Emit a more informative message when a script is blocked due to "X-Content-Type:...
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 6 Apr 2018 19:15:34 +0000 (19:15 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 6 Apr 2018 19:15:34 +0000 (19:15 +0000)
commit 249b946181831b3622f21249971bf1e155a63740
tree bb1f91f5badf8d8be6f91bc3fcea6f525bdfab8a
parent ebfe7cf61fe71505b0746ff78c8b4558de701a7e
Emit a more informative message when a script is blocked due to "X-Content-Type: nosniff"
https://bugs.webkit.org/show_bug.cgi?id=184359

Reviewed by Per Arne Vollan.

Source/WebCore:

Emphasize in the message that the script was blocked from executing.

Test: http/tests/security/contentTypeOptions/nosniff-importScript-blocked.html

* dom/LoadableClassicScript.cpp:
(WebCore::LoadableClassicScript::notifyFinished):
* workers/WorkerScriptLoader.cpp:
(WebCore::WorkerScriptLoader::didReceiveResponse):

LayoutTests:

Adds a test to ensure we block importing scripts into a Web Worker whose HTTP responses
include "X-Content-Type: nosniff" and have a non-script MIME type.

Also update existing expected results.

* http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt:
* http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt:
* http/tests/security/contentTypeOptions/nosniff-importScript-blocked-expected.txt: Added.
* http/tests/security/contentTypeOptions/nosniff-importScript-blocked.html: Added.
* http/tests/security/contentTypeOptions/nosniff-script-allowed-expected.txt:
* http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt:
* http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt:
* http/tests/security/contentTypeOptions/resources/nosniff-importScript-blocked.js: Added.
(let.mimeType.of.unscriptyMIMETypes.catch):
* http/tests/security/contentTypeOptions/resources/script-with-header.pl:
* http/tests/security/module-correct-mime-types-expected.txt:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230346 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentTypeOptions/invalid-content-type-options-allowed-expected.txt
LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt
LayoutTests/http/tests/security/contentTypeOptions/nosniff-importScript-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentTypeOptions/nosniff-importScript-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-allowed-expected.txt
LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt
LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt
LayoutTests/http/tests/security/contentTypeOptions/resources/nosniff-importScript-blocked.js [new file with mode: 0644]
LayoutTests/http/tests/security/contentTypeOptions/resources/script-with-header.pl
LayoutTests/http/tests/security/module-correct-mime-types-expected.txt
Source/WebCore/ChangeLog
Source/WebCore/dom/LoadableClassicScript.cpp
Source/WebCore/workers/WorkerScriptLoader.cpp