLoadercpp">trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderResourceCryptographicDigestcpp">trunk/Source/WebCore/loader/ResourceCryptographicDigest.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderSubresourceIntegritycpp">trunk/Source/WebCore/loader/SubresourceIntegrity.cpp</a></li>
<li><a href="#trunkSourceWebCoreloaderSubresourceIntegrityh">trunk/Source/WebCore/loader/SubresourceIntegrity.h</a></li>
<li><a href="#trunkSourceWebCoreloadercacheCachedResourceLoadercpp">trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicycpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyh">trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListh">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectivecpp">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp</a></li>
<li><a href="#trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectiveh">trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog      2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/LayoutTests/ChangeLog 2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2021-12-10  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Allow external scripts with SRI hashes matching CSP
+        https://bugs.webkit.org/show_bug.cgi?id=233911
+
+        Reviewed by Kate Cheney.
+
+        Update tests to accept base64 with extra padding.
+
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt:
+        * http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html:
+
</ins><span class="cx"> 2021-12-10  Alan Bujtas  <zalan@apple.com>
</span><span class="cx"> 
</span><span class="cx">         [LFC][IFC] Enable bidi handling for content with inline boxes
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashtestsexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt    2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests-expected.txt       2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -12,8 +12,6 @@
</span><span class="cx"> CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-/Vet2Rva6wwsny8xybL+=bQal0Gtf0FZW7EOVqqg+Hna=''. It will be ignored.
</span><span class="cx"> CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</span><del>-CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA==''. It will be ignored.
-CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</del><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA===''. It will be ignored.
</span><span class="cx"> CONSOLE MESSAGE: Refused to execute a script because its hash, its nonce, or 'unsafe-inline' does not appear in the script-src directive of the Content Security Policy.
</span><span class="cx"> CONSOLE MESSAGE: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''sha256-'. It will be ignored.
</span><span class="lines">@@ -53,7 +51,7 @@
</span><span class="cx"> PASS "SHA-256 hash with SHA-384 prefix" did not run inline script.
</span><span class="cx"> PASS "SHA-256 hash with SHA-512 prefix" did not run inline script.
</span><span class="cx"> PASS "Malformed SHA-256 hash (equal sign in disallowed position)" did not run inline script.
</span><del>-PASS "SHA-256 hash with one extraneous equal sign" did not run inline script.
</del><ins>+PASS "SHA-256 hash with one extraneous equal sign" did run inline script.
</ins><span class="cx"> PASS "SHA-256 hash with two extraneous equal signs" did not run inline script.
</span><span class="cx"> PASS "Malformed hash source" did not run inline script.
</span><span class="cx"> PASS "Hash source without hash" did not run inline script.
</span></span></pre></div>
<a id="trunkLayoutTestshttptestssecuritycontentSecurityPolicy11scripthashtestshtml"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html    2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-tests.html       2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -159,7 +159,7 @@
</span><span class="cx">     charset: "UTF8",
</span><span class="cx">     script: encodeURIComponent("didRunInlineScript = true;"),
</span><span class="cx">     hashSource: "'sha256-/vET2rVA6WWSNY8XYBl+BqAL0gTF0fzw7eovQQG+hNA=='",
</span><del>-    expectedResult: DoNotRunInlineScript,
</del><ins>+    expectedResult: RunInlineScript,
</ins><span class="cx"> },
</span><span class="cx"> {
</span><span class="cx">     name: "SHA-256 hash with two extraneous equal signs",
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/ChangeLog (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/ChangeLog 2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/LayoutTests/imported/w3c/ChangeLog    2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2021-12-10  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Allow external scripts with SRI hashes matching CSP
+        https://bugs.webkit.org/show_bug.cgi?id=233911
+
+        Reviewed by Kate Cheney.
+
+        Update expectations with more passes.
+
+        * web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt:
+        * web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt:
+
</ins><span class="cx"> 2021-12-10  Manuel Rego Casasnovas  <rego@igalia.com>
</span><span class="cx"> 
</span><span class="cx">         [WPT] Import resources/accesskey.js
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestscontentsecuritypolicyscriptsrcscriptsrcreportonlypolicyworkswithexternalhashpolicyexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt  2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-report-only-policy-works-with-external-hash-policy-expected.txt     2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -1,4 +1,4 @@
</span><span class="cx"> 
</span><del>-FAIL Should fire securitypolicyviolation event assert_equals: expected "report" but got "enforce"
-FAIL External script in a script tag with matching SRI hash should run. assert_true: External script ran. expected true got false
</del><ins>+PASS Should fire securitypolicyviolation event
+PASS External script in a script tag with matching SRI hash should run.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkLayoutTestsimportedw3cwebplatformtestscontentsecuritypolicyscriptsrcscriptsrcsri_hashsubexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt        2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/LayoutTests/imported/w3c/web-platform-tests/content-security-policy/script-src/script-src-sri_hash.sub-expected.txt   2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -2,14 +2,14 @@
</span><span class="cx"> 
</span><span class="cx"> 
</span><span class="cx"> PASS Load all the tests.
