CSP: Should only execute <script> or apply <style> if its hash appears in all policies
author: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Mar 2016 21:27:07 +0000 (21:27 +0000)
committer: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 22 Mar 2016 21:27:07 +0000 (21:27 +0000)
commit: 0e9196a79c337e8b23917a57c4eb9c0e1f6c047e
tree: b75a24ebe9598338f29a382557ab370c2120eb9c
parent: 43f2caf10803002bd37cc5dd3ea38942302c55c4
CSP: Should only execute <script> or apply <style> if its hash appears in all policies
https://bugs.webkit.org/show_bug.cgi?id=155709
<rdar://problem/25263368>

Reviewed by Darin Adler.

Source/WebCore:

Fixes an issue where a <script>/<style> was allowed to execute/be applied if its hash is listed
in at least one Content Security Policy (CSP) delivered with the page. We should only execute/apply
such a script/stylesheet if its hash is listed in all CSPs delivered with the page.

Tests: http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies.html
       http/tests/security/contentSecurityPolicy/1.1/stylehash-multiple-policies.html

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::isAllowedByAllWithHash): Added. Checks if the specified hash is allowed by all policies.
(WebCore::isAllowedByAllWithHashFromContent): Modified to call WebCore::isAllowedByAllWithHash()
to determine if the <script>/<style> is allowed by all CSPs delivered with the page.

LayoutTests:

Add tests to ensure that we only execute/apply a <script>/<style> if its hash is listed in all CSPs
delivered with the page.

* TestExpectations: Mark added tests as PASS so that we run them.
* http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/stylehash-multiple-policies-expected.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/stylehash-multiple-policies.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198551 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-multiple-policies.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-multiple-policies-expected.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/stylehash-multiple-policies.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicy.cpp
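
The any-versus-all distinction described in the commit message, as an added Python example (not WebKit's code and not part of this commit). All function names are hypothetical, the inline scripts and policies are constructed, and the model assumes only `'sha256-…'` sources in the named directive, with no `default-src` fallback or `'unsafe-inline'` handling.

```python
import base64
import hashlib


def content_hash(text):
    """CSP hash-source value for inline content: 'sha256-' + base64(SHA-256(text))."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def parse_hashes(policy, directive):
    """Hashes listed for `directive` in one policy, or None if the directive is absent."""
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            sources = (t.strip("'") for t in tokens[1:])
            return {s for s in sources if s.startswith("sha256-")}
    return None


def listed_in_any(policies, directive, text):
    """Model of the behaviour the commit fixes: one policy listing the hash is enough."""
    h = content_hash(text)
    return any(h in (parse_hashes(p, directive) or set()) for p in policies)


def allowed_by_all(policies, directive, text):
    """Model of the fixed behaviour: every policy that has the directive must list the hash."""
    h = content_hash(text)
    for policy in policies:
        allowed = parse_hashes(policy, directive)
        if allowed is not None and h not in allowed:
            return False  # this policy restricts the directive and does not list the hash
    return True


# Constructed sample: two policies delivered with the same page.
SCRIPT_1 = "document.title = 'one';"
SCRIPT_2 = "document.title = 'two';"
POLICY_A = f"script-src '{content_hash(SCRIPT_1)}' '{content_hash(SCRIPT_2)}'"
POLICY_B = f"img-src 'self'; script-src '{content_hash(SCRIPT_1)}'"
POLICIES = [POLICY_A, POLICY_B]

if __name__ == "__main__":
    for name, script in (("SCRIPT_1", SCRIPT_1), ("SCRIPT_2", SCRIPT_2)):
        print(name, "any:", listed_in_any(POLICIES, "script-src", script),
              "all:", allowed_by_all(POLICIES, "script-src", script))
```

SCRIPT_2 is the case the added layout tests target: it is listed only in POLICY_A, so an at-least-one check would run it while the all-policies check blocks it.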