Implement Strict Mixed Content Checking
author dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 8 Dec 2016 23:54:13 +0000 (23:54 +0000)
committer dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 8 Dec 2016 23:54:13 +0000 (23:54 +0000)
commit 2abec1b9d4713166d71dad751ee2c98c92c81552
tree 0cb361c6091eba889544f3465ecd438d4b70399b
parent b7d2a175887b03a34713bd86e545f3133f616018
Implement Strict Mixed Content Checking
https://bugs.webkit.org/show_bug.cgi?id=165438
<rdar://problem/26103867>

Reviewed by Brent Fulgham and Andy Estes.

Source/WebCore:

Add support for the CSP directive block-all-mixed-content to enable strict mixed content checking
as per <https://www.w3.org/TR/2016/CR-mixed-content-20160802/#strict-checking> (2 August 2016).

Currently WebKit only blocks blockable content as such content can contaminate the security origin
that loaded it. Optionally-blockable content, including images, would be allowed to load as mixed
content. When strict mixed content checking is enabled all mixed content is blocked. That is, both
blockable and optionally-blockable content will be blocked. A web site can opt into strict mixed
content checking by adding the directive block-all-mixed-content to their content security policy.

Tests: http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html

* dom/Document.cpp:
(WebCore::Document::initSecurityContext): Inherit strict mixed content checking mode from parent document.
* dom/SecurityContext.h:
(WebCore::SecurityContext::isStrictMixedContentMode): Added.
(WebCore::SecurityContext::setStrictMixedContentMode): Added.
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest): Check mixed content policy with respect to the current frame.
The document in the current frame may have opted into strict mixed content checking or inherited it from
its parent document.
* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin): Inherit the strict mixed content checking mode from the owner document
when loading a JavaScript URL in a frame (e.g. <iframe src="javascript:...">) because such URLs inherit
the security origin of their parent document.
* loader/MixedContentChecker.cpp:
(WebCore::MixedContentChecker::canDisplayInsecureContent): Check the content security policy of the document
and the strict mixed content checking mode bit on the document (in that order) to determine if we are in
strict mode. Block display of insecure content when in strict mode. Modified to take enum AlwaysDisplayInNonStrictMode (defaults
to AlwaysDisplayInNonStrictMode::No) as to whether to allow our current relaxed behavior of displaying insecure
content in non-strict mode.
(WebCore::MixedContentChecker::canRunInsecureContent): Check the content security policy of the document
and the strict mixed content checking mode bit on the document (in that order) to determine if we are in
strict mode. Block running of insecure content when in strict mode.
* loader/MixedContentChecker.h:
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::checkInsecureContent): Always check mixed content policy with respect to
the current frame. The document in the current frame may have opted into strict mixed content checking or
inherited it from its parent document. Also renamed a local variable f to frame to better describe its
purpose.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent): Added. Iterate through all the
policies and report violations with respect to policies that have directive block-all-mixed-content.
(WebCore::ContentSecurityPolicy::didReceiveHeader): Move logic to set eval() error message from here...
(WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): ...to here so that we only perform
it once we are ready to apply the CSP policy to the script execution context. Additionally, enable
strict mixed content checking on the script execution context if applicable.
(WebCore::ContentSecurityPolicy::reportViolation): Added overrides that take a string and a directive list
object (ContentSecurityPolicyDirectiveList) for the effective violated directive and its associated directive
list, respectively. We make use of these overrides so as to support reporting block-all-mixed-content
violations, which are not implemented using a ContentSecurityPolicyDirective object as it seemed sufficient
to implement it as a boolean on ContentSecurityPolicyDirectiveList.
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::setBlockAllMixedContentEnabled): Added.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Parse the directive block-all-mixed-content.
* page/csp/ContentSecurityPolicyDirectiveList.h:
(WebCore::ContentSecurityPolicyDirectiveList::hasBlockAllMixedContentDirective): Added.
* page/csp/ContentSecurityPolicyDirectiveNames.cpp:
* page/csp/ContentSecurityPolicyDirectiveNames.h: Add constant for "block-all-mixed-content".

LayoutTests:

Add tests to ensure that we do not regress strict mixed content checking.

* http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js: Added.
(logMessage):
(securityPolicyViolationToString):
(checkNotify):
(recordSecurityPolicyViolation):
(window.onload):
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html: Added.
* platform/ios-simulator/TestExpectations: Skip plugin tests as plugins are not supported on iOS.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@209577 268f45cc-cd09-0410-ab3c-d52691b4dbfc
86 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html [new file with mode: 0644]
LayoutTests/platform/ios-simulator/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/SecurityContext.h
Source/WebCore/loader/DocumentLoader.cpp
Source/WebCore/loader/DocumentWriter.cpp
Source/WebCore/loader/MixedContentChecker.cpp
Source/WebCore/loader/MixedContentChecker.h
Source/WebCore/loader/cache/CachedResourceLoader.cpp
Source/WebCore/page/csp/ContentSecurityPolicy.cpp
Source/WebCore/page/csp/ContentSecurityPolicy.h
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h
Source/WebCore/xml/XSLTProcessor.cpp
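
The order of checks the commit message describes (the document's own policies first, then the inherited strict mode bit) can be followed in a small model. This is an added example, not WebKit's code or part of this commit: all type and function names are hypothetical, and it assumes that a report-only policy reports without enforcing and that only http: and ws: count as insecure schemes.

```cpp
// Simplified model of the checks described in the commit message above.
// Not WebKit code: every type and function name here is hypothetical.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

enum class ContentKind { Blockable, OptionallyBlockable }; // e.g. script, CSS, XHR vs. images
enum class Disposition { Enforce, ReportOnly };
struct Policy { Disposition disposition; bool blockAllMixedContent; };
struct Document {
    bool secure;         // document was loaded over HTTPS
    bool strictModeBit;  // set by an enforced policy or inherited from the parent
    std::vector<Policy> policies;
};
struct Decision { bool allowed; int reports; };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Split a serialized policy on ';' and match each directive's first token, case-insensitively.
Policy parsePolicy(const std::string& header, Disposition disposition) {
    Policy policy { disposition, false };
    std::istringstream directives(header);
    std::string directive;
    while (std::getline(directives, directive, ';')) {
        std::istringstream tokens(directive);
        std::string name;
        if (tokens >> name && lower(name) == "block-all-mixed-content")
            policy.blockAllMixedContent = true; // a duplicate directive changes nothing
    }
    return policy;
}

void applyPolicy(Document& document, const std::string& header, Disposition disposition) {
    Policy policy = parsePolicy(header, disposition);
    // Assumption: only an enforced policy switches the document into strict mode.
    if (policy.blockAllMixedContent && disposition == Disposition::Enforce)
        document.strictModeBit = true;
    document.policies.push_back(policy);
}

// A nested document starts with its parent's strict mode bit and no policy of its own.
Document createChild(const Document& parent, bool secure) {
    return Document { secure, parent.strictModeBit, {} };
}

// Simplification: only http: and ws: count as insecure schemes.
bool isInsecureURL(const std::string& url) {
    std::string scheme = lower(url.substr(0, url.find(':')));
    return scheme == "http" || scheme == "ws";
}

Decision checkInsecureLoad(const Document& document, const std::string& url, ContentKind kind) {
    if (!document.secure || !isInsecureURL(url))
        return { true, 0 }; // not mixed content
    bool strict = false;
    int reports = 0;
    for (const Policy& policy : document.policies) { // 1. the document's own policies
        if (!policy.blockAllMixedContent)
            continue;
        ++reports; // assumption: each such policy reports, enforced or report-only
        strict = strict || policy.disposition == Disposition::Enforce;
    }
    strict = strict || document.strictModeBit; // 2. then the strict mode bit
    if (strict)
        return { false, reports };
    // Non-strict mode: blockable content is blocked, optionally-blockable content loads.
    return { kind == ContentKind::OptionallyBlockable, reports };
}

int main() {
    Document top { true, false, {} };
    applyPolicy(top, "default-src 'self'; Block-All-Mixed-Content", Disposition::Enforce);
    Document frame = createChild(top, true); // constructed scenario: frame without its own policy
    Decision d = checkInsecureLoad(frame, "http://example.test/red-square.png", ContentKind::OptionallyBlockable);
    std::cout << (d.allowed ? "allowed" : "blocked") << ", reports=" << d.reports << "\n";
}
```

In the model, the frame blocks the insecure image through the inherited bit alone, so no policy on the frame itself reports a violation.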