REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self'

https://bugs.webkit.org/show_bug.cgi?id=156935
<rdar://problem/25351286>

Reviewed by Darin Adler.

Source/WebCore:

Fixes an issue where subresource load may be blocked by the Content Security Policy (CSP) if its URL only matched 'self'. In particular, the load would be blocked if initiated from a document that inherited the origin of its owner document (e.g. the document contained in <iframe src="about:blank"></iframe>).

Following r196012 we compute and cache 'self' and its protocol on instantiation of a ContentSecurityPolicy object for use when matching a URL against it. These cached values become out-of-date if the document subsequently inherits the origin of its owner document. Therefore matches against 'self' will fail and CSP will block a load if it's not otherwise allowed by the policy. Previously we would compute 'self' when parsing the definition of a source list and compute the protocol for 'self' each time we tried to match a URL against 'self'. So, 'self' would always be up-to-date with respect to the origin of the document.

Tests: http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html
       http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Extract out logic for computing and caching 'self' and its protocol into ContentSecurityPolicy::updateSourceSelf() and make use of this function.
(WebCore::ContentSecurityPolicy::updateSourceSelf): Computes and caches 'self' and its protocol with respect to the specified SecurityOrigin.
(WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): Call ContentSecurityPolicy::updateSourceSelf() to ensure that we have an up-to-date representation for 'self' and the protocol of 'self' which can become out-of-date if the document inherited the origin of its owner document.
* page/csp/ContentSecurityPolicy.h:

LayoutTests:

Add tests to ensure that we match 'self' correctly in an iframe with an about:blank document.

* http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html: Added.
* http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html: Added.

Canonical link: https://commits.webkit.org/175086@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200030 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Showing 8 changed files with 110 additions and 5 deletions.
7 changes: 7 additions & 0 deletions
.../contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
ALERT: PASS | ||
|
||
|
||
-------- | ||
Frame: 'frame' | ||
-------- | ||
|
25 changes: 25 additions & 0 deletions
...security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"> | ||
</head> | ||
<body> | ||
<iframe src="about:blank" id="frame"></iframe> | ||
<script> | ||
if (window.testRunner) { | ||
testRunner.dumpAsText(); | ||
testRunner.dumpChildFramesAsText(); | ||
testRunner.waitUntilDone(); | ||
} | ||
|
||
function appendTestScriptToDocument(contentDocument) | ||
{ | ||
var script = contentDocument.createElement("script"); | ||
script.src = "resources/alert-pass-and-notify-done.js"; | ||
contentDocument.body.appendChild(script); | ||
} | ||
|
||
appendTestScriptToDocument(document.getElementById("frame").contentDocument); | ||
</script> | ||
</body> | ||
</html> |
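Review bot: appendTestScriptToDocument() attaches no error handler to the injected script, while the test calls testRunner.waitUntilDone() and the only visible route to completion is the external resources/alert-pass-and-notify-done.js. If CSP blocks that load again, nothing in this file ends the test, so the failure would show up as a timeout instead of an explicit result. Consider setting script.onerror to alert a FAIL message and call testRunner.notifyDone(), so that a blocked 'self' match is reported directly. A one-line comment noting that 'unsafe-inline' is in the policy only to let this inline driver script run would also help, since the behaviour under test is the 'self' match inside the about:blank frame.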
2 changes: 2 additions & 0 deletions
...ests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
ALERT: PASS | ||
|
13 changes: 13 additions & 0 deletions
LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
<!DOCTYPE html> | ||
<html> | ||
<head> | ||
<script> | ||
if (window.testRunner) | ||
testRunner.dumpAsText(); | ||
</script> | ||
<meta http-equiv="Content-Security-Policy" content="script-src 'self'"> | ||
</head> | ||
<body> | ||
<iframe srcdoc='<script src="resources/alert-pass.js"></script>'></iframe> | ||
</body> | ||
</html> |
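Review bot: The inline testRunner.dumpAsText() script in <head> runs only because it precedes the <meta http-equiv="Content-Security-Policy"> element, whose policy is script-src 'self' with no 'unsafe-inline'. That ordering dependency is undocumented, and moving the <meta> above the script would silently stop dumpAsText() from being called. Please add a short comment stating that the script must stay ahead of the policy. It would also be worth a sentence in the test describing what is being checked (that resources/alert-pass.js, requested from the srcdoc document, matches the parent's 'self'), since the file currently gives no description and, unlike the about:blank test, does not call dumpChildFramesAsText().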