<video> and <audio> elements do not obey Content Security Policy on redirect
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 16 Mar 2016 19:46:49 +0000 (19:46 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 16 Mar 2016 19:46:49 +0000 (19:46 +0000)
commit022cf8d60168696cf42e3af1a2abd6150795b135
tree468effe7f7d46c5f77a5538ac97409a811536cae
parent9d074ab325bff720ebde2b2d5e4ec2b9e172a0da
<video> and <audio> elements do not obey Content Security Policy on redirect
https://bugs.webkit.org/show_bug.cgi?id=155509
<rdar://problem/10234844>

Reviewed by Alex Christensen.

Source/WebCore:

Fixes an issue where the Content Security Policy of the page was not enforced
on redirects when loading a media subresource via an HTML video or HTML audio
element.

Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/font-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/font-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/image-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/image-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/script-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/script-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/track-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/track-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/video-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/video-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html

* inspector/InspectorPageAgent.cpp:
(WebCore::InspectorPageAgent::cachedResourceContent): Treat media resources as raw resources just as we do currently.
(WebCore::InspectorPageAgent::cachedResourceType): Ditto.
* loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::requestResource): Modified to use CachedResourceLoader::requestMedia() instead
of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
more details.
* loader/ResourceLoadInfo.cpp:
(WebCore::toResourceType): Treat media resources as raw resources just as we do currently. Also, add cases for
CachedResource::LinkPrefetch and CachedResource::LinkSubresource (when ENABLE(LINK_PREFETCH) is enabled) and
remove the default statement to force a compile-time error when a new CachedResource enumerator is added and
the switch block in this function is not updated.
* loader/SubresourceLoader.cpp:
(WebCore::logResourceLoaded): Ditto.
* loader/cache/CachedRawResource.cpp:
(WebCore::CachedRawResource::CachedRawResource): Substitute CachedResource::isMainOrMediaOrRawResource() for
CachedResource::isMainOrRawResource() as the latter was renamed to the former.
* loader/cache/CachedRawResource.h:
(isType): Ditto.
* loader/cache/CachedResource.cpp:
(WebCore::defaultPriorityForResourceType): Use priority ResourceLoadPriority::Medium for media resources just as
we do currently.
* loader/cache/CachedResource.h:
(WebCore::CachedResource::isMainOrMediaOrRawResource): Formerly named isMainOrRawResource. Returns true if the type
of this resource is a main resource, media resource, or raw resource.
(WebCore::CachedResource::isMainOrRawResource): Deleted.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::createResource): Treat media resources as raw resources just as we do currently.
(WebCore::CachedResourceLoader::requestMedia): Added.
(WebCore::contentTypeFromResourceType): Consider media resources as MixedContentChecker::ContentType::Active
just as we do currently.
(WebCore::CachedResourceLoader::checkInsecureContent): Apply the mixed content policy to media resources
just as we do currently.
(WebCore::CachedResourceLoader::canRequest): Apply the Same Origin Policy to media resources just as we
do currently. Query the Content Security Policy of the page to determine if the media resource can be
requested.
(WebCore::CachedResourceLoader::determineRevalidationPolicy): Substitute CachedResource::isMainOrMediaOrRawResource()
for CachedResource::isMainOrRawResource() as the latter was renamed to the former.
* loader/cache/CachedResourceLoader.h:
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::startLoading): Modified to use CachedResourceLoader::requestMedia() instead
of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
more details. Additionally, simplified code that determined whether to request the media resource or error out
by coalescing two conditional expressions into one conditional on whether we have a loader and substituted
nullptr for 0.

Source/WebKit2:

Use 0ms as the maximum buffering time for media resource just as we do currently.

* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::maximumBufferingTime):

LayoutTests:

Add tests to ensure that the Content Security Policy is enforced on redirects when
loading a subresource, including a video or audio file.

* http/tests/resources/redirect.php: Fix PHP "undefined index" warnings when either query
parameter code or refresh (or both) are not specified.
* http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/resources/ABCFont.svg: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg.
* http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl: Added.
* http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl: Added.
* http/tests/security/contentSecurityPolicy/resources/green-square.svg: Added.
* http/tests/security/contentSecurityPolicy/resources/red-square.svg: Added.
* http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php: Added.
* http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html:
* http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html: Added.
* platform/efl/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. We will also need to fix
<https://bugs.webkit.org/show_bug.cgi?id=153866> before we can unskip test http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html
As far as I can tell the functionality exercised by these tests is not being using by the EFL port.
* platform/gtk/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. As far as I can tell the functionality
exercised by these tests is not being using by the GTK port.
* platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added expected failure result as
AV Foundation is responsible for loading media on iOS. That is, WebCore is not responsible for loading media.
* platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Ditto.
* platform/mac/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. The functionality exercised by these
tests is not used on OS X. Additionally, mark as Failure on Yosemite and ElCapitan the added tests
http/tests/security/contentSecurityPolicy/{video, audio}-redirect-blocked.html as we do not support
Content Security Policy for media redirects in these versions of OS X.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198292 268f45cc-cd09-0410-ab3c-d52691b4dbfc
69 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/resources/redirect.php
LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/ABCFont.svg [moved from LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg with 100% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/green-square.svg [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/red-square.svg [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html
LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html [new file with mode: 0644]
LayoutTests/platform/efl/TestExpectations
LayoutTests/platform/gtk/TestExpectations
LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/platform/mac/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/inspector/InspectorPageAgent.cpp
Source/WebCore/loader/MediaResourceLoader.cpp
Source/WebCore/loader/ResourceLoadInfo.cpp
Source/WebCore/loader/SubresourceLoader.cpp
Source/WebCore/loader/cache/CachedRawResource.cpp
Source/WebCore/loader/cache/CachedRawResource.h
Source/WebCore/loader/cache/CachedResource.cpp
Source/WebCore/loader/cache/CachedResource.h
Source/WebCore/loader/cache/CachedResourceLoader.cpp
Source/WebCore/loader/cache/CachedResourceLoader.h
Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp