[Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Apr 2017 20:26:13 +0000 (20:26 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Apr 2017 20:26:13 +0000 (20:26 +0000)
commit ca02a214fe3029715b3f3c9bc8385e4bc102b0af
tree 35275719ec44b0ef1de688e7c338c74ee7021ad3
parent ad1d9507ecd8c77c0a12e9af3e7acb182aa5e0cd
[Cocoa][Win] Enable of X-Content-Type-Options: nosniff header
https://bugs.webkit.org/show_bug.cgi?id=136452
<rdar://problem/23412620>

Reviewed by Brent Fulgham.

.:

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

* Source/cmake/OptionsMac.cmake:
* Source/cmake/OptionsWin.cmake:

LayoutTests/imported/w3c:

Update expected results now we support X-Content-Type-Options: nosniff.

* web-platform-tests/fetch/nosniff/parsing-nosniff-expected.txt:
* web-platform-tests/fetch/nosniff/script-expected.txt:
* web-platform-tests/fetch/nosniff/stylesheet-expected.txt:

Source/JavaScriptCore:

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

* Configurations/FeatureDefines.xcconfig:

Source/WebCore:

Enable support for X-Content-Type-Options: nosniff on Mac, iOS and Windows.

Additionally, honor X-Content-Type-Options: nosniff header for stylesheets as per
<https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff%3F> (30 March 2017).

Test: http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html

* Configurations/FeatureDefines.xcconfig:
* css/StyleSheetContents.cpp:
(WebCore::StyleSheetContents::parseAuthorStyleSheet): Log an error if the stylesheet
has the nosniff header and does not have a valid MIME type. Also update code for
renaming of MIMETypeCheck to MIMETypeCheckHint.
(WebCore::StyleSheetContents::notifyLoadedSheet): If the stylesheet is blocked by
nosniff then consider it analogous to a load error so that we dispatch a DOM error
event at the <style>/<link> element.
* dom/LoadableClassicScript.cpp:
(WebCore::LoadableClassicScript::notifyFinished): Modified the wording of the error
message when a script is disallowed by nosniff so as to more closely match the
wording used when a stylesheet is disallowed by nosniff.
* loader/cache/CachedCSSStyleSheet.cpp:
(WebCore::CachedCSSStyleSheet::sheetText): Update for renaming of MIMETypeCheck
to MIMETypeCheckHint.
(WebCore::CachedCSSStyleSheet::responseMIMEType): Added.
(WebCore::CachedCSSStyleSheet::mimeTypeAllowedByNosniff): Added.
(WebCore::CachedCSSStyleSheet::canUseSheet): Modified to check if the X-Content-Type-Options: nosniff
header is in the HTTP response for the stylesheet. If it is then we can only use the stylesheet
if its content-type is "text/css". Otherwise, apply the existing criterion for determining whether
to use the stylesheet.
* loader/cache/CachedCSSStyleSheet.h: Rename MIMETypeCheck to MIMETypeCheckHint to better
describe its purpose as a hint as to whether to enforce MIME type checking for the stylesheet.
Processing of the HTTP header X-Content-Type-Options takes precedence over this hint.
* loader/cache/CachedScript.h: Make mimeType() private.

Source/WebCore/PAL:

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

* Configurations/FeatureDefines.xcconfig:

Source/WebKit/mac:

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

* Configurations/FeatureDefines.xcconfig:

Source/WebKit2:

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

* Configurations/FeatureDefines.xcconfig:

Tools:

Enable X-Content-Type-Options: nosniff on Mac, iOS and Windows platforms.

* Scripts/webkitperl/FeatureList.pm: Also do not enable nosniff on EFL
as the EFL port is no longer in the WebKit OpenSource repository.
* TestWebKitAPI/Configurations/FeatureDefines.xcconfig:

LayoutTests:

Unskip nosniff tests on Mac, iOS and Windows and update expected results now that
we support X-Content-Type-Options: nosniff.

Merge Blink test from <https://src.chromium.org/viewvc/blink?revision=168570&view=revision>.

* TestExpectations: Unskip all nosniff tests except imported/w3c/web-platform-tests/fetch/nosniff/importscripts.html.
We need to fix <https://bugs.webkit.org/show_bug.cgi?id=171248> before we can unskip it.
When running the nosniff Web Platform Tests (WPT), dump console messages to standard error
to keep a difference of console message ordering, due to the non-determinism of the WPT
tests, from affecting the matching of the expected result.
* http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt: Added.
* http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html: Copied from LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked.html.
* http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt: Update expected result.
* http/tests/security/contentTypeOptions/nosniff-script-blocked.html: Substitute the non-executable
MIME type "text/xx-javascript" for "text/x-javascript" as the latter is an acceptable MIME type for
JavaScript scripts as per the Fetch standard, <https://html.spec.whatwg.org/multipage/scripting.html#javascript-mime-type> (30 March 2017).
* http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt: Update
expected result.
* platform/gtk/TestExpectations: Skip the nosniff tests as GTK does not enable ENABLE(NOSNIFF).
* platform/ios/TestExpectations: Unskip nosniff tests.
* platform/mac/TestExpectations: Ditto.
* platform/win/TestExpectations: Ditto.
* platform/wk2/TestExpectations: Ditto.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@215753 268f45cc-cd09-0410-ab3c-d52691b4dbfc
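The nosniff gate that the WebCore entries above describe (only the first X-Content-Type-Options value counts, scripts need a JavaScript MIME type, stylesheets need exactly text/css) modelled as a stand-alone C++ example added here; this is not WebKit's code, and the function names and the empty-string convention for an absent header are assumptions of the example.

```cpp
#include <algorithm>
#include <array>
#include <cctype>
#include <string>
#include <string_view>

enum class Destination { Script, Style };

// Strip HTTP whitespace and ASCII-lowercase a header token.
static std::string normalizeToken(std::string_view s) {
    const char* ws = " \t";
    size_t b = s.find_first_not_of(ws);
    if (b == std::string_view::npos) return {};
    std::string out(s.substr(b, s.find_last_not_of(ws) - b + 1));
    for (char& c : out) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return out;
}

// Fetch "determine nosniff": only the first comma-separated value counts, compared
// case-insensitively. An absent header (passed here as "") leaves sniffing rules in force.
bool responseHasNosniff(std::string_view xContentTypeOptions) {
    return normalizeToken(xContentTypeOptions.substr(0, xContentTypeOptions.find(','))) == "nosniff";
}

// MIME type essence: "type/subtype" with parameters such as charset dropped.
std::string mimeEssence(std::string_view contentType) {
    return normalizeToken(contentType.substr(0, contentType.find(';')));
}

// JavaScript MIME types enumerated by the HTML standard (text/x-javascript is one of them).
bool isJavaScriptMIMEType(std::string_view essence) {
    static constexpr std::array<std::string_view, 16> kTypes = {
        "application/ecmascript", "application/javascript", "application/x-ecmascript",
        "application/x-javascript", "text/ecmascript", "text/javascript", "text/javascript1.0",
        "text/javascript1.1", "text/javascript1.2", "text/javascript1.3", "text/javascript1.4",
        "text/javascript1.5", "text/jscript", "text/livescript", "text/x-ecmascript",
        "text/x-javascript" };
    return std::find(kTypes.begin(), kTypes.end(), essence) != kTypes.end();
}

// True when the response must be rejected: nosniff is set and the Content-Type is not
// acceptable for the destination. A missing Content-Type gives an empty essence -> blocked.
bool blockedByNosniff(Destination dest, std::string_view xcto, std::string_view contentType) {
    if (!responseHasNosniff(xcto)) return false;   // no nosniff: legacy checks decide instead
    std::string essence = mimeEssence(contentType);
    if (dest == Destination::Script) return !isJavaScriptMIMEType(essence);
    return essence != "text/css";                  // stylesheets: exactly text/css, nothing else
}
```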
37 files changed:
ChangeLog
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked-expected.txt
LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-blocked.html
LayoutTests/http/tests/security/contentTypeOptions/nosniff-script-without-content-type-blocked-expected.txt
LayoutTests/imported/w3c/ChangeLog
LayoutTests/imported/w3c/web-platform-tests/fetch/nosniff/parsing-nosniff-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/nosniff/script-expected.txt
LayoutTests/imported/w3c/web-platform-tests/fetch/nosniff/stylesheet-expected.txt
LayoutTests/platform/gtk/TestExpectations
LayoutTests/platform/ios/TestExpectations
LayoutTests/platform/mac/TestExpectations
LayoutTests/platform/win/TestExpectations
LayoutTests/platform/wk2/TestExpectations
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/Configurations/FeatureDefines.xcconfig
Source/WebCore/ChangeLog
Source/WebCore/Configurations/FeatureDefines.xcconfig
Source/WebCore/PAL/ChangeLog
Source/WebCore/PAL/Configurations/FeatureDefines.xcconfig
Source/WebCore/css/StyleSheetContents.cpp
Source/WebCore/dom/LoadableClassicScript.cpp
Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp
Source/WebCore/loader/cache/CachedCSSStyleSheet.h
Source/WebCore/loader/cache/CachedScript.h
Source/WebKit/mac/ChangeLog
Source/WebKit/mac/Configurations/FeatureDefines.xcconfig
Source/WebKit2/ChangeLog
Source/WebKit2/Configurations/FeatureDefines.xcconfig
Source/cmake/OptionsMac.cmake
Source/cmake/OptionsWin.cmake
Tools/ChangeLog
Tools/Scripts/webkitperl/FeatureList.pm
Tools/TestWebKitAPI/Configurations/FeatureDefines.xcconfig