CSP: Fix script-src-elem policies in workers
https://bugs.webkit.org/show_bug.cgi?id=239840

Reviewed by Kate Cheney.

Source/WebCore:

Test: http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem.html

* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript const):

LayoutTests:

CSP: Fix script-src-elem policies in workers

* http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem.html: Added.

Canonical link: https://commits.webkit.org/250386@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@293940 268f45cc-cd09-0410-ab3c-d52691b4dbfc
TingPing committed May 7, 2022
1 parent e4eee4b commit e40c1e30bd615d24d1635e29f3556625fe626e6a
Showing 5 changed files with 55 additions and 1 deletion.
@@ -1,3 +1,15 @@
2022-05-06 Patrick Griffis <pgriffis@igalia.com>

CSP: Fix script-src-elem policies in workers
https://bugs.webkit.org/show_bug.cgi?id=239840

Reviewed by Kate Cheney.

CSP: Fix script-src-elem policies in workers

* http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem.html: Added.

2022-05-06 Karl Rackler <rackler@apple.com>

[Gardening] REGRESSION (r293117): [ iOS ] fast/innerHTML/001.html is a flaky image failure
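Review bot: The LayoutTests ChangeLog entry repeats the title "CSP: Fix script-src-elem policies in workers" in the place where the description belongs, so it never says what the new test checks. Replace the second copy with one sentence naming the policy under test (script-src 'strict-dynamic' together with script-src-elem, applied to a worker requested with type=importscripts).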
@@ -0,0 +1,2 @@
ALERT: importScripts allowed

@@ -0,0 +1,28 @@
<!DOCTYPE html>
<html>
<head>
<script>
if (window.testRunner) {
testRunner.waitUntilDone();
testRunner.dumpAsText();
}
</script>
</head>
<body>
<script>
try {
var worker = new Worker('http://127.0.0.1:8000/security/contentSecurityPolicy/resources/worker.py?type=importscripts&csp=' +
encodeURIComponent("script-src 'strict-dynamic'; script-src-elem localhost:8000"));
worker.onmessage = function (event) {
alert(event.data);
if (window.testRunner)
testRunner.notifyDone();
};
} catch (e) {
alert(e);
if (window.testRunner)
testRunner.notifyDone();
}
</script>
</body>
</html>
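Review bot: The test sets worker.onmessage but no worker.onerror, so a worker that fails to load or throws leaves testRunner.waitUntilDone() pending and the run ends as a timeout rather than a readable failure; the try/catch only covers a synchronous throw from the Worker constructor. Add an onerror handler that alerts the error and calls testRunner.notifyDone(). The only expectation is "ALERT: importScripts allowed", so a companion case in which the same directives are expected to block the import would show that the fix does not simply loosen enforcement.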
@@ -1,3 +1,15 @@
2022-05-06 Patrick Griffis <pgriffis@igalia.com>

CSP: Fix script-src-elem policies in workers
https://bugs.webkit.org/show_bug.cgi?id=239840

Reviewed by Kate Cheney.

Test: http/tests/security/contentSecurityPolicy/script-src-strict-dynamic-and-script-src-elem.html

* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::violatedDirectiveForScript const):

2022-05-06 Tim Nguyen <ntim@apple.com>

Use dynamicDowncast in getPathFromPathOperation()
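Review bot: The WebCore entry for violatedDirectiveForScript is left empty after the colon, so the ChangeLog does not record what changed inside the function. One line stating that the lookup now starts from m_scriptSrcElem and goes through operativeDirectiveScript would let a reader understand the fix without opening the diff.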
@@ -408,7 +408,7 @@ const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violat

const ContentSecurityPolicyDirective* ContentSecurityPolicyDirectiveList::violatedDirectiveForScript(const URL& url, bool didReceiveRedirectResponse, const Vector<ResourceCryptographicDigest>& subResourceIntegrityDigests, const String& nonce) const
{
auto* operativeDirective = this->operativeDirective(m_scriptSrc.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);
auto* operativeDirective = this->operativeDirectiveScript(m_scriptSrcElem.get(), ContentSecurityPolicyDirectiveNames::scriptSrcElem);

if (!operativeDirective
|| operativeDirective->containsAllHashes(subResourceIntegrityDigests)
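Review bot: The replacement line in violatedDirectiveForScript changes two things at once, the helper (operativeDirective becomes operativeDirectiveScript) and the member passed in (m_scriptSrc becomes m_scriptSrcElem), and nothing in the code says which of the two the worker case depends on. The removed line paired m_scriptSrc with the name ContentSecurityPolicyDirectiveNames::scriptSrcElem, which looks like the actual mismatch; a short comment above the call describing the intended fallback order would keep that pairing from being reintroduced. It is also worth confirming that no other lookup in this file passes one directive's member alongside another directive's name.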
