CSP: 'sandbox' should be ignored in report-only mode
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 15 Feb 2016 18:54:30 +0000 (18:54 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 15 Feb 2016 18:54:30 +0000 (18:54 +0000)
https://bugs.webkit.org/show_bug.cgi?id=153167
<rdar://problem/22708669>

Reviewed by Brent Fulgham.

Source/WebCore:

Merged from Blink (patch by Mike West):
<https://src.chromium.org/viewvc/blink?revision=165322&view=revision>

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::reportInvalidDirectiveInReportOnlyMode): Added. Logs a
console message to the console to explain that the specified directive is invalid in
report-only mode.
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::applySandboxPolicy): Do not apply sandbox
policy when in report-only mode and call ContentSecurityPolicy::reportInvalidDirectiveInReportOnlyMode()
to log a message to the console.

LayoutTests:

Remove the entry from the TestExpectations file for the test
http/tests/security/contentSecurityPolicy/sandbox-report-only.html as it now passes.

* TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196582 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicy.cpp
Source/WebCore/page/csp/ContentSecurityPolicy.h
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
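
A standalone model of the behaviour described in the commit message, added here as an example and not taken from WebKit: it evaluates the `sandbox` directive of a single policy, so a policy audited before deployment shows whether the sandbox would actually be enforced. `SandboxOutcome` and `evaluateSandbox` are hypothetical names, and the duplicate-directive message wording is constructed.

```cpp
#include <algorithm>
#include <cctype>
#include <sstream>
#include <string>
#include <vector>

// Added model, not WebKit code: outcome of the 'sandbox' directive in ONE policy.
struct SandboxOutcome {
    bool applied = false;               // an enforced sandbox directive took effect
    std::string flags;                  // its value, e.g. "allow-scripts"
    std::vector<std::string> messages;  // what the console would show
};

static std::string trim(const std::string& s)
{
    auto b = s.find_first_not_of(" \t");
    return b == std::string::npos ? std::string() : s.substr(b, s.find_last_not_of(" \t") - b + 1);
}

// reportOnly is true for a policy from Content-Security-Policy-Report-Only.
SandboxOutcome evaluateSandbox(const std::string& policy, bool reportOnly)
{
    SandboxOutcome out;
    std::istringstream in(policy);
    std::string directive;
    while (std::getline(in, directive, ';')) {
        directive = trim(directive);
        auto space = directive.find_first_of(" \t");
        std::string name = directive.substr(0, space);
        std::transform(name.begin(), name.end(), name.begin(),  // names are case-insensitive
            [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
        if (name != "sandbox")
            continue;
        if (reportOnly) {  // same order as the patch: checked before duplicates
            out.messages.push_back("The Content Security Policy directive '" + name + "' is ignored when delivered in a report-only policy.");
            continue;
        }
        if (out.applied) {  // constructed wording, not WebKit's duplicate message
            out.messages.push_back("duplicate 'sandbox' directive ignored");
            continue;
        }
        out.applied = true;
        out.flags = space == std::string::npos ? std::string() : trim(directive.substr(space));
    }
    return out;
}

// Exit status 0: a report-only policy (constructed sample) sandboxes nothing.
int main() { return evaluateSandbox("sandbox allow-scripts", true).applied ? 1 : 0; }
```

A `sandbox` directive trialled in a report-only header restricts nothing, so its effect has to be tested in an enforced policy.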

index 9c12a71..254725c 100644 (file)
@@ -1,5 +1,18 @@
 2016-02-15  Daniel Bates  <dabates@apple.com>
 
+        CSP: 'sandbox' should be ignored in report-only mode
+        https://bugs.webkit.org/show_bug.cgi?id=153167
+        <rdar://problem/22708669>
+
+        Reviewed by Brent Fulgham.
+
+        Remove the entry from the TestExpectations file for the test
+        http/tests/security/contentSecurityPolicy/sandbox-report-only.html as it now passes.
+
+        * TestExpectations:
+
+2016-02-15  Daniel Bates  <dabates@apple.com>
+
         CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource
         https://bugs.webkit.org/show_bug.cgi?id=154177
         <rdar://problem/22708772>
index 2622397..c518444 100644 (file)
@@ -833,7 +833,6 @@ webkit.org/b/153166 http/tests/security/contentSecurityPolicy/report-uri-from-ja
 webkit.org/b/153166 http/tests/security/contentSecurityPolicy/report-uri.html [ Failure ]
 webkit.org/b/153166 webkit.org/b/153242 http/tests/security/contentSecurityPolicy/report-and-enforce.html [ Failure ]
 webkit.org/b/153166 webkit.org/b/153242 http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html [ Failure ]
-webkit.org/b/153167 http/tests/security/contentSecurityPolicy/sandbox-report-only.html [ Failure ]
 webkit.org/b/153168 http/tests/security/contentSecurityPolicy/source-list-parsing-07.html [ Failure ]
 webkit.org/b/153170 http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html [ Failure ]
 http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
index 51b88ce..86d886a 100644 (file)
@@ -1,5 +1,26 @@
 2016-02-15  Daniel Bates  <dabates@apple.com>
 
+        CSP: 'sandbox' should be ignored in report-only mode
+        https://bugs.webkit.org/show_bug.cgi?id=153167
+        <rdar://problem/22708669>
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Mike West):
+        <https://src.chromium.org/viewvc/blink?revision=165322&view=revision>
+
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::reportInvalidDirectiveInReportOnlyMode): Added. Logs a
+        console message to the console to explain that the specified directive is invalid in
+        report-only mode.
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::applySandboxPolicy): Do not apply sandbox
+        policy when in report-only mode and call ContentSecurityPolicy::reportInvalidDirectiveInReportOnlyMode()
+        to log a message to the console.
+
+2016-02-15  Daniel Bates  <dabates@apple.com>
+
         CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource
         https://bugs.webkit.org/show_bug.cgi?id=154177
         <rdar://problem/22708772>
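Review bot: the ChangeLog entry for reportInvalidDirectiveInReportOnlyMode says "Logs a console message to the console", which repeats "console". Suggest "Logs a console message explaining that the specified directive is ignored in report-only mode", which is shorter and uses the same verb as the message text the function emits.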
index 3d1551d..a069d21 100644 (file)
@@ -452,6 +452,11 @@ void ContentSecurityPolicy::reportInvalidReflectedXSS(const String& invalidValue
     logToConsole("The 'reflected-xss' Content Security Policy directive has the invalid value \"" + invalidValue + "\". Value values are \"allow\", \"filter\", and \"block\".");
 }
 
+void ContentSecurityPolicy::reportInvalidDirectiveInReportOnlyMode(const String& directiveName) const
+{
+    logToConsole("The Content Security Policy directive '" + directiveName + "' is ignored when delivered in a report-only policy.");
+}
+
 void ContentSecurityPolicy::reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const
 {
     String message = makeString("The value for Content Security Policy directive '", directiveName, "' contains an invalid character: '", value, "'. Non-whitespace characters outside ASCII 0x21-0x7E must be percent-encoded, as described in RFC 3986, section 2.1: http://tools.ietf.org/html/rfc3986#section-2.1.");
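Review bot: the new reportInvalidDirectiveInReportOnlyMode builds its message with operator+ on string literals, while reportInvalidDirectiveValueCharacter directly below uses makeString(...); using makeString here would keep the two neighbours consistent and avoid the temporary concatenations. The function name also says "Invalid" while the logged text says the directive "is ignored", so a name that matches the message would make call sites easier to read.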
index e490537..fc884fb 100644 (file)
@@ -122,6 +122,7 @@ public:
     void reportInvalidDirectiveValueCharacter(const String& directiveName, const String& value) const;
     void reportInvalidSandboxFlags(const String&) const;
     void reportInvalidReflectedXSS(const String&) const;
+    void reportInvalidDirectiveInReportOnlyMode(const String&) const;
     void reportMissingReportURI(const String&) const;
     void reportUnsupportedDirective(const String&) const;
     void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const URL& blockedURL, const Vector<String>& reportURIs, const String& header, const String& contextURL = String(), const WTF::OrdinalNumber& contextLine = WTF::OrdinalNumber::beforeFirst(), JSC::ExecState* = nullptr) const;
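Review bot: the added declaration reportInvalidDirectiveInReportOnlyMode(const String&) leaves its parameter unnamed, so the header does not say whether the string is the directive name or its value. reportInvalidDirectiveValueCharacter two lines above names its parameters; declaring this one as (const String& directiveName) would match the definition and document the argument.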
index 74895f1..681fd85 100644 (file)
@@ -504,6 +504,10 @@ void ContentSecurityPolicyDirectiveList::setCSPDirective(const String& name, con
 
 void ContentSecurityPolicyDirectiveList::applySandboxPolicy(const String& name, const String& sandboxPolicy)
 {
+    if (m_reportOnly) {
+        m_policy.reportInvalidDirectiveInReportOnlyMode(name);
+        return;
+    }
     if (m_haveSandboxPolicy) {
         m_policy.reportDuplicateDirective(name);
         return;
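Review bot: the m_reportOnly early return in applySandboxPolicy sits before the m_haveSandboxPolicy check, so a report-only policy that repeats the sandbox directive logs the "ignored" message once per occurrence and never reaches reportDuplicateDirective. If that is intended, a one-line comment above the new block saying that sandbox is not applied in report-only mode would record why the order matters; otherwise move the duplicate check first. A blank line between the new block and the following if would also match the spacing used elsewhere in the function.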