<video> and <audio> elements do not obey Content Security Policy on redirect
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 16 Mar 2016 19:46:49 +0000 (19:46 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 16 Mar 2016 19:46:49 +0000 (19:46 +0000)
https://bugs.webkit.org/show_bug.cgi?id=155509
<rdar://problem/10234844>

Reviewed by Alex Christensen.

Source/WebCore:

Fixes an issue where the Content Security Policy of the page was not enforced
on redirects when loading a media subresource via an HTML video or HTML audio
element.

Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/font-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/font-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/image-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/image-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/script-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/script-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/track-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/track-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/video-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/video-redirect-blocked.html
       http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html
       http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html

* inspector/InspectorPageAgent.cpp:
(WebCore::InspectorPageAgent::cachedResourceContent): Treat media resources as raw resources just as we do currently.
(WebCore::InspectorPageAgent::cachedResourceType): Ditto.
* loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::requestResource): Modified to use CachedResourceLoader::requestMedia() instead
of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
more details.
* loader/ResourceLoadInfo.cpp:
(WebCore::toResourceType): Treat media resources as raw resources just as we do currently. Also, add cases for
CachedResource::LinkPrefetch and CachedResource::LinkSubresource (when ENABLE(LINK_PREFETCH) is enabled) and
remove the default statement to force a compile-time error when a new CachedResource enumerator is added and
the switch block in this function is not updated.
* loader/SubresourceLoader.cpp:
(WebCore::logResourceLoaded): Ditto.
* loader/cache/CachedRawResource.cpp:
(WebCore::CachedRawResource::CachedRawResource): Substitute CachedResource::isMainOrMediaOrRawResource() for
CachedResource::isMainOrRawResource() as the latter was renamed to the former.
* loader/cache/CachedRawResource.h:
(isType): Ditto.
* loader/cache/CachedResource.cpp:
(WebCore::defaultPriorityForResourceType): Use priority ResourceLoadPriority::Medium for media resources just as
we do currently.
* loader/cache/CachedResource.h:
(WebCore::CachedResource::isMainOrMediaOrRawResource): Formerly named isMainOrRawResource. Returns true if the type
of this resource is a main resource, media resource, or raw resource.
(WebCore::CachedResource::isMainOrRawResource): Deleted.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::createResource): Treat media resources as raw resources just as we do currently.
(WebCore::CachedResourceLoader::requestMedia): Added.
(WebCore::contentTypeFromResourceType): Consider media resources as MixedContentChecker::ContentType::Active
just as we do currently.
(WebCore::CachedResourceLoader::checkInsecureContent): Apply the mixed content policy to media resources
just as we do currently.
(WebCore::CachedResourceLoader::canRequest): Apply the Same Origin Policy to media resources just as we
do currently. Query the Content Security Policy of the page to determine if the media resource can be
requested.
(WebCore::CachedResourceLoader::determineRevalidationPolicy): Substitute CachedResource::isMainOrMediaOrRawResource()
for CachedResource::isMainOrRawResource() as the latter was renamed to the former.
* loader/cache/CachedResourceLoader.h:
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::startLoading): Modified to use CachedResourceLoader::requestMedia() instead
of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
more details. Additionally, simplified code that determined whether to request the media resource or error out
by coalescing two conditional expressions into one conditional on whether we have a loader and substituted
nullptr for 0.

Source/WebKit2:

Use 0ms as the maximum buffering time for media resource just as we do currently.

* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::maximumBufferingTime):

LayoutTests:

Add tests to ensure that the Content Security Policy is enforced on redirects when
loading a subresource, including a video or audio file.

* http/tests/resources/redirect.php: Fix PHP "undefined index" warnings when either query
parameter code or refresh (or both) are not specified.
* http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/resources/ABCFont.svg: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg.
* http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl: Added.
* http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl: Added.
* http/tests/security/contentSecurityPolicy/resources/green-square.svg: Added.
* http/tests/security/contentSecurityPolicy/resources/red-square.svg: Added.
* http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php: Added.
* http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html:
* http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html: Added.
* platform/efl/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. We will also need to fix
<https://bugs.webkit.org/show_bug.cgi?id=153866> before we can unskip test http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html
As far as I can tell the functionality exercised by these tests is not being using by the EFL port.
* platform/gtk/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. As far as I can tell the functionality
exercised by these tests is not being using by the GTK port.
* platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added expected failure result as
AV Foundation is responsible for loading media on iOS. That is, WebCore is not responsible for loading media.
* platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Ditto.
* platform/mac/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. The functionality exercised by these
tests is not used on OS X. Additionally, mark as Failure on Yosemite and ElCapitan the added tests
http/tests/security/contentSecurityPolicy/{video, audio}-redirect-blocked.html as we do not support
Content Security Policy for media redirects in these versions of OS X.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198292 268f45cc-cd09-0410-ab3c-d52691b4dbfc

