Implement the canonical "Content-Security-Policy" header.
author: mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 31 Oct 2012 23:41:27 +0000 (23:41 +0000)
committer: mkwst@chromium.org <mkwst@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 31 Oct 2012 23:41:27 +0000 (23:41 +0000)
https://bugs.webkit.org/show_bug.cgi?id=96765

Reviewed by Adam Barth.

Source/WebCore:

The CSP 1.0 specification defines the "Content-Security-Policy" header
as the canonical mechanism of defining a resource's security policy. Up
through this patch, we've implemented the functionality behind a prefix
in order to ensure compatibility with the standard once it's released as
a recommendation. Both the specification and WebKit's implementation are
far enough along in that process that it makes sense to support the
unprefixed header for sites that wish to opt-in to CSP 1.0.

As discussed on public-webappsec[1], we'll keep the experimental 1.1
features behind the prefixed header ('X-WebKit-CSP') until that standard
is far enough along to justify moving them out to the canonical header.

This patch defines the 'Content-Security-Policy' header for all ports,
just as the 'X-WebKit-CSP' header is currently supported on all ports.
Ports that have not opted-in to the CSP_NEXT flag will see exactly the
same behavior with both headers. Ports that have opted-in will see much
of CSP 1.1's current definition on the prefixed header, and CSP 1.0 on
the canonical header.

The functionality in this change is covered by the changes made to
existing tests. No expectations changed, only the headers that are sent.

* dom/Document.cpp:
(WebCore::Document::processHttpEquiv):
    Add canonical header support to 'meta' element definitions.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument):
    Add canonical header support to FrameLoader.
* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirectiveList::headerType):
    The ContentSecurityPolicy::HeaderType enum now has four values:
    prefixed/report-only, unprefixed/report-only, prefixed/enforce, and
    unprefixed/enforce. Instead of creating logic to output the proper
    type based on internal flags, CSPDirectiveList now saves the value
    provided at creation time, and returns it via this method.
(CSPDirectiveList):
(WebCore::CSPDirectiveList::CSPDirectiveList):
    The constructor now accepts a type, which is stored on the object.
    It also stores a new internal variable, 'm_experimental', which
    defines whether or not experimental features ought to be available.
    These features are still locked behind the CSP_NEXT flag, but that
    might not be the case forever.
(WebCore::CSPDirectiveList::create):
    The static constructor wrapper now passes the type into the real
    constructor, which also now handles setting its internal variables.
(WebCore::CSPDirectiveList::parse):
    'parse()' is given the header, so it makes sense to store it here as
    well, rather than in the create wrapper.
(WebCore::CSPDirectiveList::addDirective):
    1.1 directives remain locked behind CSP_NEXT, but now also require
    that 'm_experimental' is set, signaling usage of the prefixed header
    and an implicit opt-in to 1.1.
* page/ContentSecurityPolicy.h:
    Added two new types to the HeaderTypes enum: PrefixedReportOnly, and
    PrefixedEnforcePolicy. These map to 'X-WebKit-CSP-Report-Only' and
    'X-WebKit-CSP', respectively.

LayoutTests:

* http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html:
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html:
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html:
    Updating these 1.1 tests along with the multiple-iframe-*.js test
    "framework" to ensure that the experimental prefixed header is sent.
* http/tests/security/contentSecurityPolicy/blob-urls-match-self.html:
* http/tests/security/contentSecurityPolicy/combine-multiple-policies.html:
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html:
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html:
* http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html:
* http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html:
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html:
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html:
* http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html:
* http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html:
* http/tests/security/contentSecurityPolicy/duplicate-directive.html:
* http/tests/security/contentSecurityPolicy/eval-allowed.html:
* http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html:
* http/tests/security/contentSecurityPolicy/eval-blocked.html:
* http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html:
* http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html:
* http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html:
* http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html:
* http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html:
* http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html:
* http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-scheme.html:
* http/tests/security/contentSecurityPolicy/frame-src-allowed.html:
* http/tests/security/contentSecurityPolicy/frame-src-blocked.html:
* http/tests/security/contentSecurityPolicy/function-constructor-allowed.html:
* http/tests/security/contentSecurityPolicy/function-constructor-blocked.html:
* http/tests/security/contentSecurityPolicy/iframe-inside-csp.html:
* http/tests/security/contentSecurityPolicy/image-allowed.html:
* http/tests/security/contentSecurityPolicy/image-blocked.html:
* http/tests/security/contentSecurityPolicy/image-full-host-wildcard-allowed.html:
* http/tests/security/contentSecurityPolicy/image-host-wildcard-allowed.html:
* http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html:
* http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html:
* http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html:
* http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html:
* http/tests/security/contentSecurityPolicy/inline-script-allowed.html:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html:
* http/tests/security/contentSecurityPolicy/inline-script-blocked.html:
* http/tests/security/contentSecurityPolicy/inline-style-allowed.html:
* http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html:
* http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html:
* http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html:
* http/tests/security/contentSecurityPolicy/inline-style-blocked.html:
* http/tests/security/contentSecurityPolicy/media-src-allowed.html:
* http/tests/security/contentSecurityPolicy/media-src-blocked.html:
* http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html:
* http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html:
* http/tests/security/contentSecurityPolicy/object-src-url-allowed.html:
* http/tests/security/contentSecurityPolicy/object-src-url-blocked.html:
* http/tests/security/contentSecurityPolicy/policy-does-not-affect-child.html:
* http/tests/security/contentSecurityPolicy/register-bypassing-scheme.html:
* http/tests/security/contentSecurityPolicy/report-and-enforce.html:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html:
* http/tests/security/contentSecurityPolicy/report-blocked-uri.html:
* http/tests/security/contentSecurityPolicy/report-only-from-header.php:
* http/tests/security/contentSecurityPolicy/report-only.html:
* http/tests/security/contentSecurityPolicy/report-uri.html:
* http/tests/security/contentSecurityPolicy/resources/echo-iframe.pl:
* http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl:
    s/X-WebKit-CSP/Content-Security-Policy/g
* http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl:
* http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl:
    Reworking these two scripts in order to support sending both
    the experimental header and the canonical header, as required.
* http/tests/security/contentSecurityPolicy/resources/event-handler.pl:
* http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html:
* http/tests/security/contentSecurityPolicy/resources/javascript-url.pl:
* http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html:
    s/X-WebKit-CSP/Content-Security-Policy/g
* http/tests/security/contentSecurityPolicy/resources/multiple-iframe-plugin-test.js:
(testExperimentalPolicy):
(test):
(testImpl.iframe.onload):
(testImpl):
* http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:
(testPreescapedPolicy):
(testExperimentalPolicy):
(test):
(testImpl.iframe.onload):
(testImpl):
    Reworking these two "frameworks" in order to support sending both
    the experimental header and the canonical header, as required.
* http/tests/security/contentSecurityPolicy/resources/sandbox.php:
* http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php:
* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html:
* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html:
* http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html:
* http/tests/security/contentSecurityPolicy/sandbox-empty.html:
* http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html:
* http/tests/security/contentSecurityPolicy/shared-worker-connect-src-allowed.html:
* http/tests/security/contentSecurityPolicy/shared-worker-connect-src-blocked.html:
* http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html:
* http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src.html:
* http/tests/security/contentSecurityPolicy/style-allowed.html:
* http/tests/security/contentSecurityPolicy/style-blocked.html:
* http/tests/security/contentSecurityPolicy/worker-connect-src-allowed.html:
* http/tests/security/contentSecurityPolicy/worker-connect-src-blocked.html:
* http/tests/security/contentSecurityPolicy/worker-eval-blocked.html:
* http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html:
* http/tests/security/contentSecurityPolicy/worker-script-src.html:
* http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html:
* http/tests/security/contentSecurityPolicy/xsl-allowed.php:
* http/tests/security/contentSecurityPolicy/xsl-blocked.php:
* http/tests/security/contentSecurityPolicy/xsl-img-blocked.php:
* http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php:
* http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php:
    s/X-WebKit-CSP/Content-Security-Policy/g

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@133095 268f45cc-cd09-0410-ab3c-d52691b4dbfc
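The header dispatch described in the commit message, as an added model written for this page (it is not WebKit's code): each CSP header becomes one directive list tagged with one of four header types, and CSP 1.1 directives are honoured only when the header opts in to experimental features. The unprefixed enum names (ReportOnly, EnforcePolicy), the `script-nonce` directive name, and the `cspNext` flag are assumptions standing in for the CSP_NEXT build flag and names the page does not spell out.

```javascript
// Added model (not WebKit code) of the header dispatch the commit describes:
// each CSP header becomes one directive list tagged with a four-valued type,
// and CSP 1.1 directives are honoured only when the header opts in to
// experimental features (prefixed header + CSP_NEXT).
const HeaderType = Object.freeze({
  ReportOnly: 'ReportOnly',                       // assumed name for unprefixed/report-only
  EnforcePolicy: 'EnforcePolicy',                 // assumed name for unprefixed/enforce
  PrefixedReportOnly: 'PrefixedReportOnly',       // 'X-WebKit-CSP-Report-Only' (from the page)
  PrefixedEnforcePolicy: 'PrefixedEnforcePolicy', // 'X-WebKit-CSP' (from the page)
});

// Header name (lower-cased) -> type: the standard 1.0 header pair plus
// WebKit's prefixed pair.
const HEADER_TO_TYPE = new Map([
  ['content-security-policy', HeaderType.EnforcePolicy],
  ['content-security-policy-report-only', HeaderType.ReportOnly],
  ['x-webkit-csp', HeaderType.PrefixedEnforcePolicy],
  ['x-webkit-csp-report-only', HeaderType.PrefixedReportOnly],
]);

// Directives the commit keeps behind the prefixed header. 'plugin-types' is
// named in the tests on this page; 'script-nonce' is the CSP 1.1 draft name
// for the nonce directive those tests exercise (assumed here).
const EXPERIMENTAL_DIRECTIVES = new Set(['plugin-types', 'script-nonce']);

function isPrefixed(type) {
  return type === HeaderType.PrefixedReportOnly || type === HeaderType.PrefixedEnforcePolicy;
}

function isReportOnly(type) {
  return type === HeaderType.ReportOnly || type === HeaderType.PrefixedReportOnly;
}

// Split a serialized policy into directives. CSP 1.0 keeps the first
// occurrence of a duplicated directive and ignores later ones.
function parsePolicy(text) {
  const directives = new Map();
  for (const piece of text.split(';')) {
    const trimmed = piece.trim();
    if (!trimmed) continue;
    const [name, ...values] = trimmed.split(/\s+/);
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, values);
  }
  return directives;
}

// Counterpart of the CSPDirectiveList::create/parse description: the type is
// fixed at creation, 'experimental' mirrors m_experimental, and 1.1 directives
// are dropped (and recorded in 'ignored') when experimental is false.
// cspNext models the CSP_NEXT build flag; without it both headers behave alike.
function createDirectiveList(headerName, headerValue, cspNext = true) {
  const type = HEADER_TO_TYPE.get(headerName.toLowerCase());
  if (type === undefined) return null; // not a CSP header at all
  const experimental = cspNext && isPrefixed(type);
  const directives = new Map();
  const ignored = [];
  for (const [name, values] of parsePolicy(headerValue)) {
    if (EXPERIMENTAL_DIRECTIVES.has(name) && !experimental) {
      ignored.push(name);
      continue;
    }
    directives.set(name, values);
  }
  return { type, reportOnly: isReportOnly(type), experimental, header: headerValue, directives, ignored };
}

// Every CSP header in a response yields its own list, so a site sending both
// the prefixed and the canonical header (as the reworked test scripts do)
// ends up with two lists, each of which is checked.
function policiesFromHeaders(headers, cspNext = true) {
  const lists = [];
  for (const [name, value] of headers) {
    const list = createDirectiveList(name, value, cspNext);
    if (list !== null) lists.push(list);
  }
  return lists;
}
```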

105 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/blob-urls-match-self.html
LayoutTests/http/tests/security/contentSecurityPolicy/combine-multiple-policies.html
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/duplicate-directive.html
LayoutTests/http/tests/security/contentSecurityPolicy/eval-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html
LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html
LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html
LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-scheme.html
LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/frame-src-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/function-constructor-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/function-constructor-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/iframe-inside-csp.html
LayoutTests/http/tests/security/contentSecurityPolicy/image-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/image-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/image-full-host-wildcard-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/image-host-wildcard-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html
LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html
LayoutTests/http/tests/security/contentSecurityPolicy/inline-script-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html
LayoutTests/http/tests/security/contentSecurityPolicy/inline-style-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/media-src-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/media-src-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/object-src-url-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/policy-does-not-affect-child.html
LayoutTests/http/tests/security/contentSecurityPolicy/register-bypassing-scheme.html
LayoutTests/http/tests/security/contentSecurityPolicy/report-and-enforce.html
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html
LayoutTests/http/tests/security/contentSecurityPolicy/report-blocked-uri.html
LayoutTests/http/tests/security/contentSecurityPolicy/report-only-from-header.php
LayoutTests/http/tests/security/contentSecurityPolicy/report-only.html
LayoutTests/http/tests/security/contentSecurityPolicy/report-uri.html
LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-iframe.pl
LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl
LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl
LayoutTests/http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl
LayoutTests/http/tests/security/contentSecurityPolicy/resources/event-handler.pl
LayoutTests/http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html
LayoutTests/http/tests/security/contentSecurityPolicy/resources/javascript-url.pl
LayoutTests/http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html
LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-plugin-test.js
LayoutTests/http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js
LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandbox.php
LayoutTests/http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php
LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html
LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html
LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html
LayoutTests/http/tests/security/contentSecurityPolicy/sandbox-empty.html
LayoutTests/http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html
LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/shared-worker-connect-src-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html
LayoutTests/http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src.html
LayoutTests/http/tests/security/contentSecurityPolicy/style-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/style-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-allowed.html
LayoutTests/http/tests/security/contentSecurityPolicy/worker-connect-src-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/worker-eval-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src.html
LayoutTests/http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-allowed.php
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-blocked.php
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-img-blocked.php
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/loader/FrameLoader.cpp
Source/WebCore/page/ContentSecurityPolicy.cpp
Source/WebCore/page/ContentSecurityPolicy.h
Source/WebKit/chromium/public/WebContentSecurityPolicy.h
Source/WebKit/chromium/src/AssertMatchingEnums.cpp

index 692bd08..1b3bf5c 100644 (file)
@@ -1,3 +1,126 @@
+2012-10-31  Mike West  <mkwst@chromium.org>
+
+        Implement the canonical "Content-Security-Policy" header.
+        https://bugs.webkit.org/show_bug.cgi?id=96765
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html:
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html:
+        * http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html:
+        * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html:
+            Updating these 1.1 tests along with the multiple-iframe-*.js test
+            "framework" to ensure that the experimental prefixed header is sent.
+        * http/tests/security/contentSecurityPolicy/blob-urls-match-self.html:
+        * http/tests/security/contentSecurityPolicy/combine-multiple-policies.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html:
+        * http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html:
+        * http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html:
+        * http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html:
+        * http/tests/security/contentSecurityPolicy/duplicate-directive.html:
+        * http/tests/security/contentSecurityPolicy/eval-allowed.html:
+        * http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html:
+        * http/tests/security/contentSecurityPolicy/eval-blocked.html:
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html:
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html:
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html:
+        * http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html:
+        * http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html:
+        * http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html:
+        * http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-scheme.html:
+        * http/tests/security/contentSecurityPolicy/frame-src-allowed.html:
+        * http/tests/security/contentSecurityPolicy/frame-src-blocked.html:
+        * http/tests/security/contentSecurityPolicy/function-constructor-allowed.html:
+        * http/tests/security/contentSecurityPolicy/function-constructor-blocked.html:
+        * http/tests/security/contentSecurityPolicy/iframe-inside-csp.html:
+        * http/tests/security/contentSecurityPolicy/image-allowed.html:
+        * http/tests/security/contentSecurityPolicy/image-blocked.html:
+        * http/tests/security/contentSecurityPolicy/image-full-host-wildcard-allowed.html:
+        * http/tests/security/contentSecurityPolicy/image-host-wildcard-allowed.html:
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html:
+        * http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html:
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html:
+        * http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html:
+        * http/tests/security/contentSecurityPolicy/inline-script-allowed.html:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html:
+        * http/tests/security/contentSecurityPolicy/inline-script-blocked.html:
+        * http/tests/security/contentSecurityPolicy/inline-style-allowed.html:
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html:
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html:
+        * http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html:
+        * http/tests/security/contentSecurityPolicy/inline-style-blocked.html:
+        * http/tests/security/contentSecurityPolicy/media-src-allowed.html:
+        * http/tests/security/contentSecurityPolicy/media-src-blocked.html:
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html:
+        * http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html:
+        * http/tests/security/contentSecurityPolicy/object-src-url-allowed.html:
+        * http/tests/security/contentSecurityPolicy/object-src-url-blocked.html:
+        * http/tests/security/contentSecurityPolicy/policy-does-not-affect-child.html:
+        * http/tests/security/contentSecurityPolicy/register-bypassing-scheme.html:
+        * http/tests/security/contentSecurityPolicy/report-and-enforce.html:
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html:
+        * http/tests/security/contentSecurityPolicy/report-blocked-uri.html:
+        * http/tests/security/contentSecurityPolicy/report-only-from-header.php:
+        * http/tests/security/contentSecurityPolicy/report-only.html:
+        * http/tests/security/contentSecurityPolicy/report-uri.html:
+        * http/tests/security/contentSecurityPolicy/resources/echo-iframe.pl:
+        * http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl:
+            s/X-WebKit-CSP/Content-Security-Policy/g
+        * http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl:
+        * http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl:
+            Reworking these two scripts in order to support sending both
+            the experimental header and the canonical header, as required.
+        * http/tests/security/contentSecurityPolicy/resources/event-handler.pl:
+        * http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html:
+        * http/tests/security/contentSecurityPolicy/resources/javascript-url.pl:
+        * http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html:
+            s/X-WebKit-CSP/Content-Security-Policy/g
+        * http/tests/security/contentSecurityPolicy/resources/multiple-iframe-plugin-test.js:
+        (testExperimentalPolicy):
+        (test):
+        (testImpl.iframe.onload):
+        (testImpl):
+        * http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:
+        (testPreescapedPolicy):
+        (testExperimentalPolicy):
+        (test):
+        (testImpl.iframe.onload):
+        (testImpl):
+            Reworking these two "frameworks" in order to support sending both
+            the experimental header and the canonical header, as required.
+        * http/tests/security/contentSecurityPolicy/resources/sandbox.php:
+        * http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php:
+        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html:
+        * http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html:
+        * http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html:
+        * http/tests/security/contentSecurityPolicy/sandbox-empty.html:
+        * http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html:
+        * http/tests/security/contentSecurityPolicy/shared-worker-connect-src-allowed.html:
+        * http/tests/security/contentSecurityPolicy/shared-worker-connect-src-blocked.html:
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html:
+        * http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src.html:
+        * http/tests/security/contentSecurityPolicy/style-allowed.html:
+        * http/tests/security/contentSecurityPolicy/style-blocked.html:
+        * http/tests/security/contentSecurityPolicy/worker-connect-src-allowed.html:
+        * http/tests/security/contentSecurityPolicy/worker-connect-src-blocked.html:
+        * http/tests/security/contentSecurityPolicy/worker-eval-blocked.html:
+        * http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html:
+        * http/tests/security/contentSecurityPolicy/worker-script-src.html:
+        * http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html:
+        * http/tests/security/contentSecurityPolicy/xsl-allowed.php:
+        * http/tests/security/contentSecurityPolicy/xsl-blocked.php:
+        * http/tests/security/contentSecurityPolicy/xsl-img-blocked.php:
+        * http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php:
+        * http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php:
+            s/X-WebKit-CSP/Content-Security-Policy/g
+
 2012-10-31  Otto Derek Cheung  <otcheung@rim.com>
 
         [BlackBerry] Adding window.external to our port
index c9a397f..8253e32 100644 (file)
@@ -15,7 +15,7 @@ var tests = [
 ];
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
     <p>
         This tests our handling of invalid `plugin-types` CSP directives.
         Consider this test passing if each of the following frames contains
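Review bot: the switch of the body onload handler to testExperimentalPolicy() ties this test to a helper in resources/multiple-iframe-plugin-test.js that is not in this hunk, and nothing in the file says why the prefixed header is required. A one-line comment beside the script include, such as `<!-- plugin-types is a CSP 1.1 directive and must be sent on X-WebKit-CSP -->`, would keep the test self-explanatory when the 1.1 directives later move to the canonical header.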
index 7fc5aa7..b3070ff 100644 (file)
@@ -11,7 +11,7 @@ var tests = [
 ];
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
     <p>
         This tests our handling of `data:` URLs, given a `plugin-types` CSP
         directive. Consider this test passing if each of the following frames
index 4d80d9d..5c066c5 100644 (file)
@@ -10,7 +10,7 @@ var tests = [
 ];
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
     <p>
         This tests our handling of non-`data:` URLs, given a `plugin-types` CSP
         directive. Consider this test passing if none of the following frames
index 71757ca..92573f3 100644 (file)
@@ -11,7 +11,7 @@ var tests = [
 ];
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
   <p>
       None of these scripts should execute, as all the nonces are invalid.
   </p>
index 2cf69ef..b5ba011 100644 (file)
@@ -11,7 +11,7 @@ var tests = [
 ];
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
   <p>
     None of these scripts should execute even though there are parse errors in the policy.
   </p>
index c726bd1..205a80e 100644 (file)
@@ -10,7 +10,7 @@ var tests = [
 ];
 </script>
 </head>
-<body onload="test()">
+<body onload="testExperimentalPolicy()">
   <p>
       All of these scripts should execute, as all the nonces are valid.
   </p>
index d7354f2..155823b 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
     <head>
-        <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'self'">
+        <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'">
     </head>
     <body>
         <p>
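Review bot: after this rename none of the meta-based tests on this page still sends the prefixed header with a 1.0 policy, although the commit message promises that ports without CSP_NEXT see identical behaviour on both headers. Consider keeping one `<meta http-equiv="X-WebKit-CSP" ...>` variant, or parameterizing one test over both header names, so the prefixed path through Document::processHttpEquiv stays covered.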
index f0b052f..95ee916 100644 (file)
@@ -1,8 +1,8 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'">
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body>
index 84a211d..3931f25 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
+<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index b07d2ff..6a37bc1 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://localhost:8000">
+<meta http-equiv="Content-Security-Policy" content="connect-src http://localhost:8000">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 9a6e04d..349460b 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src ws://127.0.0.1:8880">
+<meta http-equiv="Content-Security-Policy" content="connect-src ws://127.0.0.1:8880">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index b2235dd..3cada73 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src ws://127.0.0.1:8880">
+<meta http-equiv="Content-Security-Policy" content="connect-src ws://127.0.0.1:8880">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 053c6f7..738fee4 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
+<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 3e9d12f..57c6b08 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000">
+<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 4956a8d..e7e8627 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="default-src 'self' about: 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="default-src 'self' about: 'unsafe-inline'">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body onload="alert('PASS 3 of 3')">
index 2bd020b..2e8ef4e 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="default-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body>
index 2a093aa..814501b 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
     <head>
-        <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'; script-src 'none'">
+        <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'; script-src 'none'">
         <script>
         if (window.testRunner) {
             testRunner.dumpAsText();
index 11d1ffa..de070b8 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'unsafe-eval'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 94a6d71..2952a06 100644 (file)
@@ -2,7 +2,7 @@
 if (window.testRunner)
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
 <iframe src="about:blank"></iframe>
 Eval should be blocked in the iframe, but inline script should be allowed.
 <script>
index 7dc2492..27b26da 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 82d33d3..d90dcb5 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'unsafe-eval'">
 </head>
 <pre>
 <script>
index ca8895d..a18e3c8 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
 </head>
 <pre>
 <script>
index 2b0e4cd..6d83ac3 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'unsafe-eval'">
 </head>
 <pre>
 <script>
index 78167b4..1c5fbba 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
 </head>
 <pre>
 <script>
index ef94bfe..72232c4 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
     <head>
-        <meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'self'">
+        <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'">
     </head>
     <body>
         <p>
index 2cafbd3..f51e510 100644 (file)
@@ -2,7 +2,7 @@
 if (window.testRunner)
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="frame-src 'none'; object-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'; object-src 'none'">
 These frames should not be blocked by Content-Security-Policy.  It's pointless
 to block about:blank iframes because blocking a frame just results in
 displaying about:blank anyway!
index a9aeca8..2e5e062 100644 (file)
@@ -2,6 +2,6 @@
 if (window.testRunner)
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="frame-src about:">
+<meta http-equiv="Content-Security-Policy" content="frame-src about:">
 This iframe should not be blocked by Content-Security-Policy:
 <iframe src="about:blank"></iframe>
index a4b9ee4..bf09919 100644 (file)
@@ -1,3 +1,3 @@
-<meta http-equiv="X-WebKit-CSP" content="frame-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="frame-src 'self'">
 <script src="resources/dump-as-text.js"></script>
 <iframe src="resources/alert-pass.html"></iframe>
index ba3665f..208e5fe 100644 (file)
@@ -1,3 +1,3 @@
-<meta http-equiv="X-WebKit-CSP" content="frame-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="frame-src 'none'">
 <script src="resources/dump-as-text.js"></script>
 <iframe src="resources/alert-fail.html"></iframe>
index 74c3a9e..9e95b8e 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline' 'unsafe-eval'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'unsafe-eval'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 4655294..ab33534 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 941a3dd..7614094 100644 (file)
@@ -1,3 +1,3 @@
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
 <script src="resources/dump-as-text.js"></script>
 <iframe src="resources/sandboxed-eval.php"></iframe>
index b66cb48..406c054 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src *; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="img-src *; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 83c8639..3b9d061 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src 'none'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 95b9d6a..d05f167 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src *.127.0.0.1:8000; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="img-src *.127.0.0.1:8000; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index fae3af9..f060e0f 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src *.0.1:8000; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="img-src *.0.1:8000; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index ceb27d5..3472aae 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:* 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:* 'unsafe-inline'">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body>
index 610868b..6c53c5a 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:*">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:*">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body>
index d72fd36..ce7ad4f 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body>
index a0c8f82..0d7f932 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body>
index 45fbf6c..4f3c7da 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:* 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:* 'unsafe-inline'">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body onload="alert('PASS 3 of 3')">
index c82263a..2f07085 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:*; options goofy">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:*; options goofy">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body onload="alert('FAIL 2 of 2')">
index 3b2c3ee..41b656d 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:*; options goofy">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:*; options goofy">
 <script src="resources/dump-as-text.js"></script>
 </head>
 This test passes if it doesn't alert fail.
index 1dbadef..7bbf9ab 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src http://127.0.0.1:*">
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:*">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body>
index 7c2900a..7d990e9 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'unsafe-inline'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'unsafe-inline'">
 <style>
 .target {
     background-color: blue;
index a296849..ebd9e16 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'unsafe-inline'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline'; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 8621abd..aa475b6 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index 9289f61..48ea428 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html style="background-color: blue;">
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'unsafe-inline'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
index f055ac6..c2f6b80 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'unsafe-inline'">
 <style>
 .target {
     background-color: blue;
index 10bc068..c17fa9b 100644 (file)
@@ -1,4 +1,4 @@
-<meta http-equiv="X-WebKit-CSP" content="media-src http://127.0.0.1:8000">
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000">
 <video></video>
 <script src=../../../media-resources/media-file.js></script>
 <script src=../../../media-resources/video-test.js></script>
index 33015f5..2f288f7 100644 (file)
@@ -1,4 +1,4 @@
-<meta http-equiv="X-WebKit-CSP" content="media-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="media-src 'none'">
 <video></video>
 <script src=../../../media-resources/media-file.js></script>
 <script src=../../../media-resources/video-test.js></script>
index bfe917b..2c06d1f 100644 (file)
@@ -5,7 +5,7 @@
 if (window.testRunner)
   testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="object-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="object-src 'self'">
 </head>
 <body>
 This test passes if there isn't a console message saying the plugin was blocked.
index 3f22ef3..6135915 100644 (file)
@@ -5,7 +5,7 @@
 if (window.testRunner)
   testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="object-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
 </head>
 <body>
 This test passes if there is a console message saying the plugin was blocked.
index c7401b3..1344241 100644 (file)
@@ -5,7 +5,7 @@
 if (window.testRunner)
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="object-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="object-src 'self'">
 </head>
 <body>
 This test passes if there is no console message saying the plugin was blocked.
index d9b9cb9..3dfb150 100644 (file)
@@ -5,7 +5,7 @@
 if (window.testRunner)
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="object-src 'none'">
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
 </head>
 <body>
 This test passes if there is a console message saying the plugin was blocked.
index a128900..324233a 100644 (file)
@@ -1,3 +1,3 @@
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
 <script src="resources/dump-as-text.js"></script>
 <iframe src="resources/alert-pass.html"></iframe>
index e156d67..5b986e0 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="img-src https:; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="img-src https:; script-src 'unsafe-inline'">
 <script>
     if (window.testRunner) {
         testRunner.waitUntilDone();
index b62e89f..3740816 100644 (file)
@@ -1,5 +1,5 @@
-<meta http-equiv="X-WebKit-CSP" content="img-src 'none'">
-<meta http-equiv="X-WebKit-CSP-Report-Only" content="script-src 'self'; report-uri resources/save-report.php">
+<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
+<meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'self'; report-uri resources/save-report.php">
 <script>
 // This script block will trigger a violation report but shouldn't be blocked.
 alert('PASS');
index 60eff69..de93ef7 100644 (file)
@@ -1,4 +1,4 @@
-<meta http-equiv="X-WebKit-CSP-Report-Only" content="img-src 'none'; report-uri resources/save-report.php">
+<meta http-equiv="Content-Security-Policy-Report-Only" content="img-src 'none'; report-uri resources/save-report.php">
 The origin of this image should show up in the violation report.
 <img src="http://localhost:8080/security/resources/abe.png">
 <script src="resources/go-to-echo-report.js"></script>
index e6d5ed4..f7d8610 100644 (file)
@@ -1,4 +1,4 @@
-<meta http-equiv="X-WebKit-CSP-Report-Only" content="img-src 'none'; report-uri resources/save-report.php">
+<meta http-equiv="Content-Security-Policy-Report-Only" content="img-src 'none'; report-uri resources/save-report.php">
 The URI of this image should show up in the violation report.
 <img src="../resources/abe.png#the-fragment-should-not-be-in-report">
 <script src="resources/go-to-echo-report.js"></script>
index cf20a4f..2f5fd6f 100644 (file)
@@ -1,5 +1,5 @@
 <?php
-header("X-WebKit-CSP-Report-Only: script-src 'self'; report-uri resources/save-report.php");
+header("Content-Security-Policy-Report-Only: script-src 'self'; report-uri resources/save-report.php");
 ?>
 <script>
 // This script block will trigger a violation report but shouldn't be blocked.
index 70ce742..424d7ad 100644 (file)
@@ -1,4 +1,4 @@
-<meta http-equiv="X-WebKit-CSP-Report-Only" content="script-src 'self'; report-uri resources/save-report.php">
+<meta http-equiv="Content-Security-Policy-Report-Only" content="script-src 'self'; report-uri resources/save-report.php">
 <script>
 // This script block will trigger a violation report but shouldn't be blocked.
 alert('PASS');
index 2ae0165..9e530e6 100644 (file)
@@ -1,4 +1,4 @@
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'; report-uri resources/save-report.php">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri resources/save-report.php">
 <script>
 // This script block will trigger a violation report.
 alert('FAIL');
index b2bb2ef..ca71532 100755 (executable)
@@ -5,7 +5,7 @@ use CGI;
 my $cgi = new CGI;
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+print "Content-Security-Policy: ".$cgi->param('csp')."\n\n";
 
 print "<!DOCTYPE html>\n";
 print "<html>\n";
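Review bot: the `csp` query parameter is copied into the response header verbatim (`print "Content-Security-Policy: ".$cgi->param('csp')."\n\n";`), so a CR or LF inside the value would end the header line and emit whatever follows as further header lines or body. This is a test helper served only by the layout-test web server, so the exposure is small, but normalising the value first, e.g. `(my $csp = $cgi->param('csp') // '') =~ s/[\r\n]//g;` and printing `$csp`, keeps the harness from producing malformed responses if a test ever passes an unexpected policy string. Minor style point on the context line: `new CGI` is indirect-object syntax; `CGI->new` is the idiomatic form.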
index 93c0604..a0d55e9 100755 (executable)
@@ -5,8 +5,8 @@ use CGI;
 my $cgi = new CGI;
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp1')."\n";
-print "X-WebKit-CSP: ".$cgi->param('csp2')."\n\n";
+print "Content-Security-Policy: ".$cgi->param('csp1')."\n";
+print "Content-Security-Policy: ".$cgi->param('csp2')."\n\n";
 
 my ($text, $replacement) = ("FAIL", "PASS");
 ($text, $replacement) = ($replacement, $text) if $cgi->param('should_run') eq 'no';
index ada7cc1..d6e140b 100755 (executable)
@@ -5,7 +5,11 @@ use CGI;
 my $cgi = new CGI;
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+if ($cgi->param('experimental') eq 'true') {
+    print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+} else {
+    print "Content-Security-Policy: ".$cgi->param('csp')."\n\n";
+}
 
 print "<!DOCTYPE html>\n";
 print "<html>\n";
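Review bot: `$cgi->param('experimental') eq 'true'` compares against an undefined value whenever the query string omits `experimental`, which, if the script enables warnings, logs an "uninitialized value" warning on every request from a caller that has not been updated, even though the `else` branch correctly falls through to the canonical header. Defaulting the value before the comparison, e.g. `my $experimental = $cgi->param('experimental') // ''; if ($experimental eq 'true') {`, keeps the helper quiet for existing callers. The branch logic itself matches the JS harness change: `experimental=true` selects the prefixed `X-WebKit-CSP` header so the CSP 1.1 directives under test keep working, and everything else gets `Content-Security-Policy`.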
index e6467e4..6b8bff3 100755 (executable)
@@ -5,7 +5,11 @@ use CGI;
 my $cgi = new CGI;
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+if ($cgi->param('experimental') eq 'true') {
+    print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+} else {
+    print "Content-Security-Policy: ".$cgi->param('csp')."\n\n";
+}
 
 my ($text, $replacement) = ("FAIL", "PASS");
 ($text, $replacement) = ($replacement, $text) if $cgi->param('should_run') eq 'no';
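Review bot: same point as the echo-object-data.pl hunk above: `$cgi->param('experimental') eq 'true'` is evaluated against undef for callers that do not send the parameter; defaulting the value to `''` before the comparison avoids the warning without changing which header is emitted.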
index c489c58..ba1b2a6 100755 (executable)
@@ -5,7 +5,7 @@ use CGI;
 my $cgi = new CGI;
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+print "Content-Security-Policy: ".$cgi->param('csp')."\n\n";
 
 my ($text, $replacement) = ("FAIL", "PASS");
 ($text, $replacement) = ($replacement, $text) if $cgi->param('should_run') eq 'no';
index 535ca49..26e40c6 100644 (file)
@@ -1,4 +1,4 @@
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'; report-uri save-report.php">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'; report-uri save-report.php">
 <script>
 // This script block will trigger a violation report.
 alert('FAIL');
index 5fd585b..0f29646 100755 (executable)
@@ -5,7 +5,7 @@ use CGI;
 my $cgi = new CGI;
 
 print "Content-Type: text/html; charset=UTF-8\n";
-print "X-WebKit-CSP: ".$cgi->param('csp')."\n\n";
+print "Content-Security-Policy: ".$cgi->param('csp')."\n\n";
 
 my $text = "PASS";
 $text = "FAIL" if $cgi->param('should_run') eq 'no';
index 5ef5b1f..2b7dbdc 100644 (file)
@@ -1,3 +1,3 @@
-<meta http-equiv="X-WebKit-CSP" content="default-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
 This page includes an insecure script that alerts "FAIL", but that script is blocked by CSP.
 <script src="http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js"></script>
index 5fe6bb9..0420b3e 100644 (file)
@@ -4,13 +4,22 @@ if (window.testRunner) {
     testRunner.dumpChildFramesAsText();
 }
 
+function testExperimentalPolicy() {
+    testImpl(true);
+}
+
 function test() {
+    testImpl(false);
+}
+
+function testImpl(experimental) {
     if (tests.length === 0)
         return finishTesting();
-    var baseURL = "http://127.0.0.1:8000/security/contentSecurityPolicy/";
+    var baseURL = "/security/contentSecurityPolicy/";
     var current = tests.shift();
     var iframe = document.createElement("iframe");
     iframe.src = baseURL + "resources/echo-object-data.pl?" +
+                 "experimental=" + (experimental ? "true" : "false") +
                  "&csp=" + escape(current[1]);
 
     if (current[0])
@@ -29,7 +38,7 @@ function test() {
     else
         iframe.src += "&type=application/x-webkit-test-netscape";
 
-    iframe.onload = test;
+    iframe.onload = function() { testImpl(experimental); };
     document.body.appendChild(iframe);
 }
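Review bot: `escape(current[1])` in the `csp=` query parameter is inconsistent with echo-script-src.js, which uses `encodeURIComponent` for the same field; `escape` is deprecated and leaves `+` unencoded, so a policy value containing `+` would reach the Perl helper with that character decoded as a space by CGI.pm. Switching to `"&csp=" + encodeURIComponent(current[1])` removes the discrepancy. The move from the absolute `http://127.0.0.1:8000/...` base URL to `/security/contentSecurityPolicy/` is a good change: the iframes are now same-origin with the test page whichever host serves the suite, which is what the `'self'` cases need, and the onload closure carries `experimental` through every iteration instead of falling back to `test()`.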
 
index 732ea99..5583323 100644 (file)
@@ -5,18 +5,22 @@ if (window.testRunner) {
 }
 
 function testPreescapedPolicy() {
-    testImpl(true);
+    testImpl(false, true);
+}
+
+function testExperimentalPolicy() {
+    testImpl(true, false);
 }
 
 function test() {
-    testImpl(false);
+    testImpl(false, false);
 }
 
-function testImpl(preescapedPolicy) {
+function testImpl(experimental, preescapedPolicy) {
     if (tests.length === 0)
         return finishTesting();
 
-    var baseURL = "http://127.0.0.1:8000/security/contentSecurityPolicy/";
+    var baseURL = "/security/contentSecurityPolicy/";
     var current = tests.shift();
     var iframe = document.createElement("iframe");
 
@@ -29,12 +33,13 @@ function testImpl(preescapedPolicy) {
         scriptToLoad = encodeURIComponent(current[2]);
 
     iframe.src = baseURL + "resources/echo-script-src.pl?" +
-                 "should_run=" + encodeURIComponent(current[0]) +
+                 "experimental=" + (experimental ? "true" : "false") +
+                 "&should_run=" + encodeURIComponent(current[0]) +
                  "&csp=" + policy + "&q=" + scriptToLoad;
     if (current[3])
       iframe.src += "&nonce=" + encodeURIComponent(current[3]);
 
-    iframe.onload = test;
+    iframe.onload = function() { testImpl(experimental, preescapedPolicy); };
     document.body.appendChild(iframe);
 }
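Review bot: `testImpl(experimental, preescapedPolicy)` now takes two positional booleans, and the first hunk already had to reorder an existing call (`testImpl(true)` became `testImpl(false, true)`); every future caller has to remember which flag comes first. An options object (`testImpl({experimental: true, preescaped: false})`) would make the `testExperimentalPolicy()` / `testPreescapedPolicy()` entry points self-documenting. The new onload closure is the right fix for a latent bug in the old code: `iframe.onload = test` restarted the loop through `test()`, which would have dropped the `preescapedPolicy` flag after the first frame and, once `testExperimentalPolicy()` exists, would have silently switched from the prefixed to the canonical header mid-run.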
 
index 0c5f94a..d20196e 100644 (file)
@@ -1,5 +1,5 @@
 <?php
-header("X-WebKit-CSP: sandbox " . $_GET["sandbox"]);
+header("Content-Security-Policy: sandbox " . $_GET["sandbox"]);
 ?>
 <!DOCTYPE html>
 <p>Ready</p>
index 7434f23..f379700 100644 (file)
@@ -1,5 +1,5 @@
 <?php
-header("X-WebKit-CSP: sandbox allow-scripts");
+header("Content-Security-Policy: sandbox allow-scripts");
 ?>
 <script>
 alert('PASS (1/2): Script can execute');
index efe4b47..6bbac6d 100644 (file)
@@ -2,6 +2,6 @@
 if (window.testRunner)
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="sandbox allow-scripts">
+<meta http-equiv="Content-Security-Policy" content="sandbox allow-scripts">
 This test passes if it does alert pass.
 <iframe src="data:text/html,<script>alert('PASS');</script>"></iframe>
index 1161eaf..c148d2f 100644 (file)
@@ -2,7 +2,7 @@
 if (window.testRunner)
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="sandbox allow-scripts">
+<meta http-equiv="Content-Security-Policy" content="sandbox allow-scripts">
 This test passes if it does alert pass.
 <script>
 alert('PASS');
index 13c612d..51c3e03 100644 (file)
@@ -2,6 +2,6 @@
 if (window.testRunner)
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="sandbox">
+<meta http-equiv="Content-Security-Policy" content="sandbox">
 This test passes if it doesn't alert fail.
 <iframe src="data:text/html,<script>alert('FAIL');</script>"></iframe>
index 6d42bf5..83a4ab3 100644 (file)
@@ -2,7 +2,7 @@
 if (window.testRunner)
     testRunner.dumpAsText();
 </script>
-<meta http-equiv="X-WebKit-CSP" content="sandbox">
+<meta http-equiv="Content-Security-Policy" content="sandbox">
 This test passes if it doesn't alert fail.
 <script>
 alert('FAIL');
index c1ed921..c005754 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="default-src about:; script-src 'self' 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="default-src about:; script-src 'self' 'unsafe-inline'">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body onload="alert('PASS 3 of 3')">
index 67640f2..8174f6d 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000"/>
+<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000"/>
 <script>
 if (window.testRunner) {
     testRunner.waitUntilDone();
index b764ed5..97412f2 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src 'none'"/>
+<meta http-equiv="Content-Security-Policy" content="connect-src 'none'"/>
 <script>
 if (window.testRunner) {
     testRunner.waitUntilDone();
index 6179a27..90b125d 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://localhost:8000"<script>
+<meta http-equiv="Content-Security-Policy" content="connect-src http://localhost:8000"<script>
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
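Review bot: the meta element on the changed line is unterminated: `content="connect-src http://localhost:8000"<script>` lacks the closing `>` before the stray `<script>`, a defect carried over from the old line. The HTML tokenizer recovers by treating `<script` as a junk attribute of the meta element and the real `<script>` on the next line still parses, so the policy is applied, but since the line is being edited anyway it should read `<meta http-equiv="Content-Security-Policy" content="connect-src http://localhost:8000">`.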
index b3ac82c..07d2440 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self'">
 <script src="resources/dump-as-text.js"></script>
 </head>
 <body>
index dca9f2e..16d59a9 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src *; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src *; script-src 'unsafe-inline'">
 <link rel="stylesheet" href="resources/blue.css">
 <script>
 if (window.testRunner)
index 5bc7bf3..75e152c 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="style-src 'none'; script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="style-src 'none'; script-src 'unsafe-inline'">
 <link rel="stylesheet" href="resources/blue.css">
 <script>
 if (window.testRunner)
index 91c9988..13a4dab 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src http://127.0.0.1:8000"/>
+<meta http-equiv="Content-Security-Policy" content="connect-src http://127.0.0.1:8000"/>
 <script>
 if (window.testRunner) {
     testRunner.waitUntilDone();
index 44e1142..acdea81 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="connect-src 'none'"/>
+<meta http-equiv="Content-Security-Policy" content="connect-src 'none'"/>
 <script>
 if (window.testRunner) {
     testRunner.waitUntilDone();
index 1f1a2e6..2dc295c 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self' 'unsafe-inline'"/>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"/>
 <script>
 if (window.testRunner) {
     testRunner.waitUntilDone();
index a8d9f62..55c936c 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self' 'unsafe-inline'"/>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"/>
 <script>
 if (window.testRunner) {
     testRunner.waitUntilDone();
index 997733f..e6bca40 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'unsafe-inline'"/>
+<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'"/>
 <script>
 if (window.testRunner) {
     testRunner.dumpAsText();
index 0ed6a40..d23b540 100644 (file)
@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="X-WebKit-CSP" content="script-src 'self' 'unsafe-inline'"/>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'"/>
 <script>
 if (window.testRunner) {
     testRunner.waitUntilDone();
index 94a5982..76a50dc 100644 (file)
@@ -1,6 +1,6 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: script-src * 'unsafe-inline'");
+header("Content-Security-Policy: script-src * 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';
 echo '<?xml-stylesheet type="text/xsl" href="resources/style.xsl"?>';
index e02ae48..4f7da83 100644 (file)
@@ -1,6 +1,6 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: script-src 'unsafe-inline'");
+header("Content-Security-Policy: script-src 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';
 echo '<?xml-stylesheet type="text/xsl" href="resources/style.xsl"?>';
index 981d11f..b2de640 100644 (file)
@@ -1,6 +1,6 @@
 <?php
 header("Content-Type: text/xml");
-header("X-WebKit-CSP: img-src 'none'");
+header("Content-Security-Policy: img-src 'none'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';
 echo '<?xml-stylesheet type="text/xsl" href="resources/transform-to-img.xsl"?>';
index efb417b..633c32a 100644 (file)
@@ -1,6 +1,6 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: style-src *; script-src 'unsafe-inline'");
+header("Content-Security-Policy: style-src *; script-src 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';
 echo '<?xml-stylesheet type="text/xsl" href="resources/style.xsl"?>';
index 4b5e28a..1b99f7f 100644 (file)
@@ -1,6 +1,6 @@
 <?php
 header("Content-Type: application/xhtml+xml");
-header("X-WebKit-CSP: style-src 'none'; script-src * 'unsafe-inline'");
+header("Content-Security-Policy: style-src 'none'; script-src * 'unsafe-inline'");
 
 echo '<?xml version="1.0" encoding="UTF-8"?>';
 echo '<?xml-stylesheet type="text/xsl" href="resources/style.xsl"?>';
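Review bot: every converted test in this patch replaces X-WebKit-CSP outright, so nothing shown still exercises the prefixed header path (EnforceAllDirectives) even though the patch keeps it supported on all ports, and nothing checks the new split between the two headers. Keep at least one of these XSLT/XHTML cases on the prefixed header, and add a case that sends a 1.1-only directive such as form-action under Content-Security-Policy and expects the unrecognized-directive console message, since that rejection is the whole point of the m_experimental gate.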
index 7a94467..30fce6b 100644 (file)
@@ -1,3 +1,67 @@
+2012-10-31  Mike West  <mkwst@chromium.org>
+
+        Implement the canonical "Content-Security-Policy" header.
+        https://bugs.webkit.org/show_bug.cgi?id=96765
+
+        Reviewed by Adam Barth.
+
+        The CSP 1.0 specification defines the "Content-Security-Policy" header
+        as the canonical mechanism of defining a resource's security policy. Up
+        through this patch, we've implemented the functionality behind a prefix
+        in order to ensure compatibility with the standard once it's released as
+        a recommendation. Both the specification and WebKit's implementation are
+        far enough along in that process that it makes sense to support the
+        unprefixed header for sites that wish to opt-in to CSP 1.0.
+
+        As discussed on public-webappsec[1], we'll keep the experimental 1.1
+        features behind the prefixed header ('X-WebKit-CSP') until that standard
+        is far enough along to justify moving them out to the canonical header.
+
+        This patch defines the 'Content-Security-Policy' header for all ports,
+        just as the 'X-WebKit-CSP' header is currently supported on all ports.
+        Ports that have not opted-in to the CSP_NEXT flag will see exactly the
+        same behavior with both headers. Ports that have opted-in will see much
+        of CSP 1.1's current definition on the prefixed header, and CSP 1.0 on
+        the canonical header.
+
+        The functionality in this change is covered by the changes made to
+        existing tests. No expectations changed, only the headers that are sent.
+
+        * dom/Document.cpp:
+        (WebCore::Document::processHttpEquiv):
+            Add canonical header support to 'meta' element definitions.
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::didBeginDocument):
+            Add canonical header support to FrameLoader.
+        * page/ContentSecurityPolicy.cpp:
+        (WebCore::CSPDirectiveList::headerType):
+            The ContentSecurityPolicy::HeaderType enum now has four values:
+            prefixed/report-only, unprefixed/report-only, prefixed/enforce, and
+            unprefixed/enforce. Instead of creating logic to output the proper
+            type based on internal flags, CSPDirectiveList now saves the value
+            provided at creation time, and returns it via this method.
+        (CSPDirectiveList):
+        (WebCore::CSPDirectiveList::CSPDirectiveList):
+            The constructor now accepts a type, which is stored on the object.
+            It also stores a new internal variable, 'm_experimental', which
+            defines whether or not experimental features ought to be available.
+            These features are still locked behind the CSP_NEXT flag, but that
+            might not be the case forever.
+        (WebCore::CSPDirectiveList::create):
+            The static constructor wrapper now passes the type into the real
+            constructor, which also now handles setting its internal variables.
+        (WebCore::CSPDirectiveList::parse):
+            'parse()' is given the header, so it makes sense to store it here as
+            well, rather than in the create wrapper.
+        (WebCore::CSPDirectiveList::addDirective):
+            1.1 directives remain locked behind CSP_NEXT, but now also require
+            that 'm_experimental' is set, signaling usage of the prefixed header
+            and an implicit opt-in to 1.1.
+        * page/ContentSecurityPolicy.h:
+            Added two new types to the HeaderTypes enum: PrefixedReportOnly, and
+            PrefixedEnforcePolicy. These map to 'X-WebKitCSP-Report-Only' and
+            'X-WebKit-CSP', respectively.
+
 2012-10-31  Roger Fong  <roger_fong@apple.com>
 
         Change PopupMenu positioning on Windows such that behaviour on multiple monitors matches Windows standards.
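Review bot: the ContentSecurityPolicy.h entry does not match the code: it says the enum gained PrefixedReportOnly and PrefixedEnforcePolicy mapping to 'X-WebKitCSP-Report-Only' and 'X-WebKit-CSP', but the header actually renames the whole enum to ReportStableDirectives, EnforceStableDirectives, ReportAllDirectives and EnforceAllDirectives, and the first header name is missing its hyphen ('X-WebKit-CSP-Report-Only'). The public-webappsec citation marked [1] also has no URL anywhere in the entry. Please fix the names and add the link so the ChangeLog can be used to find the enum values and the discussion.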
index 65d99b6..2b4c671 100644 (file)
@@ -2966,10 +2966,14 @@ void Document::processHttpEquiv(const String& equiv, const String& content)
                 addConsoleMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, message, url().string(), 0, 0, requestIdentifier);
             }
         }
-    } else if (equalIgnoringCase(equiv, "x-webkit-csp"))
-        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::EnforcePolicy);
+    } else if (equalIgnoringCase(equiv, "content-security-policy"))
+        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::EnforceStableDirectives);
+    else if (equalIgnoringCase(equiv, "content-security-policy-report-only"))
+        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::ReportStableDirectives);
+    else if (equalIgnoringCase(equiv, "x-webkit-csp"))
+        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::EnforceAllDirectives);
     else if (equalIgnoringCase(equiv, "x-webkit-csp-report-only"))
-        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::ReportOnly);
+        contentSecurityPolicy()->didReceiveHeader(content, ContentSecurityPolicy::ReportAllDirectives);
 }
 
 // Though isspace() considers \t and \v to be whitespace, Win IE doesn't.
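Review bot: the four-way chain has no comment saying which http-equiv name opts the document into the experimental directive set, and the enum names alone (Stable vs All) do not say that the X-WebKit-* names are the 1.1 opt-in. A one-line comment above the first "content-security-policy" branch stating that the prefixed names map to *AllDirectives and unlock CSP_NEXT directives would save the next reader a trip to ContentSecurityPolicy.cpp.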
index c32a5a4..c1da445 100644 (file)
@@ -660,13 +660,21 @@ void FrameLoader::didBeginDocument(bool dispatch)
         if (!dnsPrefetchControl.isEmpty())
             m_frame->document()->parseDNSPrefetchControlHeader(dnsPrefetchControl);
 
-        String contentSecurityPolicy = m_documentLoader->response().httpHeaderField("X-WebKit-CSP");
-        if (!contentSecurityPolicy.isEmpty())
-            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(contentSecurityPolicy, ContentSecurityPolicy::EnforcePolicy);
+        String policyValue = m_documentLoader->response().httpHeaderField("Content-Security-Policy");
+        if (!policyValue.isEmpty())
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::EnforceStableDirectives);
 
-        String reportOnlyContentSecurityPolicy = m_documentLoader->response().httpHeaderField("X-WebKit-CSP-Report-Only");
-        if (!reportOnlyContentSecurityPolicy.isEmpty())
-            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(reportOnlyContentSecurityPolicy, ContentSecurityPolicy::ReportOnly);
+        policyValue = m_documentLoader->response().httpHeaderField("Content-Security-Policy-Report-Only");
+        if (!policyValue.isEmpty())
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::ReportStableDirectives);
+
+        policyValue = m_documentLoader->response().httpHeaderField("X-WebKit-CSP");
+        if (!policyValue.isEmpty())
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::EnforceAllDirectives);
+
+        policyValue = m_documentLoader->response().httpHeaderField("X-WebKit-CSP-Report-Only");
+        if (!policyValue.isEmpty())
+            m_frame->document()->contentSecurityPolicy()->didReceiveHeader(policyValue, ContentSecurityPolicy::ReportAllDirectives);
 
         String headerContentLanguage = m_documentLoader->response().httpHeaderField("Content-Language");
         if (!headerContentLanguage.isEmpty()) {
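Review bot: reading Content-Security-Policy before X-WebKit-CSP changes what a response that sends both headers sees through deprecatedHeader()/deprecatedHeaderType(), which return m_policies[0]; before this patch that was always the prefixed list, now it is the canonical one. If that is intended, say so in the ChangeLog and add a comment here that the order is load-bearing; otherwise read the prefixed headers first to preserve the previous value.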
index 14bbc13..d175463 100644 (file)
@@ -772,7 +772,7 @@ public:
     static PassOwnPtr<CSPDirectiveList> create(ContentSecurityPolicy*, const String&, ContentSecurityPolicy::HeaderType);
 
     const String& header() const { return m_header; }
-    ContentSecurityPolicy::HeaderType headerType() const { return m_reportOnly ? ContentSecurityPolicy::ReportOnly : ContentSecurityPolicy::EnforcePolicy; }
+    ContentSecurityPolicy::HeaderType headerType() const { return m_headerType; }
 
     bool allowJavaScriptURLs(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
     bool allowInlineEventHandlers(const String& contextURL, const WTF::OrdinalNumber& contextLine, ContentSecurityPolicy::ReportingStatus) const;
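Review bot: headerType() now returns the stored m_headerType while m_reportOnly is still kept as a separate member, so the two can drift if anyone assigns one without the other. Consider making m_reportOnly (and the new m_experimental) inline accessors derived from m_headerType instead of stored state.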
@@ -796,7 +796,7 @@ public:
     const String& evalDisabledErrorMessage() { return m_evalDisabledErrorMessage; }
 
 private:
-    explicit CSPDirectiveList(ContentSecurityPolicy*);
+    CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType);
 
     void parse(const String&);
 
@@ -833,7 +833,9 @@ private:
     ContentSecurityPolicy* m_policy;
 
     String m_header;
+    ContentSecurityPolicy::HeaderType m_headerType;
 
+    bool m_experimental;
     bool m_reportOnly;
     bool m_haveSandboxPolicy;
 
@@ -855,27 +857,21 @@ private:
     String m_evalDisabledErrorMessage;
 };
 
-CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy)
+CSPDirectiveList::CSPDirectiveList(ContentSecurityPolicy* policy, ContentSecurityPolicy::HeaderType type)
     : m_policy(policy)
+    , m_headerType(type)
+    , m_experimental(false)
     , m_reportOnly(false)
     , m_haveSandboxPolicy(false)
 {
+    m_reportOnly = (type == ContentSecurityPolicy::ReportStableDirectives || type == ContentSecurityPolicy::ReportAllDirectives);
+    m_experimental = (type == ContentSecurityPolicy::ReportAllDirectives || type == ContentSecurityPolicy::EnforceAllDirectives);
 }
 
 PassOwnPtr<CSPDirectiveList> CSPDirectiveList::create(ContentSecurityPolicy* policy, const String& header, ContentSecurityPolicy::HeaderType type)
 {
-    OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy));
+    OwnPtr<CSPDirectiveList> directives = adoptPtr(new CSPDirectiveList(policy, type));
     directives->parse(header);
-    directives->m_header = header;
-
-    switch (type) {
-    case ContentSecurityPolicy::ReportOnly:
-        directives->m_reportOnly = true;
-        return directives.release();
-    case ContentSecurityPolicy::EnforcePolicy:
-        ASSERT(!directives->m_reportOnly);
-        break;
-    }
 
     if (!directives->checkEval(directives->operativeDirective(directives->m_scriptSrc.get()))) {
         String message = makeString("Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"", directives->operativeDirective(directives->m_scriptSrc.get())->text(), "\".\n");
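Review bot: dropping the switch also drops the early `return directives.release();` that ReportOnly lists took before the checkEval block, so report-only lists now go through the eval check and get m_evalDisabledErrorMessage populated where previously they did not. That may be harmless, but it is a behavior change the ChangeLog ("No expectations changed") does not mention; please confirm it is intended or restore the early return for the Report* types. Separately, m_experimental and m_reportOnly are initialized to false in the initializer list and then immediately reassigned in the body; compute them directly in the initializer list from `type` instead.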
@@ -1151,6 +1147,7 @@ bool CSPDirectiveList::allowFormAction(const KURL& url, ContentSecurityPolicy::R
 //
 void CSPDirectiveList::parse(const String& policy)
 {
+    m_header = policy;
     if (policy.isEmpty())
         return;
 
@@ -1297,12 +1294,14 @@ void CSPDirectiveList::addDirective(const String& name, const String& value)
     else if (equalIgnoringCase(name, reportURI))
         parseReportURI(name, value);
 #if ENABLE(CSP_NEXT)
-    else if (equalIgnoringCase(name, formAction))
-        setCSPDirective<SourceListDirective>(name, value, m_formAction);
-    else if (equalIgnoringCase(name, pluginTypes))
-        setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
-    else if (equalIgnoringCase(name, scriptNonce))
-        setCSPDirective<NonceDirective>(name, value, m_scriptNonce);
+    else if (m_experimental) {
+        if (equalIgnoringCase(name, formAction))
+            setCSPDirective<SourceListDirective>(name, value, m_formAction);
+        else if (equalIgnoringCase(name, pluginTypes))
+            setCSPDirective<MediaListDirective>(name, value, m_pluginTypes);
+        else if (equalIgnoringCase(name, scriptNonce))
+            setCSPDirective<NonceDirective>(name, value, m_scriptNonce);
+    }
 #endif
     else
         m_policy->reportUnrecognizedDirective(name);
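Review bot: when m_experimental is true the `else if (m_experimental) { ... }` branch is taken for every directive name that did not match above, and if the name is none of formAction, pluginTypes or scriptNonce the inner chain ends without doing anything, so the outer `else m_policy->reportUnrecognizedDirective(name);` is never reached. Unknown or misspelled directives on the prefixed header are now silently ignored instead of producing the console warning. Either add a trailing `else m_policy->reportUnrecognizedDirective(name);` inside the block, or flatten it into `else if (m_experimental && equalIgnoringCase(name, formAction))` style branches so the final else still applies.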
@@ -1368,7 +1367,7 @@ const String& ContentSecurityPolicy::deprecatedHeader() const
 
 ContentSecurityPolicy::HeaderType ContentSecurityPolicy::deprecatedHeaderType() const
 {
-    return m_policies.isEmpty() ? EnforcePolicy : m_policies[0]->headerType();
+    return m_policies.isEmpty() ? EnforceStableDirectives : m_policies[0]->headerType();
 }
 
 template<bool (CSPDirectiveList::*allowed)(ContentSecurityPolicy::ReportingStatus) const>
index 8c8e867..3e85cf4 100644 (file)
@@ -60,8 +60,10 @@ public:
     void copyStateFrom(const ContentSecurityPolicy*);
 
     enum HeaderType {
-        ReportOnly,
-        EnforcePolicy
+        ReportStableDirectives,
+        EnforceStableDirectives,
+        ReportAllDirectives,
+        EnforceAllDirectives
     };
 
     enum ReportingStatus {
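Review bot: nothing in the header says which HTTP header each of the four enumerators corresponds to, and "Stable" versus "All" does not tell a reader that the All variants are the X-WebKit-CSP opt-in. Add a comment per enumerator naming the header (Content-Security-Policy, Content-Security-Policy-Report-Only, X-WebKit-CSP, X-WebKit-CSP-Report-Only) so callers of didReceiveHeader pick the right one without reading FrameLoader.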
index cafd17a..f178d1a 100644 (file)
 namespace WebKit {
 
 enum WebContentSecurityPolicyType {
-    WebContentSecurityPolicyTypeReportOnly,
-    WebContentSecurityPolicyTypeEnforcePolicy
+    WebContentSecurityPolicyTypeReportStableDirectives,
+    WebContentSecurityPolicyTypeEnforceStableDirectives,
+    WebContentSecurityPolicyTypeReportAllDirectives,
+    WebContentSecurityPolicyTypeEnforceAllDirectives,
 };
 
 } // namespace WebKit
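Review bot: this is a public WebKit API enum, and removing WebContentSecurityPolicyTypeReportOnly and WebContentSecurityPolicyTypeEnforcePolicy outright breaks any embedder compiled against the old names; either keep the old names as aliases for the Stable variants for a transition period or land the embedder update together with this. Also the trailing comma after WebContentSecurityPolicyTypeEnforceAllDirectives is new (the old enum had none, and the matching WebCore enum in ContentSecurityPolicy.h omits it); drop it for consistency and to avoid pedantic warnings on pre-C++11 compilers.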
index 200a46e..538d9f1 100644 (file)
@@ -620,8 +620,10 @@ COMPILE_ASSERT_MATCHING_ENUM(WebReferrerPolicyDefault, ReferrerPolicyDefault);
 COMPILE_ASSERT_MATCHING_ENUM(WebReferrerPolicyNever, ReferrerPolicyNever);
 COMPILE_ASSERT_MATCHING_ENUM(WebReferrerPolicyOrigin, ReferrerPolicyOrigin);
 
-COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeReportOnly, ContentSecurityPolicy::ReportOnly);
-COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeEnforcePolicy, ContentSecurityPolicy::EnforcePolicy);
+COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeReportStableDirectives, ContentSecurityPolicy::ReportStableDirectives);
+COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeEnforceStableDirectives, ContentSecurityPolicy::EnforceStableDirectives);
+COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeReportAllDirectives, ContentSecurityPolicy::ReportAllDirectives);
+COMPILE_ASSERT_MATCHING_ENUM(WebContentSecurityPolicyTypeEnforceAllDirectives, ContentSecurityPolicy::EnforceAllDirectives);
 
 COMPILE_ASSERT_MATCHING_ENUM(WebURLResponse::Unknown, ResourceResponse::Unknown);
 COMPILE_ASSERT_MATCHING_ENUM(WebURLResponse::HTTP_0_9, ResourceResponse::HTTP_0_9);