CSP: Perform case sensitive match against path portion of source expression URL that...
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 5 May 2016 00:32:36 +0000 (00:32 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 5 May 2016 00:32:36 +0000 (00:32 +0000)
https://bugs.webkit.org/show_bug.cgi?id=157275

Reviewed by Darin Adler.

Source/WebCore:

Merged from Blink:
<https://chromium.googlesource.com/chromium/src/+/7bd0a75e3f71a10e71ded31ea5905d5ee3d992eb>

Perform a case-sensitive prefix match of the path portion of a source expression that ends in '/'
against the path portion of a request URL as per step 8.5.4 of section "Does url match expression
in origin with redirect count" of the Content Security Policy Level 3 spec, <https://w3c.github.io/webappsec-csp>
(Editor's Draft, 27 April 2016).

* page/csp/ContentSecurityPolicySource.cpp:
(WebCore::ContentSecurityPolicySource::pathMatches):

LayoutTests:

Add test to ensure that the path portion of a request URL is case-sensitively
matched against the path portion of a source expression that ends in '/'.

* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt:
* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@200445 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt
LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicySource.cpp
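
The rule the commit message describes, as an added illustration in JavaScript that is not part of this commit or of WebKit: percent-decode the request path, then do a case-sensitive prefix match when the source expression's path ends in '/' and a case-sensitive exact match otherwise. The function names (decodePath, pathMatches, checkVectors) and the vectors are constructed here; how an empty source path and a malformed percent-escape are handled are assumptions, marked in the comments, since the patch does not show them.

```javascript
// Added example, not WebKit code: the CSP path-matching rule this commit
// implements, written out in JavaScript so the case-sensitivity change can be
// exercised directly. Names (decodePath, pathMatches, checkVectors) and the
// sample inputs below are constructed for this example.

// Percent-decode the request path, as the patched pathMatches() does with
// decodeURLEscapeSequences(url.path()). decodeURIComponent throws on a
// malformed escape such as "%ZZ"; this example treats that as "no match"
// (an assumption: the hunk does not show how WebKit handles it).
function decodePath(requestPath) {
  try {
    return decodeURIComponent(requestPath);
  } catch (e) {
    return null;
  }
}

// sourcePath: path portion of a source expression, e.g. "/security/".
// requestPath: path portion of the URL being loaded.
// Returns true when the request path matches under the CSP3 rule:
//   - source path ends in "/": case-sensitive prefix match
//   - otherwise:               case-sensitive exact match
function pathMatches(sourcePath, requestPath) {
  const path = decodePath(requestPath);
  if (path === null) {
    return false;
  }
  // Assumption: a source expression with no path matches every path. The
  // caller in WebKit may never reach pathMatches() in that case; the hunk
  // does not show it.
  if (sourcePath === '') {
    return true;
  }
  if (sourcePath.endsWith('/')) {
    // Before this commit WebKit compared here with case folding, so
    // "/resources/" would have matched "/RESOURCES/script.js".
    return path.startsWith(sourcePath);
  }
  return path === sourcePath;
}

// Vectors modelled on source-list-parsing-paths-01.html: each entry is
// [expected, sourcePath, requestPath]. Returns the list of failures, so an
// empty array means every vector behaves as expected.
function checkVectors() {
  const base = '/security/contentSecurityPolicy/';
  const vectors = [
    [true,  base + 'resources/', base + 'resources/script.js'],
    [false, base + 'resources/', base + 'RESOURCES/script.js'],  // the new test case
    [false, base + 'RESOURCES/', base + 'resources/script.js'],  // mirror case
    [true,  '/security/',        base + 'resources/script.js'],
    [false, '/not-security',     base + 'resources/script.js'],  // exact-match branch
    [true,  base + 'resources/script.js', base + 'resources/script.js'],
    [true,  '/security/',        '/%73ecurity/x.js'],            // request path is decoded first
    [true,  '/a/',               '/a%2Fb.js'],                   // decoded %2F acts as a separator
    [false, '/security/',        '/security/%ZZ'],               // malformed escape: no match
  ];
  return vectors
    .filter(([expected, s, r]) => pathMatches(s, r) !== expected)
    .map(([expected, s, r]) => `${s} vs ${r}: expected ${expected}`);
}

const failures = checkVectors();
console.log(failures.length === 0 ? 'all vectors pass' : failures);
```

Run it with node. The `%2F` vector is the caveat worth keeping in mind: because decoding happens before the prefix test, an encoded slash inside one request segment becomes a literal separator, so a source path `/a/` matches a request whose raw path is the single segment `a%2Fb.js`.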

index ce7f368..10584e5 100644 (file)
@@ -1,3 +1,16 @@
+2016-05-04  Daniel Bates  <dabates@apple.com>
+
+        CSP: Perform case sensitive match against path portion of source expression URL that ends in '/'
+        https://bugs.webkit.org/show_bug.cgi?id=157275
+
+        Reviewed by Darin Adler.
+
+        Add test to ensure that the path portion of a request URL is case-sensitively
+        matched against the path portion of a source expression that ends in '/'.
+
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt:
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html:
+
 2016-05-04  Aaron Chu  <aaron_chu@apple.com>
 
         AX: Nonfunctional controls appear before every HTML5 video when using VoiceOver
index b04d8cf..7f3bfc0 100644 (file)
@@ -2,6 +2,7 @@ CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityP
 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/RESOURCES/script.js because it does not appear in the script-src directive of the Content Security Policy.
 Resources should be rejected unless they match a whitelisted path.
 
 
@@ -40,3 +41,8 @@ PASS
 Frame: '<!--framePath //<!--frame6-->-->'
 --------
 PASS
+
+--------
+Frame: '<!--framePath //<!--frame7-->-->'
+--------
+PASS
index a8459d3..a3b6bbe 100644 (file)
@@ -10,6 +10,7 @@ var tests = [
     ['no', 'script-src 127.0.0.1:*/sec/', 'resources/script.js'],
     ['no', 'script-src 127.0.0.1:8000/not-security', 'resources/script.js'],
     ['no', 'script-src 127.0.0.1:8000/security%3bnot-contentSecurityPolicy', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:8000/security/contentSecurityPolicy/resources/', 'http://127.0.0.1:8000/security/contentSecurityPolicy/RESOURCES/script.js'],
     ['yes', 'script-src 127.0.0.1:*/' + security + '/', 'resources/script.js'],
     ['yes', 'script-src 127.0.0.1:*/security/', resources + '/script.js'],
     ['yes', 'script-src 127.0.0.1:*/' + security + '/', resources + '/script.js'],
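Review bot: the added vector only exercises uppercase in the request path against a lowercase source expression; the mirror case (uppercase in the source expression, lowercase request URL) is not covered by it or by the neighbouring entries, so a regression that case-folds only one side would still pass. Suggest adding `['no', 'script-src 127.0.0.1:8000/security/contentSecurityPolicy/RESOURCES/', 'resources/script.js']` next to it. Minor style point: the new entry spells out an absolute `http://127.0.0.1:8000/...` URL while the surrounding entries use relative paths that resolve to the same origin and directory (see the console messages in the expected file); a relative `'RESOURCES/script.js'` would keep the table uniform, or a short comment could say why the absolute form is needed.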
index 2e604c1..ae90247 100644 (file)
@@ -1,3 +1,21 @@
+2016-05-04  Daniel Bates  <dabates@apple.com>
+
+        CSP: Perform case sensitive match against path portion of source expression URL that ends in '/'
+        https://bugs.webkit.org/show_bug.cgi?id=157275
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink:
+        <https://chromium.googlesource.com/chromium/src/+/7bd0a75e3f71a10e71ded31ea5905d5ee3d992eb>
+
+        Perform a case-sensitive prefix match of the path portion a source expression that ends in '/'
+        against the path portion of a request URL as per step 8.5.4 of section Does url match expression
+        in origin with redirect count of the Content Security Policy Level 3 spec., <https://w3c.github.io/webappsec-csp>
+        (Editor's Draft, 27 April 2016).
+
+        * page/csp/ContentSecurityPolicySource.cpp:
+        (WebCore::ContentSecurityPolicySource::pathMatches):
+
 2016-05-04  Aaron Chu  <aaron_chu@apple.com>
 
         AX: Nonfunctional controls appear before every HTML5 video when using VoiceOver
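Review bot: the description in the new ChangeLog entry reads "the path portion a source expression", missing "of"; the title line also uses "case sensitive" where the description says "case-sensitive". Since this text is duplicated from the commit message, fix it in both places before landing.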
index 5d5b166..ef91b26 100644 (file)
@@ -76,7 +76,7 @@ bool ContentSecurityPolicySource::pathMatches(const URL& url) const
     String path = decodeURLEscapeSequences(url.path());
 
     if (m_path.endsWith("/"))
-        return path.startsWith(m_path, false);
+        return path.startsWith(m_path);
 
     return path == m_path;
 }
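Review bot: `path.startsWith(m_path)` with the default case-sensitive comparison is what the cited spec step calls for, but dropping the `false` argument is a one-token change that is easy to misread later, and the old argument was the only hint that this branch ever folded case. Add a comment on the `endsWith("/")` branch naming the spec step, and consider a second comment that the exact-match branch below (`path == m_path`) was already case-sensitive, so both branches now agree. Separately, `path` is percent-decoded via `decodeURLEscapeSequences(url.path())` before the prefix test, while nothing in this hunk shows `m_path` being decoded the same way: if `m_path` keeps its escapes, a source path written with `%2F` or `%2f` would not match its decoded form, and a decoded `%2F` in the request path becomes a literal `/` that this prefix test cannot tell apart from a real segment separator. A test vector for an encoded slash on each side would pin down the intended behaviour.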