CSP: Fix parsing of 'host/path' source expressions
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 16 Feb 2016 21:18:19 +0000 (21:18 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 16 Feb 2016 21:18:19 +0000 (21:18 +0000)
https://bugs.webkit.org/show_bug.cgi?id=153170
<rdar://problem/24383407>

Reviewed by Brent Fulgham.

Source/WebCore:

Merged from Blink (patch by Mike West):
<https://src.chromium.org/viewvc/blink?revision=154875&view=revision>

Fixes an issue where a source of the form example.com/A/ was incorrectly considered
invalid and hence such a requested resource would be blocked. A source of this form
is valid by the definition of host-source in section Source List Syntax of the Content
Security Policy 2.0 spec., <http://www.w3.org/TR/2015/CR-CSP2-20150721/>.

* page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::parseSource):

LayoutTests:

Remove entry for test http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html
as it now passes.

* TestExpectations:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196655 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp

index 742010c..0cf1266 100644 (file)
@@ -1,3 +1,16 @@
+2016-02-16  Daniel Bates  <dabates@apple.com>
+
+        CSP: Fix parsing of 'host/path' source expressions
+        https://bugs.webkit.org/show_bug.cgi?id=153170
+        <rdar://problem/24383407>
+
+        Reviewed by Brent Fulgham.
+
+        Remove entry for test http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html
+        as it now passes.
+
+        * TestExpectations:
+
 2016-02-16  Joseph Pecoraro  <pecoraro@apple.com>
 
         JSContext Inspector: Support for inline source maps
index 44ab2cb..227f747 100644 (file)
@@ -833,7 +833,6 @@ webkit.org/b/153166 http/tests/security/contentSecurityPolicy/report-uri-from-ja
 webkit.org/b/153166 http/tests/security/contentSecurityPolicy/report-uri.html [ Failure ]
 webkit.org/b/153166 webkit.org/b/153242 http/tests/security/contentSecurityPolicy/report-and-enforce.html [ Failure ]
 webkit.org/b/153166 webkit.org/b/153242 http/tests/security/contentSecurityPolicy/report-blocked-data-uri.html [ Failure ]
-webkit.org/b/153170 http/tests/security/contentSecurityPolicy/source-list-parsing-paths-03.html [ Failure ]
 http/tests/security/contentSecurityPolicy/script-src-blocked-error-event.html [ Pass Failure ]
 
 # These state object tests purposefully stress a resource limit, and take multiple seconds to run.
index ed3dbe2..ac4a11f 100644 (file)
@@ -1,5 +1,24 @@
 2016-02-16  Daniel Bates  <dabates@apple.com>
 
+        CSP: Fix parsing of 'host/path' source expressions
+        https://bugs.webkit.org/show_bug.cgi?id=153170
+        <rdar://problem/24383407>
+
+        Reviewed by Brent Fulgham.
+
+        Merged from Blink (patch by Mike West):
+        <https://src.chromium.org/viewvc/blink?revision=154875&view=revision>
+
+        Fixes an issue where a source of the form example.com/A/ was incorrectly considered
+        invalid and hence such a requested resource would be blocked. A source of this form
+        is valid by the definition of host-source in section Source List Syntax of the Content
+        Security Policy 2.0 spec., <http://www.w3.org/TR/2015/CR-CSP2-20150721/>.
+
+        * page/csp/ContentSecurityPolicySourceList.cpp:
+        (WebCore::ContentSecurityPolicySourceList::parseSource):
+
+2016-02-16  Daniel Bates  <dabates@apple.com>
+
         CSP: Disallow an empty host in a host-source source expression
         https://bugs.webkit.org/show_bug.cgi?id=153168
         <rdar://problem/24383366>
index ba5b341..f3dac7b 100644 (file)
@@ -198,11 +198,7 @@ bool ContentSecurityPolicySourceList::parseSource(const UChar* begin, const UCha
     if (position < end && *position == '/') {
         // host/path || host/ || /
         //     ^            ^    ^
-        if (!parseHost(beginHost, position, host, hostHasWildcard)
-            || !parsePath(position, end, path)
-            || position != end)
-            return false;
-        return true;
+        return parseHost(beginHost, position, host, hostHasWildcard) && parsePath(position, end, path);
     }
 
     if (position < end && *position == ':') {