</span><del>-FAIL matching integrity assert_unreached: Script should load! http://localhost:8800/content-security-policy/script-src/simpleSourcedScript.js Reached unreachable code
-FAIL multiple matching integrity assert_unreached: Script should load! http://localhost:8800/content-security-policy/script-src/simpleSourcedScript.js Reached unreachable code
</del><ins>+PASS matching integrity
+PASS multiple matching integrity
</ins><span class="cx"> PASS no integrity
</span><del>-FAIL matching plus unsupported integrity assert_unreached: Script should load! http://localhost:8800/content-security-policy/script-src/simpleSourcedScript.js Reached unreachable code
</del><ins>+PASS matching plus unsupported integrity
</ins><span class="cx"> PASS mismatched integrity
</span><span class="cx"> PASS multiple mismatched integrity
</span><span class="cx"> PASS partially matching integrity
</span><span class="cx"> FAIL crossorigin no integrity but allowed host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code
</span><span class="cx"> FAIL crossorigin mismatched integrity but allowed host assert_unreached: Script should load! http://127.0.0.1:8800/content-security-policy/script-src/crossoriginScript.js Reached unreachable code
</span><del>-FAIL External script in a script tag with matching SRI hash should run. assert_true: External script ran. expected true got false
</del><ins>+PASS External script in a script tag with matching SRI hash should run.
</ins><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog   2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/ChangeLog      2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -1,3 +1,44 @@
</span><ins>+2021-12-10  Patrick Griffis  <pgriffis@igalia.com>
+
+        CSP: Allow external scripts with SRI hashes matching CSP
+        https://bugs.webkit.org/show_bug.cgi?id=233911
+
+        Reviewed by Kate Cheney.
+
+        This is a change in CSP3 that allows loading external
+        scripts that have SRI hashes matching CSP hashes.
+        https://www.w3.org/TR/CSP3/#external-hash
+
+        ResourceCryptographicDigest was changed to not validate padding
+        during base64 decoding which is harmless and fixes parsing the
+        hashes used in WPT's script-src-sri_hash.sub.html.
+
+        * loader/DocumentThreadableLoader.cpp:
+        (WebCore::DocumentThreadableLoader::isAllowedByContentSecurityPolicy):
+        * loader/ResourceCryptographicDigest.cpp:
+        (WebCore::parseCryptographicDigestImpl):
+        (WebCore::decodeEncodedResourceCryptographicDigest):
+        * loader/SubresourceIntegrity.cpp:
+        (WebCore::parseIntegrityMetadata):
+        * loader/SubresourceIntegrity.h:
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const):
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allScriptPoliciesAllow const):
+        (WebCore::parseSubResourceIntegrityIntoDigests):
+        (WebCore::ContentSecurityPolicy::allowResourceFromSource const):
+        (WebCore::ContentSecurityPolicy::allowScriptFromSource const):
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript const):
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::matchesAll const):
+        * page/csp/ContentSecurityPolicySourceList.h:
+        * page/csp/ContentSecurityPolicySourceListDirective.cpp:
+        (WebCore::ContentSecurityPolicySourceListDirective::containsAllHashes const):
+        * page/csp/ContentSecurityPolicySourceListDirective.h:
+
</ins><span class="cx"> 2021-12-10  Alan Bujtas  <zalan@apple.com>
</span><span class="cx"> 
</span><span class="cx">         [LFC][IFC] Replace Vector<std::unique_ptr<DisplayBoxNode> with Vector<DisplayBoxTree::Node>
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderDocumentThreadableLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp 2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/loader/DocumentThreadableLoader.cpp    2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -685,7 +685,7 @@
</span><span class="cx">     case ContentSecurityPolicyEnforcement::EnforceConnectSrcDirective:
</span><span class="cx">         return contentSecurityPolicy().allowConnectToSource(url, redirectResponseReceived, preRedirectURL);
</span><span class="cx">     case ContentSecurityPolicyEnforcement::EnforceScriptSrcDirective:
</span><del>-        return contentSecurityPolicy().allowScriptFromSource(url, redirectResponseReceived, preRedirectURL);
</del><ins>+        return contentSecurityPolicy().allowScriptFromSource(url, redirectResponseReceived, preRedirectURL, m_options.integrity);
</ins><span class="cx">     }
</span><span class="cx">     ASSERT_NOT_REACHED();
</span><span class="cx">     return false;
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderResourceCryptographicDigestcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/ResourceCryptographicDigest.cpp (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/ResourceCryptographicDigest.cpp      2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/loader/ResourceCryptographicDigest.cpp 2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -71,7 +71,7 @@