69 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/resources/redirect.php
LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/ABCFont.svg [moved from LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg with 100% similarity]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/green-square.svg [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/red-square.svg [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html
LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html [new file with mode: 0644]
LayoutTests/platform/efl/TestExpectations
LayoutTests/platform/gtk/TestExpectations
LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt [new file with mode: 0644]
LayoutTests/platform/mac/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/inspector/InspectorPageAgent.cpp
Source/WebCore/loader/MediaResourceLoader.cpp
Source/WebCore/loader/ResourceLoadInfo.cpp
Source/WebCore/loader/SubresourceLoader.cpp
Source/WebCore/loader/cache/CachedRawResource.cpp
Source/WebCore/loader/cache/CachedRawResource.h
Source/WebCore/loader/cache/CachedResource.cpp
Source/WebCore/loader/cache/CachedResource.h
Source/WebCore/loader/cache/CachedResourceLoader.cpp
Source/WebCore/loader/cache/CachedResourceLoader.h
Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/Network/WebLoaderStrategy.cpp

index 2736308..1d54c95 100644 (file)
@@ -1,3 +1,80 @@
+2016-03-16  Daniel Bates  <dabates@apple.com>
+
+        <video> and <audio> elements do not obey Content Security Policy on redirect
+        https://bugs.webkit.org/show_bug.cgi?id=155509
+        <rdar://problem/10234844>
+
+        Reviewed by Alex Christensen.
+
+        Add tests to ensure that the Content Security Policy is enforced on redirects when
+        loading a subresource, including a video or audio file.
+
+        * http/tests/resources/redirect.php: Fix PHP "undefined index" warnings when either query
+        parameter code or refresh (or both) are not specified.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/font-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/ABCFont.svg: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg.
+        * http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl: Added.
+        * http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl: Added.
+        * http/tests/security/contentSecurityPolicy/resources/green-square.svg: Added.
+        * http/tests/security/contentSecurityPolicy/resources/red-square.svg: Added.
+        * http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php: Added.
+        * http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php: Added.
+        * http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/script-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/track-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html:
+        * http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/video-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/video-redirect-blocked.html: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html: Added.
+        * platform/efl/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+        until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. We will also need to fix
+        <https://bugs.webkit.org/show_bug.cgi?id=153866> before we can unskip test http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html
+        As far as I can tell the functionality exercised by these tests is not being using by the EFL port.
+        * platform/gtk/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+        until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. As far as I can tell the functionality
+        exercised by these tests is not being using by the GTK port.
+        * platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added expected failure result as
+        AV Foundation is responsible for loading media on iOS. That is, WebCore is not responsible for loading media.
+        * platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Ditto.
+        * platform/mac/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+        until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. The functionality exercised by these
+        tests is not used on OS X. Additionally, mark as Failure on Yosemite and ElCapitan the added tests
+        http/tests/security/contentSecurityPolicy/{video, audio}-redirect-blocked.html as we do not support
+        Content Security Policy for media redirects in these versions of OS X.
+
 2016-03-16  Jiewen Tan  <jiewen_tan@apple.com>
 
         URL Parsing should signal failure for illegal IDN
index b08c8d3..3736070 100644 (file)
@@ -6,23 +6,21 @@
     }
 
     $url = $_GET['url'];
-    $refresh = $_GET['refresh'];
-    
-    if (isset($refresh)) {
+
+    if (isset($_GET['refresh'])) {
         header("HTTP/1.1 200");
-        header("Refresh: $refresh; url=$url");
+        header("Refresh: " . $_GET['refresh'] . "; url=$url");
         addCacheControl();
         return;
     }
 
-    $code = $_GET['code'];
-    if (!isset($code))
+    if (!isset($_GET['code']))
         header("HTTP/1.1 302 Found");
-    elseif ($code == 308) {
+    elseif ($_GET['code'] == 308) {
         # Apache 2.2 (and possibly some newer versions) cannot generate a reason string for code 308, and sends a 500 error instead.
         header("HTTP/1.1 308 Permanent Redirect");
     } else
-        header("HTTP/1.1 $code");
+        header("HTTP/1.1 " . $_GET['code']);
     header("Location: $url");
     addCacheControl();
 ?>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt
new file mode 100644 (file)
index 0000000..9c70321
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html
new file mode 100644 (file)
index 0000000..7cedcfb
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<audio src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/balls-of-the-orient.aif" onloadedmetadata="alertAndDone('PASS')" onerror="alertAndDone('FAIL')"></audio>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..1a71233
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/resources/balls-of-the-orient.aif' because it violates the following Content Security Policy directive: "media-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html
new file mode 100644 (file)
index 0000000..8c420c3
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<audio src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/balls-of-the-orient.aif" onloadedmetadata="alertAndDone('FAIL')" onerror="alertAndDone('PASS')"></audio>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt
new file mode 100644 (file)
index 0000000..5bc7d65
--- /dev/null
@@ -0,0 +1,3 @@
+Tests that a cross-origin CSS font loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+.
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-allowed.html
new file mode 100644 (file)
index 0000000..6e7797e
--- /dev/null
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+<style>
+@font-face {
+    font-family: "Ahem";
+    src: url("http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/Ahem.woff") format("woff");
+}
+</style>
+</head>
+<body>
+<p>Tests that a cross-origin CSS font loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<p style="font-family: 'Ahem'">.</p> <!-- Intentional period character to force font to load -->
+<script>
+// Use a zero timer to wait until the font loaded.
+if (window.testRunner)
+    window.setTimeout("window.testRunner.notifyDone();", 0);
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..c089f8d
--- /dev/null
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Refused to load the font 'http://localhost:8000/resources/Ahem.woff' because it violates the following Content Security Policy directive: "font-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+.
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/font-redirect-blocked.html
new file mode 100644 (file)
index 0000000..47bcc32
--- /dev/null
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php">
+<style>
+@font-face {
+    font-family: "Ahem";
+    src: url("http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/Ahem.woff") format("woff");
+}
+</style>
+</head>
+<body>
+<p>Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<p style="font-family: 'Ahem'">.</p> <!-- Intentional period character to force font to load -->
+<script>
+// Use a zero timer to wait until the font loaded.
+if (window.testRunner)
+    window.setTimeout("window.testRunner.notifyDone();", 0);
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt
new file mode 100644 (file)
index 0000000..2c50688
--- /dev/null
@@ -0,0 +1,3 @@
+Tests that a cross-origin image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-allowed.html
new file mode 100644 (file)
index 0000000..a426d55
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<p>Tests that a cross-origin image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<img src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/resources/abe.png" width="128" height="128">
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..392e1cf
--- /dev/null
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/image-redirect-blocked.html
new file mode 100644 (file)
index 0000000..9f40554
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<p>Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<img src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/resources/abe.png" width="128" height="128">
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl
new file mode 100644 (file)
index 0000000..4d44f2a
--- /dev/null
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+    <html xml:lang="en-us" xmlns="http://www.w3.org/1999/xhtml">
+        <body>
+            <script type="text/javascript">
+                if (window.testRunner)
+                    testRunner.dumpAsText();
+                alert("FAIL");
+            </script>
+        </body>
+    </html>
+</xsl:template>
+</xsl:stylesheet>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl
new file mode 100644 (file)
index 0000000..93bf830
--- /dev/null
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+    <html xml:lang="en-us" xmlns="http://www.w3.org/1999/xhtml">
+        <body>
+            <script type="text/javascript">
+                if (window.testRunner)
+                    testRunner.dumpAsText();
+                alert("PASS");
+            </script>
+        </body>
+    </html>
+</xsl:template>
+</xsl:stylesheet>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/green-square.svg b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/green-square.svg
new file mode 100644 (file)
index 0000000..e3fa9b9
--- /dev/null
@@ -0,0 +1,3 @@
+<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <rect x="0" y="0" width="100px" height="100px" fill="green"/>
+</svg>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/red-square.svg b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/red-square.svg
new file mode 100644 (file)
index 0000000..0e918f0
--- /dev/null
@@ -0,0 +1,3 @@
+<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <rect x="0" y="0" width="100px" height="100px" fill="red"/>
+</svg>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php
new file mode 100644 (file)
index 0000000..86d9006
--- /dev/null
@@ -0,0 +1,13 @@
+<?php
+header("Content-Type: application/xhtml+xml");
+header("Content-Security-Policy: script-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000 'unsafe-inline'");
+echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
+echo '<?xml-stylesheet type="text/xsl" href="http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.xsl"?>' . "\n";
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+</head>
+<body>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php b/LayoutTests/http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php
new file mode 100644 (file)
index 0000000..4ee4735
--- /dev/null
@@ -0,0 +1,20 @@
+<?php
+header("Content-Type: application/xhtml+xml");
+header("Content-Security-Policy: script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'");
+echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
+echo '<?xml-stylesheet type="text/xsl" href="http://127.0.0.1:8000/resources/redirect.php?code=307&amp;url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-fail.xsl"?>' . "\n";
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+</head>
+<body>
+<script type="text/javascript">
+//<![CDATA[
+if (window.testRunner)
+    testRunner.dumpAsText();
+alert("PASS");
+//]]>
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt
new file mode 100644 (file)
index 0000000..9c70321
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-allowed.html
new file mode 100644 (file)
index 0000000..1832f4a
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000 'unsafe-inline'">
+<script src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass-and-notify-done.js" onerror="alertAndDone('FAIL')"></script>
+</head>
+<body>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..9a2efe2
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'".
+
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/script-redirect-blocked.html
new file mode 100644 (file)
index 0000000..722a7a4
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'">
+<script src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-fail.js" onerror="alertAndDone('PASS')"></script>
+</head>
+<body>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt
new file mode 100644 (file)
index 0000000..9c70321
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html
new file mode 100644 (file)
index 0000000..b49b8ee
--- /dev/null
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="style-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+<link rel="stylesheet" href="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/blue.css" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
+</head>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..924d7a7
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to load the stylesheet 'http://localhost:8000/security/contentSecurityPolicy/resources/blue.css' because it violates the following Content Security Policy directive: "style-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html
new file mode 100644 (file)
index 0000000..00025c7
--- /dev/null
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="style-src http://127.0.0.1:8000/resources/redirect.php">
+<link rel="stylesheet" href="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/blue.css" onload="alertAndDone('FAIL')" onerror="alertAndDone('PASS')">
+</head>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt
new file mode 100644 (file)
index 0000000..0bfdb42
--- /dev/null
@@ -0,0 +1,3 @@
+Tests that a SVG font-face element is allowed to load a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html
new file mode 100644 (file)
index 0000000..6aacafd
--- /dev/null
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<p>Tests that a SVG font-face element is allowed to load a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<svg viewBox="0 0 100 100">
+    <font-face>
+        <font-face-src>
+            <font-face-uri font-family="ABCFont" xlink:href="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/ABCFont.svg#ABCFont"></font-face-uri>
+        </font-face-src>
+    </font-face>
+</svg>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..9cf05f2
--- /dev/null
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Refused to load the font 'http://localhost:8000/security/contentSecurityPolicy/resources/ABCFont.svg' because it violates the following Content Security Policy directive: "font-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html
new file mode 100644 (file)
index 0000000..9441991
--- /dev/null
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<p>Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<svg viewBox="0 0 100 100">
+    <font-face>
+        <font-face-src>
+            <font-face-uri font-family="ABCFont" xlink:href="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/ABCFont.svg"></font-face-uri>
+        </font-face-src>
+    </font-face>
+</svg>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt
new file mode 100644 (file)
index 0000000..99ac35f
--- /dev/null
@@ -0,0 +1,3 @@
+Tests that a cross-origin SVG image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html
new file mode 100644 (file)
index 0000000..e93c86f
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<p>Tests that a cross-origin SVG image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<img src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/green-square.svg" width="128" height="128">
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..e08d7ea
--- /dev/null
@@ -0,0 +1,5 @@
+CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/contentSecurityPolicy/resources/red-square.svg' because it violates the following Content Security Policy directive: "img-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html
new file mode 100644 (file)
index 0000000..9213688
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<p>Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<img src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/red-square.svg" width="128" height="128">
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt
new file mode 100644 (file)
index 0000000..9c70321
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-allowed.html
new file mode 100644 (file)
index 0000000..195782e
--- /dev/null
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<video>
+    <track src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt" kind="captions" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
+</video>
+<script>
+document.querySelector("track").track.mode = "hidden"; // Load the track
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..e3264cf
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt' because it violates the following Content Security Policy directive: "media-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/track-redirect-blocked.html
new file mode 100644 (file)
index 0000000..aa23efb
--- /dev/null
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<video>
+    <track src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt" kind="captions" onload="alertAndDone('FAIL')" onerror="alertAndDone('PASS')">
+</video>
+<script>
+document.querySelector("track").track.mode = "hidden"; // Load the track
+</script>
+</body>
+</html>
index 21e6bbd..e8f07f3 100644 (file)
@@ -24,7 +24,7 @@ function runTest()
     fontFaceSrc.appendChild(fontFaceURI);
 
