REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it...
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 25 Apr 2016 16:27:34 +0000 (16:27 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 25 Apr 2016 16:27:34 +0000 (16:27 +0000)
commit12b09049e73858456a7c6db4aaf0550f3e223dc5
tree4eb5e94ca0d22272785961ec157a5eafb1436ec9
parent9b00fc4846300e198aec58de0208823557ac9a86
REGRESSION (r196012): Subresource may be blocked by Content Security Policy if it only matches 'self'
https://bugs.webkit.org/show_bug.cgi?id=156935
<rdar://problem/25351286>

Reviewed by Darin Adler.

Source/WebCore:

Fixes an issue where subresource load may be blocked by the Content Security Policy (CSP) if its URL only
matched 'self'. In particular, the load would be blocked if initiated from a document that inherited the
origin of its owner document (e.g. the document contained in <iframe src="about:blank"></iframe>).

Following r196012 we compute and cache 'self' and its protocol on instantiation of a ContentSecurityPolicy
object for use when matching a URL against it. These cached values become out-of-date if the document
subsequently inherits the origin of its owner document. Therefore matches against 'self' will fail and
CSP will block a load if its not otherwise allowed by the policy. Previously we would compute 'self' when
parsing the definition of a source list and compute the protocol for 'self' each time we tried to match a
URL against 'self'. So, 'self' would always be up-to-date with respect to the origin of the document.

Tests: http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html
       http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html

* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::ContentSecurityPolicy): Extract out logic for computing and caching
'self' and its protocol into ContentSecurityPolicy::updateSourceSelf() and make use of this function.
(WebCore::ContentSecurityPolicy::updateSourceSelf): Computes and caches 'self' and its protocol with
respect to the specified SecurityOrigin.
(WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): Call ContentSecurityPolicy::updateSourceSelf()
to ensure that we have an up-to-date representation for 'self' and the protocol of 'self' which can
become out-of-date if the document inherited the origin of its owner document.
* page/csp/ContentSecurityPolicy.h:

LayoutTests:

Add tests to ensure that we match 'self' correctly in an iframe with an about:blank document.

* http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html: Added.
* http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@200030 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/iframe-blank-url-programmatically-add-external-script.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/iframe-srcdoc-external-script.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/csp/ContentSecurityPolicy.cpp
Source/WebCore/page/csp/ContentSecurityPolicy.h