</span><span class="cx"> 
</span><span class="cx">     StringView hashValue(beginHashValue, buffer.position() - beginHashValue);
</span><span class="cx"> 
</span><del>-    if (auto digest = base64Decode(hashValue, Base64DecodeOptions::ValidatePadding))
</del><ins>+    if (auto digest = base64Decode(hashValue))
</ins><span class="cx">         return ResourceCryptographicDigest { *algorithm, WTFMove(*digest) };
</span><span class="cx"> 
</span><span class="cx">     if (auto digest = base64URLDecode(hashValue))
</span><span class="lines">@@ -125,7 +125,7 @@
</span><span class="cx"> 
</span><span class="cx"> std::optional<ResourceCryptographicDigest> decodeEncodedResourceCryptographicDigest(const EncodedResourceCryptographicDigest& encodedDigest)
</span><span class="cx"> {
</span><del>-    if (auto digest = base64Decode(encodedDigest.digest, Base64DecodeOptions::ValidatePadding))
</del><ins>+    if (auto digest = base64Decode(encodedDigest.digest))
</ins><span class="cx">         return ResourceCryptographicDigest { encodedDigest.algorithm, WTFMove(*digest) };
</span><span class="cx"> 
</span><span class="cx">     if (auto digest = base64URLDecode(encodedDigest.digest))
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderSubresourceIntegritycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/SubresourceIntegrity.cpp (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/SubresourceIntegrity.cpp     2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/loader/SubresourceIntegrity.cpp        2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -96,7 +96,7 @@
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-static std::optional<Vector<EncodedResourceCryptographicDigest>> parseIntegrityMetadata(const String& integrityMetadata)
</del><ins>+std::optional<Vector<EncodedResourceCryptographicDigest>> parseIntegrityMetadata(const String& integrityMetadata)
</ins><span class="cx"> {
</span><span class="cx">     if (integrityMetadata.isEmpty())
</span><span class="cx">         return std::nullopt;
</span></span></pre></div>
<a id="trunkSourceWebCoreloaderSubresourceIntegrityh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/SubresourceIntegrity.h (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/SubresourceIntegrity.h       2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/loader/SubresourceIntegrity.h  2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -33,5 +33,6 @@
</span><span class="cx"> 
</span><span class="cx"> bool matchIntegrityMetadata(const CachedResource&, const String& integrityMetadata);
</span><span class="cx"> String integrityMismatchDescription(const CachedResource&, const String& integrityMetadata);
</span><ins>+std::optional<Vector<EncodedResourceCryptographicDigest>> parseIntegrityMetadata(const String& integrityMetadata);
</ins><span class="cx"> 
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceWebCoreloadercacheCachedResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp       2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp  2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -501,7 +501,7 @@
</span><span class="cx">     case CachedResource::Type::XSLStyleSheet:
</span><span class="cx"> #endif
</span><span class="cx">     case CachedResource::Type::Script:
</span><del>-        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, redirectResponseReceived, preRedirectURL))
</del><ins>+        if (!m_document->contentSecurityPolicy()->allowScriptFromSource(url, redirectResponseReceived, preRedirectURL, options.integrity))
</ins><span class="cx">             return false;
</span><span class="cx">         break;
</span><span class="cx">     case CachedResource::Type::CSSStyleSheet:
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp  2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.cpp     2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -52,6 +52,7 @@
</span><span class="cx"> #include "SecurityOrigin.h"
</span><span class="cx"> #include "SecurityPolicyViolationEvent.h"
</span><span class="cx"> #include "Settings.h"
</span><ins>+#include "SubresourceIntegrity.h"
</ins><span class="cx"> #include <JavaScriptCore/ScriptCallStack.h>
</span><span class="cx"> #include <JavaScriptCore/ScriptCallStackFactory.h>
</span><span class="cx"> #include <pal/crypto/CryptoDigest.h>
</span><span class="lines">@@ -339,7 +340,7 @@
</span><span class="cx">     for (auto& policy : m_policies) {
</span><span class="cx">         auto violatedDirectiveForNonParserInsertedScript = policy.get()->violatedDirectiveForParserInsertedScript(parserInserted);
</span><span class="cx">         auto violatedDirectiveForScriptNonce = policy.get()->violatedDirectiveForScriptNonce(nonce);
</span><del>-        auto violatedDirectiveForScriptSrc = policy.get()->violatedDirectiveForScript(url, false);
