-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Cherry-pick 272448.100@safari-7618-branch (7f3ac60). https://bugs.web…
…kit.org/show_bug.cgi?id=264811 Content-Type x-mixed-replace can be abused to bypass CSP https://bugs.webkit.org/show_bug.cgi?id=264811 rdar://118394343 Reviewed by John Wilander and Brent Fulgham. When replacing the document in a multipart/x-mixed-replace response, the DocumentLoader would reset its CSP every time a new response was received. This change makes the CSP persistent across document replacements when loading multipart content. Now the CSP can only become more restrictive as new parts are received. * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part-expected.txt: Added. * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part.py: Added. * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part-expected.txt: Added. * LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part.py: Added. * Source/WebCore/loader/DocumentLoader.cpp: (WebCore::DocumentLoader::shouldClearContentSecurityPolicyForResponse const): (WebCore::DocumentLoader::responseReceived): * Source/WebCore/loader/DocumentLoader.h: Canonical link: https://commits.webkit.org/272448.100@safari-7618-branch Canonical link: https://commits.webkit.org/274313.62@webkitglib/2.44
- Loading branch information
Showing
6 changed files
with
53 additions
and
4 deletions.
There are no files selected for viewing
6 changes: 6 additions & 0 deletions
6
LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part-expected.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/contentSecurityPolicy/multipart-three-part.py' because the document's frame is sandboxed and the 'allow-scripts' permission is not set. | ||
layer at (0,0) size 800x600 | ||
RenderView at (0,0) size 800x600 | ||
layer at (0,0) size 800x600 | ||
RenderBlock {HTML} at (0,0) size 800x600 | ||
RenderBody {BODY} at (8,8) size 784x584 |
15 changes: 15 additions & 0 deletions
15
LayoutTests/http/tests/security/contentSecurityPolicy/multipart-three-part.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
#!/usr/bin/env python3 | ||
|
||
import sys | ||
|
||
sys.stdout.write( | ||
'Content-Type: multipart/x-mixed-replace; boundary=TEST\r\n' | ||
'Content-Security-Policy: sandbox\r\n\r\n' | ||
'--TEST\r\n' | ||
'Content-Type: text/html\r\n\r\n' | ||
'--TEST\r\n' | ||
'Content-Type: text/html\r\n' | ||
'Content-Security-Policy:\r\n\r\n' | ||
'<script>alert("FAIL")</script>\r\n' | ||
'--TEST--' | ||
) |
6 changes: 6 additions & 0 deletions
6
LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part-expected.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
CONSOLE MESSAGE: Blocked script execution in 'http://127.0.0.1:8000/security/contentSecurityPolicy/multipart-two-part.py' because the document's frame is sandboxed and the 'allow-scripts' permission is not set. | ||
layer at (0,0) size 800x600 | ||
RenderView at (0,0) size 800x600 | ||
layer at (0,0) size 800x600 | ||
RenderBlock {HTML} at (0,0) size 800x600 | ||
RenderBody {BODY} at (8,8) size 784x584 |
13 changes: 13 additions & 0 deletions
13
LayoutTests/http/tests/security/contentSecurityPolicy/multipart-two-part.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
#!/usr/bin/env python3 | ||
|
||
import sys | ||
|
||
sys.stdout.write( | ||
'Content-Type: multipart/x-mixed-replace; boundary=TEST\r\n' | ||
'Content-Security-Policy: sandbox\r\n\r\n' | ||
'--TEST\r\n' | ||
'Content-Type: text/html\r\n' | ||
'Content-Security-Policy:\r\n\r\n' | ||
'<script>alert("FAIL")</script>\r\n' | ||
'--TEST--' | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters