CSP: object-src and plugin-types directives are not respected for plugin replacements
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Jul 2016 20:33:11 +0000 (20:33 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Jul 2016 20:33:11 +0000 (20:33 +0000)
https://bugs.webkit.org/show_bug.cgi?id=159761
<rdar://problem/27365724>

Reviewed by Brent Fulgham.

Source/WebCore:

Apply the Content Security Policy (CSP) object-src and plugin-types directives to content that will
load with a plugin replacement.

Tests: security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html
       security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html
       security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html
       security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html

* html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::allowedToLoadPluginContent): Added.
(WebCore::HTMLPlugInImageElement::requestObject): Only request loading plugin content if we
are allowed to load such content.
* html/HTMLPlugInImageElement.h:
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::pluginIsLoadable): Removed code to check CSP as we will check CSP
earlier in HTMLPlugInImageElement::requestObject().
(WebCore::SubframeLoader::requestPlugin): Ditto.
(WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Deleted; moved implementation
to HTMLPlugInImageElement::allowedToLoadPluginContent().
(WebCore::SubframeLoader::requestObject): Deleted.
* loader/SubframeLoader.h:
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Changed signature from a non-const
function to a const function since these functions do not modify |this|.
* page/csp/ContentSecurityPolicy.h:

LayoutTests:

Add layout tests to ensure that we apply the CSP object-src and plugin-types directives to content
that loads with either the QuickTime plugin replacement or YouTube plugin replacement.

* security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html: Added.
* security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html: Added.
* security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html: Added.
* security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html: Added.
* security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html: Added.
* security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html: Added.
* security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type-expected.txt: Added.
* security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html: Added.
* security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@203611 268f45cc-cd09-0410-ab3c-d52691b4dbfc

24 files changed:
LayoutTests/ChangeLog
LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type-expected.txt [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html [new file with mode: 0644]
LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLPlugInImageElement.cpp
Source/WebCore/html/HTMLPlugInImageElement.h
Source/WebCore/loader/SubframeLoader.cpp
Source/WebCore/loader/SubframeLoader.h
Source/WebCore/page/csp/ContentSecurityPolicy.cpp
Source/WebCore/page/csp/ContentSecurityPolicy.h

index a6fa06a..c9a8ec6 100644 (file)
@@ -1,3 +1,31 @@
+2016-07-22  Daniel Bates  <dabates@apple.com>
+
+        CSP: object-src and plugin-types directives are not respected for plugin replacements
+        https://bugs.webkit.org/show_bug.cgi?id=159761
+        <rdar://problem/27365724>
+
+        Reviewed by Brent Fulgham.
+
+        Add layout tests to ensure that we apply the CSP object-src and plugin-types directives to content
+        that loads with either the QuickTime plugin replacement or YouTube plugin replacement.
+
+        * security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement-expected.txt: Added.
+        * security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html: Added.
+        * security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement-expected.txt: Added.
+        * security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html: Added.
+        * security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement-expected.txt: Added.
+        * security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html: Added.
+        * security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement-expected.txt: Added.
+        * security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html: Added.
+        * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-expected.txt: Added.
+        * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type-expected.txt: Added.
+        * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html: Added.
+        * security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html: Added.
+        * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-expected.txt: Added.
+        * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type-expected.txt: Added.
+        * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html: Added.
+        * security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html: Added.
+
 2016-07-22  Chris Dumez  <cdumez@apple.com>
 
         Parameters to Node.replaceChild() / insertBefore() should be mandatory
diff --git a/LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement-expected.txt b/LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement-expected.txt
new file mode 100644 (file)
index 0000000..273c2b4
--- /dev/null
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Refused to load yellow.mov because it does not appear in the object-src directive of the Content Security Policy.
+
diff --git a/LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html b/LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html
new file mode 100644 (file)
index 0000000..d8f6a82
--- /dev/null
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+if (window.internals)
+    window.internals.settings.setPluginReplacementEnabled(true);
+
+function done()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+document.addEventListener("securitypolicyviolation", done, false);
+</script>
+</head>
+<body>
+<embed id="embed" width="640" height="480" src="../../plugins/resources/yellow.mov" qtsrc="../../plugins/resources/orange.mov">
+</body>
+</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement-expected.txt b/LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement-expected.txt
new file mode 100644 (file)
index 0000000..a9551d1
--- /dev/null
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Refused to load https://www.youtube.com/v/UF8uR6Z6KLc because it does not appear in the object-src directive of the Content Security Policy.
diff --git a/LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html b/LayoutTests/security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html
new file mode 100644 (file)
index 0000000..f34a7e8
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="object-src 'none'">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+if (window.internals)
+    window.internals.settings.setPluginReplacementEnabled(true);
+
+function done()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+document.addEventListener("securitypolicyviolation", done, false);
+</script>
+</head>
+<body>
+<object width="425" height="350" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
+    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
+    <embed width="425" height="350" type="application/x-shockwave-flash" src="https://www.youtube.com/v/UF8uR6Z6KLc">
+</object>
+</body>
+</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement-expected.txt b/LayoutTests/security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement-expected.txt
new file mode 100644 (file)
index 0000000..06a3ee9
--- /dev/null
@@ -0,0 +1,2 @@
+ALERT: PASS did load plugin.
+
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html b/LayoutTests/security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html
new file mode 100644 (file)
index 0000000..45ae973
--- /dev/null
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="plugin-types video/quicktime">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+if (window.internals)
+    window.internals.settings.setPluginReplacementEnabled(true);
+</script>
+</head>
+<body>
+<embed id="embed" type="video/quicktime" width="640" height="480" src="../../plugins/resources/yellow.mov" qtsrc="../../plugins/resources/orange.mov" postdomevents=true>
+<script>
+document.getElementById("embed").addEventListener("qt_begin", function () {
+    alert("PASS did load plugin.");
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, true);
+</script>
+</body>
+</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement-expected.txt b/LayoutTests/security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement-expected.txt
new file mode 100644 (file)
index 0000000..940bae4
--- /dev/null
@@ -0,0 +1,2 @@
+Blocked access to external URL https://www.youtube.com/embed/UF8uR6Z6KLc?showinfo=0
+
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html b/LayoutTests/security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html
new file mode 100644 (file)
index 0000000..7df0a0f
--- /dev/null
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="plugin-types application/x-shockwave-flash">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+if (window.internals)
+    window.internals.settings.setPluginReplacementEnabled(true);
+
+// Waiting at least 100ms seems to ensure that YouTube plugin replacement has loaded.
+window.setTimeout(function () {
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, 100);
+</script>
+</head>
+<body>
+<object width="425" height="350" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
+    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
+    <embed width="425" height="350" type="application/x-shockwave-flash" src="https://www.youtube.com/v/UF8uR6Z6KLc">
+</object>
+</body>
+</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-expected.txt b/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-expected.txt
new file mode 100644 (file)
index 0000000..28fe1b6
--- /dev/null
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Refused to load yellow.mov because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
+
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type-expected.txt b/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type-expected.txt
new file mode 100644 (file)
index 0000000..28fe1b6
--- /dev/null
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Refused to load yellow.mov because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
+
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html b/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html
new file mode 100644 (file)
index 0000000..48d3a91
--- /dev/null
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="plugin-types text/html">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+if (window.internals)
+    window.internals.settings.setPluginReplacementEnabled(true);
+
+function done()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+document.addEventListener("securitypolicyviolation", done, false);
+</script>
+</head>
+<body>
+<embed width="640" height="480" src="../../plugins/resources/yellow.mov" qtsrc="../../plugins/resources/orange.mov">
+</body>
+</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html b/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html
new file mode 100644 (file)
index 0000000..6e2a0e5
--- /dev/null
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="plugin-types text/html">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+if (window.internals)
+    window.internals.settings.setPluginReplacementEnabled(true);
+
+function done()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+document.addEventListener("securitypolicyviolation", done, false);
+</script>
+</head>
+<body>
+<embed type="video/quicktime" width="640" height="480" src="../../plugins/resources/yellow.mov" qtsrc="../../plugins/resources/orange.mov">
+</body>
+</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-expected.txt b/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-expected.txt
new file mode 100644 (file)
index 0000000..b7c42ae
--- /dev/null
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Refused to load https://www.youtube.com/v/UF8uR6Z6KLc because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type-expected.txt b/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type-expected.txt
new file mode 100644 (file)
index 0000000..b7c42ae
--- /dev/null
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: Refused to load https://www.youtube.com/v/UF8uR6Z6KLc because its MIME type does not appear in the plugin-types directive of the Content Security Policy.
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html b/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html
new file mode 100644 (file)
index 0000000..6527e76
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="plugin-types text/html">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+if (window.internals)
+    window.internals.settings.setPluginReplacementEnabled(true);
+
+function done()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+document.addEventListener("securitypolicyviolation", done, false);
+</script>
+</head>
+<body>
+<object width="425" height="350" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
+    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
+    <embed width="425" height="350" src="https://www.youtube.com/v/UF8uR6Z6KLc">
+</object>
+</body>
+</html>
diff --git a/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html b/LayoutTests/security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html
new file mode 100644 (file)
index 0000000..8865ad9
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="plugin-types text/html">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+if (window.internals)
+    window.internals.settings.setPluginReplacementEnabled(true);
+
+function done()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+document.addEventListener("securitypolicyviolation", done, false);
+</script>
+</head>
+<body>
+<object width="425" height="350" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"
+    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
+    <embed width="425" height="350" type="application/x-shockwave-flash" src="https://www.youtube.com/v/UF8uR6Z6KLc">
+</object>
+</body>
+</html>
index 8b40c70..f8f462c 100644 (file)
@@ -1,3 +1,41 @@
+2016-07-22  Daniel Bates  <dabates@apple.com>
+
+        CSP: object-src and plugin-types directives are not respected for plugin replacements
+        https://bugs.webkit.org/show_bug.cgi?id=159761
+        <rdar://problem/27365724>
+
+        Reviewed by Brent Fulgham.
+
+        Apply the Content Security Policy (CSP) object-src and plugin-types directives to content that will
+        load with a plugin replacement.
+
+        Tests: security/contentSecurityPolicy/object-src-none-blocks-quicktime-plugin-replacement.html
+               security/contentSecurityPolicy/object-src-none-blocks-youtube-plugin-replacement.html
+               security/contentSecurityPolicy/plugins-types-allows-quicktime-plugin-replacement.html
+               security/contentSecurityPolicy/plugins-types-allows-youtube-plugin-replacement.html
+               security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement-without-mime-type.html
+               security/contentSecurityPolicy/plugins-types-blocks-quicktime-plugin-replacement.html
+               security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement-without-mime-type.html
+               security/contentSecurityPolicy/plugins-types-blocks-youtube-plugin-replacement.html
+
+        * html/HTMLPlugInImageElement.cpp:
+        (WebCore::HTMLPlugInImageElement::allowedToLoadPluginContent): Added.
+        (WebCore::HTMLPlugInImageElement::requestObject): Only request loading plugin content if we
+        are allowed to load such content.
+        * html/HTMLPlugInImageElement.h:
+        * loader/SubframeLoader.cpp:
+        (WebCore::SubframeLoader::pluginIsLoadable): Removed code to check CSP as we will check CSP
+        earlier in HTMLPlugInImageElement::requestObject().
+        (WebCore::SubframeLoader::requestPlugin): Ditto.
+        (WebCore::SubframeLoader::isPluginContentAllowedByContentSecurityPolicy): Deleted; moved implementation
+        to HTMLPlugInImageElement::allowedToLoadPluginContent().
+        (WebCore::SubframeLoader::requestObject): Deleted.
+        * loader/SubframeLoader.h:
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::upgradeInsecureRequestIfNeeded): Changed signature from a non-const
+        function to a const function since these functions do not modify |this|.
+        * page/csp/ContentSecurityPolicy.h: 
+
 2016-07-22  Chris Dumez  <cdumez@apple.com>
 
         Parameters to Node.replaceChild() / insertBefore() should be mandatory
index 1228e21..8b444db 100644 (file)
@@ -23,6 +23,7 @@
 
 #include "Chrome.h"
 #include "ChromeClient.h"
+#include "ContentSecurityPolicy.h"
 #include "Event.h"
 #include "EventHandler.h"
 #include "EventNames.h"
@@ -770,8 +771,33 @@ void HTMLPlugInImageElement::defaultEventHandler(Event* event)
     HTMLPlugInElement::defaultEventHandler(event);
 }
 
+bool HTMLPlugInImageElement::allowedToLoadPluginContent(const String& url, const String& mimeType) const
+{
+    URL completedURL;
+    if (!url.isEmpty())
+        completedURL = document().completeURL(url);
+
+    ASSERT(document().contentSecurityPolicy());
+    const ContentSecurityPolicy& contentSecurityPolicy = *document().contentSecurityPolicy();
+
+    contentSecurityPolicy.upgradeInsecureRequestIfNeeded(completedURL, ContentSecurityPolicy::InsecureRequestType::Load);
+
+    String declaredMimeType = document().isPluginDocument() && document().ownerElement() ?
+        document().ownerElement()->attributeWithoutSynchronization(HTMLNames::typeAttr) : attributeWithoutSynchronization(HTMLNames::typeAttr);
+    bool isInUserAgentShadowTree = this->isInUserAgentShadowTree();
+    return contentSecurityPolicy.allowObjectFromSource(completedURL, isInUserAgentShadowTree) && contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, completedURL, isInUserAgentShadowTree);
+}
+
 bool HTMLPlugInImageElement::requestObject(const String& url, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues)
 {
+    if (url.isEmpty() && mimeType.isEmpty())
+        return false;
+
+    if (!allowedToLoadPluginContent(url, mimeType)) {
+        renderEmbeddedObject()->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
+        return false;
+    }
+
     if (HTMLPlugInElement::requestObject(url, mimeType, paramNames, paramValues))
         return true;
     
index c6040bc..d33eeeb 100644 (file)
@@ -111,6 +111,8 @@ private:
     bool isPlugInImageElement() const final { return true; }
     bool isRestartedPlugin() const final { return m_isRestartedPlugin; }
 
+    bool allowedToLoadPluginContent(const String& url, const String& mimeType) const;
+
     void finishParsingChildren() final;
     void didAddUserAgentShadowRoot(ShadowRoot*) final;
 
index b6ecda7..08a84a4 100644 (file)
@@ -108,21 +108,7 @@ bool SubframeLoader::resourceWillUsePlugin(const String& url, const String& mime
     return shouldUsePlugin(completedURL, mimeType, false, useFallback);
 }
 
-bool SubframeLoader::isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType) const
-{
-    if (!document())
-        return true;
-
-    ASSERT(document()->contentSecurityPolicy());
-    const ContentSecurityPolicy& contentSecurityPolicy = *document()->contentSecurityPolicy();
-
-    String declaredMimeType = document()->isPluginDocument() && document()->ownerElement() ?
-        document()->ownerElement()->attributeWithoutSynchronization(HTMLNames::typeAttr) : pluginElement.attributeWithoutSynchronization(HTMLNames::typeAttr);
-    bool isInUserAgentShadowTree = pluginElement.isInUserAgentShadowTree();
-    return contentSecurityPolicy.allowObjectFromSource(url, isInUserAgentShadowTree) && contentSecurityPolicy.allowPluginType(mimeType, declaredMimeType, url, isInUserAgentShadowTree);
-}
-
-bool SubframeLoader::pluginIsLoadable(HTMLPlugInImageElement& pluginElement, const URL& url, const String& mimeType)
+bool SubframeLoader::pluginIsLoadable(const URL& url, const String& mimeType)
 {
     if (MIMETypeRegistry::isJavaAppletMIMEType(mimeType)) {
         if (!m_frame.settings().isJavaEnabled())
@@ -140,12 +126,6 @@ bool SubframeLoader::pluginIsLoadable(HTMLPlugInImageElement& pluginElement, con
             return false;
         }
 
-        if (!isPluginContentAllowedByContentSecurityPolicy(pluginElement, url, mimeType)) {
-            RenderEmbeddedObject* renderer = pluginElement.renderEmbeddedObject();
-            renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
-            return false;
-        }
-
         if (!m_frame.loader().mixedContentChecker().canRunInsecureContent(document()->securityOrigin(), url))
             return false;
     }
@@ -161,7 +141,7 @@ bool SubframeLoader::requestPlugin(HTMLPlugInImageElement& ownerElement, const U
     if ((!allowPlugins() && !MIMETypeRegistry::isApplicationPluginMIMEType(mimeType)))
         return false;
 
-    if (!pluginIsLoadable(ownerElement, url, mimeType))
+    if (!pluginIsLoadable(url, mimeType))
         return false;
 
     ASSERT(ownerElement.hasTagName(objectTag) || ownerElement.hasTagName(embedTag));
@@ -242,12 +222,6 @@ bool SubframeLoader::requestObject(HTMLPlugInImageElement& ownerElement, const S
         return success;
     }
 
-    if (!isPluginContentAllowedByContentSecurityPolicy(ownerElement, completedURL, mimeType)) {
-        RenderEmbeddedObject* renderer = ownerElement.renderEmbeddedObject();
-        renderer->setPluginUnavailabilityReason(RenderEmbeddedObject::PluginBlockedByContentSecurityPolicy);
-        return false;
-    }
-
     // If the plug-in element already contains a subframe, loadOrRedirectSubframe will re-use it. Otherwise,
     // it will create a new frame and set it as the RenderWidget's Widget, causing what was previously 
     // in the widget to be torn down.
index 92ee9e6..e38aa47 100644 (file)
@@ -77,10 +77,8 @@ private:
     Frame* loadSubframe(HTMLFrameOwnerElement&, const URL&, const String& name, const String& referrer);
     bool loadPlugin(HTMLPlugInImageElement&, const URL&, const String& mimeType, const Vector<String>& paramNames, const Vector<String>& paramValues, bool useFallback);
 
-    bool isPluginContentAllowedByContentSecurityPolicy(HTMLPlugInImageElement&, const URL&, const String& mimeType) const;
-
     bool shouldUsePlugin(const URL&, const String& mimeType, bool hasFallback, bool& useFallback);
-    bool pluginIsLoadable(HTMLPlugInImageElement&, const URL&, const String& mimeType);
+    bool pluginIsLoadable(const URL&, const String& mimeType);
 
     Document* document() const;
 
index cbec763..746ba0c 100644 (file)
@@ -829,14 +829,14 @@ bool ContentSecurityPolicy::experimentalFeaturesEnabled() const
 #endif
 }
 
-void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(ResourceRequest& request, InsecureRequestType requestType)
+void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(ResourceRequest& request, InsecureRequestType requestType) const
 {
     URL url = request.url();
     upgradeInsecureRequestIfNeeded(url, requestType);
     request.setURL(url);
 }
 
-void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(URL& url, InsecureRequestType requestType)
+void ContentSecurityPolicy::upgradeInsecureRequestIfNeeded(URL& url, InsecureRequestType requestType) const
 {
     if (!url.protocolIs("http") && !url.protocolIs("ws"))
         return;
index fe030e4..6aa4554 100644 (file)
@@ -155,8 +155,8 @@ public:
     void setUpgradeInsecureRequests(bool);
     bool upgradeInsecureRequests() const { return m_upgradeInsecureRequests; }
     enum class InsecureRequestType { Load, FormSubmission, Navigation };
-    void upgradeInsecureRequestIfNeeded(ResourceRequest&, InsecureRequestType);
-    void upgradeInsecureRequestIfNeeded(URL&, InsecureRequestType);
+    void upgradeInsecureRequestIfNeeded(ResourceRequest&, InsecureRequestType) const;
+    void upgradeInsecureRequestIfNeeded(URL&, InsecureRequestType) const;
 
     HashSet<RefPtr<SecurityOrigin>>&& takeNavigationRequestsToUpgrade();
     void inheritInsecureNavigationRequestsToUpgradeFromOpener(const ContentSecurityPolicy&);