https://bugs.webkit.org/show_bug.cgi?id=155509
<rdar://problem/
10234844>
Reviewed by Alex Christensen.
Source/WebCore:
Fixes an issue where the Content Security Policy of the page was not enforced
on redirects when loading a media subresource via an HTML video or HTML audio
element.
Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html
http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html
http/tests/security/contentSecurityPolicy/font-redirect-allowed.html
http/tests/security/contentSecurityPolicy/font-redirect-blocked.html
http/tests/security/contentSecurityPolicy/image-redirect-allowed.html
http/tests/security/contentSecurityPolicy/image-redirect-blocked.html
http/tests/security/contentSecurityPolicy/script-redirect-allowed.html
http/tests/security/contentSecurityPolicy/script-redirect-blocked.html
http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html
http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html
http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html
http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html
http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html
http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html
http/tests/security/contentSecurityPolicy/track-redirect-allowed.html
http/tests/security/contentSecurityPolicy/track-redirect-blocked.html
http/tests/security/contentSecurityPolicy/video-redirect-allowed.html
http/tests/security/contentSecurityPolicy/video-redirect-blocked.html
http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html
http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html
* inspector/InspectorPageAgent.cpp:
(WebCore::InspectorPageAgent::cachedResourceContent): Treat media resources as raw resources just as we do currently.
(WebCore::InspectorPageAgent::cachedResourceType): Ditto.
* loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::requestResource): Modified to use CachedResourceLoader::requestMedia() instead
of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
more details.
* loader/ResourceLoadInfo.cpp:
(WebCore::toResourceType): Treat media resources as raw resources just as we do currently. Also, add cases for
CachedResource::LinkPrefetch and CachedResource::LinkSubresource (when ENABLE(LINK_PREFETCH) is enabled) and
remove the default statement to force a compile-time error when a new CachedResource enumerator is added and
the switch block in this function is not updated.
* loader/SubresourceLoader.cpp:
(WebCore::logResourceLoaded): Ditto.
* loader/cache/CachedRawResource.cpp:
(WebCore::CachedRawResource::CachedRawResource): Substitute CachedResource::isMainOrMediaOrRawResource() for
CachedResource::isMainOrRawResource() as the latter was renamed to the former.
* loader/cache/CachedRawResource.h:
(isType): Ditto.
* loader/cache/CachedResource.cpp:
(WebCore::defaultPriorityForResourceType): Use priority ResourceLoadPriority::Medium for media resources just as
we do currently.
* loader/cache/CachedResource.h:
(WebCore::CachedResource::isMainOrMediaOrRawResource): Formerly named isMainOrRawResource. Returns true if the type
of this resource is a main resource, media resource, or raw resource.
(WebCore::CachedResource::isMainOrRawResource): Deleted.
* loader/cache/CachedResourceLoader.cpp:
(WebCore::createResource): Treat media resources as raw resources just as we do currently.
(WebCore::CachedResourceLoader::requestMedia): Added.
(WebCore::contentTypeFromResourceType): Consider media resources as MixedContentChecker::ContentType::Active
just as we do currently.
(WebCore::CachedResourceLoader::checkInsecureContent): Apply the mixed content policy to media resources
just as we do currently.
(WebCore::CachedResourceLoader::canRequest): Apply the Same Origin Policy to media resources just as we
do currently. Query the Content Security Policy of the page to determine if the media resource can be
requested.
(WebCore::CachedResourceLoader::determineRevalidationPolicy): Substitute CachedResource::isMainOrMediaOrRawResource()
for CachedResource::isMainOrRawResource() as the latter was renamed to the former.
* loader/cache/CachedResourceLoader.h:
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::startLoading): Modified to use CachedResourceLoader::requestMedia() instead
of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
more details. Additionally, simplified code that determined whether to request the media resource or error out
by coalescing two conditional expressions into one conditional on whether we have a loader and substituted
nullptr for 0.
Source/WebKit2:
Use 0ms as the maximum buffering time for media resource just as we do currently.
* WebProcess/Network/WebLoaderStrategy.cpp:
(WebKit::maximumBufferingTime):
LayoutTests:
Add tests to ensure that the Content Security Policy is enforced on redirects when
loading a subresource, including a video or audio file.
* http/tests/resources/redirect.php: Fix PHP "undefined index" warnings when either query
parameter code or refresh (or both) are not specified.
* http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/font-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/resources/ABCFont.svg: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg.
* http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl: Added.
* http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl: Added.
* http/tests/security/contentSecurityPolicy/resources/green-square.svg: Added.
* http/tests/security/contentSecurityPolicy/resources/red-square.svg: Added.
* http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php: Added.
* http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/script-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/track-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html:
* http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-redirect-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html: Added.
* platform/efl/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. We will also need to fix
<https://bugs.webkit.org/show_bug.cgi?id=153866> before we can unskip test http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html
As far as I can tell the functionality exercised by these tests is not being using by the EFL port.
* platform/gtk/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. As far as I can tell the functionality
exercised by these tests is not being using by the GTK port.
* platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added expected failure result as
AV Foundation is responsible for loading media on iOS. That is, WebCore is not responsible for loading media.
* platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Ditto.
* platform/mac/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. The functionality exercised by these
tests is not used on OS X. Additionally, mark as Failure on Yosemite and ElCapitan the added tests
http/tests/security/contentSecurityPolicy/{video, audio}-redirect-blocked.html as we do not support
Content Security Policy for media redirects in these versions of OS X.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198292
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2016-03-16 Daniel Bates <dabates@apple.com>
+
+ <video> and <audio> elements do not obey Content Security Policy on redirect
+ https://bugs.webkit.org/show_bug.cgi?id=155509
+ <rdar://problem/10234844>
+
+ Reviewed by Alex Christensen.
+
+ Add tests to ensure that the Content Security Policy is enforced on redirects when
+ loading a subresource, including a video or audio file.
+
+ * http/tests/resources/redirect.php: Fix PHP "undefined index" warnings when either query
+ parameter code or refresh (or both) are not specified.
+ * http/tests/security/contentSecurityPolicy/audio-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/font-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/font-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/font-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/font-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/image-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/image-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/image-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/image-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/resources/ABCFont.svg: Renamed from LayoutTests/http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg.
+ * http/tests/security/contentSecurityPolicy/resources/alert-fail.xsl: Added.
+ * http/tests/security/contentSecurityPolicy/resources/alert-pass.xsl: Added.
+ * http/tests/security/contentSecurityPolicy/resources/green-square.svg: Added.
+ * http/tests/security/contentSecurityPolicy/resources/red-square.svg: Added.
+ * http/tests/security/contentSecurityPolicy/resources/xsl-redirect-allowed.php: Added.
+ * http/tests/security/contentSecurityPolicy/resources/xsl-redirect-blocked.php: Added.
+ * http/tests/security/contentSecurityPolicy/script-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/script-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/script-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/script-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/track-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/track-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/track-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/track-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html:
+ * http/tests/security/contentSecurityPolicy/video-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/video-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/video-redirect-blocked.html: Added.
+ * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html: Added.
+ * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html: Added.
+ * platform/efl/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+ until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. We will also need to fix
+ <https://bugs.webkit.org/show_bug.cgi?id=153866> before we can unskip test http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html
+ As far as I can tell the functionality exercised by these tests is not being using by the EFL port.
+ * platform/gtk/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+ until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. As far as I can tell the functionality
+ exercised by these tests is not being using by the GTK port.
+ * platform/ios-simulator/http/tests/security/contentSecurityPolicy/audio-redirect-blocked-expected.txt: Added expected failure result as
+ AV Foundation is responsible for loading media on iOS. That is, WebCore is not responsible for loading media.
+ * platform/ios-simulator/http/tests/security/contentSecurityPolicy/video-redirect-blocked-expected.txt: Ditto.
+ * platform/mac/TestExpectations: For now skip tests http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-{audio, video}.html
+ until we fix <https://bugs.webkit.org/show_bug.cgi?id=155505>. The functionality exercised by these
+ tests is not used on OS X. Additionally, mark as Failure on Yosemite and ElCapitan the added tests
+ http/tests/security/contentSecurityPolicy/{video, audio}-redirect-blocked.html as we do not support
+ Content Security Policy for media redirects in these versions of OS X.
