CSP: Content Security Policy directive, upgrade-insecure-requests (UIR)
authorbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 4 Jun 2016 07:20:17 +0000 (07:20 +0000)
committerbfulgham@apple.com <bfulgham@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 4 Jun 2016 07:20:17 +0000 (07:20 +0000)
commit13e061b2d0ca8c3688c4bef479746d56fd197e6b
treef1a8f6fccab033c829983e8a564867ea1f4f688c
parente0ec459893f6ba90177be47ef0e325ecb6db81da
CSP: Content Security Policy directive, upgrade-insecure-requests (UIR)
https://bugs.webkit.org/show_bug.cgi?id=143653
<rdar://problem/23032067>

Reviewed by Andy Estes.

Source/WebCore:

Modify our loading logic so that we recognize and upgrade insecure requests to secure
requests if the Content Security Policy directive 'upgrade-insecure-requests' is
present.

Add a static helper function to ContentSecurityPolicy to upgrade insecure URLs so
that we don't have to sprinkle the same code all over the loader system.

Tests: http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-simple-ws.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html
       http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html
       http/tests/ssl/iframe-upgrade.https.html
       http/tests/ssl/upgrade-origin-usage.html
       http/tests/websocket/tests/hybi/upgrade-simple-ws.html

* Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect): Upgrade insecure requests if the CSP
indicates we should.
* dom/Document.cpp:
(WebCore::Document::initSecurityContext): Populate new document CSP with sets of upgrade host and port combinations.
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestScript): Upgrade insecure requests if
the CSP indicates we should.
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::loadResource): Ditto.
* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin): Ditto.
* loader/FormSubmission.cpp:
(WebCore::FormSubmission::create): Ditto.
(WebCore::FormSubmission::populateFrameLoadRequest): Add "Upgrade-Insecure-Requests"
header to frame load requests.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::addExtraFieldsToMainResourceRequest): Add the
'Update-Insecure-Requests' header field if necessary.
(WebCore::FrameLoader::addHTTPUpgradeInsecureRequestsIfNeeded): Added helper function.
(WebCore::FrameLoader::loadPostRequest): Upgrade insecure requests if the CSP
indicates we should.
(WebCore::FrameLoader::loadResourceSynchronously): Ditto.
(WebCore::FrameLoader::loadDifferentDocumentItem): If loading a form, add the
'Update-Insecure-Requests' header field if necessary.
(WebCore::createWindow): Upgrade insecure requests if the CSP
indicates we should.
* loader/FrameLoader.h:
* loader/PingLoader.cpp:
(WebCore::PingLoader::loadImage): Upgrade insecure requests if the CSP
indicates we should.
(WebCore::PingLoader::sendPing): Ditto.
(WebCore::PingLoader::sendViolationReport): Ditto.
* loader/ResourceLoader.cpp:
(WebCore::ResourceLoader::willSendRequestInternal): Ditto.
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::requestFrame): Ditto.
(WebCore::SubframeLoader::requestObject): Ditto.
* loader/appcache/ApplicationCacheHost.cpp:
(WebCore::ApplicationCacheHost::shouldLoadResourceFromApplicationCache): Ditto.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestImage): Ditto.
(WebCore::CachedResourceLoader::requestResource): Ditto.
* page/DOMWindow.cpp:
(WebCore::DOMWindow::createWindow): Add the 'Update-Insecure-Requests' header
field if necessary.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::copyStateFrom): Populate upgraded resource set
from other context.
(WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Added helper function
to upgrade requests when the upgrade-insecure-requests CSP policy is present, or if
the host and port combination have previously been upgraded.
(WebCore::ContentSecurityPolicy::upgradeInsecureNavigationRequestIfNeeded): Added
helper function to upgrade requests that have been previously upgraded. Cross-site
navigations only get upgraded when they have been previously upgraded.
(WebCore::ContentSecurityPolicy::addInsecureNavigationRequestsToUpgrade): Added.
(WebCore::ContentSecurityPolicy::populateInsecureNavigationRequestsToUpgradeFromOther): Added.
* page/csp/ContentSecurityPolicy.h:
(WebCore::ContentSecurityPolicy::setUpgradeInsecureRequests): Added.
(WebCore::ContentSecurityPolicy::upgradeInsecureRequests): Added.
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::ContentSecurityPolicyDirectiveList): Use
more C++11 initializations.
(WebCore::ContentSecurityPolicyDirectiveList::setUpgradeInsecureRequests): Added.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Teach this function to
recognize the new directive.
* page/csp/ContentSecurityPolicyDirectiveList.h:
* page/csp/ContentSecurityPolicyDirectiveNames.cpp:
* page/csp/ContentSecurityPolicyDirectiveNames.h:
* platform/network/HTTPHeaderNames.in: Add new 'Upgrade-Insecure-Requests' header field.
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::open): Upgrade insecure requests if the CSP if needed.

LayoutTests:

Some of these tests are based on a set of Blink patches by Mike West <mkwst@chromium.org>.
<https://src.chromium.org/viewvc/blink?revision=192607&view=revision>,
<https://codereview.chromium.org/1178093002>, <https://codereview.chromium.org/1964303003>

The rest of them are based on our own mixedContent tests, revised for upgraded requests.

Note that WebSockets are not part of this testing at present due to https://bugs.webkit.org/show_bug.cgi?id=157884.

* http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html: Added.
* http/tests/security/resources/post-origin-to-parent.html: Added.
* http/tests/ssl/iframe-upgrade.https-expected.txt: Added.
* http/tests/ssl/iframe-upgrade.https.html: Added.
* http/tests/ssl/upgrade-origin-usage-expected.txt: Added.
* http/tests/ssl/upgrade-origin-usage.html: Added.
* http/tests/ssl/resources/origin-usage-iframe-1.html: Added.
* http/tests/ssl/resources/origin-usage-iframe-1.manifest: Added.
* http/tests/ssl/resources/origin-usage-iframe-2.html: Added.
* http/tests/ssl/resources/origin-usage-iframe-2.manifest: Added.
* http/tests/websocket/tests/hybi/upgrade-simple-ws-expected.txt: Added.
* http/tests/websocket/tests/hybi/upgrade-simple-ws.html: Added.
* TestExpectations: Skip http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-simple-ws.html since the
WebSocket server does not currently support wss sockets.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201679 268f45cc-cd09-0410-ab3c-d52691b4dbfc
84 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-upgrade-insecure.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade-cors.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/basic-upgrade.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/form-upgrade.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-auxiliary.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-nested.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-subresource.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/https-header-top-level.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/iframe-upgrade.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-open-window-upgrades.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/basic-upgrade-cors.https.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/check-https-header.pl [new file with mode: 0755]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/echo-https-header.pl [new file with mode: 0755]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-audio-video.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-css.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-insecure-image.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-http-to-https-script.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/frame-with-redirect-https-to-http-script.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/insecure-xhr-in-main-frame-window.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/mixed-content-with-upgrade.html [new file with mode: 0755]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-nested-window.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/nested-window.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/resources/post-https-header.pl [new file with mode: 0755]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-audio-video-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-css-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-image-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-insecure-xhr-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-http-to-https-script-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrade-redirect-https-to-http-script-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content.html [new file with mode: 0644]
LayoutTests/http/tests/security/resources/post-origin-to-parent.html [new file with mode: 0644]
LayoutTests/http/tests/ssl/iframe-upgrade.https-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/ssl/iframe-upgrade.https.html [new file with mode: 0644]
LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.html [new file with mode: 0644]
LayoutTests/http/tests/ssl/resources/origin-usage-iframe-1.manifest [new file with mode: 0644]
LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.html [new file with mode: 0644]
LayoutTests/http/tests/ssl/resources/origin-usage-iframe-2.manifest [new file with mode: 0644]
LayoutTests/http/tests/ssl/upgrade-origin-usage-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/ssl/upgrade-origin-usage.html [new file with mode: 0644]
LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/websocket/tests/hybi/upgrade-simple-ws.html [new file with mode: 0644]
LayoutTests/platform/mac/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/Modules/websockets/WebSocket.cpp
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/ScriptElement.cpp
Source/WebCore/loader/DocumentWriter.cpp
Source/WebCore/loader/FormSubmission.cpp
Source/WebCore/loader/FrameLoader.cpp
Source/WebCore/loader/FrameLoader.h
Source/WebCore/loader/PingLoader.cpp
Source/WebCore/loader/SubframeLoader.cpp
Source/WebCore/loader/appcache/ApplicationCacheHost.cpp
Source/WebCore/loader/cache/CachedResourceLoader.cpp
Source/WebCore/page/csp/ContentSecurityPolicy.cpp
Source/WebCore/page/csp/ContentSecurityPolicy.h
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h
Source/WebCore/platform/network/HTTPHeaderNames.in
Source/WebCore/xml/XMLHttpRequest.cpp