CSP: Nested browsing context created for <object> or <embed> should respect object...
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Apr 2016 02:39:58 +0000 (02:39 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Apr 2016 02:39:58 +0000 (02:39 +0000)
commit d4efd0fd1272886d8f5b01b847d2677db9385f43
tree 4a5748c334a59ef4836d3e5335790b6345a0e0b0
parent c786d55a82f37eba0e753f6492ad44553f0fa2cc
CSP: Nested browsing context created for <object> or <embed> should respect object-src directive
https://bugs.webkit.org/show_bug.cgi?id=156563
<rdar://problem/25715713>

Reviewed by Darin Adler.

Source/WebCore:

As per section object-src of the Content Security Policy Level 2 spec.,
<https://w3c.github.io/webappsec-csp/2/> (Editor's Draft, 29 August 2015), a nested browsing
context created for an HTML object or HTML embed element should respect the object-src directive.

Currently a nested browsing context created for an HTML object or HTML embed element respects
the child-src directive or frame-src directive (in that order). Instead such nested browsing
contexts should respect the object-src directive.

Tests: http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src.html
       http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src.html
       http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src.html
       http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src.html
       http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src.html
       http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src.html
       http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src.html
       http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src.html

* loader/PolicyChecker.cpp:
(WebCore::isAllowedByContentSecurityPolicy): Added. Checks whether the specified URL is allowed by the
object-src or the child-src/frame-src directive for a plugin element and non-plugin element, respectively.
(WebCore::PolicyChecker::checkNavigationPolicy): Modified to call isAllowedByContentSecurityPolicy().

LayoutTests:

Add tests to ensure that nested browsing contexts created for <object> and <embed> respect
the object-src directive.

* http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src.html: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199527 268f45cc-cd09-0410-ab3c-d52691b4dbfc
19 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-child-src.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-embed-blocked-by-frame-src.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-child-src.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-allows-object-blocked-by-frame-src.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-child-src.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-embed-allowed-by-frame-src.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-child-src.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-blocks-object-allowed-by-frame-src.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/loader/PolicyChecker.cpp
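
The directive selection described in the commit message, as a simplified JavaScript model. This is an added example, not WebKit's code or part of the commit; the function names, the `site.example` and `plugins.example` origins, and the reduced source matching (`'none'`, `'self'`, `*`, exact origins) are assumptions, and the `default-src` fallback comes from the CSP specification rather than from this page.

```javascript
// Parse a CSP header value into a Map of directive name -> source list.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Lookup order for a nested browsing context, chosen by the creating element.
// <object>/<embed> consult object-src; other elements (e.g. <iframe>) consult
// child-src, then frame-src, as in the commit message.
function directiveOrderFor(tagName) {
  const tag = tagName.toLowerCase();
  return (tag === 'object' || tag === 'embed')
    ? ['object-src', 'default-src']
    : ['child-src', 'frame-src', 'default-src'];
}

// Reduced source-expression matching (assumption: origins only, no paths,
// wildcard hosts or scheme sources).
function sourceMatches(source, url, selfOrigin) {
  const origin = new URL(url).origin;
  if (source === '*') return true;
  if (source === "'self'") return origin === selfOrigin;
  if (source === "'none'") return false;
  try { return new URL(source).origin === origin; } catch { return false; }
}

// True if the policy lets tagName load url as a nested browsing context.
function isNestedContextAllowed(header, tagName, url, selfOrigin) {
  const policy = parsePolicy(header);
  for (const name of directiveOrderFor(tagName)) {
    if (!policy.has(name)) continue; // fall through to the next directive
    return policy.get(name).some(s => sourceMatches(s, url, selfOrigin));
  }
  return true; // no governing directive in the policy
}

// Constructed sample: a policy that blocks plugins but allows frames.
const SAMPLE = "object-src 'none'; child-src http://plugins.example";
for (const tag of ['embed', 'object', 'iframe']) {
  const ok = isNestedContextAllowed(SAMPLE, tag,
    'http://plugins.example/page.html', 'http://site.example');
  console.log(tag, ok ? 'allowed' : 'blocked');
}
```

Under the pre-fix behaviour the commit describes, the `embed` and `object` cases would have been evaluated against `child-src` and allowed by this policy.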