+
2016-03-16 Jiewen Tan <jiewen_tan@apple.com>
URL Parsing should signal failure for illegal IDN
}
$url = $_GET['url'];
- $refresh = $_GET['refresh'];
-
- if (isset($refresh)) {
+
+ if (isset($_GET['refresh'])) {
header("HTTP/1.1 200");
- header("Refresh: $refresh; url=$url");
+ header("Refresh: " . $_GET['refresh'] . "; url=$url");
addCacheControl();
return;
}
- $code = $_GET['code'];
- if (!isset($code))
+ if (!isset($_GET['code']))
header("HTTP/1.1 302 Found");
- elseif ($code == 308) {
+ elseif ($_GET['code'] == 308) {
# Apache 2.2 (and possibly some newer versions) cannot generate a reason string for code 308, and sends a 500 error instead.
header("HTTP/1.1 308 Permanent Redirect");
} else
- header("HTTP/1.1 $code");
+ header("HTTP/1.1 " . $_GET['code']);
header("Location: $url");
addCacheControl();
?>
--- /dev/null
+ALERT: PASS
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<audio src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/balls-of-the-orient.aif" onloadedmetadata="alertAndDone('PASS')" onerror="alertAndDone('FAIL')"></audio>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/resources/balls-of-the-orient.aif' because it violates the following Content Security Policy directive: "media-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<audio src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/balls-of-the-orient.aif" onloadedmetadata="alertAndDone('FAIL')" onerror="alertAndDone('PASS')"></audio>
+</body>
+</html>
--- /dev/null
+Tests that a cross-origin CSS font loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+<style>
+@font-face {
+ font-family: "Ahem";
+ src: url("http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/Ahem.woff") format("woff");
+}
+</style>
+</head>
+<body>
+<p>Tests that a cross-origin CSS font loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<p style="font-family: 'Ahem'">.</p> <!-- Intentional period character to force font to load -->
+<script>
+// Use a zero timer to wait until the font loaded.
+if (window.testRunner)
+ window.setTimeout("window.testRunner.notifyDone();", 0);
+</script>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: Refused to load the font 'http://localhost:8000/resources/Ahem.woff' because it violates the following Content Security Policy directive: "font-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+.
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php">
+<style>
+@font-face {
+ font-family: "Ahem";
+ src: url("http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/Ahem.woff") format("woff");
+}
+</style>
+</head>
+<body>
+<p>Tests that a cross-origin CSS font loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<p style="font-family: 'Ahem'">.</p> <!-- Intentional period character to force font to load -->
+<script>
+// Use a zero timer to wait until the font loaded.
+if (window.testRunner)
+ window.setTimeout("window.testRunner.notifyDone();", 0);
+</script>
+</body>
+</html>
--- /dev/null
+Tests that a cross-origin image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<p>Tests that a cross-origin image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<img src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/resources/abe.png" width="128" height="128">
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<p>Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<img src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/resources/abe.png" width="128" height="128">
+</body>
+</html>
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+ <html xml:lang="en-us" xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+ <script type="text/javascript">
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ alert("FAIL");
+ </script>
+ </body>
+ </html>
+</xsl:template>
+</xsl:stylesheet>
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+ <html xml:lang="en-us" xmlns="http://www.w3.org/1999/xhtml">
+ <body>
+ <script type="text/javascript">
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ alert("PASS");
+ </script>
+ </body>
+ </html>
+</xsl:template>
+</xsl:stylesheet>
--- /dev/null
+<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <rect x="0" y="0" width="100px" height="100px" fill="green"/>
+</svg>
--- /dev/null
+<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+ <rect x="0" y="0" width="100px" height="100px" fill="red"/>
+</svg>
--- /dev/null
+<?php
+header("Content-Type: application/xhtml+xml");
+header("Content-Security-Policy: script-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000 'unsafe-inline'");
+echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
+echo '<?xml-stylesheet type="text/xsl" href="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass.xsl"?>' . "\n";
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+</head>
+<body>
+</body>
+</html>
--- /dev/null
+<?php
+header("Content-Type: application/xhtml+xml");
+header("Content-Security-Policy: script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'");
+echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
+echo '<?xml-stylesheet type="text/xsl" href="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-fail.xsl"?>' . "\n";
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+</head>
+<body>
+<script type="text/javascript">
+//<![CDATA[
+if (window.testRunner)
+ testRunner.dumpAsText();
+alert("PASS");
+//]]>
+</script>
+</body>
+</html>
--- /dev/null
+ALERT: PASS
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000 'unsafe-inline'">
+<script src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-pass-and-notify-done.js" onerror="alertAndDone('FAIL')"></script>
+</head>
+<body>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.js' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'".
