CSP: Teach the preload scanner about the 'nonce' attribute
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 13 Dec 2016 18:21:37 +0000 (18:21 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 13 Dec 2016 18:21:37 +0000 (18:21 +0000)
commit d98bb0d87cafd2cbad9e2e73a8f3e1db45ef7189
tree acced83e3283c1f2859936472224a6eb94714781
parent bb10ec07c067b440304e288cc1616305661bd904
CSP: Teach the preload scanner about the 'nonce' attribute
https://bugs.webkit.org/show_bug.cgi?id=161192
<rdar://problem/28010354>

Reviewed by Darin Adler.

Source/WebCore:

This patch was inspired by a similar Blink change:
<https://chromium.googlesource.com/chromium/src/+/dde5487f380cf774e4c0e96ba7f88ea68e723907>

Preload external scripts and stylesheets whose HTML script and link elements have a nonce
attribute that is listed in the Content Security Policy (CSP) of the page.

Currently the preload scanner ignores the nonce attribute on HTML script and link elements.
So, WebKit does not preload their associated subresources unless the value of the src
attribute or href attribute is whitelisted in the CSP of the page for script and link
elements, respectively. Instead the preload scanner should recognize the nonce attribute on
script and link elements and query the CSP of the page with it. If the nonce attribute is
whitelisted then the request should be preloaded.

Tests: http/tests/loading/do-not-preload-css-blocked-by-csp.html
       http/tests/loading/do-not-preload-script-src-blocked-by-csp.html
       http/tests/loading/preload-css-with-csp-nonce.html
       http/tests/loading/preload-script-src-with-csp-nonce.html

* html/parser/HTMLPreloadScanner.cpp:
(WebCore::TokenPreloadScanner::StartTagScanner::createPreloadRequest): Set the nonce on the
PreloadRequest to the nonce that we found during the scan.
(WebCore::TokenPreloadScanner::StartTagScanner::processAttribute): For script and link tag names,
save the value of the nonce attribute (if it has one).
* html/parser/HTMLResourcePreloader.cpp:
(WebCore::PreloadRequest::resourceRequest): Skip CSP policy check if the nonce is listed in
the CSP of the page.
* html/parser/HTMLResourcePreloader.h:
(WebCore::PreloadRequest::setNonce): Added.

LayoutTests:

Add tests to ensure that we preload <script>s and <link>s whose nonce is allowed by the
Content Security Policy of the page.

* http/tests/loading/do-not-preload-css-blocked-by-csp-expected.txt: Added.
* http/tests/loading/do-not-preload-css-blocked-by-csp.html: Added.
* http/tests/loading/do-not-preload-script-src-blocked-by-csp-expected.txt: Added.
* http/tests/loading/do-not-preload-script-src-blocked-by-csp.html: Added.
* http/tests/loading/preload-css-with-csp-nonce-expected.txt: Added.
* http/tests/loading/preload-css-with-csp-nonce.html: Added.
* http/tests/loading/preload-script-src-with-csp-nonce-expected.txt: Added.
* http/tests/loading/preload-script-src-with-csp-nonce.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@209759 268f45cc-cd09-0410-ab3c-d52691b4dbfc
13 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/loading/do-not-preload-css-blocked-by-csp-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/loading/do-not-preload-css-blocked-by-csp.html [new file with mode: 0644]
LayoutTests/http/tests/loading/do-not-preload-script-src-blocked-by-csp-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/loading/do-not-preload-script-src-blocked-by-csp.html [new file with mode: 0644]
LayoutTests/http/tests/loading/preload-css-with-csp-nonce-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/loading/preload-css-with-csp-nonce.html [new file with mode: 0644]
LayoutTests/http/tests/loading/preload-script-src-with-csp-nonce-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/loading/preload-script-src-with-csp-nonce.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/HTMLPreloadScanner.cpp
Source/WebCore/html/parser/HTMLResourcePreloader.cpp
Source/WebCore/html/parser/HTMLResourcePreloader.h
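
The preload decision described in the commit message, as an added C++ example that is not WebKit's code and not part of this commit; it compares the nonce-aware decision with the earlier URL-only one. `SourceList`, `parseSourceList`, `originOf`, `shouldPreload` and `shouldPreloadIgnoringNonce` are hypothetical names, the policy string and URLs are constructed, and only exact origins and nonce sources are modelled (no wildcards, paths or keywords).

```cpp
#include <iostream>
#include <set>
#include <sstream>
#include <string>

// Simplified model, not WebKit code: one CSP directive's source list, split
// into 'nonce-...' sources and plain origin sources.
struct SourceList {
    std::set<std::string> nonces;
    std::set<std::string> origins;
};

// Parse a directive value such as "'nonce-abc' https://static.example".
SourceList parseSourceList(const std::string& value) {
    SourceList list;
    std::istringstream in(value);
    std::string token;
    const std::string prefix = "'nonce-";
    while (in >> token) {
        bool isNonce = token.size() > prefix.size() + 1
            && token.compare(0, prefix.size(), prefix) == 0 && token.back() == '\'';
        if (isNonce)
            list.nonces.insert(token.substr(prefix.size(), token.size() - prefix.size() - 1));
        else
            list.origins.insert(token);
    }
    return list;
}

// Origin (scheme://host[:port]) of an absolute URL; empty for anything else.
std::string originOf(const std::string& url) {
    auto schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return {};
    return url.substr(0, url.find('/', schemeEnd + 3));
}

// Earlier behaviour: the nonce attribute is ignored, only the URL is checked.
bool shouldPreloadIgnoringNonce(const SourceList& policy, const std::string& url) {
    return policy.origins.count(originOf(url)) > 0;
}

// Nonce-aware behaviour: a nonce listed in the policy allows the preload
// without a URL check; otherwise the URL must still be allowed.
bool shouldPreload(const SourceList& policy, const std::string& url, const std::string& nonce) {
    if (!nonce.empty() && policy.nonces.count(nonce)) return true;
    return shouldPreloadIgnoringNonce(policy, url);
}

int main() {
    SourceList p = parseSourceList("'nonce-r4nd0m' https://static.example"); // constructed policy
    std::cout << shouldPreload(p, "https://cdn.example/app.js", "r4nd0m") << "\n";
}
```

The nonce comparison is an exact, case-sensitive string match, and a request with neither a listed nonce nor an allowed URL is not preloaded, which is the case the two `do-not-preload-*` layout tests cover.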