     fontFace.setAttributeNS(null, "font-family", "ABCFont");
-    fontFaceURI.setAttributeNS("http://www.w3.org/1999/xlink", "href", "resources/ABCFont.svg#ABCFont");
+    fontFaceURI.setAttributeNS("http://www.w3.org/1999/xlink", "href", "../resources/ABCFont.svg#ABCFont");
 }
 
 runTest();
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt
new file mode 100644 (file)
index 0000000..9c70321
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-allowed.html
new file mode 100644 (file)
index 0000000..4d87ff2
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<video src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/test.mp4" onloadedmetadata="alertAndDone('PASS')" onerror="alertAndDone('FAIL')"></video>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..1669cf2
--- /dev/null
@@ -0,0 +1,4 @@
+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/resources/test.mp4' because it violates the following Content Security Policy directive: "media-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/video-redirect-blocked.html
new file mode 100644 (file)
index 0000000..f3724b7
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<video src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/test.mp4" onloadedmetadata="alertAndDone('FAIL')" onerror="alertAndDone('PASS')"></video>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt
new file mode 100644 (file)
index 0000000..991e636
--- /dev/null
@@ -0,0 +1,7 @@
+ALERT: PASS
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html b/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html
new file mode 100644 (file)
index 0000000..bb4fe71
--- /dev/null
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+
+    // This is a contrived test. We normally do not allow cross-origin XML Stylesheets.
+    testRunner.addOriginAccessWhitelistEntry("http://127.0.0.1:8000", "http", "localhost", false);
+}
+</script>
+</head>
+<body>
+<iframe src="resources/xsl-redirect-allowed.php"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..08f93cd
--- /dev/null
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.xsl' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'".
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html b/LayoutTests/http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html
new file mode 100644 (file)
index 0000000..86a6deb
--- /dev/null
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+
+    // This is a contrived test. We normally do not allow cross-origin XML Stylesheets.
+    testRunner.addOriginAccessWhitelistEntry("http://127.0.0.1:8000", "http", "localhost", false);
+}
+</script>
+</head>
+<body>
+<iframe src="resources/xsl-redirect-blocked.php"></iframe>
+</body>
+</html>
index d280c80..df9db6c 100644 (file)
@@ -643,7 +643,6 @@ webkit.org/b/153866 http/tests/media/video-referer.html [ Crash ]
 webkit.org/b/153866 http/tests/media/video-served-as-text.html [ Crash ]
 webkit.org/b/153866 http/tests/media/video-throttled-load-metadata.html [ Crash ]
 webkit.org/b/153866 http/tests/media/video-useragent.html [ Crash ]
-webkit.org/b/153866 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Crash ]
 webkit.org/b/153866 http/tests/security/inactive-document-with-empty-security-origin.html [ Crash ]
 webkit.org/b/153866 http/tests/security/isolatedWorld/userGestureEvents.html [ Crash ]
 webkit.org/b/153866 http/tests/security/local-video-source-from-remote.html [ Crash ]
@@ -2966,3 +2965,6 @@ fast/scrolling/rtl-scrollbars-overflow-dir-rtl.html [ ImageOnlyFailure ]
 fast/scrolling/rtl-scrollbars-overflow-padding.html [ ImageOnlyFailure ]
 fast/scrolling/rtl-scrollbars-overflow-simple.html [ ImageOnlyFailure ]
 fast/scrolling/rtl-scrollbars-overflow.html [ ImageOnlyFailure ]
+
+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 webkit.org/b/153866 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
index 411021f..dbff94e 100644 (file)
@@ -691,6 +691,8 @@ webkit.org/b/154390 http/tests/media/hls/hls-audio-tracks-has-audio.html [ Timeo
 webkit.org/b/154390 http/tests/media/hls/hls-accessiblity-describes-video.html [ Timeout Failure ]
 webkit.org/b/154390 http/tests/media/hls/video-cookie.html [ Failure ]
 
+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
 
 #////////////////////////////////////////////////////////////////////////////////////////
 # End of Expected failures
diff --git a/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt b/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..7cf2aea
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: FAIL
+
diff --git a/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt b/LayoutTests/platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt
new file mode 100644 (file)
index 0000000..7cf2aea
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: FAIL
+
index f272d32..2bbd29b 100644 (file)
@@ -1342,3 +1342,10 @@ webkit.org/b/155140 js/promises-tests/promises-tests-2-3-3.html [ Pass Failure ]
 [ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow-padding.html [ ImageOnlyFailure ]
 [ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow-simple.html [ ImageOnlyFailure ]
 [ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow.html [ ImageOnlyFailure ]
+
+# Content Security Policy for media redirects is not supported on some OSes.
+[ Yosemite ElCapitan ] http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html [ Failure ]
+[ Yosemite ElCapitan ] http/tests/security/contentSecurityPolicy/video-redirect-blocked.html [ Failure ]
+
+webkit.org/b/155505 [ ElCapitan+ ] http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 [ ElCapitan+ ] http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
index 51c057f..b3b28ed 100644 (file)
@@ -1,3 +1,86 @@
+2016-03-16  Daniel Bates  <dabates@apple.com>
+
+        <video> and <audio> elements do not obey Content Security Policy on redirect
+        https://bugs.webkit.org/show_bug.cgi?id=155509
+        <rdar://problem/10234844>
+
+        Reviewed by Alex Christensen.
+
+        Fixes an issue where the Content Security Policy of the page was not enforced
+        on redirects when loading a media subresource via an HTML video or HTML audio
+        element.
+
+        Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/font-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/font-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/image-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/image-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/script-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/script-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/track-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/track-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/video-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/video-redirect-blocked.html
+               http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html
+               http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html
+
+        * inspector/InspectorPageAgent.cpp:
+        (WebCore::InspectorPageAgent::cachedResourceContent): Treat media resources as raw resources just as we do currently.
+        (WebCore::InspectorPageAgent::cachedResourceType): Ditto.
+        * loader/MediaResourceLoader.cpp:
+        (WebCore::MediaResourceLoader::requestResource): Modified to use CachedResourceLoader::requestMedia() instead
+        of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
+        resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
+        initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
+        more details.
+        * loader/ResourceLoadInfo.cpp:
+        (WebCore::toResourceType): Treat media resources as raw resources just as we do currently. Also, add cases for
+        CachedResource::LinkPrefetch and CachedResource::LinkSubresource (when ENABLE(LINK_PREFETCH) is enabled) and
+        remove the default statement to force a compile-time error when a new CachedResource enumerator is added and
+        the switch block in this function is not updated.
+        * loader/SubresourceLoader.cpp:
+        (WebCore::logResourceLoaded): Ditto.
+        * loader/cache/CachedRawResource.cpp:
+        (WebCore::CachedRawResource::CachedRawResource): Substitute CachedResource::isMainOrMediaOrRawResource() for
+        CachedResource::isMainOrRawResource() as the latter was renamed to the former.
+        * loader/cache/CachedRawResource.h:
+        (isType): Ditto.
+        * loader/cache/CachedResource.cpp:
+        (WebCore::defaultPriorityForResourceType): Use priority ResourceLoadPriority::Medium for media resources just as
+        we do currently.
+        * loader/cache/CachedResource.h:
+        (WebCore::CachedResource::isMainOrMediaOrRawResource): Formerly named isMainOrRawResource. Returns true if the type
+        of this resource is a main resource, media resource, or raw resource.
+        (WebCore::CachedResource::isMainOrRawResource): Deleted.
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::createResource): Treat media resources as raw resources just as we do currently.
+        (WebCore::CachedResourceLoader::requestMedia): Added.
+        (WebCore::contentTypeFromResourceType): Consider media resources as MixedContentChecker::ContentType::Active
+        just as we do currently.
+        (WebCore::CachedResourceLoader::checkInsecureContent): Apply the mixed content policy to media resources
+        just as we do currently.
+        (WebCore::CachedResourceLoader::canRequest): Apply the Same Origin Policy to media resources just as we
+        do currently. Query the Content Security Policy of the page to determine if the media resource can be
+        requested.
+        (WebCore::CachedResourceLoader::determineRevalidationPolicy): Substitute CachedResource::isMainOrMediaOrRawResource()
+        for CachedResource::isMainOrRawResource() as the latter was renamed to the former.
+        * loader/cache/CachedResourceLoader.h:
+        * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+        (WebCore::WebCoreAVFResourceLoader::startLoading): Modified to use CachedResourceLoader::requestMedia() instead
+        of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
+        resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
+        initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
+        more details. Additionally, simplified code that determined whether to request the media resource or error out
+        by coalescing two conditional expressions into one conditional on whether we have a loader and substituted
+        nullptr for 0.
+
 2016-03-16  Chris Dumez  <cdumez@apple.com>
 
         Unreviewed, rolling out r198235, r198240, r198241, and
index 7234c84..6379efa 100644 (file)
@@ -163,6 +163,7 @@ bool InspectorPageAgent::cachedResourceContent(CachedResource* cachedResource, S
         case CachedResource::Script:
             *result = downcast<CachedScript>(*cachedResource).script().toString();
             return true;
+        case CachedResource::MediaResource:
         case CachedResource::RawResource: {
             auto* buffer = cachedResource->resourceBuffer();
             if (!buffer)
@@ -314,6 +315,7 @@ InspectorPageAgent::ResourceType InspectorPageAgent::cachedResourceType(const Ca
         return InspectorPageAgent::StylesheetResource;
     case CachedResource::Script:
         return InspectorPageAgent::ScriptResource;
+    case CachedResource::MediaResource:
     case CachedResource::RawResource:
         return InspectorPageAgent::XHRResource;
     case CachedResource::MainResource:
index 467b1b4..31b0f5c 100644 (file)
@@ -55,13 +55,14 @@ RefPtr<PlatformMediaResource> MediaResourceLoader::requestResource(const Resourc
     RequestOriginPolicy corsPolicy = !m_crossOriginMode.isNull() ? PotentiallyCrossOriginEnabled : UseDefaultOriginRestrictionsForType;
     StoredCredentials allowCredentials = m_crossOriginMode.isNull() || equalLettersIgnoringASCIICase(m_crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
 
-    // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
+    // FIXME: Skip Content Security Policy check if the element that inititated this request
+    // is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505>.
     CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching));
 
     if (!m_crossOriginMode.isNull())
         updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document.securityOrigin(), allowCredentials);
 
-    CachedResourceHandle<CachedRawResource> resource = m_document.cachedResourceLoader().requestRawResource(cacheRequest);
+    CachedResourceHandle<CachedRawResource> resource = m_document.cachedResourceLoader().requestMedia(cacheRequest);
     if (!resource)
         return nullptr;
 
index cbd5919..a8beca5 100644 (file)
@@ -55,6 +55,7 @@ ResourceType toResourceType(CachedResource::Type type)
 #endif
         return ResourceType::Font;
 
