CSP: Content Security Policy should allow '*' to match the originating page's scheme
author jiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 17 Jun 2016 03:51:00 +0000 (03:51 +0000)
committer jiewen_tan@apple.com <jiewen_tan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 17 Jun 2016 03:51:00 +0000 (03:51 +0000)
https://bugs.webkit.org/show_bug.cgi?id=158811
<rdar://problem/26819568>

Reviewed by Daniel Bates.

Source/WebCore:

Tests: security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star.html
       security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star.html
       security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star.html
       security/contentSecurityPolicy/video-with-file-url-allowed-by-media-src-star.html

* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar):

LayoutTests:

* security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star-expected.html: Added.
* security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star.html: Added.
* security/contentSecurityPolicy/image-with-file-url-blocked-by-img-src-star-expected.html: Removed.
* security/contentSecurityPolicy/image-with-file-url-blocked-by-img-src-star.html: Removed.
* security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star-expected.html: Added.
* security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star.html: Added.
* security/contentSecurityPolicy/link-with-file-url-blocked-by-style-src-star-expected.html: Removed.
* security/contentSecurityPolicy/link-with-file-url-blocked-by-style-src-star.html: Removed.
* security/contentSecurityPolicy/resources/alert-pass.js: Added.
* security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star-expected.txt: Added.
* security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star.html: Added.
* security/contentSecurityPolicy/video-with-file-url-allowed-by-media-src-star-expected.html: Copied from LayoutTests/security/contentSecurityPolicy/video-with-file-url-blocked-by-media-src-star.html.
* security/contentSecurityPolicy/video-with-file-url-allowed-by-media-src-star.html: Renamed from LayoutTests/security/contentSecurityPolicy/video-with-file-url-blocked-by-media-src-star.html.
* security/contentSecurityPolicy/video-with-file-url-blocked-by-media-src-star-expected.html: Removed.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202155 268f45cc-cd09-0410-ab3c-d52691b4dbfc

17 files changed:
LayoutTests/ChangeLog
LayoutTests/security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star-expected.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/image-with-file-url-blocked-by-img-src-star-expected.html [deleted file]
LayoutTests/security/contentSecurityPolicy/image-with-file-url-blocked-by-img-src-star.html [deleted file]
LayoutTests/security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star-expected.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/link-with-file-url-blocked-by-style-src-star-expected.html [deleted file]
LayoutTests/security/contentSecurityPolicy/link-with-file-url-blocked-by-style-src-star.html [deleted file]
LayoutTests/security/contentSecurityPolicy/resources/alert-pass.js [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/video-with-file-url-allowed-by-media-src-star-expected.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/video-with-file-url-allowed-by-media-src-star.html [moved from LayoutTests/security/contentSecurityPolicy/video-with-file-url-blocked-by-media-src-star.html with 69% similarity]
LayoutTests/security/contentSecurityPolicy/video-with-file-url-blocked-by-media-src-star-expected.html [deleted file]
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp

index 42a4b8e..beedf33 100644 (file)
@@ -1,3 +1,26 @@
+2016-06-16  Jiewen Tan  <jiewen_tan@apple.com>
+
+        CSP: Content Security Policy should allow '*' to match the originating page's scheme
+        https://bugs.webkit.org/show_bug.cgi?id=158811
+        <rdar://problem/26819568>
+
+        Reviewed by Daniel Bates.
+
+        * security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star-expected.html: Added.
+        * security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star.html: Added.
+        * security/contentSecurityPolicy/image-with-file-url-blocked-by-img-src-star-expected.html: Removed.
+        * security/contentSecurityPolicy/image-with-file-url-blocked-by-img-src-star.html: Removed.
+        * security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star-expected.html: Added.
+        * security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star.html: Added.
+        * security/contentSecurityPolicy/link-with-file-url-blocked-by-style-src-star-expected.html: Removed.
+        * security/contentSecurityPolicy/link-with-file-url-blocked-by-style-src-star.html: Removed.
+        * security/contentSecurityPolicy/resources/alert-pass.js: Added.
+        * security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star-expected.txt: Added.
+        * security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star.html: Added.
+        * security/contentSecurityPolicy/video-with-file-url-allowed-by-media-src-star-expected.html: Copied from LayoutTests/security/contentSecurityPolicy/video-with-file-url-blocked-by-media-src-star.html.
+        * security/contentSecurityPolicy/video-with-file-url-allowed-by-media-src-star.html: Renamed from LayoutTests/security/contentSecurityPolicy/video-with-file-url-blocked-by-media-src-star.html.
+        * security/contentSecurityPolicy/video-with-file-url-blocked-by-media-src-star-expected.html: Removed.
+
 2016-06-16  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: console.profile should use the new Sampling Profiler
diff --git a/LayoutTests/security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star-expected.html b/LayoutTests/security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star-expected.html
new file mode 100644 (file)
index 0000000..497bc95
--- /dev/null
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading image with a file URL is allowed when the page that is loaded from file URL has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<img src="../../fast/dom/HTMLImageElement/resources/green.png" width="128" height="128">
+</body>
+</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star.html b/LayoutTests/security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star.html
new file mode 100644 (file)
index 0000000..c37b99b
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src *">
+</head>
+<body>
+<p>This tests that loading image with a file URL is allowed when the page that is loaded from file URL has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<img src="../../fast/dom/HTMLImageElement/resources/green.png" width="128" height="128">
+</body>
+</html>
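Review bot: the description paragraph names the directive as "image-src *" while the meta tag two lines above it sets "img-src *". Change the text to "img-src *" here and in the matching -expected.html so the description names the directive that is actually under test.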
diff --git a/LayoutTests/security/contentSecurityPolicy/image-with-file-url-blocked-by-img-src-star-expected.html b/LayoutTests/security/contentSecurityPolicy/image-with-file-url-blocked-by-img-src-star-expected.html
deleted file mode 100644 (file)
index 5a394e3..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-<!DOCTYPE html>
-<html>
-<body>
-<p>This tests that loading image with a file URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
-<img src="" width="128" height="128" alt="PASS">
-</body>
-</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/image-with-file-url-blocked-by-img-src-star.html b/LayoutTests/security/contentSecurityPolicy/image-with-file-url-blocked-by-img-src-star.html
deleted file mode 100644 (file)
index 1dbeeda..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<meta http-equiv="Content-Security-Policy" content="img-src *">
-</head>
-<body>
-<p>This tests that loading image with a file URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
-<img src="resources/green.png" width="128" height="128" alt="PASS">
-</body>
-</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star-expected.html b/LayoutTests/security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star-expected.html
new file mode 100644 (file)
index 0000000..980d534
--- /dev/null
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading a stylesheet with a file URL is allowed when the page that is loaded from file URL has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div style="background-color: green; height: 128px; width: 128px"></div>
+</body>
+</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star.html b/LayoutTests/security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star.html
new file mode 100644 (file)
index 0000000..1676432
--- /dev/null
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test {
+    background-color: red;
+    height: 128px;
+    width: 128px;
+}
+</style>
+<meta http-equiv="Content-Security-Policy" content="style-src *">
+<link rel="stylesheet" href="../../fast/dom/HTMLLinkElement/resources/green-background-color.css">
+</head>
+<body>
+<p>This tests that loading a stylesheet with a file URL is allowed when the page that is loaded from file URL has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div id="test"></div>
+</body>
+</html>
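Review bot: the inline <style> block that paints #test red is placed before the Content-Security-Policy meta tag, and "style-src *" carries no 'unsafe-inline', so the red fallback appears to rely on the style element preceding the meta tag. Add a short comment in <head> saying the order is intentional, so a later cleanup that moves the meta tag to the top does not change what the test shows on failure.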
diff --git a/LayoutTests/security/contentSecurityPolicy/link-with-file-url-blocked-by-style-src-star-expected.html b/LayoutTests/security/contentSecurityPolicy/link-with-file-url-blocked-by-style-src-star-expected.html
deleted file mode 100644 (file)
index 4384846..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-<!DOCTYPE html>
-<html>
-<body>
-<p>This tests that loading a stylesheet with a file URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
-<div style="background-color: green; height: 128px; width: 128px"></div>
-</body>
-</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/link-with-file-url-blocked-by-style-src-star.html b/LayoutTests/security/contentSecurityPolicy/link-with-file-url-blocked-by-style-src-star.html
deleted file mode 100644 (file)
index d35c994..0000000
+++ /dev/null
@@ -1,18 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<style>
-#test {
-    background-color: green;
-    height: 128px;
-    width: 128px;
-}
-</style>
-<meta http-equiv="Content-Security-Policy" content="style-src *">
-<link rel="stylesheet" href="resources/red-background-color.css">
-</head>
-<body>
-<p>This tests that loading a stylesheet with a file URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
-<div id="test"></div>
-</body>
-</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/resources/alert-pass.js b/LayoutTests/security/contentSecurityPolicy/resources/alert-pass.js
new file mode 100644 (file)
index 0000000..4494579
--- /dev/null
@@ -0,0 +1 @@
+alert("PASS");
diff --git a/LayoutTests/security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star-expected.txt b/LayoutTests/security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star-expected.txt
new file mode 100644 (file)
index 0000000..13ea8e2
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: PASS
+Test passes if the JavaScript script is loaded.
diff --git a/LayoutTests/security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star.html b/LayoutTests/security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star.html
new file mode 100644 (file)
index 0000000..3697dd9
--- /dev/null
@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<meta http-equiv="Content-Security-Policy" content="script-src *">
+</head>
+<body>
+<p>Test passes if the JavaScript script is loaded.</p>
+<script src="resources/alert-pass.js"></script>
+</body>
+</html>
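Review bot: the paragraph "Test passes if the JavaScript script is loaded." does not say that the page is loaded from a file URL under "script-src *", unlike the descriptions in the img-src, style-src and media-src tests. Word it the same way as those, so the dumped expected.txt records which policy and which URL scheme the test exercises.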
diff --git a/LayoutTests/security/contentSecurityPolicy/video-with-file-url-allowed-by-media-src-star-expected.html b/LayoutTests/security/contentSecurityPolicy/video-with-file-url-allowed-by-media-src-star-expected.html
new file mode 100644 (file)
index 0000000..d953e36
--- /dev/null
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+video {
+    background-color: red;
+    width: 128px;
+    height: 128px;
+}
+</style>
+<script src="../../media/media-file.js"></script>
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+ function testFinished()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+ window.onload = function ()
+{
+    var video = document.getElementById("video");
+    video.oncanplaythrough = function () {
+        // Use a zero timer to ensure that the first frame of the video is drawn.
+        window.setTimeout(testFinished, 0);
+    }
+    video.onerror = testFinished;
+    video.src = "../../media/" + findMediaFile("video", "content/test");
+}
+</script>
+</head>
+<body>
+<p>This tests that loading a video with a file URL is allowed when the page that is loaded from file URL has Content Security Policy &quot;media-src *&quot;. This test PASSED if you don't see a solid red square. Otherwise, it FAILED.</p>
+<video id="video"></video>
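Review bot: `video.onerror = testFinished;` lets the reference page finish on a load error with the red background still showing, which is the same rendering the test page would give if the policy blocked the video. In an environment where the media file cannot be loaded the two would match and the test would pass without exercising "media-src *". Consider making the error path in the reference produce a rendering the test page cannot match.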
@@ -4,7 +4,7 @@
 <meta http-equiv="Content-Security-Policy" content="media-src *">
 <style>
 video {
-    background-color: green;
+    background-color: red;
     width: 128px;
     height: 128px;
 }
@@ -14,13 +14,13 @@ video {
 if (window.testRunner)
     testRunner.waitUntilDone();
 
-function testFinished()
+ function testFinished()
 {
     if (window.testRunner)
         testRunner.notifyDone();
 }
 
-window.onload = function ()
+ window.onload = function ()
 {
     var video = document.getElementById("video");
     video.oncanplaythrough = function () {
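Review bot: the only change to `function testFinished()` and `window.onload = function ()` in this hunk is an added leading space. Drop both whitespace-only edits so the rename carries just the background colour and description changes; the same stray space is present in the copied -expected.html.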
@@ -33,7 +33,7 @@ window.onload = function ()
 </script>
 </head>
 <body>
-<p>This tests that loading a video with a file URL is blocked when the page has Content Security Policy &quot;media-src *&quot;. This test PASSED if you see a solid green square. Otherwise, it FAILED.</p>
+<p>This tests that loading a video with a file URL is allowed when the page that is loaded from file URL has Content Security Policy &quot;media-src *&quot;. This test PASSED if you don't see a solid red square. Otherwise, it FAILED.</p>
 <video id="video"></video>
 </body>
 </html>
diff --git a/LayoutTests/security/contentSecurityPolicy/video-with-file-url-blocked-by-media-src-star-expected.html b/LayoutTests/security/contentSecurityPolicy/video-with-file-url-blocked-by-media-src-star-expected.html
deleted file mode 100644 (file)
index 84a1260..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<style>
-#equivalent-expected-result {
-    background-color: green;
-    width: 128px;
-    height: 128px;
-}
-</style>
-</head>
-<body>
-<p>This tests that loading a video with a file URL is blocked when the page has Content Security Policy &quot;media-src *&quot;. This test PASSED if you see a solid green square. Otherwise, it FAILED.</p>
-<div id="equivalent-expected-result"></div>
-</body>
-</html>
index 5f17fae..642a2c6 100644 (file)
@@ -1,3 +1,19 @@
+2016-06-16  Jiewen Tan  <jiewen_tan@apple.com>
+
+        CSP: Content Security Policy should allow '*' to match the originating page's scheme
+        https://bugs.webkit.org/show_bug.cgi?id=158811
+        <rdar://problem/26819568>
+
+        Reviewed by Daniel Bates.
+
+        Tests: security/contentSecurityPolicy/image-with-file-url-allowed-by-img-src-star.html
+               security/contentSecurityPolicy/link-with-file-url-allowed-by-style-src-star.html
+               security/contentSecurityPolicy/script-with-file-url-allowed-by-script-src-star.html
+               security/contentSecurityPolicy/video-with-file-url-allowed-by-media-src-star.html
+
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar):
+
 2016-06-16  Chris Dumez  <cdumez@apple.com>
 
         Add HTTPHeaderMap::set() overload taking a NSString*
index 0bf6aa2..3a8f3eb 100644 (file)
@@ -123,7 +123,7 @@ bool ContentSecurityPolicySourceList::isProtocolAllowedByStar(const URL& url) co
 
     // Although not allowed by the Content Security Policy Level 3 spec., we allow a data URL to match
     // "img-src *" and either a data URL or blob URL to match "media-src *" for web compatibility.
-    bool isAllowed = url.protocolIsInHTTPFamily();
+    bool isAllowed = url.protocolIsInHTTPFamily() || m_policy.protocolMatchesSelf(url);
     if (equalIgnoringASCIICase(m_directiveName, ContentSecurityPolicyDirectiveNames::imgSrc))
         isAllowed |= url.protocolIsData();
     else if (equalIgnoringASCIICase(m_directiveName, ContentSecurityPolicyDirectiveNames::mediaSrc))
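Review bot: the comment above the changed line still describes only the data and blob URL exceptions and says nothing about the new `m_policy.protocolMatchesSelf(url)` term, so a reader cannot tell from the comment why '*' now accepts a non-HTTP scheme. Extend the comment to state that '*' also matches the scheme of the page the policy protects. The ChangeLog also shows every "blocked-by-...-star" test being removed or renamed with no replacement, so nothing in this patch checks that '*' still rejects a file URL when the page itself was not loaded from a file URL; add one such test (for example an HTTP-served page with "img-src *" referencing a file URL) to pin down the boundary of the relaxation.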