</del><ins>+        auto violatedDirectiveForScriptSrc = policy.get()->violatedDirectiveForScript(url, false, { });
</ins><span class="cx">         auto [foundHashInEnforcedPolicies, foundHashInReportOnlyPolicies] = findHashOfContentInPolicies(&ContentSecurityPolicyDirectiveList::violatedDirectiveForScriptHash, scriptContent, m_hashAlgorithmsForInlineScripts);
</span><span class="cx"> 
</span><span class="cx">         if (violatedDirectiveForNonParserInsertedScript && violatedDirectiveForScriptNonce && violatedDirectiveForScriptSrc && !foundHashInEnforcedPolicies) {
</span><span class="lines">@@ -640,12 +641,40 @@
</span><span class="cx">     return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::childSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForChildContext, preRedirectURL);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
</del><ins>+static Vector<ResourceCryptographicDigest> parseSubResourceIntegrityIntoDigests(const String& subResourceIntegrity)
</ins><span class="cx"> {
</span><ins>+    auto encodedDigests = parseIntegrityMetadata(subResourceIntegrity);
+    Vector<ResourceCryptographicDigest> decodedDigests;
+
+    if (!encodedDigests.has_value())
+        return { };
+
+    for (const auto& encodedDigest : encodedDigests.value()) {
+        auto decodedDigest = decodeEncodedResourceCryptographicDigest(encodedDigest);
+        if (decodedDigest.has_value())
+            decodedDigests.append(decodedDigest.value());
+    }
+
+    return decodedDigests;
+}
+
+bool ContentSecurityPolicy::allowScriptFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL, const String& subResourceIntegrity) const
+{
</ins><span class="cx">     if (shouldPerformEarlyCSPCheck())
</span><span class="cx">         return true;
</span><ins>+    if (LegacySchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol().toStringWithoutCopying()))
+        return true;
</ins><span class="cx"> 
</span><del>-    return allowResourceFromSource(url, redirectResponseReceived, ContentSecurityPolicyDirectiveNames::scriptSrc, &ContentSecurityPolicyDirectiveList::violatedDirectiveForScript, preRedirectURL);
</del><ins>+    String sourceURL;
+    const auto& blockedURL = !preRedirectURL.isNull() ? preRedirectURL : url;
+    TextPosition sourcePosition(OrdinalNumber::beforeFirst(), OrdinalNumber());
+    auto handleViolatedDirective = [&] (const ContentSecurityPolicyDirective& violatedDirective) {
+        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, blockedURL, "Refused to load");
+        reportViolation(ContentSecurityPolicyDirectiveNames::scriptSrc, violatedDirective, blockedURL.string(), consoleMessage, sourceURL, StringView(), sourcePosition);
+    };
+
+    auto subResourceIntegrityDigests = parseSubResourceIntegrityIntoDigests(subResourceIntegrity);
+    return allPoliciesAllow(WTFMove(handleViolatedDirective), &ContentSecurityPolicyDirectiveList::violatedDirectiveForScript, url, redirectResponseReceived == RedirectResponseReceived::Yes, subResourceIntegrityDigests);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool ContentSecurityPolicy::allowImageFromSource(const URL& url, RedirectResponseReceived redirectResponseReceived, const URL& preRedirectURL) const
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h    2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicy.h       2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -113,7 +113,7 @@
</span><span class="cx">     WEBCORE_EXPORT bool overridesXFrameOptions() const;
</span><span class="cx"> 
</span><span class="cx">     enum class RedirectResponseReceived { No, Yes };
</span><del>-    WEBCORE_EXPORT bool allowScriptFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
</del><ins>+    WEBCORE_EXPORT bool allowScriptFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL(), const String& = nullString()) const;
</ins><span class="cx">     bool allowImageFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
</span><span class="cx">     bool allowStyleFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
</span><span class="cx">     bool allowFontFromSource(const URL&, RedirectResponseReceived = RedirectResponseReceived::No, const URL& preRedirectURL = URL()) const;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp     2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp        2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -387,9 +387,13 @@
</span><span class="cx">     return m_pluginTypes.get();
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url, bool didReceiveRedirectResponse) const
</del><ins>+const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url, bool didReceiveRedirectResponse, const Vector<ResourceCryptographicDigest>& subResourceIntegrityDigests) const
</ins><span class="cx"> {
</span><span class="cx">     auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
</span><ins>+
+    if (operativeDirective->containsAllHashes(subResourceIntegrityDigests))
+        return nullptr;
+
</ins><span class="cx">     if (checkSource(operativeDirective, url, didReceiveRedirectResponse))
</span><span class="cx">         return nullptr;
</span><span class="cx">     return operativeDirective;
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicyDirectiveListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h       2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h  2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -75,7 +75,7 @@
</span><span class="cx">     const ContentSecurityPolicyDirective* violatedDirectiveForMedia(const URL&, bool didReceiveRedirectResponse) const;
</span><span class="cx">     const ContentSecurityPolicyDirective* violatedDirectiveForObjectSource(const URL&, bool didReceiveRedirectResponse, ContentSecurityPolicySourceListDirective::ShouldAllowEmptyURLIfSourceListIsNotNone) const;
</span><span class="cx">     const ContentSecurityPolicyDirective* violatedDirectiveForPluginType(const String& type, const String& typeAttribute) const;
</span><del>-    const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&, bool didReceiveRedirectResponse) const;
</del><ins>+    const ContentSecurityPolicyDirective* violatedDirectiveForScript(const URL&, bool didReceiveRedirectResponse, const Vector<ResourceCryptographicDigest>&) const;
</ins><span class="cx">     const ContentSecurityPolicyDirective* violatedDirectiveForStyle(const URL&, bool didReceiveRedirectResponse) const;
</span><span class="cx"> 
</span><span class="cx">     const ContentSecurityPolicyDirective* defaultSrc() const { return m_defaultSrc.get(); }
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp        2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp   2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -155,6 +155,19 @@
</span><span class="cx">     return false;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+bool ContentSecurityPolicySourceList::matchesAll(const Vector<ContentSecurityPolicyHash>& hashes) const
+{
+    if (hashes.isEmpty())
+        return false;
+
+    for (auto& hash : hashes) {
+        if (!m_hashes.contains(hash))
+            return false;
+    }
+
+    return true;
+}
+
</ins><span class="cx"> bool ContentSecurityPolicySourceList::matches(const String& nonce) const
</span><span class="cx"> {
</span><span class="cx">     if (nonce.isEmpty())
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h  2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceList.h     2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -45,6 +45,7 @@
</span><span class="cx"> 
</span><span class="cx">     bool matches(const URL&, bool didReceiveRedirectResponse) const;
</span><span class="cx">     bool matches(const Vector<ContentSecurityPolicyHash>&) const;
</span><ins>+    bool matchesAll(const Vector<ContentSecurityPolicyHash>&) const;
</ins><span class="cx">     bool matches(const String& nonce) const;
</span><span class="cx"> 
</span><span class="cx">     OptionSet<ContentSecurityPolicyHashAlgorithm> hashAlgorithmsUsed() const { return m_hashAlgorithmsUsed; }
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectivecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp       2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.cpp  2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -52,6 +52,11 @@
</span><span class="cx">     return m_sourceList.matches(nonce);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+bool ContentSecurityPolicySourceListDirective::containsAllHashes(const Vector<ContentSecurityPolicyHash>& hashes) const
+{
+    return m_sourceList.matchesAll(hashes);
+}
+
</ins><span class="cx"> bool ContentSecurityPolicySourceListDirective::allows(const Vector<ContentSecurityPolicyHash>& hashes) const
</span><span class="cx"> {
</span><span class="cx">     return m_sourceList.matches(hashes);
</span></span></pre></div>
<a id="trunkSourceWebCorepagecspContentSecurityPolicySourceListDirectiveh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h (286852 => 286853)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h 2021-12-10 16:33:19 UTC (rev 286852)
+++ trunk/Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h    2021-12-10 16:56:55 UTC (rev 286853)
</span><span class="lines">@@ -40,6 +40,7 @@
</span><span class="cx">     enum class ShouldAllowEmptyURLIfSourceListIsNotNone { No, Yes };
</span><span class="cx">     bool allows(const URL&, bool didReceiveRedirectResponse, ShouldAllowEmptyURLIfSourceListIsNotNone);
</span><span class="cx">     bool allows(const Vector<ContentSecurityPolicyHash>&) const;
</span><ins>+    bool containsAllHashes(const Vector<ContentSecurityPolicyHash>&) const;
</ins><span class="cx">     bool allowUnsafeHashes(const Vector<ContentSecurityPolicyHash>&) const;
</span><span class="cx">     bool allows(const String& nonce) const;
</span><span class="cx">     bool allowInline() const { return m_sourceList.allowInline(); }
</span></span></pre>
</div>
</div>

</body>
</html>