CSP: Source '*' should not match URLs with schemes blob, data, or filesystem
author    dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 8 Mar 2016 05:39:26 +0000 (05:39 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 8 Mar 2016 05:39:26 +0000 (05:39 +0000)
commit    70ec6852216702f186d1cbb9347a5cea513d9b38
tree      bad7efbcdc0add9f1e54c2f663cdec384b916120
parent    3b6eb8e26c8d476fda65530311003cd57aac8d66
CSP: Source '*' should not match URLs with schemes blob, data, or filesystem
https://bugs.webkit.org/show_bug.cgi?id=154122
<rdar://problem/24613336>

Reviewed by Brent Fulgham.

Source/WebCore:

Restrict matching of source expression * to HTTP or HTTPS URLs for all directives except
img-src and media-src. This policy is more restrictive than the policy described in section
Matching Source Expressions of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721>,
which restricts matching * to schemes that are not blob, data, or filesystem.

For directive img-src we restrict matching of * to HTTP, HTTPS, and data URLs. For directive
media-src we restrict matching of * to HTTP, HTTPS, data URLs and blob URLs. We use a
more lenient interpretation of * for directives img-src and media-src than required by
the spec. to mitigate web compatibility issues.

Tests: fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
       fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html
       fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html
       fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html
       fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html
       fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html
       http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html
       http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html
       http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html
       http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html
       http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html
       http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html
       http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html
       media/video-with-blob-url-allowed-by-csp-media-src-star.html
       media/video-with-data-url-allowed-by-csp-media-src-star.html
       media/video-with-file-url-blocked-by-csp-media-src-star.html

* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar): Added.
(WebCore::ContentSecurityPolicySourceList::matches): Modified to only match * if ContentSecurityPolicySourceList::isProtocolAllowedByStar()
evaluates to true.
* page/csp/ContentSecurityPolicySourceList.h:

LayoutTests:

Add tests to ensure that we do not regress our interpretation of * with respect to directives
img-src, media-src, style-src, and default-src.

When running in WebKitTestRunner, skip the tests fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
and media/video-with-blob-url-allowed-by-csp-media-src-star.html as they make use of eventSender.beginDragWithFiles(),
which is not implemented. We will need to fix <https://bugs.webkit.org/show_bug.cgi?id=64285>
before we can run these tests in WebKitTestRunner.

* TestExpectations:
* fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html: Added.
* fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html: Added.
* fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html: Added.
* fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html: Added.
* fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html: Added.
* fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html: Added.
* fast/dom/HTMLImageElement/resources/green.png: Added.
* fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html: Added.
* fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html: Added.
* fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html: Added.
* fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html: Added.
* fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html: Added.
* fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html: Added.
* fast/dom/HTMLLinkElement/resources/red-background-color.css: Added.
(#test):
* http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html: Added.
* media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html: Added.
* media/video-with-blob-url-allowed-by-csp-media-src-star.html: Added.
* media/video-with-data-url-allowed-by-csp-media-src-star-expected.html: Added.
* media/video-with-data-url-allowed-by-csp-media-src-star.html: Added.
* media/video-with-file-url-blocked-by-csp-media-src-star-expected.html: Added.
* media/video-with-file-url-blocked-by-csp-media-src-star.html: Added.
* platform/wk2/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@197724 268f45cc-cd09-0410-ab3c-d52691b4dbfc
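The per-directive rule for `*` described in the commit message, written out as an added C++ example (this is not WebCore's code; the function names, the simplified scheme parsing and the sample URLs are assumptions). It places the CSP 2.0 scheme rule quoted in the message beside the stricter WebKit rule so the difference (for instance, `file:` passing the spec's scheme rule but being blocked by WebKit) can be checked on concrete URLs:

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
// Lowercased scheme of a URL ("Blob:..." -> "blob"); empty if the URL has none.
// Deliberately simplified URL parsing, for illustration only.
std::string schemeOf(const std::string& url)
{
    auto colon = url.find(':');
    if (colon == std::string::npos)
        return {};
    std::string scheme = url.substr(0, colon);
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
        [](unsigned char c) { return std::tolower(c); });
    return scheme;
}

// Scheme rule for * as quoted from CSP 2.0 "Matching Source Expressions":
// any scheme except blob, data and filesystem.
bool specStarAllowsScheme(const std::string& scheme)
{
    return !scheme.empty() && scheme != "blob" && scheme != "data" && scheme != "filesystem";
}

// Stricter per-directive rule from the commit message (hypothetical name, not WebCore's).
bool webkitStarAllowsScheme(const std::string& directive, const std::string& scheme)
{
    if (scheme == "http" || scheme == "https")
        return true;                                  // every directive
    if (directive == "img-src")
        return scheme == "data";                      // img-src: also data
    if (directive == "media-src")
        return scheme == "data" || scheme == "blob";  // media-src: also data and blob
    return false;                                     // blob, data, file, javascript, ... blocked
}

// Would a source list consisting only of * permit loading `url` under `directive`?
bool starSourceMatches(const std::string& directive, const std::string& url, bool useWebKitRule = true)
{
    std::string scheme = schemeOf(url);
    return useWebKitRule ? webkitStarAllowsScheme(directive, scheme) : specStarAllowsScheme(scheme);
}

int main()
{
    // file: is allowed by the spec's scheme rule alone but blocked by WebKit's rule.
    std::cout << "spec:   " << starSourceMatches("style-src", "file:///tmp/a.css", false) << "\n"
              << "webkit: " << starSourceMatches("style-src", "file:///tmp/a.css") << "\n";
}
```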
40 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/resources/green.png [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html [new file with mode: 0644]
LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html [new file with mode: 0644]
LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html [new file with mode: 0644]
LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html [new file with mode: 0644]
LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html [new file with mode: 0644]
LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html [new file with mode: 0644]
LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html [new file with mode: 0644]
LayoutTests/platform/wk2/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp
Source/WebCore/page/csp/ContentSecurityPolicySourceList.h