CSP: Enable base-uri directive by default
author    dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 24 Feb 2016 00:53:29 +0000 (00:53 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 24 Feb 2016 00:53:29 +0000 (00:53 +0000)
commit 44ade1d0910eb34458c5f886e97779dff0beb89e
tree   2561aa7b492306a41607f101f68467d817ec36a7
parent 03dd6b0fd37d3926920f7ca87be83514ad83be93
CSP: Enable base-uri directive by default
https://bugs.webkit.org/show_bug.cgi?id=154521
<rdar://problem/24762032>

Reviewed by Brent Fulgham.

Source/WebCore:

Tests: http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html
       http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html

* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::isExperimentalDirectiveName): Move base-uri from the directives considered
experimental to...
(WebCore::isCSPDirectiveName): ...the list of standard directives.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Move logic to parse the base-uri
directive outside the ENABLE(CSP_NEXT) macro guarded section/experimental feature runtime flag.

LayoutTests:

Copy test http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html to
http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html,
making some minor stylistic changes, and update TestExpectations to skip it because it depends
on the firing of event SecurityPolicyViolationEvent, which is disabled as of the time of writing.
We will enable the firing of this event in <https://bugs.webkit.org/show_bug.cgi?id=154522>.
Repurpose test name base-uri-deny.html to test that the base-uri directive prevents the use of
document base URL without depending on the firing of event SecurityPolicyViolationEvent.

Additionally, add test http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html
to ensure that we do not fall back to enforcing the default-src directive in the absence of
a base-uri directive as per section base-uri of the Content Security Policy 2.0 spec,
<https://www.w3.org/TR/2015/CR-CSP2-20150721/>.

* TestExpectations:
* http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html: Added.
* http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt:
* http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html: Repurpose test.
* http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js: Added.
* http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js: Added.
* http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt.
* http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html.
* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt: Update expected result based on change to test (below).
* http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html: Modified to test that we emit
a console warning when base-uri is used as a source expression.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@197007 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-default-ignored.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/base-uri-deny.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/base-href/resources/safe-script.js [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/resources/safe-script.js [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-no-semicolon.html
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
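The two policy behaviours this commit's layout tests pin down are (1) that base-uri has no fallback to default-src, so a page with `default-src 'none'` and no base-uri directive still lets a `<base>` element change the document base URL, and (2) that a directive name turning up inside another directive's source list (typically a missing semicolon, as in the updated source-list-parsing-no-semicolon test) deserves a console warning, because the intended base-uri restriction is silently never applied. The following is an added example, not WebKit's code or anything from this commit: a toy CSP parser and base-uri check written for this page. The function names (`parsePolicy`, `sourceMatches`, `allowsBaseURL`) and the sample policies are my own; the matching rules implement a CSP2 subset (`'none'`, `'self'`, scheme-only and host sources) sufficient for base-uri.

```javascript
// Added example (not WebKit's code): a toy CSP parser and base-uri check.
// Helper names and sample policies are constructed for this illustration.

// Directive names recognised by this toy parser (a subset of CSP Level 2).
const DIRECTIVE_NAMES = new Set([
  'default-src', 'script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'object-src', 'media-src', 'frame-src', 'child-src',
  'base-uri', 'form-action', 'frame-ancestors', 'plugin-types',
  'report-uri', 'sandbox',
]);

// Parse a policy string into { directives: Map<name, string[]>, warnings: string[] }.
// A directive name inside another directive's source list is almost always a
// missing ';' and is reported instead of being silently treated as a host.
function parsePolicy(policy) {
  const directives = new Map();
  const warnings = [];
  for (const rawDirective of policy.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    const sources = tokens.slice(1);
    if (directives.has(name)) {
      warnings.push(`Ignoring duplicate directive '${name}'.`);
      continue;
    }
    for (const source of sources) {
      if (DIRECTIVE_NAMES.has(source.toLowerCase())) {
        warnings.push(`'${source}' in the source list of '${name}' is a directive name; missing ';'?`);
      }
    }
    directives.set(name, sources);
  }
  return { directives, warnings };
}

// Match one source expression against a URL. Handles 'none', 'self',
// scheme-only sources ("https:") and host sources with optional scheme,
// "*." wildcard and port; any other token matches nothing.
function sourceMatches(source, url, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return url.origin === self.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+|\*)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Scheme omitted: use the document's scheme (an http document also accepts https).
  const wantScheme = scheme ? `${scheme}:` : self.protocol;
  if (url.protocol !== wantScheme && !(wantScheme === 'http:' && url.protocol === 'https:')) return false;
  if (host !== '*') {
    if (wildcard) {
      if (!url.hostname.endsWith(`.${host}`)) return false;   // subdomains only
    } else if (url.hostname !== host) {
      return false;
    }
  }
  if (port === undefined) return url.port === '';            // default port only
  if (port === '*') return true;
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  return (url.port || defaultPort) === port;
}

// May <base href="baseHref"> set the base URL of the document at documentURL?
// CSP2 gives base-uri no fallback to default-src: without an explicit base-uri
// directive the base element is allowed however strict default-src is.
function allowsBaseURL(policyText, baseHref, documentURL) {
  const self = new URL(documentURL);
  const sources = parsePolicy(policyText).directives.get('base-uri');
  if (sources === undefined) return true;                    // no directive, no restriction
  const candidate = new URL(baseHref, documentURL);
  return sources.some((src) => sourceMatches(src, candidate, self)); // empty list acts as 'none'
}

// Constructed sample policies (not taken from the WebKit tests).
const DOC = 'https://site.example/page';
console.log(allowsBaseURL("default-src 'none'", 'https://other.example/', DOC));                  // true
console.log(allowsBaseURL("default-src 'none'; base-uri 'none'", 'https://other.example/', DOC)); // false
console.log(allowsBaseURL("base-uri 'self'", '/app/', DOC));                                      // true
console.log(parsePolicy("script-src 'self' base-uri 'none'").warnings[0]);
```

The first call is the case base-uri-default-ignored.html exercises: `default-src 'none'` alone does not constrain `<base>`, so a site that wants to prevent base-URL manipulation has to say `base-uri 'self'` (or `'none'`) explicitly. The last call shows why the missing-semicolon warning matters: the policy author believed base-uri was set, but the parser sees only a script-src directive with two odd host tokens.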