+
+ALERT: PASS
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'">
+<script src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/alert-fail.js" onerror="alertAndDone('PASS')"></script>
+</head>
+<body>
+</body>
+</html>
--- /dev/null
+ALERT: PASS
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="style-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+<link rel="stylesheet" href="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/blue.css" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
+</head>
+</html>
--- /dev/null
+CONSOLE MESSAGE: Refused to load the stylesheet 'http://localhost:8000/security/contentSecurityPolicy/resources/blue.css' because it violates the following Content Security Policy directive: "style-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="style-src http://127.0.0.1:8000/resources/redirect.php">
+<link rel="stylesheet" href="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/blue.css" onload="alertAndDone('FAIL')" onerror="alertAndDone('PASS')">
+</head>
+</html>
--- /dev/null
+Tests that a SVG font-face element is allowed to load a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<p>Tests that a SVG font-face element is allowed to load a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<svg viewBox="0 0 100 100">
+ <font-face>
+ <font-face-src>
+ <font-face-uri font-family="ABCFont" xlink:href="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/ABCFont.svg#ABCFont"></font-face-uri>
+ </font-face-src>
+ </font-face>
+</svg>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: Refused to load the font 'http://localhost:8000/security/contentSecurityPolicy/resources/ABCFont.svg' because it violates the following Content Security Policy directive: "font-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="font-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<p>Tests that a SVG font-face element is blocked from loading a cross-origin external SVG font via a redirect by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<svg viewBox="0 0 100 100">
+ <font-face>
+ <font-face-src>
+ <font-face-uri font-family="ABCFont" xlink:href="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/ABCFont.svg"></font-face-uri>
+ </font-face-src>
+ </font-face>
+</svg>
+</body>
+</html>
--- /dev/null
+Tests that a cross-origin SVG image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.
+
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<p>Tests that a cross-origin SVG image loaded via a redirect is allowed by the Content Security Policy. This test PASSED if there are no console warning messages.</p>
+<img src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/green-square.svg" width="128" height="128">
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: Refused to load the image 'http://localhost:8000/security/contentSecurityPolicy/resources/red-square.svg' because it violates the following Content Security Policy directive: "img-src http://127.0.0.1:8000/resources/redirect.php".
+
+Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.
+
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<p>Tests that a cross-origin SVG image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p>
+<img src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/red-square.svg" width="128" height="128">
+</body>
+</html>
--- /dev/null
+ALERT: PASS
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<video>
+ <track src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt" kind="captions" onload="alertAndDone('PASS')" onerror="alertAndDone('FAIL')">
+</video>
+<script>
+document.querySelector("track").track.mode = "hidden"; // Load the track
+</script>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/security/contentSecurityPolicy/resources/track.vtt' because it violates the following Content Security Policy directive: "media-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<video>
+ <track src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/security/contentSecurityPolicy/resources/track.vtt" kind="captions" onload="alertAndDone('FAIL')" onerror="alertAndDone('PASS')">
+</video>
+<script>
+document.querySelector("track").track.mode = "hidden"; // Load the track
+</script>
+</body>
+</html>
fontFaceSrc.appendChild(fontFaceURI);
fontFace.setAttributeNS(null, "font-family", "ABCFont");
- fontFaceURI.setAttributeNS("http://www.w3.org/1999/xlink", "href", "resources/ABCFont.svg#ABCFont");
+ fontFaceURI.setAttributeNS("http://www.w3.org/1999/xlink", "href", "../resources/ABCFont.svg#ABCFont");
}
runTest();
--- /dev/null
+ALERT: PASS
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
+</head>
+<body>
+<video src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/test.mp4" onloadedmetadata="alertAndDone('PASS')" onerror="alertAndDone('FAIL')"></video>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: Refused to load media from 'http://localhost:8000/resources/test.mp4' because it violates the following Content Security Policy directive: "media-src http://127.0.0.1:8000/resources/redirect.php".
+
+ALERT: PASS
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script src="resources/dump-as-text.js"></script>
+<script src="resources/wait-until-done.js"></script>
+<meta http-equiv="Content-Security-Policy" content="media-src http://127.0.0.1:8000/resources/redirect.php">
+</head>
+<body>
+<video src="http://127.0.0.1:8000/resources/redirect.php?code=307&url=http%3A%2F%2Flocalhost%3A8000/resources/test.mp4" onloadedmetadata="alertAndDone('FAIL')" onerror="alertAndDone('PASS')"></video>
+</body>
+</html>
--- /dev/null
+ALERT: PASS
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+
+ // This is a contrived test. We normally do not allow cross-origin XML Stylesheets.
+ testRunner.addOriginAccessWhitelistEntry("http://127.0.0.1:8000", "http", "localhost", false);
+}
+</script>
+</head>
+<body>
+<iframe src="resources/xsl-redirect-allowed.php"></iframe>
+</body>
+</html>
--- /dev/null
+CONSOLE MESSAGE: Refused to load the script 'http://localhost:8000/security/contentSecurityPolicy/resources/alert-fail.xsl' because it violates the following Content Security Policy directive: "script-src http://127.0.0.1:8000/resources/redirect.php 'unsafe-inline'".
+
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.dumpChildFramesAsText();
+
+ // This is a contrived test. We normally do not allow cross-origin XML Stylesheets.
+ testRunner.addOriginAccessWhitelistEntry("http://127.0.0.1:8000", "http", "localhost", false);
+}
+</script>
+</head>
+<body>
+<iframe src="resources/xsl-redirect-blocked.php"></iframe>
+</body>
+</html>
webkit.org/b/153866 http/tests/media/video-served-as-text.html [ Crash ]
webkit.org/b/153866 http/tests/media/video-throttled-load-metadata.html [ Crash ]
webkit.org/b/153866 http/tests/media/video-useragent.html [ Crash ]
-webkit.org/b/153866 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Crash ]
webkit.org/b/153866 http/tests/security/inactive-document-with-empty-security-origin.html [ Crash ]
webkit.org/b/153866 http/tests/security/isolatedWorld/userGestureEvents.html [ Crash ]
webkit.org/b/153866 http/tests/security/local-video-source-from-remote.html [ Crash ]
fast/scrolling/rtl-scrollbars-overflow-padding.html [ ImageOnlyFailure ]
fast/scrolling/rtl-scrollbars-overflow-simple.html [ ImageOnlyFailure ]
fast/scrolling/rtl-scrollbars-overflow.html [ ImageOnlyFailure ]
+
+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 webkit.org/b/153866 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
webkit.org/b/154390 http/tests/media/hls/hls-accessiblity-describes-video.html [ Timeout Failure ]
webkit.org/b/154390 http/tests/media/hls/video-cookie.html [ Failure ]
+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
#////////////////////////////////////////////////////////////////////////////////////////
# End of Expected failures
--- /dev/null
+ALERT: FAIL
+
--- /dev/null
+ALERT: FAIL
+
[ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow-padding.html [ ImageOnlyFailure ]
[ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow-simple.html [ ImageOnlyFailure ]
[ Yosemite ElCapitan ] fast/scrolling/rtl-scrollbars-overflow.html [ ImageOnlyFailure ]
+
+# Content Security Policy for media redirects is not supported on some OSes.
+[ Yosemite ElCapitan ] http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html [ Failure ]
+[ Yosemite ElCapitan ] http/tests/security/contentSecurityPolicy/video-redirect-blocked.html [ Failure ]
+
+webkit.org/b/155505 [ ElCapitan+ ] http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html [ Skip ]
+webkit.org/b/155505 [ ElCapitan+ ] http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html [ Skip ]
+2016-03-16 Daniel Bates <dabates@apple.com>
+
+ <video> and <audio> elements do not obey Content Security Policy on redirect
+ https://bugs.webkit.org/show_bug.cgi?id=155509
+ <rdar://problem/10234844>
+
+ Reviewed by Alex Christensen.
+
+ Fixes an issue where the Content Security Policy of the page was not enforced
+ on redirects when loading a media subresource via an HTML video or HTML audio
+ element.
+
+ Tests: http/tests/security/contentSecurityPolicy/audio-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/audio-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/font-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/font-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/image-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/image-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/script-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/script-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/stylesheet-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/stylesheet-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/svg-font-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/svg-font-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/svg-image-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/svg-image-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/track-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/track-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/video-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/video-redirect-blocked.html
+ http/tests/security/contentSecurityPolicy/xsl-redirect-allowed.html
+ http/tests/security/contentSecurityPolicy/xsl-redirect-blocked.html
+
+ * inspector/InspectorPageAgent.cpp:
+ (WebCore::InspectorPageAgent::cachedResourceContent): Treat media resources as raw resources just as we do currently.