+    case CachedResource::MediaResource:
     case CachedResource::RawResource:
         return ResourceType::Raw;
 
@@ -62,8 +63,11 @@ ResourceType toResourceType(CachedResource::Type type)
     case CachedResource::TextTrackResource:
         return ResourceType::Media;
 #endif
-    default:
+#if ENABLE(LINK_PREFETCH)
+    case CachedResource::LinkPrefetch:
+    case CachedResource::LinkSubresource:
         ASSERT_NOT_REACHED();
+#endif
     };
 }
 
index 96fe82f..db7c634 100644 (file)
@@ -350,6 +350,7 @@ static void logResourceLoaded(Frame* frame, CachedResource::Type type)
 #endif
         resourceType = DiagnosticLoggingKeys::fontKey();
         break;
+    case CachedResource::MediaResource:
     case CachedResource::RawResource:
         resourceType = DiagnosticLoggingKeys::rawKey();
         break;
index 4dc15c0..709d1ee 100644 (file)
@@ -42,7 +42,7 @@ CachedRawResource::CachedRawResource(ResourceRequest& resourceRequest, Type type
     , m_identifier(0)
     , m_allowEncodedDataReplacement(true)
 {
-    ASSERT(isMainOrRawResource());
+    ASSERT(isMainOrMediaOrRawResource());
 }
 
 const char* CachedRawResource::calculateIncrementalDataChunk(SharedBuffer* data, unsigned& incrementalDataLength)
index 7cd2520..5fb54d8 100644 (file)
@@ -95,7 +95,7 @@ private:
 } // namespace WebCore
 
 SPECIALIZE_TYPE_TRAITS_BEGIN(WebCore::CachedRawResource)
-    static bool isType(const WebCore::CachedResource& resource) { return resource.isMainOrRawResource(); }
+    static bool isType(const WebCore::CachedResource& resource) { return resource.isMainOrMediaOrRawResource(); }
 SPECIALIZE_TYPE_TRAITS_END()
 
 #endif // CachedRawResource_h
index aeaa9a6..671c75b 100644 (file)
@@ -74,6 +74,7 @@ static ResourceLoadPriority defaultPriorityForResourceType(CachedResource::Type
 #if ENABLE(SVG_FONTS)
     case CachedResource::SVGFontResource:
 #endif
+    case CachedResource::MediaResource:
     case CachedResource::FontResource:
     case CachedResource::RawResource:
         return ResourceLoadPriority::Medium;
index eb2acd4..e300192 100644 (file)
@@ -69,6 +69,7 @@ public:
 #if ENABLE(SVG_FONTS)
         SVGFontResource,
 #endif
+        MediaResource,
         RawResource,
         SVGDocumentResource
 #if ENABLE(XSLT)
@@ -159,8 +160,8 @@ public:
     bool areAllClientsXMLHttpRequests() const;
 
     bool isImage() const { return type() == ImageResource; }
-    // FIXME: CachedRawResource could be either a main resource or a raw XHR resource.
-    bool isMainOrRawResource() const { return type() == MainResource || type() == RawResource; }
+    // FIXME: CachedRawResource could be a main resource, an audio/video resource, or a raw XHR/icon resource.
+    bool isMainOrMediaOrRawResource() const { return type() == MainResource || type() == MediaResource || type() == RawResource; }
     bool ignoreForRequestCount() const
     {
         return type() == MainResource
index b1c5969..fdfdd64 100644 (file)
@@ -100,6 +100,7 @@ static CachedResource* createResource(CachedResource::Type type, ResourceRequest
 #endif
     case CachedResource::FontResource:
         return new CachedFont(request, sessionID);
+    case CachedResource::MediaResource:
     case CachedResource::RawResource:
     case CachedResource::MainResource:
         return new CachedRawResource(request, type, sessionID);
@@ -269,6 +270,11 @@ CachedResourceHandle<CachedResource> CachedResourceLoader::requestLinkResource(C
 }
 #endif
 
+CachedResourceHandle<CachedRawResource> CachedResourceLoader::requestMedia(CachedResourceRequest& request)
+{
+    return downcast<CachedRawResource>(requestResource(CachedResource::MediaResource, request).get());
+}
+
 CachedResourceHandle<CachedRawResource> CachedResourceLoader::requestRawResource(CachedResourceRequest& request)
 {
     return downcast<CachedRawResource>(requestResource(CachedResource::RawResource, request).get());
@@ -295,6 +301,7 @@ static MixedContentChecker::ContentType contentTypeFromResourceType(CachedResour
         return MixedContentChecker::ContentType::Active;
 #endif
 
+    case CachedResource::MediaResource:
     case CachedResource::RawResource:
     case CachedResource::SVGDocumentResource:
         return MixedContentChecker::ContentType::Active;
@@ -337,6 +344,7 @@ bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const
 #if ENABLE(VIDEO_TRACK)
     case CachedResource::TextTrackResource:
 #endif
+    case CachedResource::MediaResource:
     case CachedResource::RawResource:
     case CachedResource::ImageResource:
 #if ENABLE(SVG_FONTS)
@@ -384,6 +392,7 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL& url,
 #if ENABLE(SVG_FONTS)
     case CachedResource::SVGFontResource:
 #endif
+    case CachedResource::MediaResource:
     case CachedResource::FontResource:
     case CachedResource::RawResource:
 #if ENABLE(LINK_PREFETCH)
@@ -446,12 +455,13 @@ bool CachedResourceLoader::canRequest(CachedResource::Type type, const URL& url,
     case CachedResource::LinkSubresource:
 #endif
         break;
+    case CachedResource::MediaResource:
 #if ENABLE(VIDEO_TRACK)
     case CachedResource::TextTrackResource:
+#endif
         if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, skipContentSecurityPolicyCheck))
             return false;
         break;
-#endif
     }
 
     // SVG Images have unique security rules that prevent all subresource requests except for data urls.
@@ -742,7 +752,7 @@ CachedResourceLoader::RevalidationPolicy CachedResourceLoader::determineRevalida
 
     // FIXME: We should use the same cache policy for all resource types. The raw resource policy is overly strict
     //        while the normal subresource policy is too loose.
-    if (existingResource->isMainOrRawResource()) {
+    if (existingResource->isMainOrMediaOrRawResource()) {
         bool strictPolicyDisabled = frame()->loader().isStrictRawResourceValidationPolicyDisabledForTesting();
         bool canReuseRawResource = strictPolicyDisabled || downcast<CachedRawResource>(*existingResource).canReuse(request);
         if (!canReuseRawResource)
index d1bc44e..e633390 100644 (file)
@@ -76,6 +76,7 @@ public:
     CachedResourceHandle<CachedCSSStyleSheet> requestUserCSSStyleSheet(CachedResourceRequest&);
     CachedResourceHandle<CachedScript> requestScript(CachedResourceRequest&);
     CachedResourceHandle<CachedFont> requestFont(CachedResourceRequest&, bool isSVG);
+    CachedResourceHandle<CachedRawResource> requestMedia(CachedResourceRequest&);
     CachedResourceHandle<CachedRawResource> requestRawResource(CachedResourceRequest&);
     CachedResourceHandle<CachedRawResource> requestMainResource(CachedResourceRequest&);
     CachedResourceHandle<CachedSVGDocument> requestSVGDocument(CachedResourceRequest&);
index 2dbcd38..b757189 100644 (file)
@@ -67,15 +67,16 @@ void WebCoreAVFResourceLoader::startLoading()
 
     NSURLRequest *nsRequest = [m_avRequest.get() request];
 
-    // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
+    // FIXME: Skip Content Security Policy check if the element that inititated this request
+    // is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505>.
     CachedResourceRequest request(nsRequest, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::DisallowCaching));
 
     request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low);
-    CachedResourceLoader* loader = m_parent->player()->cachedResourceLoader();
-    m_resource = loader ? loader->requestRawResource(request) : 0;
-    if (m_resource)
+    if (CachedResourceLoader* loader = m_parent->player()->cachedResourceLoader()) {
+        m_resource = loader->requestMedia(request);
         m_resource->addClient(this);
-    else {
+    } else {
+        m_resource = nullptr;
         LOG_ERROR("Failed to start load for media at url %s", [[[nsRequest URL] absoluteString] UTF8String]);
         [m_avRequest.get() finishLoadingWithError:0];
     }
index a16413f..6ad3842 100644 (file)
@@ -1,3 +1,16 @@
+2016-03-16  Daniel Bates  <dabates@apple.com>
+
+        <video> and <audio> elements do not obey Content Security Policy on redirect
+        https://bugs.webkit.org/show_bug.cgi?id=155509
+        <rdar://problem/10234844>
+
+        Reviewed by Alex Christensen.
+
+        Use 0ms as the maximum buffering time for media resource just as we do currently.
+
+        * WebProcess/Network/WebLoaderStrategy.cpp:
+        (WebKit::maximumBufferingTime):
+
 2016-03-16  Chris Dumez  <cdumez@apple.com>
 
         Unreviewed, rolling out r198235, r198240, r198241, and
index c6b16a0..3b4dda4 100644 (file)
@@ -106,6 +106,7 @@ static std::chrono::milliseconds maximumBufferingTime(CachedResource* resource)
         return std::chrono::milliseconds::max();
     case CachedResource::ImageResource:
         return 500_ms;
+    case CachedResource::MediaResource:
     case CachedResource::MainResource:
     case CachedResource::RawResource:
     case CachedResource::SVGDocumentResource: