CSP: Source '*' should not match URLs with schemes blob, data, or filesystem
author: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Mar 2016 05:39:26 +0000 (05:39 +0000)
committer: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Mar 2016 05:39:26 +0000 (05:39 +0000)
https://bugs.webkit.org/show_bug.cgi?id=154122
<rdar://problem/24613336>

Reviewed by Brent Fulgham.

Source/WebCore:

Restrict matching of source expression * to HTTP or HTTPS URLs for all directives except
img-src and media-src. This policy is more restrictive than the policy described in section
Matching Source Expressions of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721>,
which restricts matching * to schemes that are not blob, data, or filesystem.

For directive img-src we restrict matching of * to HTTP, HTTPS, and data URLs. For directive
media-src we restrict matching of * to HTTP, HTTPS, data URLs and blob URLs. We use a
more lenient interpretation of * for directives img-src and media-src than required by
the spec. to mitigate web compatibility issues.

Tests: fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
       fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html
       fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html
       fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html
       fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html
       fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html
       http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html
       http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html
       http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html
       http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html
       http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html
       http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html
       http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html
       media/video-with-blob-url-allowed-by-csp-media-src-star.html
       media/video-with-data-url-allowed-by-csp-media-src-star.html
       media/video-with-file-url-blocked-by-csp-media-src-star.html

* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar): Added.
(WebCore::ContentSecurityPolicySourceList::matches): Modified to only match * if ContentSecurityPolicySourceList::isProtocolAllowedByStar()
evaluates to true.
* page/csp/ContentSecurityPolicySourceList.h:

LayoutTests:

Add tests to ensure that we do not regress our interpretation of * with respect to directives
img-src, media-src, style-src, and default-src.

When running in WebKitTestRunner, skip the tests fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
and media/video-with-blob-url-allowed-by-csp-media-src-star.html as they make use of eventSender.beginDragWithFiles(),
which is not implemented. We will need to fix <https://bugs.webkit.org/show_bug.cgi?id=64285>
before we can run these tests in WebKitTestRunner.

* TestExpectations:
* fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html: Added.
* fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html: Added.
* fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html: Added.
* fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html: Added.
* fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html: Added.
* fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html: Added.
* fast/dom/HTMLImageElement/resources/green.png: Added.
* fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html: Added.
* fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html: Added.
* fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html: Added.
* fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html: Added.
* fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html: Added.
* fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html: Added.
* fast/dom/HTMLLinkElement/resources/red-background-color.css: Added.
(#test):
* http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html: Added.
* http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html: Added.
* media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html: Added.
* media/video-with-blob-url-allowed-by-csp-media-src-star.html: Added.
* media/video-with-data-url-allowed-by-csp-media-src-star-expected.html: Added.
* media/video-with-data-url-allowed-by-csp-media-src-star.html: Added.
* media/video-with-file-url-blocked-by-csp-media-src-star-expected.html: Added.
* media/video-with-file-url-blocked-by-csp-media-src-star.html: Added.
* platform/wk2/TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@197724 268f45cc-cd09-0410-ab3c-d52691b4dbfc
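
The per-directive rule the commit message describes, as an added C++ example that is not WebKit's code: it models isProtocolAllowedByStar for the '*' source expression, a minimal policy parser, and the default-src fallback that the expected console messages mention. The names schemeOf, parsePolicy, starMatches and StarDecision are this example's own, and it assumes the fallback list applies the '*' rule under its own name (default-src); only the '*' expression is evaluated, never host, scheme or keyword sources.

```cpp
// Added example, not WebKit's own code: models how this change restricts the CSP
// source expression '*' per directive, plus the default-src fallback. Only the '*'
// expression is evaluated; other source expressions are out of scope here.
#include <cctype>
#include <map>
#include <sstream>
#include <string>
#include <vector>

enum class StarDecision { MatchedByStar, NotMatchedByStar, NoDirective };

// ASCII lower-casing; directive names and URL schemes compare case-insensitively.
static std::string asciiLower(std::string s)
{
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Returns the URL's scheme in lower case ("blob:http://a/b" -> "blob"), or "" when the
// string has no syntactically valid scheme (RFC 3986: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".")).
std::string schemeOf(const std::string& url)
{
    size_t colon = url.find(':');
    if (colon == std::string::npos || colon == 0)
        return "";
    if (!std::isalpha(static_cast<unsigned char>(url[0])))
        return "";
    for (size_t i = 1; i < colon; ++i) {
        unsigned char c = static_cast<unsigned char>(url[i]);
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.')
            return "";
    }
    return asciiLower(url.substr(0, colon));
}

// The rule from the commit message: '*' matches only http and https, except that
// img-src also accepts data: and media-src also accepts data: and blob:.
// file:, filesystem:, javascript: and every other scheme never match '*'.
bool isProtocolAllowedByStar(const std::string& directiveName, const std::string& scheme)
{
    if (scheme == "http" || scheme == "https")
        return true;
    if (directiveName == "img-src")
        return scheme == "data";
    if (directiveName == "media-src")
        return scheme == "data" || scheme == "blob";
    return false;
}

// Parses "name src src; name src" into directive -> source expressions (lower-cased).
std::map<std::string, std::vector<std::string>> parsePolicy(const std::string& policy)
{
    std::map<std::string, std::vector<std::string>> directives;
    std::istringstream policyStream(policy);
    std::string directive;
    while (std::getline(policyStream, directive, ';')) {
        std::istringstream tokens(directive);
        std::string name;
        if (!(tokens >> name))
            continue;
        std::vector<std::string> sources;
        for (std::string source; tokens >> source;)
            sources.push_back(asciiLower(source));
        directives[asciiLower(name)] = sources;
    }
    return directives;
}

// Finds the source list governing `directive` (the directive itself, else default-src, as in
// "Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback")
// and asks whether its '*' matches `url`. Assumption of this example: the fallback list
// applies the '*' rule under its own name, default-src, i.e. the strict http/https rule.
StarDecision starMatches(const std::string& policy, const std::string& directive, const std::string& url)
{
    auto directives = parsePolicy(policy);
    std::string governing = asciiLower(directive);
    if (!directives.count(governing)) {
        if (!directives.count("default-src"))
            return StarDecision::NoDirective;
        governing = "default-src";
    }
    bool hasStar = false;
    for (const auto& source : directives[governing])
        hasStar = hasStar || source == "*";
    if (!hasStar)
        return StarDecision::NotMatchedByStar;
    return isProtocolAllowedByStar(governing, schemeOf(url)) ? StarDecision::MatchedByStar
                                                             : StarDecision::NotMatchedByStar;
}
```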

40 files changed:
LayoutTests/ChangeLog
LayoutTests/TestExpectations
LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLImageElement/resources/green.png [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html [new file with mode: 0644]
LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html [new file with mode: 0644]
LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html [new file with mode: 0644]
LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html [new file with mode: 0644]
LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html [new file with mode: 0644]
LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html [new file with mode: 0644]
LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html [new file with mode: 0644]
LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html [new file with mode: 0644]
LayoutTests/platform/wk2/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp
Source/WebCore/page/csp/ContentSecurityPolicySourceList.h

index 6300bd6..7cb4be7 100644 (file)
@@ -1,3 +1,57 @@
+2016-03-07  Daniel Bates  <dabates@apple.com>
+
+        CSP: Source '*' should not match URLs with schemes blob, data, or filesystem
+        https://bugs.webkit.org/show_bug.cgi?id=154122
+        <rdar://problem/24613336>
+
+        Reviewed by Brent Fulgham.
+
+        Add tests to ensure that we do not regress our interpretation of * with respect to directives
+        img-src, media-src, style-src, and default-src.
+
+        When running in WebKitTestRunner, skip the tests fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
+        and media/video-with-blob-url-allowed-by-csp-media-src-star.html as they make use of eventSender.beginDragWithFiles(),
+        which is not implement. We will need to fix <https://bugs.webkit.org/show_bug.cgi?id=64285>
+        before we can run these tests in WebKitTestRunner.
+
+        * TestExpectations:
+        * fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html: Added.
+        * fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html: Added.
+        * fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html: Added.
+        * fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html: Added.
+        * fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html: Added.
+        * fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html: Added.
+        * fast/dom/HTMLImageElement/resources/green.png: Added.
+        * fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html: Added.
+        * fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html: Added.
+        * fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html: Added.
+        * fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html: Added.
+        * fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html: Added.
+        * fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html: Added.
+        * fast/dom/HTMLLinkElement/resources/red-background-color.css: Added.
+        (#test):
+        * http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html: Added.
+        * http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html: Added.
+        * media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html: Added.
+        * media/video-with-blob-url-allowed-by-csp-media-src-star.html: Added.
+        * media/video-with-data-url-allowed-by-csp-media-src-star-expected.html: Added.
+        * media/video-with-data-url-allowed-by-csp-media-src-star.html: Added.
+        * media/video-with-file-url-blocked-by-csp-media-src-star-expected.html: Added.
+        * media/video-with-file-url-blocked-by-csp-media-src-star.html: Added.
+        * platform/wk2/TestExpectations:
+
 2016-03-07  Alex Christensen  <achristensen@webkit.org>
 
         Fix cookies with private browsing and NetworkSession
index 9af83af..f510245 100644 (file)
@@ -854,6 +854,7 @@ webkit.org/b/153161 http/tests/security/contentSecurityPolicy/register-bypassing
 webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-01.html [ Failure ]
 webkit.org/b/153162 http/tests/security/contentSecurityPolicy/report-multiple-violations-02.html [ Failure ]
 webkit.org/b/154522 http/tests/security/contentSecurityPolicy/1.1/securitypolicyviolation-base-uri-deny.html
+webkit.org/b/155132 http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html [ Failure ]
 http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
 
 # These state object tests purposefully stress a resource limit, and take multiple seconds to run.
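Review bot: the added expectation marks video-with-https-url-allowed-by-csp-media-src-star.html as [ Failure ] under webkit.org/b/155132 in the same commit that introduces the test, but the ChangeLog only mentions skipping the two blob tests in WebKitTestRunner; please also record this HTTPS media-src failure and its bug in the ChangeLog so the expectation does not look like an accidental leftover.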
diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star-expected.html
new file mode 100644 (file)
index 0000000..32b3784
--- /dev/null
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading image with a blob URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. To run this test by hand, select an image file. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
+<img width="128" height="128" alt="PASS">
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
new file mode 100644 (file)
index 0000000..66a2a00
--- /dev/null
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src *">
+</head>
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+var fileInput;
+
+function testFinished()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+function loadImage(event)
+{
+    var image = document.createElement("img");
+    image.height = "128";
+    image.width = "128";
+    image.alt = "PASS";
+    image.onload = testFinished;
+    image.onerror = testFinished;
+    image.src = window.URL.createObjectURL(event.target.files[0]);
+
+    document.body.removeChild(fileInput);
+    document.body.appendChild(image);
+}
+
+function runTest()
+{
+    if (!window.eventSender)
+        return;
+
+    var x = fileInput.offsetLeft + fileInput.offsetWidth / 2;
+    var y = fileInput.offsetTop + fileInput.offsetHeight / 2;
+
+    eventSender.beginDragWithFiles(["../resources/abe.png"]);
+    eventSender.mouseMoveTo(x, y);
+    eventSender.mouseUp();
+}
+
+window.onload = function ()
+{
+    fileInput = document.getElementById("file");
+    fileInput.onchange = loadImage;
+    runTest();
+}
+</script>
+<body>
+<p>This tests that loading image with a blob URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. To run this test by hand, select an image file. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
+<input type="file" id="file" accept="image/*">
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star-expected.html
new file mode 100644 (file)
index 0000000..cdf4d16
--- /dev/null
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading image with a data URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<img src="" width="128" height="128">
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html
new file mode 100644 (file)
index 0000000..0dff4c3
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src *">
+</head>
+<body>
+<p>This tests that loading image with a data URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<img src="" width="128" height="128">
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star-expected.html
new file mode 100644 (file)
index 0000000..5a394e3
--- /dev/null
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading image with a file URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
+<img src="" width="128" height="128" alt="PASS">
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html b/LayoutTests/fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html
new file mode 100644 (file)
index 0000000..1dbeeda
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src *">
+</head>
+<body>
+<p>This tests that loading image with a file URL is blocked when the page has Content Security Policy &quot;image-src *&quot;. This test PASSED if you see the word PASS below. Otherwise, it FAILED.</p>
+<img src="resources/green.png" width="128" height="128" alt="PASS">
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLImageElement/resources/green.png b/LayoutTests/fast/dom/HTMLImageElement/resources/green.png
new file mode 100644 (file)
index 0000000..b3c8cf3
Binary files /dev/null and b/LayoutTests/fast/dom/HTMLImageElement/resources/green.png differ
diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star-expected.html
new file mode 100644 (file)
index 0000000..874bed4
--- /dev/null
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading a stylesheet with a blob URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div style="background-color: green; height: 128px; width: 128px"></div>
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html
new file mode 100644 (file)
index 0000000..c9d228f
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test {
+    background-color: green;
+    height: 128px;
+    width: 128px;
+}
+</style>
+<meta http-equiv="Content-Security-Policy" content="style-src *">
+<script>
+function createLinkElementWithStylesheet(stylesheetURL)
+{
+    var link = document.createElement("link");
+    link.rel = "stylesheet";
+    link.href = stylesheetURL;
+    return link;
+}
+
+var blobURL = window.URL.createObjectURL(new Blob(["#test { background-color: red !important; }"], {type: "text/css"}));
+document.head.appendChild(createLinkElementWithStylesheet(blobURL));
+</script>
+</head>
+<body>
+<p>This tests that loading a stylesheet with a blob URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div id="test"></div>
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star-expected.html
new file mode 100644 (file)
index 0000000..b4c59c7
--- /dev/null
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading a stylesheet with a data URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div style="background-color: green; height: 128px; width: 128px"></div>
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html
new file mode 100644 (file)
index 0000000..129d357
--- /dev/null
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test {
+    background-color: green;
+    height: 128px;
+    width: 128px;
+}
+</style>
+<meta http-equiv="Content-Security-Policy" content="style-src *">
+<link rel="stylesheet" href="data:text/css, #test { background-color: red !important; }">
+</head>
+<body>
+<p>This tests that loading a stylesheet with a data URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div id="test"></div>
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star-expected.html
new file mode 100644 (file)
index 0000000..4384846
--- /dev/null
@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This tests that loading a stylesheet with a file URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div style="background-color: green; height: 128px; width: 128px"></div>
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html b/LayoutTests/fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html
new file mode 100644 (file)
index 0000000..d35c994
--- /dev/null
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#test {
+    background-color: green;
+    height: 128px;
+    width: 128px;
+}
+</style>
+<meta http-equiv="Content-Security-Policy" content="style-src *">
+<link rel="stylesheet" href="resources/red-background-color.css">
+</head>
+<body>
+<p>This tests that loading a stylesheet with a file URL is blocked when the page has Content Security Policy &quot;style-src *&quot;. This test PASSED if you see a green square below. Otherwise, it FAILED.</p>
+<div id="test"></div>
+</body>
+</html>
diff --git a/LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css b/LayoutTests/fast/dom/HTMLLinkElement/resources/red-background-color.css
new file mode 100644 (file)
index 0000000..421f9f7
--- /dev/null
@@ -0,0 +1 @@
+#test { background-color: red !important; }
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star-expected.txt
new file mode 100644 (file)
index 0000000..256f7c4
--- /dev/null
@@ -0,0 +1,10 @@
+This tests that loading an image with an HTTP URL is allowed when the page has Content Security Policy "img-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html
new file mode 100644 (file)
index 0000000..999bf0b
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src *">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadImage()
+{
+    testPassed("did load image.");
+    finishJSTest();
+}
+
+function failedToLoadImage()
+{
+    testFailed("failed to load image.");
+    finishJSTest();
+}
+</script>
+</head>
+<body>
+<script>
+description("This tests that loading an image with an HTTP URL is allowed when the page has Content Security Policy &quot;img-src *&quot;.");
+</script>
+<img src="http://127.0.0.1:8000/security/resources/abe.png" onload="didLoadImage()" onerror="failedToLoadImage()">
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star-expected.txt
new file mode 100644 (file)
index 0000000..c48ed96
--- /dev/null
@@ -0,0 +1,10 @@
+This tests that loading an image with an HTTPS URL is allowed when the page has Content Security Policy "img-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load image.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html
new file mode 100644 (file)
index 0000000..9b6853f
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="img-src *">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadImage()
+{
+    testPassed("did load image.");
+    finishJSTest();
+}
+
+function failedToLoadImage()
+{
+    testFailed("failed to load image.");
+    finishJSTest();
+}
+</script>
+</head>
+<body>
+<script>
+description("This tests that loading an image with an HTTPS URL is allowed when the page has Content Security Policy &quot;img-src *&quot;.");
+</script>
+<img src="https://127.0.0.1:8443/security/resources/abe.png" onload="didLoadImage()" onerror="failedToLoadImage()">
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star-expected.txt
new file mode 100644 (file)
index 0000000..99f1c09
--- /dev/null
@@ -0,0 +1,7 @@
+CONSOLE MESSAGE: line 1: Refused to execute JavaScript URL because it violates the following Content Security Policy directive: "default-src *". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.
+
+CONSOLE MESSAGE: Refused to load plugin data from 'javascript:alert('FAIL');' because it violates the following Content Security Policy directive: "default-src *". Note that 'object-src' was not explicitly set, so 'default-src' is used as a fallback.
+
+CONSOLE MESSAGE: Refused to load plugin data from 'javascript:alert('FAIL');' because it violates the following Content Security Policy directive: "default-src *". Note that 'object-src' was not explicitly set, so 'default-src' is used as a fallback.
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html
new file mode 100644 (file)
index 0000000..827367d
--- /dev/null
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body>
+    <iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/javascript-url.pl?should_run=no&csp=default-src *"></iframe>
+</body>
+</html>
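Review bot: the `csp` query value `default-src *` is written into the iframe `src` with a literal space; this works only because the URL parser percent-encodes it, so spelling it `default-src%20*` makes the intended header explicit rather than relying on that. The test emits no PASS/FAIL text of its own and is judged entirely on the console messages captured through `dumpAsText()`, so a regression that silently let the javascript: URL run would surface only as a missing line in the expected file; having the page print whether the script ran would make that failure mode visible.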
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star-expected.txt
new file mode 100644 (file)
index 0000000..1237b7c
--- /dev/null
@@ -0,0 +1,10 @@
+This tests that loading a stylesheet with an HTTP URL is allowed when the page has Content Security Policy "style-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load stylesheet.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html
new file mode 100644 (file)
index 0000000..42a6766
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="style-src * 'unsafe-inline'">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadStylesheet()
+{
+    testPassed("did load stylesheet.");
+    finishJSTest();
+}
+
+function failedToLoadStylesheet()
+{
+    testFailed("failed to load stylesheet.");
+    finishJSTest();
+}
+</script>
+<link rel="stylesheet" href="http://127.0.0.1:8000/security/contentSecurityPolicy/resources/style-set-red.css" onload="didLoadStylesheet()" onerror="failedToLoadStylesheet()">
+</head>
+<body>
+<script>
+description("This tests that loading a stylesheet with an HTTP URL is allowed when the page has Content Security Policy &quot;style-src *&quot;.");
+</script>
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
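Review bot: the description says the page has "style-src *", but the meta tag actually delivers `style-src * 'unsafe-inline'`; if 'unsafe-inline' is needed for inline styles injected by js-test-pre.js, say so in a comment next to the meta tag, otherwise drop it so the policy under test matches what the description claims.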
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star-expected.txt
new file mode 100644 (file)
index 0000000..f6e56fc
--- /dev/null
@@ -0,0 +1,10 @@
+This tests that loading a stylesheet with an HTTPS URL is allowed when the page has Content Security Policy "style-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load stylesheet.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html
new file mode 100644 (file)
index 0000000..85bc106
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="style-src * 'unsafe-inline'">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadStylesheet()
+{
+    testPassed("did load stylesheet.");
+    finishJSTest();
+}
+
+function failedToLoadStylesheet()
+{
+    testFailed("failed to load stylesheet.");
+    finishJSTest();
+}
+</script>
+<link rel="stylesheet" href="https://127.0.0.1:8443/security/contentSecurityPolicy/resources/style-set-red.css" onload="didLoadStylesheet()" onerror="failedToLoadStylesheet()">
+</head>
+<body>
+<script>
+description("This tests that loading a stylesheet with an HTTPS URL is allowed when the page has Content Security Policy &quot;style-src *&quot;.");
+</script>
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
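Review bot: `didLoadStylesheet` records a pass as soon as the `<link>` fires `onload`, without checking that style-set-red.css took effect; asserting on getComputedStyle for an element the sheet styles would catch a sheet that was fetched but not applied. As with the HTTP variant, the meta tag adds `'unsafe-inline'` to the `style-src *` policy named in the description, which deserves a comment explaining why it is needed.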
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star-expected.txt
new file mode 100644 (file)
index 0000000..ce75872
--- /dev/null
@@ -0,0 +1,10 @@
+This tests that loading a video with an HTTP URL is allowed when the page has Content Security Policy "media-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load video.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html
new file mode 100644 (file)
index 0000000..3826f3f
--- /dev/null
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="media-src *">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script src="/media-resources/media-file.js"></script>
+<style>
+video {
+    background-color: red;
+    width: 128px;
+    height: 128px;
+}
+</style>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadVideo()
+{
+    testPassed("did load video.");
+    finishJSTest();
+}
+
+function failedToLoadVideo()
+{
+    testFailed("failed to load video.");
+    finishJSTest();
+}
+
+window.onload = function ()
+{
+    var video = document.getElementById("video");
+    video.oncanplay = didLoadVideo;
+    video.onerror = failedToLoadVideo;
+    video.src = "http://127.0.0.1:8000/media-resources/" + findMediaFile("video", "content/test");
+}
+</script>
+</head>
+<body>
+<script>
+description("This tests that loading a video with an HTTP URL is allowed when the page has Content Security Policy &quot;media-src *&quot;.");
+</script>
+<video id="video"></video>
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
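Review bot: `failedToLoadVideo` reports only "failed to load video.", so a CSP block is indistinguishable from a server or decoder problem when this test fails; include `video.error && video.error.code` in the `testFailed` message. The `background-color: red` rule on the `video` element has no effect on the verdict because the js-test harness dumps text, not pixels, and can be dropped.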
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star-expected.txt
new file mode 100644 (file)
index 0000000..63bb7d6
--- /dev/null
@@ -0,0 +1,10 @@
+This tests that loading a video with an HTTPS URL is allowed when the page has Content Security Policy "media-src *".
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS did load video.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html b/LayoutTests/http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html
new file mode 100644 (file)
index 0000000..ca8f106
--- /dev/null
@@ -0,0 +1,45 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="media-src *">
+<script src="/js-test-resources/js-test-pre.js"></script>
+<script src="/media-resources/media-file.js"></script>
+<style>
+video {
+    background-color: red;
+    width: 128px;
+    height: 128px;
+}
+</style>
+<script>
+window.jsTestIsAsync = true;
+
+function didLoadVideo()
+{
+    testPassed("did load video.");
+    finishJSTest();
+}
+
+function failedToLoadVideo()
+{
+    testFailed("failed to load video.");
+    finishJSTest();
+}
+
+window.onload = function ()
+{
+    var video = document.getElementById("video");
+    video.oncanplay = didLoadVideo;
+    video.onerror = failedToLoadVideo;
+    video.src = "https://127.0.0.1:8443/media-resources/" + findMediaFile("video", "content/test");
+}
+</script>
+</head>
+<body>
+<script>
+description("This tests that loading a video with an HTTPS URL is allowed when the page has Content Security Policy &quot;media-src *&quot;.");
+</script>
+<video id="video"></video>
+<script src="/js-test-resources/js-test-post.js"></script>
+</body>
+</html>
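Review bot: `oncanplay` and `onerror` both call `finishJSTest()` and neither handler is cleared after the first completion, so a `canplay` followed by a late `error` (or a second `canplay`) completes the test twice; null out both handlers in `didLoadVideo` and `failedToLoadVideo` so the test finishes exactly once. Apart from the scheme and port this file is identical to the HTTP variant, so any fix here applies there as well.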
diff --git a/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html b/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star-expected.html
new file mode 100644 (file)
index 0000000..51952f6
--- /dev/null
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="media-file.js"></script>
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+function testFinished()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+window.onload = function ()
+{
+    var video = document.getElementById("video");
+    video.onloadedmetadata = testFinished;
+    video.onerror = testFinished;
+    video.src = findMediaFile("video", "content/test");
+}
+</script>
+</head>
+<body>
+<p>This tests that loading a video with a blob URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. To run this test by hand, select a video file. This test PASSED if the video loads and its first frame is shown below. Otherwise, it FAILED.</p>
+<video id="video"></video>
+</body>
+</html>
diff --git a/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html b/LayoutTests/media/video-with-blob-url-allowed-by-csp-media-src-star.html
new file mode 100644 (file)
index 0000000..5596fec
--- /dev/null
@@ -0,0 +1,54 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="media-src *">
+<script src="media-file.js"></script>
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+var fileInput;
+
+function testFinished()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+function loadVideo(event)
+{
+    var video = document.createElement("video");
+    video.onloadedmetadata = testFinished;
+    video.onerror = testFinished;
+    video.src = window.URL.createObjectURL(event.target.files[0]);
+
+    document.body.removeChild(fileInput);
+    document.body.appendChild(video);
+}
+
+function runTest()
+{
+    if (!window.eventSender)
+        return;
+
+    var x = fileInput.offsetLeft + fileInput.offsetWidth / 2;
+    var y = fileInput.offsetTop + fileInput.offsetHeight / 2;
+
+    eventSender.beginDragWithFiles([findMediaFile("video", "content/test")]);
+    eventSender.mouseMoveTo(x, y);
+    eventSender.mouseUp();
+}
+
+window.onload = function ()
+{
+    fileInput = document.getElementById("file");
+    fileInput.onchange = loadVideo;
+    runTest();
+}
+</script>
+</head>
+<body>
+<p>This tests that loading a video with a blob URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. To run this test by hand, select a video file. This test PASSED if the video loads and its first frame is shown below. Otherwise, it FAILED.</p>
+<input type="file" id="file">
+</body>
+</html>
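Review bot: the `<p>` text says the test passes "if the video loads and its first frame is shown", but both this test and its reference finish on `loadedmetadata`, which can fire before any frame has been decoded; the ref comparison stays consistent because both sides wait on the same event, but either the wording should say so or both should wait for `loadeddata`. Two smaller points in `loadVideo`: the object URL is never released with `URL.revokeObjectURL`, and `event.target.files[0]` is undefined when the manual file picker is cancelled, which makes `createObjectURL` throw.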
diff --git a/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html b/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star-expected.html
new file mode 100644 (file)
index 0000000..32c890b
--- /dev/null
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+video {
+    width: 128px;
+    height: 128px;
+}
+</style>
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+function testFinished()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that loading a video with a data URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. This test PASSED if you see a square with a green-to-gray horizontal gradient. Otherwise, it FAILED.</p>
+<video src="data:video/mp4;base64,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" oncanplay="testFinished()"></video>
+</body>
+</html>
diff --git a/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html b/LayoutTests/media/video-with-data-url-allowed-by-csp-media-src-star.html
new file mode 100644 (file)
index 0000000..ecc9ec2
--- /dev/null
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="media-src *">
+<style>
+video {
+    background-color: red;
+    width: 128px;
+    height: 128px;
+}
+</style>
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+function testFinished()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+</script>
+</head>
+<body>
+<p>This tests that loading a video with a data URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. This test PASSED if you see a square with a green-to-gray horizontal gradient. Otherwise, it FAILED.</p>
+<video src="data:video/mp4;base64,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" oncanplay="testFinished()" onerror="testFinished()"></video>
+</body>
+</html>
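Review bot: this test's `<video>` has `onerror="testFinished()"`, but the reference in video-with-data-url-allowed-by-csp-media-src-star-expected.html does not, so if the data: payload fails to decode the reference times out instead of producing a clean mismatch; give the reference the same `onerror` handler. The reference also omits the red `background-color` that this test sets, which is what makes a blocked or undecoded load visible in the comparison; that asymmetry is intentional and worth a comment.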
diff --git a/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html b/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star-expected.html
new file mode 100644 (file)
index 0000000..3799886
--- /dev/null
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+#equivalent-expected-result {
+    background-color: green;
+    width: 128px;
+    height: 128px;
+}
+</style>
+</head>
+<body>
+<p>This tests that loading a video with a file URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. This test PASSED if you see a solid green square. Otherwise, it FAILED.</p>
+<div id="equivalent-expected-result"></div>
+</body>
+</html>
diff --git a/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html b/LayoutTests/media/video-with-file-url-blocked-by-csp-media-src-star.html
new file mode 100644 (file)
index 0000000..63bad1b
--- /dev/null
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="media-src *">
+<style>
+video {
+    background-color: green;
+    width: 128px;
+    height: 128px;
+}
+</style>
+<script src="media-file.js"></script>
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+
+function testFinished()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+window.onload = function ()
+{
+    var video = document.getElementById("video");
+    video.onloadedmetadata = testFinished;
+    video.onerror = testFinished;
+    video.src = findMediaFile("video", "content/test");
+}
+</script>
+</head>
+<body>
+<p>This tests that loading a video with a file URL is allowed when the page has Content Security Policy &quot;media-src *&quot;. This test PASSED if you see a solid green square. Otherwise, it FAILED.</p>
+<video id="video"></video>
+</body>
+</html>
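Review bot: the description in both this test and its reference says loading a video with a file URL "is allowed" and that a solid green square means PASS, but the file name says blocked and a green square is exactly what the `video` rule paints when nothing renders; change "is allowed" to "is blocked" in both files. The test also finishes on either `loadedmetadata` or `error`; if a CSP block did not fire `error` on the media element the test would time out rather than fail, so confirm that path fires.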
index 3192d8d..06527fc 100644 (file)
@@ -625,6 +625,7 @@ platform/mac/fast/events/objc-event-api.html
 # https://bugs.webkit.org/show_bug.cgi?id=64285
 editing/pasteboard/file-drag-to-editable.html
 editing/pasteboard/file-input-files-access.html
+fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
 fast/dom/Window/window-postmessage-clone-frames.html
 fast/dom/Window/window-postmessage-clone.html
 fast/events/data-transfer-files-attribute-identity.html
@@ -677,6 +678,7 @@ http/tests/local/formdata/send-form-data.html
 http/tests/local/formdata/send-form-data-with-empty-file-filename.html
 http/tests/local/formdata/upload-events.html
 http/tests/security/clipboard/clipboard-file-access.html
+media/video-with-blob-url-allowed-by-csp-media-src-star.html
 media/video-src-blob.html
 storage/indexeddb/noblobs.html
 storage/indexeddb/noblobs-private.html
index ef69b51..92e4da0 100644 (file)
@@ -1,3 +1,44 @@
+2016-03-07  Daniel Bates  <dabates@apple.com>
+
+        CSP: Source '*' should not match URLs with schemes blob, data, or filesystem
+        https://bugs.webkit.org/show_bug.cgi?id=154122
+        <rdar://problem/24613336>
+
+        Reviewed by Brent Fulgham.
+
+        Restrict matching of source expression * to HTTP or HTTPS URLs for all directives except
+        img-src and media-src. This policy is more restrictive than the policy described in section
+        Matching Source Expressions of the Content Security Policy 2.0 spec., <https://www.w3.org/TR/2015/CR-CSP2-20150721>,
+        which restricts matching * to schemes that are not blob, data, or filesystem.
+
+        For directive img-src we restrict matching of * to HTTP, HTTPS, and data URLs. For directive
+        media-src we restrict matching of * to HTTP, HTTPS, data URLs and blob URLs. We use a
+        more lenient interpretation of * for directives img-src and media-src than required by
+        the spec. to mitigate web compatibility issues.
+
+        Tests: fast/dom/HTMLImageElement/image-with-blob-url-blocked-by-csp-img-src-star.html
+               fast/dom/HTMLImageElement/image-with-data-url-allowed-by-csp-img-src-star.html
+               fast/dom/HTMLImageElement/image-with-file-url-blocked-by-csp-img-src-star.html
+               fast/dom/HTMLLinkElement/link-with-blob-url-blocked-by-csp-style-src-star.html
+               fast/dom/HTMLLinkElement/link-with-data-url-blocked-by-csp-style-src-star.html
+               fast/dom/HTMLLinkElement/link-with-file-url-blocked-by-csp-style-src-star.html
+               http/tests/security/contentSecurityPolicy/image-with-http-url-allowed-by-csp-img-src-star.html
+               http/tests/security/contentSecurityPolicy/image-with-https-url-allowed-by-csp-img-src-star.html
+               http/tests/security/contentSecurityPolicy/javascript-url-blocked-by-default-src-star.html
+               http/tests/security/contentSecurityPolicy/link-with-http-url-allowed-by-csp-style-src-star.html
+               http/tests/security/contentSecurityPolicy/link-with-https-url-allowed-by-csp-style-src-star.html
+               http/tests/security/contentSecurityPolicy/video-with-http-url-allowed-by-csp-media-src-star.html
+               http/tests/security/contentSecurityPolicy/video-with-https-url-allowed-by-csp-media-src-star.html
+               media/video-with-blob-url-allowed-by-csp-media-src-star.html
+               media/video-with-data-url-allowed-by-csp-media-src-star.html
+               media/video-with-file-url-blocked-by-csp-media-src-star.html
+
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::isProtocolAllowedByStar): Added.
+        (WebCore::ContentSecurityPolicySourceList::matches): Modified to only match * if ContentSecurityPolicySourceList::isProtocolAllowedByStar().
+        evaluates to true.
+        * page/csp/ContentSecurityPolicySourceList.h:
+
 2016-03-07  Brent Fulgham  <bfulgham@apple.com>
 
         Reduce startup and shutdown cost of resource load statistics
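Review bot: the ChangeLog attributes the rule that * must not match blob, data or filesystem to the CSP 2.0 Candidate Recommendation, while the comment added in ContentSecurityPolicySourceList.cpp attributes it to the Level 3 spec; cite the same document in both places. The entry also says * is restricted to "HTTP or HTTPS URLs" for every directive other than img-src and media-src without spelling out what that means for `connect-src *` and WebSocket (ws/wss) URLs, which the spec text it cites does not exclude; state whether that consequence is intended.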
index f3dac7b..408b40e 100644 (file)
@@ -95,13 +95,24 @@ void ContentSecurityPolicySourceList::parse(const String& value)
     parse(characters, characters + value.length());
 }
 
+bool ContentSecurityPolicySourceList::isProtocolAllowedByStar(const URL& url) const
+{
+    // Although not allowed by the Content Security Policy Level 3 spec., we allow a data URL to match
+    // "img-src *" and either a data URL or blob URL to match "media-src *" for web compatibility.
+    // FIXME: We should not hardcode the directive names. We should make use of the constants in ContentSecurityPolicyDirectiveList.cpp.
+    // See <https://bugs.webkit.org/show_bug.cgi?id=155133>.
+    bool isAllowed = url.protocolIsInHTTPFamily();
+    if (equalLettersIgnoringASCIICase(m_directiveName, "img-src"))
+        isAllowed |= url.protocolIsData();
+    else if (equalLettersIgnoringASCIICase(m_directiveName, "media-src"))
+        isAllowed |= url.protocolIsData() || url.protocolIsBlob();
+    return isAllowed;
+}
+
 bool ContentSecurityPolicySourceList::matches(const URL& url)
 {
-    if (m_allowStar) {
-        // FIXME: Should only match for URLs whose scheme is not blob, data or filesystem.
-        // See <https://bugs.webkit.org/show_bug.cgi?id=154122> for more details.
+    if (m_allowStar && isProtocolAllowedByStar(url))
         return true;
-    }
 
     if (m_allowSelf && m_policy.urlMatchesSelf(url))
         return true;
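Review bot: `isProtocolAllowedByStar` keys the data:/blob: leniency on `m_directiveName`, so when a `default-src *` source list is used as the fallback for an image or media load its name is "default-src" and the leniency does not apply: `default-src *` would block a data: image that `img-src *` allows. Either compare against the directive the load is effectively being checked under, or add a test that documents this difference. Separately, `url.protocolIsInHTTPFamily()` is true only for http and https, so after this change `connect-src *` no longer matches ws:// or wss:// URLs even though the spec text quoted in the ChangeLog excludes only blob, data and filesystem; if that is deliberate it needs a test and a comment, otherwise allow ws/wss here as well.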
index 0646a9f..fdb9b7e 100644 (file)
@@ -55,6 +55,8 @@ private:
     bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHasWildcard);
     bool parsePath(const UChar* begin, const UChar* end, String& path);
 
+    bool isProtocolAllowedByStar(const URL&) const;
+
     const ContentSecurityPolicy& m_policy;
     Vector<ContentSecurityPolicySource> m_list;
     String m_directiveName;