+ (WebCore::InspectorPageAgent::cachedResourceType): Ditto.
+ * loader/MediaResourceLoader.cpp:
+ (WebCore::MediaResourceLoader::requestResource): Modified to use CachedResourceLoader::requestMedia() instead
+ of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
+ resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
+ initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
+ more details.
+ * loader/ResourceLoadInfo.cpp:
+ (WebCore::toResourceType): Treat media resources as raw resources just as we do currently. Also, add cases for
+ CachedResource::LinkPrefetch and CachedResource::LinkSubresource (when ENABLE(LINK_PREFETCH) is enabled) and
+ remove the default statement to force a compile-time error when a new CachedResource enumerator is added and
+ the switch block in this function is not updated.
+ * loader/SubresourceLoader.cpp:
+ (WebCore::logResourceLoaded): Ditto.
+ * loader/cache/CachedRawResource.cpp:
+ (WebCore::CachedRawResource::CachedRawResource): Substitute CachedResource::isMainOrMediaOrRawResource() for
+ CachedResource::isMainOrRawResource() as the latter was renamed to the former.
+ * loader/cache/CachedRawResource.h:
+ (isType): Ditto.
+ * loader/cache/CachedResource.cpp:
+ (WebCore::defaultPriorityForResourceType): Use priority ResourceLoadPriority::Medium for media resources just as
+ we do currently.
+ * loader/cache/CachedResource.h:
+ (WebCore::CachedResource::isMainOrMediaOrRawResource): Formerly named isMainOrRawResource. Returns true if the type
+ of this resource is a main resource, media resource, or raw resource.
+ (WebCore::CachedResource::isMainOrRawResource): Deleted.
+ * loader/cache/CachedResourceLoader.cpp:
+ (WebCore::createResource): Treat media resources as raw resources just as we do currently.
+ (WebCore::CachedResourceLoader::requestMedia): Added.
+ (WebCore::contentTypeFromResourceType): Consider media resources as MixedContentChecker::ContentType::Active
+ just as we do currently.
+ (WebCore::CachedResourceLoader::checkInsecureContent): Apply the mixed content policy to media resources
+ just as we do currently.
+ (WebCore::CachedResourceLoader::canRequest): Apply the Same Origin Policy to media resources just as we
+ do currently. Query the Content Security Policy of the page to determine if the media resource can be
+ requested.
+ (WebCore::CachedResourceLoader::determineRevalidationPolicy): Substitute CachedResource::isMainOrMediaOrRawResource()
+ for CachedResource::isMainOrRawResource() as the latter was renamed to the former.
+ * loader/cache/CachedResourceLoader.h:
+ * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+ (WebCore::WebCoreAVFResourceLoader::startLoading): Modified to use CachedResourceLoader::requestMedia() instead
+ of CachedResourceLoader::requestRawResource() so that we can differentiate between a media resource and a raw
+ resource in CachedResourceLoader. Added FIXME comment to skip checking the Content Security Policy for loads
+ initiated by an element in a user agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505> for
+ more details. Additionally, simplified code that determined whether to request the media resource or error out
+ by coalescing two conditional expressions into one conditional on whether we have a loader and substituted
+ nullptr for 0.
+
2016-03-16 Chris Dumez <cdumez@apple.com>
Unreviewed, rolling out r198235, r198240, r198241, and
case CachedResource::Script:
*result = downcast<CachedScript>(*cachedResource).script().toString();
return true;
+ case CachedResource::MediaResource:
case CachedResource::RawResource: {
auto* buffer = cachedResource->resourceBuffer();
if (!buffer)
return InspectorPageAgent::StylesheetResource;
case CachedResource::Script:
return InspectorPageAgent::ScriptResource;
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
return InspectorPageAgent::XHRResource;
case CachedResource::MainResource:
RequestOriginPolicy corsPolicy = !m_crossOriginMode.isNull() ? PotentiallyCrossOriginEnabled : UseDefaultOriginRestrictionsForType;
StoredCredentials allowCredentials = m_crossOriginMode.isNull() || equalLettersIgnoringASCIICase(m_crossOriginMode, "use-credentials") ? AllowStoredCredentials : DoNotAllowStoredCredentials;
- // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
+ // FIXME: Skip Content Security Policy check if the element that inititated this request
+ // is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505>.
