Commit
[CSP] Implement prefetch-src directive
https://bugs.webkit.org/show_bug.cgi?id=185070
rdar://problem/39821187

Reviewed by Brent Fulgham.

Implement the prefetch-src CSP directive. <link rel=prefetch> is behind a runtime flag. If a user chooses to enable LinkPrefetch then the prefetch-src directive will apply to any resources that may be prefetched. In the default case, we can parse the directive but will not take any action since we won't perform prefetches.

* LayoutTests/http/tests/security/contentSecurityPolicy/prefetch-src: These tests mirror the same behavior being tested by the WPT suite but since we don't support onload/onerror events for prefetched link resources we need to use our own test infrastructure to cover this behavior.
* LayoutTests/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-allowed-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-allowed.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked-by-default-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked-by-default.html: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked-expected.txt: Added.
* LayoutTests/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked.html: Added.
* LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-allowed-expected.txt: Added.
* LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked-by-default-expected.txt: Added.
* LayoutTests/platform/win/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked-expected.txt: Added.
* Source/WebCore/loader/LinkLoader.cpp:
(WebCore::LinkLoader::prefetchIfNeeded):
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::allowedByContentSecurityPolicy const):
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowPrefetchFromSource const):
* Source/WebCore/page/csp/ContentSecurityPolicy.h:
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForPrefetch const):
(WebCore::ContentSecurityPolicyDirectiveList::addDirective):
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h:
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp:
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h:

Canonical link: https://commits.webkit.org/255653@main
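The decision the commit message describes, prefetch-src governing prefetches and default-src taking over when prefetch-src is absent, as an added example that is not WebKit's code: a small JavaScript model of the source-list check, run against the document origin, request URLs and policies used by the three tests in this commit, plus host-source cases (scheme, wildcard host, port, path prefix) that the tests do not cover. The function names (parsePolicy, sourceMatches, checkPrefetch), the subset of source expressions handled, and the demo origins are this example's own choices; the two refusal messages are copied from the -expected.txt files so the outcomes can be compared directly.

```javascript
// Added example, not WebKit code: a minimal model of the decision a CSP
// implementation makes for a <link rel=prefetch> request. It covers 'none',
// 'self', scheme-sources ("https:") and host-sources such as
// "https://cdn.example.com:8443/static/" or "*.example.com". Nonces, hashes,
// 'strict-dynamic', redirects and report-only policies are out of scope.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// "prefetch-src 'self'; default-src 'none'" -> Map { "prefetch-src" => ["'self'"], ... }.
// CSP ignores a directive repeated within one policy, so only the first copy counts.
function parsePolicy(policyText) {
  const directives = new Map();
  for (const part of policyText.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// "http:" also admits "https:", the one scheme upgrade CSP Level 3 permits.
function schemeMatches(expected, actual) {
  return expected === actual || (expected === "http:" && actual === "https:");
}

// [scheme://] host [:port] [/path], with "*" allowed as host, host prefix, or port.
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?(\*|(?:\*\.)?[^\/:*\s]+)(?::(\d+|\*))?(\/\S*)?$/i;

// Does one source expression admit `url` for a document at `documentOrigin`?
function sourceMatches(source, url, documentOrigin) {
  const lowered = source.toLowerCase();
  if (lowered === "'none'") return false;
  if (lowered === "'self'") return url.origin === documentOrigin.origin;
  if (lowered.startsWith("'")) return false; // other keywords, nonces, hashes: never a host match
  if (/^[a-z][a-z0-9+.-]*:$/.test(lowered)) return schemeMatches(lowered, url.protocol);
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Scheme: the expression's own if given, otherwise the document's.
  if (!schemeMatches((scheme || documentOrigin.protocol).toLowerCase(), url.protocol)) return false;
  // Host: "*" is any host; "*.example.com" is any subdomain but not example.com itself.
  const h = host.toLowerCase(), target = url.hostname.toLowerCase();
  if (h !== "*" && (h.startsWith("*.") ? !target.endsWith(h.slice(1)) : h !== target)) return false;
  // Port: absent means the default port for the URL's scheme; "*" is any port.
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || "";
  if (port === undefined ? url.port !== "" : port !== "*" && port !== urlPort) return false;
  // Path: a trailing "/" is a prefix match, anything else must be exact.
  if (path && path !== "/" && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) return false;
  return true;
}

// The fallback this commit implements: prefetch-src governs prefetches and,
// when it is absent, default-src is consulted instead. The two refusal
// messages are the ones the -expected.txt files in this commit show.
function checkPrefetch(policyText, documentOriginText, requestUrlText) {
  const directives = parsePolicy(policyText);
  const documentOrigin = new URL(documentOriginText);
  const url = new URL(requestUrlText, documentOriginText);
  const governing = directives.has("prefetch-src") ? "prefetch-src"
    : directives.has("default-src") ? "default-src" : null;
  if (governing === null || directives.get(governing).some((s) => sourceMatches(s, url, documentOrigin))) {
    return { allowed: true, violatedDirective: null, message: null };
  }
  const reason = governing === "prefetch-src"
    ? "it does not appear in the prefetch-src directive"
    : "it appears in neither the prefetch-src directive nor the default-src directive";
  return {
    allowed: false,
    violatedDirective: governing,
    message: `Refused to load ${url.href} because ${reason} of the Content Security Policy.`,
  };
}

// The three situations the tests in this commit set up, with the document
// served from http://127.0.0.1:8000 as the expected console messages assume.
const DOC = "http://127.0.0.1:8000";
const SAME = "http://127.0.0.1:8000/cache/resources/prefetched-main-resource.py";
const CROSS = "http://localhost:8000/cache/resources/prefetched-main-resource.py";
for (const [policy, target] of [
  ["prefetch-src 'self'", SAME],                                   // allowed
  ["default-src 'none'; script-src 'unsafe-inline' 'self'", SAME], // blocked via default-src
  ["prefetch-src 'self'", CROSS],                                  // blocked via prefetch-src
]) {
  const r = checkPrefetch(policy, DOC, target);
  console.log(`${policy} | ${target} -> ${r.allowed ? "allowed" : r.message}`);
}
```

Two details worth noticing when reading the tests against this model: a host-source with no port (`127.0.0.1`) does not admit `127.0.0.1:8000`, which is why the tests lean on `'self'` rather than spelling out the host, and a policy with neither prefetch-src nor default-src places no restriction on prefetches at all.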
Showing 17 changed files with 135 additions and 1 deletion.
...ests/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-allowed-expected.txt (1 change: 1 addition & 0 deletions)
@@ -0,0 +1 @@ | ||
PASS |
LayoutTests/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-allowed.html (32 changes: 32 additions & 0 deletions)
@@ -0,0 +1,32 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="prefetch-src 'self'"> | ||
<script> | ||
if (window.testRunner) { | ||
testRunner.waitUntilDone(); | ||
testRunner.dumpAsText(); | ||
} | ||
function runTest() { | ||
var link = document.createElement("link"); | ||
link.rel = "prefetch"; | ||
link.href = `${window.origin}/cache/resources/prefetched-main-resource.py`; | ||
window.addEventListener("securitypolicyviolation", () => { | ||
document.getElementById("log").innerText = ("FAIL: prefetch was blocked by CSP"); | ||
testRunner.notifyDone(); | ||
}); | ||
if (internals) { | ||
internals.addPrefetchLoadEventListener(link, () => { | ||
document.getElementById("log").innerText = "PASS"; | ||
testRunner.notifyDone(); | ||
}); | ||
} | ||
|
||
document.body.appendChild(link); | ||
} | ||
</script> | ||
</head> | ||
<body onload="runTest()"> | ||
<div id="log"></div> | ||
</body> | ||
</html> |
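Review bot: `if (internals)` in runTest() is an unguarded reference and throws a ReferenceError whenever this page runs outside the test harness, since `internals` is not declared there; write `if (window.internals)` to match the `if (window.testRunner)` check above it, and guard the two testRunner.notifyDone() calls the same way. Also worth stating in the file how LinkPrefetch gets enabled: the commit message says <link rel=prefetch> is behind a runtime flag and nothing in this test turns it on, so if the harness leaves it off neither the load callback nor a securitypolicyviolation ever fires and the test ends in the notifyDone timeout instead of a PASS or FAIL line.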
...ests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked-by-default-expected.txt (2 changes: 2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/cache/resources/prefetched-main-resource.py because it appears in neither the prefetch-src directive nor the default-src directive of the Content Security Policy. | ||
PASS |
...s/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked-by-default.html (35 changes: 35 additions & 0 deletions)
@@ -0,0 +1,35 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline' 'self'"> | ||
<script> | ||
if (window.testRunner) { | ||
testRunner.waitUntilDone(); | ||
testRunner.dumpAsText(); | ||
} | ||
|
||
function runTest() { | ||
let link = document.createElement("link"); | ||
link.rel = "prefetch"; | ||
link.href = `${window.origin}/cache/resources/prefetched-main-resource.py`; | ||
|
||
window.addEventListener("securitypolicyviolation", () => { | ||
document.getElementById("log").innerText = "PASS"; | ||
testRunner.notifyDone(); | ||
}); | ||
|
||
if (internals) { | ||
internals.addPrefetchLoadEventListener(link, () => { | ||
document.getElementById("log").innerText = "FAIL: default-src blocked prefetch was allowed."; | ||
testRunner.notifyDone(); | ||
}); | ||
} | ||
|
||
document.body.appendChild(link); | ||
} | ||
</script> | ||
</head> | ||
<body onload="runTest()"> | ||
<div id="log"></div> | ||
</body> | ||
</html> |
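Review bot: the `if (internals)` guard has the same ReferenceError problem as in prefetch-allowed.html; use `window.internals`. The meta policy exercises the default-src fallback only because prefetch-src is absent, which deserves a one-line comment in the file so nobody later "completes" the policy with a prefetch-src entry and silently changes what is covered; `'self'` in script-src is unused here (the only script is inline) and can go. Minor: this file uses `let` where the other two tests use `var`.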
...ests/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked-expected.txt (2 changes: 2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
CONSOLE MESSAGE: Refused to load http://localhost:8000/cache/resources/prefetched-main-resource.py because it does not appear in the prefetch-src directive of the Content Security Policy. | ||
PASS |
LayoutTests/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked.html (32 changes: 32 additions & 0 deletions)
@@ -0,0 +1,32 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="prefetch-src 'self'"> | ||
<script> | ||
if (window.testRunner) { | ||
testRunner.waitUntilDone(); | ||
testRunner.dumpAsText(); | ||
} | ||
function runTest() { | ||
var link = document.createElement("link"); | ||
link.rel = "prefetch"; | ||
link.href = "http://localhost:8000/cache/resources/prefetched-main-resource.py"; | ||
window.addEventListener("securitypolicyviolation", () => { | ||
document.getElementById("log").innerText = "PASS"; | ||
testRunner.notifyDone(); | ||
}); | ||
if (internals) { | ||
internals.addPrefetchLoadEventListener(link, () => { | ||
document.getElementById("log").innerText = "FAIL: prefetch was not blocked by CSP."; | ||
testRunner.notifyDone(); | ||
}); | ||
} | ||
|
||
document.body.appendChild(link); | ||
} | ||
</script> | ||
</head> | ||
<body onload="runTest()"> | ||
<div id="log"></div> | ||
</body> | ||
</html> |
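Review bot: the block depends on `http://localhost:8000` being a different origin from the document, which holds only when the test is served from 127.0.0.1:8000 as the -expected.txt assumes; a comment stating that (the allowed test derives its same-origin URL from `window.origin`, so the contrast should be explicit) would make the intent clear to the next reader. Same unguarded `if (internals)` as the other two files.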
.../win/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-allowed-expected.txt (2 changes: 2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
FAIL: Timed out waiting for notifyDone to be called | ||
|
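Review bot: this file, like the two platform/win -expected.txt files that follow it, records a harness timeout ("FAIL: Timed out waiting for notifyDone to be called") as the expected result, so the win bots pass while the directive is unverified on that platform and a later regression that times out for an unrelated reason would still match the baseline. The usual way to record a known platform gap is a [ Skip ] or [ Failure ] line with a bug reference in platform/win TestExpectations rather than landing FAIL output as the expectation.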
...ests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked-by-default-expected.txt (2 changes: 2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
FAIL: Timed out waiting for notifyDone to be called | ||
|
.../win/http/tests/security/contentSecurityPolicy/prefetch-src/prefetch-blocked-expected.txt (2 changes: 2 additions & 0 deletions)
@@ -0,0 +1,2 @@ | ||
FAIL: Timed out waiting for notifyDone to be called | ||
|