[Mac][WK2] Add SPI to override the Content Security Policy of a page
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 3 Feb 2017 23:14:53 +0000 (23:14 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 3 Feb 2017 23:14:53 +0000 (23:14 +0000)
commit8d002e77608de04e3386b080f5cc388a045fe64e
tree0fed0baa200d3a0337fd60cd778b1154c7146904
parentd5dd5c1b85b1c5c0e35edbe51732ece16537b1b3
[Mac][WK2] Add SPI to override the Content Security Policy of a page
https://bugs.webkit.org/show_bug.cgi?id=167810
<rdar://problem/30102568>

Reviewed by Anders Carlsson.

Source/WebCore:

* dom/Document.cpp:
(WebCore::Document::initSecurityContext): Apply the embedding client's override Content Security
Policy to the document if one exists.
* loader/FrameLoaderClient.h: Add function overrideContentSecurityPolicy() that a FrameLoaderClient
can override to provide a custom Content Security Policy for a document (defaults: null string - no policy).
As its name implies, the policy returned by overrideContentSecurityPolicy() will define the Content
Security Policy for the document, overriding any subsequently received Content Security Policy for
the document.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::copyStateFrom): Only copy policies from the specified ContentSecurityPolicy
object if our policy was not specified by the embedding client.
(WebCore::ContentSecurityPolicy::didReceiveHeader): Set ContentSecurityPolicy::m_hasAPIPolicy to true
when we receive an API policy from the embedding client (ContentSecurityPolicy::PolicyFrom::API). An
API policy must be defined before a policy received from a document. Do not process a received header
if we already have an API policy as the API policy overrides all other policies.
* page/csp/ContentSecurityPolicy.h:

Source/WebKit2:

Add SPI to WKWebViewConfiguration so that an embedding client can define a custom Content Security
Policy that overrides the Content Security Policy of any page loaded in the web view.

* Shared/WebPageCreationParameters.cpp:
(WebKit::WebPageCreationParameters::encode): Encode instance variable overrideContentSecurityPolicy.
(WebKit::WebPageCreationParameters::decode): Decode instance variable overrideContentSecurityPolicy.
* Shared/WebPageCreationParameters.h:
* UIProcess/API/APIPageConfiguration.cpp:
(API::PageConfiguration::copy): Copy instance variable overrideContentSecurityPolicy.
* UIProcess/API/APIPageConfiguration.h:
(API::PageConfiguration::overrideContentSecurityPolicy): Added.
(API::PageConfiguration::setOverrideContentSecurityPolicy): Added.
* UIProcess/API/Cocoa/WKWebView.mm:
(-[WKWebView _initializeWithConfiguration:]): Copy overrideContentSecurityPolicy set on the WKWebViewConfiguration
object to the API::PageConfiguration object if non-nil.
* UIProcess/API/Cocoa/WKWebViewConfiguration.mm:
(-[WKWebViewConfiguration copyWithZone:]):  Copy the instance variable overrideContentSecurityPolicy.
(-[WKWebViewConfiguration _overrideContentSecurityPolicy]): Added.
(-[WKWebViewConfiguration _setOverrideContentSecurityPolicy:]): Added.
* UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h: Define SPI property _overrideContentSecurityPolicy.
* UIProcess/WebPageProxy.cpp:
(WebKit::WebPageProxy::WebPageProxy): Initialize m_overrideContentSecurityPolicy from the passed
page configuration.
(WebKit::WebPageProxy::creationParameters): Set WebPageCreationParameters::overrideContentSecurityPolicy
so that the WebPage object (in the WebProcess) will know the overridden Content Security Policy
to apply to the document.
* UIProcess/WebPageProxy.h:
* WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
(WebKit::WebFrameLoaderClient::overrideContentSecurityPolicy): Added. Returns the custom Content
Security Policy to apply to a new document.
* WebProcess/WebCoreSupport/WebFrameLoaderClient.h:
* WebProcess/WebPage/WebPage.cpp:
* WebProcess/WebPage/WebPage.h:
(WebKit::WebPage::overrideContentSecurityPolicy): Added.

Tools:

Add tests to ensure that we do not regress -[WKWebView _setOverrideContentSecurityPolicy:].

* TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* TestWebKitAPI/Tests/WebKit2Cocoa/OverrideContentSecurityPolicy.mm: Added.
(TEST):
* TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp-iframe.html: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp.html: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp-iframe.html: Added.
* TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@211656 268f45cc-cd09-0410-ab3c-d52691b4dbfc
26 files changed:
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/loader/FrameLoaderClient.h
Source/WebCore/page/csp/ContentSecurityPolicy.cpp
Source/WebCore/page/csp/ContentSecurityPolicy.h
Source/WebKit2/ChangeLog
Source/WebKit2/Shared/WebPageCreationParameters.cpp
Source/WebKit2/Shared/WebPageCreationParameters.h
Source/WebKit2/UIProcess/API/APIPageConfiguration.cpp
Source/WebKit2/UIProcess/API/APIPageConfiguration.h
Source/WebKit2/UIProcess/API/Cocoa/WKWebView.mm
Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfiguration.mm
Source/WebKit2/UIProcess/API/Cocoa/WKWebViewConfigurationPrivate.h
Source/WebKit2/UIProcess/WebPageProxy.cpp
Source/WebKit2/UIProcess/WebPageProxy.h
Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.h
Source/WebKit2/WebProcess/WebPage/WebPage.cpp
Source/WebKit2/WebProcess/WebPage/WebPage.h
Tools/ChangeLog
Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
Tools/TestWebKitAPI/Tests/WebKit2Cocoa/OverrideContentSecurityPolicy.mm [new file with mode: 0644]
Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp-iframe.html [new file with mode: 0644]
Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-with-csp.html [new file with mode: 0644]
Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp-iframe.html [new file with mode: 0644]
Tools/TestWebKitAPI/Tests/WebKit2Cocoa/page-without-csp.html [new file with mode: 0644]