CachedResourceRequest cacheRequest(request, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, bufferingPolicy, allowCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, corsPolicy, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::AllowCaching));
if (!m_crossOriginMode.isNull())
updateRequestForAccessControl(cacheRequest.mutableResourceRequest(), m_document.securityOrigin(), allowCredentials);
- CachedResourceHandle<CachedRawResource> resource = m_document.cachedResourceLoader().requestRawResource(cacheRequest);
+ CachedResourceHandle<CachedRawResource> resource = m_document.cachedResourceLoader().requestMedia(cacheRequest);
if (!resource)
return nullptr;
#endif
return ResourceType::Font;
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
return ResourceType::Raw;
case CachedResource::TextTrackResource:
return ResourceType::Media;
#endif
- default:
+#if ENABLE(LINK_PREFETCH)
+ case CachedResource::LinkPrefetch:
+ case CachedResource::LinkSubresource:
ASSERT_NOT_REACHED();
+#endif
};
}
#endif
resourceType = DiagnosticLoggingKeys::fontKey();
break;
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
resourceType = DiagnosticLoggingKeys::rawKey();
break;
, m_identifier(0)
, m_allowEncodedDataReplacement(true)
{
- ASSERT(isMainOrRawResource());
+ ASSERT(isMainOrMediaOrRawResource());
}
const char* CachedRawResource::calculateIncrementalDataChunk(SharedBuffer* data, unsigned& incrementalDataLength)
} // namespace WebCore
SPECIALIZE_TYPE_TRAITS_BEGIN(WebCore::CachedRawResource)
- static bool isType(const WebCore::CachedResource& resource) { return resource.isMainOrRawResource(); }
+ static bool isType(const WebCore::CachedResource& resource) { return resource.isMainOrMediaOrRawResource(); }
SPECIALIZE_TYPE_TRAITS_END()
#endif // CachedRawResource_h
#if ENABLE(SVG_FONTS)
case CachedResource::SVGFontResource:
#endif
+ case CachedResource::MediaResource:
case CachedResource::FontResource:
case CachedResource::RawResource:
return ResourceLoadPriority::Medium;
#if ENABLE(SVG_FONTS)
SVGFontResource,
#endif
+ MediaResource,
RawResource,
SVGDocumentResource
#if ENABLE(XSLT)
bool areAllClientsXMLHttpRequests() const;
bool isImage() const { return type() == ImageResource; }
- // FIXME: CachedRawResource could be either a main resource or a raw XHR resource.
- bool isMainOrRawResource() const { return type() == MainResource || type() == RawResource; }
+ // FIXME: CachedRawResource could be a main resource, an audio/video resource, or a raw XHR/icon resource.
+ bool isMainOrMediaOrRawResource() const { return type() == MainResource || type() == MediaResource || type() == RawResource; }
bool ignoreForRequestCount() const
{
return type() == MainResource
#endif
case CachedResource::FontResource:
return new CachedFont(request, sessionID);
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
case CachedResource::MainResource:
return new CachedRawResource(request, type, sessionID);
}
#endif
+CachedResourceHandle<CachedRawResource> CachedResourceLoader::requestMedia(CachedResourceRequest& request)
+{
+ return downcast<CachedRawResource>(requestResource(CachedResource::MediaResource, request).get());
+}
+
CachedResourceHandle<CachedRawResource> CachedResourceLoader::requestRawResource(CachedResourceRequest& request)
{
return downcast<CachedRawResource>(requestResource(CachedResource::RawResource, request).get());
return MixedContentChecker::ContentType::Active;
#endif
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
case CachedResource::SVGDocumentResource:
return MixedContentChecker::ContentType::Active;
#if ENABLE(VIDEO_TRACK)
case CachedResource::TextTrackResource:
#endif
+ case CachedResource::MediaResource:
case CachedResource::RawResource:
case CachedResource::ImageResource:
#if ENABLE(SVG_FONTS)
#if ENABLE(SVG_FONTS)
case CachedResource::SVGFontResource:
#endif
+ case CachedResource::MediaResource:
case CachedResource::FontResource:
case CachedResource::RawResource:
#if ENABLE(LINK_PREFETCH)
case CachedResource::LinkSubresource:
#endif
break;
+ case CachedResource::MediaResource:
#if ENABLE(VIDEO_TRACK)
case CachedResource::TextTrackResource:
+#endif
if (!m_document->contentSecurityPolicy()->allowMediaFromSource(url, skipContentSecurityPolicyCheck))
return false;
break;
-#endif
}
// SVG Images have unique security rules that prevent all subresource requests except for data urls.
// FIXME: We should use the same cache policy for all resource types. The raw resource policy is overly strict
// while the normal subresource policy is too loose.
- if (existingResource->isMainOrRawResource()) {
+ if (existingResource->isMainOrMediaOrRawResource()) {
bool strictPolicyDisabled = frame()->loader().isStrictRawResourceValidationPolicyDisabledForTesting();
bool canReuseRawResource = strictPolicyDisabled || downcast<CachedRawResource>(*existingResource).canReuse(request);
if (!canReuseRawResource)
CachedResourceHandle<CachedCSSStyleSheet> requestUserCSSStyleSheet(CachedResourceRequest&);
CachedResourceHandle<CachedScript> requestScript(CachedResourceRequest&);
CachedResourceHandle<CachedFont> requestFont(CachedResourceRequest&, bool isSVG);
+ CachedResourceHandle<CachedRawResource> requestMedia(CachedResourceRequest&);
CachedResourceHandle<CachedRawResource> requestRawResource(CachedResourceRequest&);
CachedResourceHandle<CachedRawResource> requestMainResource(CachedResourceRequest&);
CachedResourceHandle<CachedSVGDocument> requestSVGDocument(CachedResourceRequest&);
NSURLRequest *nsRequest = [m_avRequest.get() request];
- // ContentSecurityPolicyImposition::DoPolicyCheck is a placeholder value. It does not affect the request since Content Security Policy does not apply to raw resources.
+ // FIXME: Skip Content Security Policy check if the element that inititated this request
+ // is in a user-agent shadow tree. See <https://bugs.webkit.org/show_bug.cgi?id=155505>.
CachedResourceRequest request(nsRequest, ResourceLoaderOptions(SendCallbacks, DoNotSniffContent, BufferData, DoNotAllowStoredCredentials, DoNotAskClientForCrossOriginCredentials, ClientDidNotRequestCredentials, DoSecurityCheck, UseDefaultOriginRestrictionsForType, DoNotIncludeCertificateInfo, ContentSecurityPolicyImposition::DoPolicyCheck, DefersLoadingPolicy::AllowDefersLoading, CachingPolicy::DisallowCaching));
request.mutableResourceRequest().setPriority(ResourceLoadPriority::Low);
- CachedResourceLoader* loader = m_parent->player()->cachedResourceLoader();
- m_resource = loader ? loader->requestRawResource(request) : 0;
- if (m_resource)
+ if (CachedResourceLoader* loader = m_parent->player()->cachedResourceLoader()) {
+ m_resource = loader->requestMedia(request);
m_resource->addClient(this);
- else {
+ } else {
+ m_resource = nullptr;
LOG_ERROR("Failed to start load for media at url %s", [[[nsRequest URL] absoluteString] UTF8String]);
[m_avRequest.get() finishLoadingWithError:0];
}
+2016-03-16 Daniel Bates <dabates@apple.com>
+
+ <video> and <audio> elements do not obey Content Security Policy on redirect
+ https://bugs.webkit.org/show_bug.cgi?id=155509
+ <rdar://problem/10234844>
+
+ Reviewed by Alex Christensen.
+
+ Use 0ms as the maximum buffering time for media resource just as we do currently.
+
+ * WebProcess/Network/WebLoaderStrategy.cpp:
+ (WebKit::maximumBufferingTime):
+
2016-03-16 Chris Dumez <cdumez@apple.com>
Unreviewed, rolling out r198235, r198240, r198241, and
return std::chrono::milliseconds::max();
case CachedResource::ImageResource:
return 500_ms;
+ case CachedResource::MediaResource:
case CachedResource::MainResource:
case CachedResource::RawResource:
case CachedResource::SVGDocumentResource: