CSP: object-src and plugin-types directives are not respected for plugin replacements
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Jul 2016 20:33:11 +0000 (20:33 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Jul 2016 20:33:11 +0000 (20:33 +0000)
commit 29328364b0a8be05aa677afbd9d54c02ede5d719
tree 5f82b0340029d1c7314c64138a4241dc3b77588d
parent 0124b8e82182b1083c899c92d46bd219872876d5
CSP: object-src and plugin-types directives are not respected for plugin replacements
https://bugs.webkit.org/show_bug.cgi?id=159761
<rdar://problem/27365724>

Reviewed by Brent Fulgham.

Source/WebCore:

Apply the Content Security Policy (CSP) object-src and plugin-types directives to content that will
load with a plugin replacement.

Tests: security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html
       security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html
       security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html

* html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::allowedToLoadPluginContent): Added.
(WebCore::HTMLPlugInImageElement::requestObject): Only request loading plugin content if we
are allowed to load such content.
* html/HTMLPlugInImageElement.h:
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::pluginIsLoadable): Removed code to check CSP as we will check CSP
earlier in HTMLPlugInImageElement::requestObject().
(WebCore::SubframeLoader::requestPlugin): Ditto.
(WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Deleted; moved implementation
to HTMLPlugInImageElement::allowedToLoadPluginContent().
(WebCore::SubframeLoader::requestObject): Deleted.
* loader/SubframeLoader.h:
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Changed signature from a non-const
function to a const function since these functions do not modify |this|.
* page/csp/ContentSecurityPolicy.h:

LayoutTests:

Add layout tests to ensure that we apply the CSP object-src and plugin-types directives to content
that loads with either the QuickTime plugin replacement or YouTube plugin replacement.

* security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html: Added.
* security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html: Added.
* security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html: Added.
* security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html: Added.
* security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html: Added.
* security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html: Added.
* security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html: Added.
* security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@203611 268f45cc-cd09-0410-ab3c-d52691b4dbfc
24 files changed:
LayoutTests/ChangeLog
LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLPlugInImageElement.cpp
Source/WebCore/html/HTMLPlugInImageElement.h
Source/WebCore/loader/SubframeLoader.cpp
Source/WebCore/loader/SubframeLoader.h
Source/WebCore/page/csp/ContentSecurityPolicy.cpp
Source/WebCore/page/csp/ContentSecurityPolicy.h
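
The enforcement-point change the commit message describes, as an added example that is not WebKit code or part of this commit: a simplified C++ model in which the CSP decision either sits only on the plugin loader path (an assumed pre-fix flow) or runs at the element ahead of the plugin-replacement branch. The types `Policy`, `Request`, `Outcome` and the functions `allowedToLoad`, `requestBefore`, `requestAfter` are hypothetical, and object-src is reduced to the 'none' case the layout tests exercise.

```cpp
// Added illustration, not WebKit source: models where the CSP check sits.
#include <iostream>
#include <set>
#include <string>

struct Policy {                        // only the two directives the commit names
    bool objectSrcNone = false;        // object-src 'none'
    bool hasPluginTypes = false;       // a plugin-types directive is present
    std::set<std::string> pluginTypes; // MIME types that directive lists
};
struct Request {
    std::string declaredType;          // type attribute; empty when absent
    bool hasReplacement;               // a plugin replacement would handle this content
};
enum class Outcome { Blocked, Replacement, Plugin };

// Policy decision: object-src 'none' blocks everything; plugin-types blocks a
// missing or unlisted declared MIME type.
bool allowedToLoad(const Policy& p, const Request& r) {
    if (p.objectSrcNone)
        return false;
    if (p.hasPluginTypes && (r.declaredType.empty() || !p.pluginTypes.count(r.declaredType)))
        return false;
    return true;
}

// Assumed pre-fix flow: the check lives only on the plugin loader path, so the
// replacement branch returns before any policy decision is made.
Outcome requestBefore(const Policy& p, const Request& r) {
    if (r.hasReplacement)
        return Outcome::Replacement;
    return allowedToLoad(p, r) ? Outcome::Plugin : Outcome::Blocked;
}

// Post-fix flow: one check at the element, ahead of both branches.
Outcome requestAfter(const Policy& p, const Request& r) {
    if (!allowedToLoad(p, r))
        return Outcome::Blocked;
    return r.hasReplacement ? Outcome::Replacement : Outcome::Plugin;
}

int main() {
    Policy none;
    none.objectSrcNone = true;
    Request movie{"video/quicktime", true}; // constructed sample request
    std::cout << "before: " << static_cast<int>(requestBefore(none, movie))
              << " after: " << static_cast<int>(requestAfter(none, movie)) << "\n";
}
```

The four behaviours checked against this model (object-src 'none' blocks, a listed type is allowed, an unlisted type is blocked, a missing type is blocked) mirror the names of the layout tests the commit adds.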