Implement Strict Mixed Content Checking
authordbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 8 Dec 2016 23:54:13 +0000 (23:54 +0000)
committerdbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 8 Dec 2016 23:54:13 +0000 (23:54 +0000)
https://bugs.webkit.org/show_bug.cgi?id=165438
<rdar://problem/26103867>

Reviewed by Brent Fulgham and Andy Estes.

Source/WebCore:

Add support for the CSP directive block-all-mixed-content to enable strict mixed content checking
as per <https://www.w3.org/TR/2016/CR-mixed-content-20160802/#strict-checking> (2 August 2016).

Currently WebKit only blocks blockable content as such content can contaminate the security origin
that loaded it. Optionally-blockable content, including images, would be allowed to load as mixed
content. When strict mixed content checking is enabled all mixed content is blocked. That is, both
blockable and optionally-blockable content will be blocked. A web site can opt into strict mixed
content checking by adding the directive block-all-mixed-content to their content security policy.

Tests: http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html
       http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html

* dom/Document.cpp:
(WebCore::Document::initSecurityContext): Inherit strict mixed content checking mode from parent document.
* dom/SecurityContext.h:
(WebCore::SecurityContext::isStrictMixedContentMode): Added.
(WebCore::SecurityContext::setStrictMixedContentMode): Added.
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest): Check mixed content policy with respect to the current frame.
The document in the current frame may have opted into strict mixed content checking or inherited it from
its parent document.
* loader/DocumentWriter.cpp:
(WebCore::DocumentWriter::begin): Inherit the strict mixed content checking mode from the owner document
when loading a JavaScript URL in a frame (e.g. <iframe src="javascript:...">) because such URLs inherit
the security origin of their parent document.
* loader/MixedContentChecker.cpp:
(WebCore::MixedContentChecker::canDisplayInsecureContent): Check the content security policy of the document
and the strict mixed content checking mode bit on the document (in that order) to determine if we are in
strict mode. Block display of insecure content when in strict mode. Modified to take enum AlwaysDisplayInNonStrictMode (defaults
to AlwaysDisplayInNonStrictMode::No) as to whether to allow our current relaxed behavior of displaying insecure
content in non-strict mode.
(WebCore::MixedContentChecker::canRunInsecureContent): Check the content security policy of the document
and the strict mixed content checking mode bit on the document (in that order) to determine if we are in
strict mode. Block running of insecure content when in strict mode.
* loader/MixedContentChecker.h:
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::checkInsecureContent): Always check mixed content policy with respect to
the current frame. The document in the current frame may have opted into strict mixed content checking or
inherited it from its parent document. Also renamed a local variable f to frame to better describe its
purpose.
* page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent): Added. Iterate through all the
policies and report violations with respect to policies that have directive block-all-mixed-content.
(WebCore::ContentSecurityPolicy::didReceiveHeader): Move logic to set eval() error message from here...
(WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): ...to here so that we only perform
it once we are ready to apply the CSP policy to the script execution context. Additionally, enable
strict mixed content checking on the script execution context if applicable.
(WebCore::ContentSecurityPolicy::reportViolation): Added overrides that take a string and a directive list
object (ContentSecurityPolicyDirectiveList) for the effective violated directive and its associated directive
list, respectively. We make use of these overrides so as to support reporting block-all-mixed-content
violations, which are not implemented using a ContentSecurityPolicyDirective object as it seemed sufficient
to implement it as a boolean on ContentSecurityPolicyDirectiveList.
* page/csp/ContentSecurityPolicy.h:
* page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::setBlockAllMixedContentEnabled): Added.
(WebCore::ContentSecurityPolicyDirectiveList::addDirective): Parse the directive block-all-mixed-content.
* page/csp/ContentSecurityPolicyDirectiveList.h:
(WebCore::ContentSecurityPolicyDirectiveList::hasBlockAllMixedContentDirective): Added.
* page/csp/ContentSecurityPolicyDirectiveNames.cpp:
* page/csp/ContentSecurityPolicyDirectiveNames.h: Add constant for "block-all-mixed-content".

LayoutTests:

Add tests to ensure that we do not regress strict mixed content checking.

* http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js: Added.
(logMessage):
(securityPolicyViolationToString):
(checkNotify):
(recordSecurityPolicyViolation):
(window.onload):
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html: Added.
* platform/ios-simulator/TestExpectations: Skip plugin tests as plugins are not supported on iOS.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@209577 268f45cc-cd09-0410-ab3c-d52691b4dbfc

86 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html [new file with mode: 0644]
LayoutTests/platform/ios-simulator/TestExpectations
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp
Source/WebCore/dom/SecurityContext.h
Source/WebCore/loader/DocumentLoader.cpp
Source/WebCore/loader/DocumentWriter.cpp
Source/WebCore/loader/MixedContentChecker.cpp
Source/WebCore/loader/MixedContentChecker.h
Source/WebCore/loader/cache/CachedResourceLoader.cpp
Source/WebCore/page/csp/ContentSecurityPolicy.cpp
Source/WebCore/page/csp/ContentSecurityPolicy.h
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.cpp
Source/WebCore/page/csp/ContentSecurityPolicyDirectiveNames.h
Source/WebCore/xml/XSLTProcessor.cpp

index 00b3cca..eb28165 100644 (file)
@@ -1,3 +1,88 @@
+2016-12-08  Daniel Bates  <dabates@apple.com>
+
+        Implement Strict Mixed Content Checking
+        https://bugs.webkit.org/show_bug.cgi?id=165438
+        <rdar://problem/26103867>
+
+        Reviewed by Brent Fulgham and Andy Estes.
+
+        Add tests to ensure that we do not regress strict mixed content checking.
+
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js: Added.
+        (logMessage):
+        (securityPolicyViolationToString):
+        (checkNotify):
+        (recordSecurityPolicyViolation):
+        (window.onload):
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html: Added.
+        * platform/ios-simulator/TestExpectations: Skip plugin tests as plugins are not supported on iOS.
+
 2016-12-08  Sam Weinig  <sam@webkit.org>
 
         [WebIDL] Remove custom bindings for Geolocation
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame-expected.txt
new file mode 100644 (file)
index 0000000..2c77637
--- /dev/null
@@ -0,0 +1,17 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads an insecure iframe using a data URL. We should *not* trigger a mixed content block because the data URL cannot be corrupted by an active network attacker.
+
+PASS did load data URL iframe.
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html
new file mode 100644 (file)
index 0000000..9b6d9b9
--- /dev/null
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener("message", function (messageEvent) {
+    document.getElementById("console").textContent = messageEvent.data + "\n";
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+</script>
+</head>
+<body>
+<p>This test opens a window and loads an insecure iframe using a data URL.  We should *not*
+trigger a mixed content block because the data URL cannot be corrupted by an active network
+attacker.</p>
+<pre id="console"></pre>
+<script>
+    window.open("https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html");
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive-expected.txt
new file mode 100644 (file)
index 0000000..f6ffd09
--- /dev/null
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Ignoring duplicate Content-Security-Policy directive 'block-all-mixed-content'.
+
+This tests that we emit a console warning when block-all-mixed-content is listed more than once.
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html
new file mode 100644 (file)
index 0000000..a70edd8
--- /dev/null
@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content; block-all-mixed-content">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+</head>
+<body>
+<p>This tests that we emit a console warning when block-all-mixed-content is listed more than once.</p>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-expected.txt
new file mode 100644 (file)
index 0000000..d40ac1a
--- /dev/null
@@ -0,0 +1,30 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/style.css because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/style.css because 'block-all-mixed-content' appears in the Content Security Policy.
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure stylesheet. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+This background color should be white.
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only-expected.txt
new file mode 100644 (file)
index 0000000..5a43bb3
--- /dev/null
@@ -0,0 +1,32 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+CONSOLE MESSAGE: [Report Only] Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/style.css because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: line 9: [blocked] The page at https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php was not allowed to run insecure content from http://127.0.0.1:8000/security/mixedContent/resources/style.css.
+
+frame "<!--framePath //<!--frame0-->-->" - willPerformClientRedirectToURL: https://127.0.0.1:8443/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php 
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCancelClientRedirectForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure stylesheet. We should trigger a mixed content block even though the child frame has a report only CSP block-all-mixed-content directive because an active network attacker can use CSS3 to breach the confidentiality of the HTTPS security origin.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+CSP report received:
+CONTENT_TYPE: application/csp-report
+HTTP_HOST: 127.0.0.1:8443
+HTTP_REFERER: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
+REQUEST_METHOD: POST
+REQUEST_URI: /security/contentSecurityPolicy/resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
+=== POST DATA ===
+{"csp-report":{"document-uri":"https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php","referrer":"http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html","violated-directive":"block-all-mixed-content","effective-directive":"block-all-mixed-content","original-policy":"block-all-mixed-content; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php","blocked-uri":"http://127.0.0.1:8000","status-code":0}}
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html
new file mode 100644 (file)
index 0000000..b3ca660
--- /dev/null
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure stylesheet.  We should trigger a
+mixed content block even though the child frame has a report only CSP block-all-mixed-content
+directive because an active network attacker can use CSS3 to breach the confidentiality of
+the HTTPS security origin.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html
new file mode 100644 (file)
index 0000000..888dfc6
--- /dev/null
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure stylesheet.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame-expected.txt
new file mode 100644 (file)
index 0000000..effc711
--- /dev/null
@@ -0,0 +1,23 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/style.css because 'block-all-mixed-content' appears in the Content Security Policy.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads an insecure stylesheet. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html
new file mode 100644 (file)
index 0000000..eaef2ec
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener("message", function (messageEvent) {
+    document.getElementById("console").textContent = messageEvent.data + "\n";
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+</script>
+</head>
+<body>
+<p>This test opens a window and loads an insecure stylesheet.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.</p>
+<pre id="console"></pre>
+<script>
+    window.open("https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html");
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe-expected.txt
new file mode 100644 (file)
index 0000000..2d9745a
--- /dev/null
@@ -0,0 +1,25 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->/<!--frame0-->-->" - didStartProvisionalLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html because 'block-all-mixed-content' appears in the Content Security Policy.
+frame "<!--framePath //<!--frame0-->/<!--frame0-->-->" - didFailProvisionalLoadWithError
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure iframe. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
+--------
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html
new file mode 100644 (file)
index 0000000..7267913
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+
+    // FIXME: For some reason a SecurityPolicyViolation event is not dispatched in frame-with-insecure-iframe.html (why?).
+    // So, dump-securitypolicyviolation-and-notify-done.js loaded by frame-with-insecure-iframe.html will never call
+    // testRunner.notifyDone(). For now we do not call testRunner.waitUntilDone().
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure iframe.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame-expected.txt
new file mode 100644 (file)
index 0000000..352aa4d
--- /dev/null
@@ -0,0 +1,14 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html because 'block-all-mixed-content' appears in the Content Security Policy.
+frame "<!--framePath //<!--frame0-->-->" - didFailProvisionalLoadWithError
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads an insecure iframe. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html
new file mode 100644 (file)
index 0000000..58e2f79
--- /dev/null
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+
+    // FIXME: For some reason a SecurityPolicyViolation event is not dispatched in frame-with-insecure-iframe.html (why?).
+    // So, dump-securitypolicyviolation-and-notify-done.js loaded by frame-with-insecure-iframe.html will never call
+    // testRunner.notifyDone(). For now we do not call testRunner.waitUntilDone() and instead wait a fixed timeout :(
+    window.setTimeout(function () {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 500);
+}
+
+window.addEventListener("message", function (messageEvent) {
+    document.getElementById("console").textContent = messageEvent.data + "\n";
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+</script>
+</head>
+<body>
+<p>This test opens a window and loads an insecure iframe.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.</p>
+<pre id="console"></pre>
+<script>
+    window.open("https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html");
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe-expected.html
new file mode 100644 (file)
index 0000000..0643c5e
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>This test loads a secure iframe that loads an insecure image inside a blob URL iframe.
+A blob URL created in a secure context is considered secure.  We should trigger a mixed content
+block because the blob URL grandchild iframe inherited the CSP directive block-all-mixed-content
+from the child frame. This test PASSED if the grandchild iframe is filled solid green.
+Otherwise, it FAILED.</p>
+<iframe srcdoc="<iframe srcdoc='<style>body { background: green }</style>'></iframe>" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html
new file mode 100644 (file)
index 0000000..bdf7bb7
--- /dev/null
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner)
+    testRunner.waitUntilDone();
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure image inside a blob URL iframe.
+A blob URL created in a secure context is considered secure.  We should trigger a mixed content
+block because the blob URL grandchild iframe inherited the CSP directive block-all-mixed-content
+from the child frame. This test PASSED if the grandchild iframe is filled solid green.
+Otherwise, it FAILED.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-expected.txt
new file mode 100644 (file)
index 0000000..07fc393
--- /dev/null
@@ -0,0 +1,29 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies-expected.txt
new file mode 100644 (file)
index 0000000..fc9ba5f
--- /dev/null
@@ -0,0 +1,31 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+CONSOLE MESSAGE: The Content Security Policy 'block-all-mixed-content' was delivered in report-only mode, but does not specify a 'report-uri'; the policy will have no effect. Please either add a 'report-uri' directive, or deliver the policy via the 'Content-Security-Policy' header.
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: [Report Only] Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image. We should trigger a mixed content block because the child frame has an CSP directive block-all-mixed-content in an enforced policy.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html
new file mode 100644 (file)
index 0000000..d7a501b
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure image.  We should trigger a
+mixed content block because the child frame has an CSP directive block-all-mixed-content
+in an enforced policy.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy-expected.txt
new file mode 100644 (file)
index 0000000..17472ee
--- /dev/null
@@ -0,0 +1,18 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+CONSOLE MESSAGE: line 1: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html was not allowed to display insecure content from http://127.0.0.1:8080/security/resources/compass.jpg.
+
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image. We should trigger a mixed content block because the child frame inherited the CSP directive block-all-mixed-content from the main frame.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html
new file mode 100644 (file)
index 0000000..25657c9
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure image.  We should trigger a
+mixed content block because the child frame inherited the CSP directive block-all-mixed-content
+from the main frame.</p>
+<iframe src="https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-image.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html
new file mode 100644 (file)
index 0000000..a9ebb7f
--- /dev/null
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure image.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe-expected.txt
new file mode 100644 (file)
index 0000000..27c59b1
--- /dev/null
@@ -0,0 +1,25 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->/<!--frame0-->-->" - didStartProvisionalLoadForFrame
+frame "<!--framePath //<!--frame0-->/<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->/<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->/<!--frame0-->-->" - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->/<!--frame0-->-->" - didFinishLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image inside a JavaScript URL iframe. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content and a JavaScript URL executes in the same origin as its embedding document.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->/<!--frame0-->-->'
+--------
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html
new file mode 100644 (file)
index 0000000..bb95301
--- /dev/null
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+
+    // FIXME: For some reason a SecurityPolicyViolation event is not dispatched in frame-with-insecure-iframe.html (why?).
+    // So, dump-securitypolicyviolation-and-notify-done.js loaded by frame-with-insecure-iframe.html will never call
+    // testRunner.notifyDone(). For now we do not call testRunner.waitUntilDone().
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure image inside a JavaScript URL iframe.
+We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content
+and a JavaScript URL executes in the same origin as its embedding document.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame-expected.txt
new file mode 100644 (file)
index 0000000..35e61af
--- /dev/null
@@ -0,0 +1,23 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/resources/compass.jpg because 'block-all-mixed-content' appears in the Content Security Policy.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads an insecure image. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html
new file mode 100644 (file)
index 0000000..d0e0e87
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener("message", function (messageEvent) {
+    document.getElementById("console").textContent = messageEvent.data + "\n";
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+</script>
+</head>
+<body>
+<p>This test opens a window and loads an insecure image.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.</p>
+<pre id="console"></pre>
+<script>
+    window.open("https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html");
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy-expected.txt
new file mode 100644 (file)
index 0000000..2a13345
--- /dev/null
@@ -0,0 +1,19 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+CONSOLE MESSAGE: line 2: [blocked] The page at https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml was not allowed to display insecure content from http://127.0.0.1:8000/security/resources/compass.jpg.
+
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image from an XSLT transformed document. We should trigger a mixed content block because the child frame inherited the CSP directive block-all-mixed-content from the main frame.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html
new file mode 100644 (file)
index 0000000..8abf784
--- /dev/null
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure image from an XSLT transformed document.
+We should trigger a mixed content block because the child frame inherited the CSP directive block-all-mixed-content
+from the main frame.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe-expected.txt
new file mode 100644 (file)
index 0000000..74420af
--- /dev/null
@@ -0,0 +1,29 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/dummy.swf because 'block-all-mixed-content' appears in the Content Security Policy.
+This test loads a secure iframe that loads an insecure plugin. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html
new file mode 100644 (file)
index 0000000..5955eb8
--- /dev/null
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure plugin.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame-expected.txt
new file mode 100644 (file)
index 0000000..e0b2fdd
--- /dev/null
@@ -0,0 +1,23 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/dummy.swf because 'block-all-mixed-content' appears in the Content Security Policy.
+This test opens a window and loads an insecure plugin. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html
new file mode 100644 (file)
index 0000000..e2f06dc
--- /dev/null
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true)
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener("message", function (messageEvent) {
+    document.getElementById("console").textContent = messageEvent.data + "\n";
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+</script>
+</head>
+<body>
+<p>This test opens a window and loads an insecure plugin.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.</p>
+<pre id="console"></pre>
+<!-- FIXME: For some reason this test times out (why?). -->
+<script>
+    window.open("https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html");
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-expected.txt
new file mode 100644 (file)
index 0000000..0b4ff6b
--- /dev/null
@@ -0,0 +1,28 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/script.js because 'block-all-mixed-content' appears in the Content Security Policy.
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure external script. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy-expected.txt
new file mode 100644 (file)
index 0000000..860be8a
--- /dev/null
@@ -0,0 +1,18 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+CONSOLE MESSAGE: [blocked] The page at https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script.html was not allowed to run insecure content from http://127.0.0.1:8080/security/mixedContent/resources/script.js.
+
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure external script. We should trigger a mixed content block because the child frame inherited the CSP directive block-all-mixed-content from the main frame.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html
new file mode 100644 (file)
index 0000000..4a4309c
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure external script.  We should trigger a
+mixed content block because the child frame inherited the CSP directive block-all-mixed-content
+from the main frame.</p>
+<iframe src="https://127.0.0.1:8443/security/mixedContent/resources/frame-with-insecure-script.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html
new file mode 100644 (file)
index 0000000..743b2f0
--- /dev/null
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure external script.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame-expected.txt
new file mode 100644 (file)
index 0000000..fea03a3
--- /dev/null
@@ -0,0 +1,23 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/security/mixedContent/resources/script.js because 'block-all-mixed-content' appears in the Content Security Policy.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads an insecure external script. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: 
+lineNumber: 0
+columnNumber: 0
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html
new file mode 100644 (file)
index 0000000..d9b0faf
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener("message", function (messageEvent) {
+    document.getElementById("console").textContent = messageEvent.data + "\n";
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+</script>
+</head>
+<body>
+<p>This test opens a window and loads an insecure external script.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.</p>
+<pre id="console"></pre>
+<script>
+    window.open("https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html");
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe-expected.txt
new file mode 100644 (file)
index 0000000..5d3fbb7
--- /dev/null
@@ -0,0 +1,29 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks.
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads insecure data via asynchronous XHR. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous
+lineNumber: 30
+columnNumber: 9
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html
new file mode 100644 (file)
index 0000000..236163b
--- /dev/null
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads insecure data via asynchronous XHR.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame-expected.txt
new file mode 100644 (file)
index 0000000..c8e65e2
--- /dev/null
@@ -0,0 +1,24 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi because 'block-all-mixed-content' appears in the Content Security Policy.
+CONSOLE MESSAGE: line 30: XMLHttpRequest cannot load http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi due to access control checks.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads insecure data via asynchronous XHR. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous
+lineNumber: 30
+columnNumber: 9
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html
new file mode 100644 (file)
index 0000000..1d96645
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener("message", function (messageEvent) {
+    document.getElementById("console").textContent = messageEvent.data + "\n";
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+</script>
+</head>
+<body>
+<p>This test opens a window and loads insecure data via asynchronous XHR.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.</p>
+<pre id="console"></pre>
+<script>
+    window.open("https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html?asynchronous");
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe-expected.txt
new file mode 100644 (file)
index 0000000..137b39c
--- /dev/null
@@ -0,0 +1,28 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi because 'block-all-mixed-content' appears in the Content Security Policy.
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads insecure data via synchronous XHR. We should trigger a mixed content block because the child frame has CSP directive block-all-mixed-content.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html
+lineNumber: 30
+columnNumber: 9
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html
new file mode 100644 (file)
index 0000000..c54730d
--- /dev/null
@@ -0,0 +1,18 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads insecure data via synchronous XHR.  We should trigger a
+mixed content block because the child frame has CSP directive block-all-mixed-content.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html" width="100%" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame-expected.txt
new file mode 100644 (file)
index 0000000..51cdc3e
--- /dev/null
@@ -0,0 +1,23 @@
+main frame - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+main frame - didCommitLoadForFrame
+CONSOLE MESSAGE: Blocked mixed content http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi because 'block-all-mixed-content' appears in the Content Security Policy.
+main frame - didFinishDocumentLoadForFrame
+main frame - didHandleOnloadEventsForFrame
+main frame - didFinishLoadForFrame
+This test opens a window and loads insecure data via synchronous XHR. We should trigger a mixed content block because the main frame in the window has CSP directive block-all-mixed-content.
+
+documentURI: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html
+referrer: http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html
+blockedURI: http://127.0.0.1:8000
+violatedDirective: block-all-mixed-content
+effectiveDirective: block-all-mixed-content
+originalPolicy: block-all-mixed-content
+sourceFile: https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html
+lineNumber: 30
+columnNumber: 9
+statusCode: 0
+
+
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html
new file mode 100644 (file)
index 0000000..364e45d
--- /dev/null
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.setCanOpenWindows();
+    testRunner.setCloseRemainingWindowsWhenComplete(true);
+    testRunner.waitUntilDone();
+}
+
+window.addEventListener("message", function (messageEvent) {
+    document.getElementById("console").textContent = messageEvent.data + "\n";
+    if (window.testRunner)
+        testRunner.notifyDone();
+}, false);
+</script>
+</head>
+<body>
+<p>This test opens a window and loads insecure data via synchronous XHR.  We should trigger a
+mixed content block because the main frame in the window has CSP directive block-all-mixed-content.</p>
+<pre id="console"></pre>
+<script>
+    window.open("https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html");
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/dump-securitypolicyviolation-and-notify-done.js
new file mode 100644 (file)
index 0000000..5a65171
--- /dev/null
@@ -0,0 +1,67 @@
+var consoleElement; // Only used if !window.opener.
+var recordedSecurityPolicyViolation;
+var didFireLoad = false;
+
+function logMessage(message)
+{
+    console.assert(consoleElement);
+    consoleElement.appendChild(document.createTextNode(message + "\n"));
+}
+
+function securityPolicyViolationToString()
+{
+    let lines = [];
+    for (let key in recordedSecurityPolicyViolation)
+        lines.push(key + ": " + recordedSecurityPolicyViolation[key]);
+    lines.push("");
+    return lines.join("\n");
+}
+
+function checkNotify()
+{
+    if (!didFireLoad || !recordedSecurityPolicyViolation)
+        return;
+    if (window.opener) {
+        // window.opener is responsible for calling testRunner.notifyDone().
+        opener.postMessage(securityPolicyViolationToString(), "*");
+    } else {
+        logMessage(securityPolicyViolationToString());
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }
+}
+
+function recordSecurityPolicyViolation(e)
+{
+    document.removeEventListener("securitypolicyviolation", recordSecurityPolicyViolation, false);
+
+    let keysToDump = [
+        "documentURI",
+        "referrer",
+        "blockedURI",
+        "violatedDirective",
+        "effectiveDirective",
+        "originalPolicy",
+        "sourceFile",
+        "lineNumber",
+        "columnNumber",
+        "statusCode",
+    ];
+    let result = { };
+    for (let key of keysToDump)
+        result[key] = e[key];
+    recordedSecurityPolicyViolation = result;
+    checkNotify();
+}
+
+document.addEventListener("securitypolicyviolation", recordSecurityPolicyViolation, false);
+
+window.onload = function ()
+{
+    if (!window.opener) {
+        consoleElement = document.createElement("pre");
+        document.body.appendChild(consoleElement);
+    }
+    didFireLoad = true;
+    checkNotify();
+}
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html
new file mode 100644 (file)
index 0000000..bacf37d
--- /dev/null
@@ -0,0 +1 @@
+<p>FAIL</p>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-data-url-iframe.html
new file mode 100644 (file)
index 0000000..4015e33
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+</head>
+<body>
+<script>
+function frameLoaded() {
+    if (window.opener)
+        window.opener.postMessage("PASS did load data URL iframe.", "*");
+}
+</script>
+<iframe onload="frameLoaded()" src="data:text/html,This is a boring HTML document."></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php
new file mode 100644 (file)
index 0000000..e612ee8
--- /dev/null
@@ -0,0 +1,20 @@
+<?php
+    header("Content-Security-Policy-Report-Only: block-all-mixed-content; report-uri ../../resources/save-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php");
+?>
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+body {
+    background-color: white;
+}
+</style>
+<link rel="stylesheet" href="http://127.0.0.1:8000/security/mixedContent/resources/style.css">
+</head>
+<body>
+This background color should be white.
+<script>
+    window.location.href = "/security/contentSecurityPolicy/resources/echo-report.php?test=/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css-report-only.php";
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-css.html
new file mode 100644 (file)
index 0000000..7505bca
--- /dev/null
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script src="dump-securitypolicyviolation-and-notify-done.js"></script>
+<style>
+body {
+    background-color: white;
+}
+</style>
+<link rel="stylesheet" href="http://127.0.0.1:8000/security/mixedContent/resources/style.css">
+</head>
+<body>
+This background color should be white.
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-iframe.html
new file mode 100644 (file)
index 0000000..5cf843e
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script src="dump-securitypolicyviolation-and-notify-done.js"></script>
+</head>
+<body>
+<!-- FIXME: For some reason a SecurityPolicyViolation event is not dispatched (why?) when the child frame load is blocked. -->
+<iframe src="http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/resources/fail.html"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-and-without-policy.html
new file mode 100644 (file)
index 0000000..068c172
--- /dev/null
@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="dump-securitypolicyviolation-and-notify-done.js"></script>
+</head>
+<body>
+<img src="http://127.0.0.1:8000/security/resources/compass.jpg">
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-blob-url-iframe.html
new file mode 100644 (file)
index 0000000..8bda5d7
--- /dev/null
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+</head>
+<body>
+<iframe id="iframe"></iframe>
+<script>
+var iframe = document.getElementById("iframe");
+var markup = [
+    "<style>body { background: green }</style>",
+    '<img src="http://127.0.0.1:8000/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png">',
+    '<script>',
+    'if (window.testRunner)',
+    '   testRunner.notifyDone();',
+    '</' + 'script>',
+];
+
+var blob = new Blob([markup.join("\n")], { type: "text/html" });
+iframe.src = URL.createObjectURL(blob);
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-javascript-url-iframe.html
new file mode 100644 (file)
index 0000000..ffc3619
--- /dev/null
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script src="dump-securitypolicyviolation-and-notify-done.js"></script>
+</head>
+<body>
+<!-- FIXME: For some reason a SecurityPolicyViolation event is not dispatched (why?) when the child frame load is blocked. -->
+<iframe src="javascript:document.write('<img src=%22http://127.0.0.1:8000/security/resources/compass.jpg%22>');"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-in-xslt-document.xml
new file mode 100644 (file)
index 0000000..dac5345
--- /dev/null
@@ -0,0 +1,6 @@
+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl" href="transform-functions.xsl"?>
+<doc>
+<image>http://127.0.0.1:8000/security/resources/compass.jpg</image>
+<notifyDone />
+</doc>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image-with-enforced-and-report-policies.php
new file mode 100644 (file)
index 0000000..da02351
--- /dev/null
@@ -0,0 +1,13 @@
+<?php
+    header("Content-Security-Policy-Report-Only: block-all-mixed-content");
+    header("Content-Security-Policy: block-all-mixed-content");
+?>
+<!DOCTYPE html>
+<html>
+<head>
+<script src="dump-securitypolicyviolation-and-notify-done.js"></script>
+</head>
+<body>
+<img src="http://127.0.0.1:8000/security/resources/compass.jpg">
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-image.html
new file mode 100644 (file)
index 0000000..1819aef
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script src="dump-securitypolicyviolation-and-notify-done.js"></script>
+</head>
+<body>
+<img src="http://127.0.0.1:8000/security/resources/compass.jpg">
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-plugin.html
new file mode 100644 (file)
index 0000000..e4902fd
--- /dev/null
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script src="dump-securitypolicyviolation-and-notify-done.js"></script>
+</head>
+<body>
+<object name="plugin" type="application/x-webkit-test-netscape">
+    <param name="movie" value="http://127.0.0.1:8000/security/mixedContent/resources/dummy.swf">
+</object>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-script.html
new file mode 100644 (file)
index 0000000..73db6aa
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script src="dump-securitypolicyviolation-and-notify-done.js"></script>
+</head>
+<body>
+<script src="http://127.0.0.1:8000/security/mixedContent/resources/script.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-insecure-xhr.html
new file mode 100644 (file)
index 0000000..a77a3b8
--- /dev/null
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
+<script src="dump-securitypolicyviolation-and-notify-done.js"></script>
+</head>
+<body>
+<script>
+function done()
+{
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+var xhr = new XMLHttpRequest;
+xhr.onload = function () {
+    alert("FAIL: load was not blocked");
+    done()
+};
+
+window.setTimeout(done, 2000);
+
+try {
+    var isAsynchronous = document.location.search.startsWith("?asynchronous");
+    xhr.open("GET", "http://127.0.0.1:8000/xmlhttprequest/resources/access-control-basic-allow-star.cgi", isAsynchronous);
+} catch (ex) {
+    // Firefox raises an exception, which is one way to make this detectable.
+    done();
+}
+xhr.send(null);
+</script>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html
new file mode 100644 (file)
index 0000000..446de82
--- /dev/null
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; block-all-mixed-content">
+<script>
+function writeResultAndNotifyDone(result)
+{
+    document.getElementById("result").textContent = result;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+function testPassed()
+{
+    writeResultAndNotifyDone("PASS did load image.");
+}
+
+function testFailed()
+{
+    writeResultAndNotifyDone("FAIL did not load image.");
+}
+</script>
+</head>
+<body>
+<img src="https://127.0.0.1:8443/resources/redirect.php?url=http://127.0.0.1:8443/security/resources/compass.jpg" onload="testPassed()" onerror="testFailed()">
+<pre id="result"></pre>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html
new file mode 100644 (file)
index 0000000..7950e3a
--- /dev/null
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; block-all-mixed-content">
+<script>
+function writeResultAndNotifyDone(result)
+{
+    document.getElementById("result").textContent = result;
+    if (window.testRunner)
+        testRunner.notifyDone();
+}
+
+function testPassed()
+{
+    writeResultAndNotifyDone("PASS did load image.");
+}
+
+function testFailed()
+{
+    writeResultAndNotifyDone("FAIL did not load image.");
+}
+</script>
+</head>
+<body>
+<img src="http://127.0.0.1:8443/security/resources/compass.jpg" onload="testPassed()" onerror="testFailed()">
+<pre id="result"></pre>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png
new file mode 100644 (file)
index 0000000..782e18e
Binary files /dev/null and b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/red-square.png differ
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/resources/transform-functions.xsl
new file mode 100644 (file)
index 0000000..09864ec
--- /dev/null
@@ -0,0 +1,18 @@
+<?xml version="1.0"?>
+<xsl:stylesheet version="1.0"
+xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+
+<xsl:output method="html" />
+
+<xsl:template match="image">
+    <img src="{.}" />
+</xsl:template>
+
+<xsl:template match="notifyDone">
+    <script>
+    if (window.testRunner)
+        testRunner.notifyDone();
+    </script>
+</xsl:template>
+
+</xsl:stylesheet>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe-expected.txt
new file mode 100644 (file)
index 0000000..967c371
--- /dev/null
@@ -0,0 +1,17 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image. We should *not* trigger a mixed content block even though the child frame has CSP directive block-all-mixed-content because the insecure image is upgraded to a secure image as the child frame has CSP directive upgrade-insecure-requests.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
+PASS did load image.
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html
new file mode 100644 (file)
index 0000000..7bb34ed
--- /dev/null
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure image.  We should *not* trigger a
+mixed content block even though the child frame has CSP directive block-all-mixed-content
+because the insecure image is upgraded to a secure image as the child frame has CSP directive
+upgrade-insecure-requests.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade.html" height="300"></iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe-expected.txt
new file mode 100644 (file)
index 0000000..a633bdd
--- /dev/null
@@ -0,0 +1,17 @@
+frame "<!--framePath //<!--frame0-->-->" - didStartProvisionalLoadForFrame
+main frame - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didCommitLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishDocumentLoadForFrame
+frame "<!--framePath //<!--frame0-->-->" - didHandleOnloadEventsForFrame
+main frame - didHandleOnloadEventsForFrame
+frame "<!--framePath //<!--frame0-->-->" - didFinishLoadForFrame
+main frame - didFinishLoadForFrame
+This test loads a secure iframe that loads an insecure image via a redirect. We should *not* trigger a mixed content block even though the child frame has CSP directive block-all-mixed-content because the redirected insecure image is upgraded to a secure image as the child frame has CSP directive upgrade-insecure-requests.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+
+PASS did load image.
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html b/LayoutTests/http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html
new file mode 100644 (file)
index 0000000..97614aa
--- /dev/null
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.dumpChildFramesAsText();
+    testRunner.dumpFrameLoadCallbacks();
+    testRunner.waitUntilDone();
+}
+</script>
+</head>
+<body>
+<p>This test loads a secure iframe that loads an insecure image via a redirect.  We should *not* trigger
+a mixed content block even though the child frame has CSP directive block-all-mixed-content because the
+redirected insecure image is upgraded to a secure image as the child frame has CSP directive upgrade-insecure-requests.</p>
+<iframe src="https://127.0.0.1:8443/security/contentSecurityPolicy/block-all-mixed-content/resources/frame-with-secure-image-after-upgrade-redirect.html" height="300"></iframe>
+</body>
+</html>
index 6881bb5..cb52720 100644 (file)
@@ -123,6 +123,8 @@ http/tests/security/contentSecurityPolicy/object-src-param-src-blocked.html
 http/tests/security/contentSecurityPolicy/object-src-param-url-blocked.html
 http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-default-src-star.html
 http/tests/security/contentSecurityPolicy/object-with-no-url-allowed-by-star.html
+http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html
+http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html
 
 # Pointer-lock not supported on iOS
 pointer-lock
index 97dd4f6..495140e 100644 (file)
@@ -1,3 +1,95 @@
+2016-12-08  Daniel Bates  <dabates@apple.com>
+
+        Implement Strict Mixed Content Checking
+        https://bugs.webkit.org/show_bug.cgi?id=165438
+        <rdar://problem/26103867>
+
+        Reviewed by Brent Fulgham and Andy Estes.
+
+        Add support for the CSP directive block-all-mixed-content to enable strict mixed content checking
+        as per <https://www.w3.org/TR/2016/CR-mixed-content-20160802/#strict-checking> (2 August 2016).
+
+        Currently WebKit only blocks blockable content as such content can contaminate the security origin
+        that loaded it. Optionally-blockable content, including images, would be allowed to load as mixed
+        content. When strict mixed content checking is enabled all mixed content is blocked. That is, both
+        blockable and optionally-blockable content will be blocked. A web site can opt into strict mixed
+        content checking by adding the directive block-all-mixed-content to their content security policy.
+
+        Tests: http/tests/security/contentSecurityPolicy/block-all-mixed-content/data-url-iframe-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/duplicate-directive.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe-report-only.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-css-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-iframe-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-blob-url-iframe-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-enforced-and-report-policies.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe-with-inherited-policy.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-javascript-url-iframe-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-image-in-xslt-document-in-iframe-with-inherited-policy.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-plugin-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe-with-inherited-policy.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-script-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-asynchronous-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/insecure-xhr-synchronous-in-main-frame.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-in-iframe.html
+               http/tests/security/contentSecurityPolicy/block-all-mixed-content/secure-image-after-upgrade-redirect-in-iframe.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::initSecurityContext): Inherit strict mixed content checking mode from parent document.
+        * dom/SecurityContext.h:
+        (WebCore::SecurityContext::isStrictMixedContentMode): Added.
+        (WebCore::SecurityContext::setStrictMixedContentMode): Added.
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::willSendRequest): Check mixed content policy with respect to the current frame.
+        The document in the current frame may have opted into strict mixed content checking or inherited it from
+        its parent document.
+        * loader/DocumentWriter.cpp:
+        (WebCore::DocumentWriter::begin): Inherit the strict mixed content checking mode from the owner document
+        when loading a JavaScript URL in a frame (e.g. <iframe src="javascript:...">) because such URLs inherit
+        the security origin of their parent document.
+        * loader/MixedContentChecker.cpp:
+        (WebCore::MixedContentChecker::canDisplayInsecureContent): Check the content security policy of the document
+        and the strict mixed content checking mode bit on the document (in that order) to determine if we are in
+        strict mode. Block display of insecure content when in strict mode. Modified to take enum AlwaysDisplayInNonStrictMode (defaults
+        to AlwaysDisplayInNonStrictMode::No) as to whether to allow our current relaxed behavior of displaying insecure
+        content in non-strict mode.
+        (WebCore::MixedContentChecker::canRunInsecureContent): Check the content security policy of the document
+        and the strict mixed content checking mode bit on the document (in that order) to determine if we are in
+        strict mode. Block running of insecure content when in strict mode.
+        * loader/MixedContentChecker.h:
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::checkInsecureContent): Always check mixed content policy with respect to
+        the current frame. The document in the current frame may have opted into strict mixed content checking or
+        inherited it from its parent document. Also renamed a local variable f to frame to better describe its
+        purpose.
+        * page/csp/ContentSecurityPolicy.cpp:
+        (WebCore::ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent): Added. Iterate through all the
+        policies and report violations with respect to policies that have directive block-all-mixed-content.
+        (WebCore::ContentSecurityPolicy::didReceiveHeader): Move logic to set eval() error message from here...
+        (WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): ...to here so that we only perform
+        it once we are ready to apply the CSP policy to the script execution context. Additionally, enable
+        strict mixed content checking on the script execution context if applicable.
+        (WebCore::ContentSecurityPolicy::reportViolation): Added overrides that take a string and a directive list
+        object (ContentSecurityPolicyDirectiveList) for the effective violated directive and its associated directive
+        list, respectively. We make use of these overrides so as to support reporting block-all-mixed-content
+        violations, which are not implemented using a ContentSecurityPolicyDirective object as it seemed sufficient
+        to implement it as a boolean on ContentSecurityPolicyDirectiveList.
+        * page/csp/ContentSecurityPolicy.h:
+        * page/csp/ContentSecurityPolicyDirectiveList.cpp:
+        (WebCore::ContentSecurityPolicyDirectiveList::setBlockAllMixedContentEnabled): Added.
+        (WebCore::ContentSecurityPolicyDirectiveList::addDirective): Parse the directive block-all-mixed-content.
+        * page/csp/ContentSecurityPolicyDirectiveList.h:
+        (WebCore::ContentSecurityPolicyDirectiveList::hasBlockAllMixedContentDirective): Added.
+        * page/csp/ContentSecurityPolicyDirectiveNames.cpp:
+        * page/csp/ContentSecurityPolicyDirectiveNames.h: Add constant for "block-all-mixed-content".
+
 2016-12-08  Sam Weinig  <sam@webkit.org>
 
         [WebIDL] Remove custom bindings for Geolocation
index 8e99b91..476d15b 100644 (file)
@@ -5161,6 +5161,8 @@ void Document::initSecurityContext()
         m_isSrcdocDocument = true;
         setBaseURLOverride(parentDocument->baseURL());
     }
+    if (parentDocument)
+        setStrictMixedContentMode(parentDocument->isStrictMixedContentMode());
 
     if (!shouldInheritSecurityOriginFromOwner(m_url))
         return;
@@ -5178,7 +5180,7 @@ void Document::initSecurityContext()
         didFailToInitializeSecurityOrigin();
         return;
     }
-    
+
     Document* openerDocument = openerFrame ? openerFrame->document() : nullptr;
 
     // Per <http://www.w3.org/TR/upgrade-insecure-requests/>, new browsing contexts must inherit from an
index d3f3566..23976f6 100644 (file)
@@ -81,6 +81,9 @@ public:
     bool geolocationAccessed() const { return m_geolocationAccessed; }
     void setGeolocationAccessed() { m_geolocationAccessed = true; }
 
+    bool isStrictMixedContentMode() const { return m_isStrictMixedContentMode; }
+    void setStrictMixedContentMode(bool strictMixedContentMode) { m_isStrictMixedContentMode = strictMixedContentMode; }
+
 protected:
     SecurityContext();
     virtual ~SecurityContext();
@@ -97,6 +100,7 @@ private:
     std::unique_ptr<ContentSecurityPolicy> m_contentSecurityPolicy;
     bool m_foundMixedContent { false };
     bool m_geolocationAccessed { false };
+    bool m_isStrictMixedContentMode { false };
 };
 
 } // namespace WebCore
index 2d3cd95..24bb505 100644 (file)
@@ -565,6 +565,10 @@ void DocumentLoader::willSendRequest(ResourceRequest& newRequest, const Resource
         newRequest.setCachePolicy(ReloadIgnoringCacheData);
 
     if (&topFrame != m_frame) {
+        if (!m_frame->loader().mixedContentChecker().canDisplayInsecureContent(m_frame->document()->securityOrigin(), MixedContentChecker::ContentType::Active, newRequest.url(), MixedContentChecker::AlwaysDisplayInNonStrictMode::Yes)) {
+            cancelMainResourceLoad(frameLoader()->cancelledError(newRequest));
+            return;
+        }
         if (!frameLoader()->mixedContentChecker().canDisplayInsecureContent(topFrame.document()->securityOrigin(), MixedContentChecker::ContentType::Active, newRequest.url())) {
             cancelMainResourceLoad(frameLoader()->cancelledError(newRequest));
             return;
index 11aba13..7a2aa5d 100644 (file)
@@ -174,6 +174,7 @@ void DocumentWriter::begin(const URL& urlReference, bool dispatch, Document* own
     if (ownerDocument) {
         document->setCookieURL(ownerDocument->cookieURL());
         document->setSecurityOriginPolicy(ownerDocument->securityOriginPolicy());
+        document->setStrictMixedContentMode(ownerDocument->isStrictMixedContentMode());
     }
 
     m_frame->loader().didBeginDocument(dispatch);
index 73923ad..e29613f 100644 (file)
@@ -29,6 +29,7 @@
 #include "config.h"
 #include "MixedContentChecker.h"
 
+#include "ContentSecurityPolicy.h"
 #include "Document.h"
 #include "Frame.h"
 #include "FrameLoader.h"
@@ -60,12 +61,19 @@ bool MixedContentChecker::isMixedContent(SecurityOrigin* securityOrigin, const U
     return !SecurityOrigin::isSecure(url);
 }
 
-bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrigin, ContentType type, const URL& url) const
+bool MixedContentChecker::canDisplayInsecureContent(SecurityOrigin* securityOrigin, ContentType type, const URL& url, AlwaysDisplayInNonStrictMode alwaysDisplayInNonStrictMode) const
 {
     if (!isMixedContent(securityOrigin, url))
         return true;
 
-    bool allowed = (m_frame.settings().allowDisplayOfInsecureContent() || type == ContentType::ActiveCanWarn) && !m_frame.document()->geolocationAccessed();
+    if (!m_frame.document()->contentSecurityPolicy()->allowRunningOrDisplayingInsecureContent(url))
+        return false;
+
+    bool isStrictMode = m_frame.document()->isStrictMixedContentMode();
+    if (!isStrictMode && alwaysDisplayInNonStrictMode == AlwaysDisplayInNonStrictMode::Yes)
+        return true;
+
+    bool allowed = !isStrictMode && (m_frame.settings().allowDisplayOfInsecureContent() || type == ContentType::ActiveCanWarn) && !m_frame.document()->geolocationAccessed();
     logWarning(allowed, "display", url);
 
     if (allowed) {
@@ -81,7 +89,10 @@ bool MixedContentChecker::canRunInsecureContent(SecurityOrigin* securityOrigin,
     if (!isMixedContent(securityOrigin, url))
         return true;
 
-    bool allowed = m_frame.settings().allowRunningOfInsecureContent() && !m_frame.document()->geolocationAccessed();
+    if (!m_frame.document()->contentSecurityPolicy()->allowRunningOrDisplayingInsecureContent(url))
+        return false;
+
+    bool allowed = !m_frame.document()->isStrictMixedContentMode() && m_frame.settings().allowRunningOfInsecureContent() && !m_frame.document()->geolocationAccessed();
     logWarning(allowed, "run", url);
 
     if (allowed) {
index c94070b..38fcf8c 100644 (file)
@@ -50,7 +50,12 @@ public:
 
     MixedContentChecker(Frame&);
 
-    bool canDisplayInsecureContent(SecurityOrigin*, ContentType, const URL&) const;
+    enum class AlwaysDisplayInNonStrictMode {
+        No,
+        Yes,
+    };
+
+    bool canDisplayInsecureContent(SecurityOrigin*, ContentType, const URL&, AlwaysDisplayInNonStrictMode = AlwaysDisplayInNonStrictMode::No) const;
     bool canRunInsecureContent(SecurityOrigin*, const URL&) const;
     void checkFormForMixedContent(SecurityOrigin*, const URL&) const;
     static bool isMixedContent(SecurityOrigin*, const URL&);
index e163e8b..c13e8fc 100644 (file)
@@ -344,11 +344,11 @@ bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const
     case CachedResource::CSSStyleSheet:
         // These resource can inject script into the current document (Script,
         // XSL) or exfiltrate the content of the current document (CSS).
-        if (Frame* f = frame()) {
-            if (!f->loader().mixedContentChecker().canRunInsecureContent(m_document->securityOrigin(), url))
+        if (Frame* frame = this->frame()) {
+            if (!frame->loader().mixedContentChecker().canRunInsecureContent(m_document->securityOrigin(), url))
                 return false;
-            Frame& top = f->tree().top();
-            if (&top != f && !top.loader().mixedContentChecker().canRunInsecureContent(top.document()->securityOrigin(), url))
+            Frame& top = frame->tree().top();
+            if (&top != frame && !top.loader().mixedContentChecker().canRunInsecureContent(top.document()->securityOrigin(), url))
                 return false;
         }
         break;
@@ -363,8 +363,10 @@ bool CachedResourceLoader::checkInsecureContent(CachedResource::Type type, const
 #endif
     case CachedResource::FontResource: {
         // These resources can corrupt only the frame's pixels.
-        if (Frame* f = frame()) {
-            Frame& topFrame = f->tree().top();
+        if (Frame* frame = this->frame()) {
+            if (!frame->loader().mixedContentChecker().canDisplayInsecureContent(m_document->securityOrigin(), contentTypeFromResourceType(type), url, MixedContentChecker::AlwaysDisplayInNonStrictMode::Yes))
+                return false;
+            Frame& topFrame = frame->tree().top();
             if (!topFrame.loader().mixedContentChecker().canDisplayInsecureContent(topFrame.document()->securityOrigin(), contentTypeFromResourceType(type), url))
                 return false;
         }
index 5c8bf13..2c1f219 100644 (file)
@@ -123,6 +123,31 @@ void ContentSecurityPolicy::copyUpgradeInsecureRequestStateFrom(const ContentSec
     m_insecureNavigationRequestsToUpgrade.add(other.m_insecureNavigationRequestsToUpgrade.begin(), other.m_insecureNavigationRequestsToUpgrade.end());
 }
 
+bool ContentSecurityPolicy::allowRunningOrDisplayingInsecureContent(const URL& url)
+{
+    bool allow = true;
+    bool isReportOnly = false;
+    for (auto& policy : m_policies) {
+        if (!policy->hasBlockAllMixedContentDirective())
+            continue;
+
+        isReportOnly = policy->isReportOnly();
+
+        StringBuilder consoleMessage;
+        if (isReportOnly)
+            consoleMessage.appendLiteral("[Report Only] ");
+        consoleMessage.append("Blocked mixed content ");
+        consoleMessage.append(url.stringCenterEllipsizedToLength());
+        consoleMessage.appendLiteral(" because ");
+        consoleMessage.append("'block-all-mixed-content' appears in the Content Security Policy.");
+        reportViolation(ContentSecurityPolicyDirectiveNames::blockAllMixedContent, ContentSecurityPolicyDirectiveNames::blockAllMixedContent, *policy, url, consoleMessage.toString());
+
+        if (!isReportOnly)
+            allow = false;
+    }
+    return allow;
+}
+
 void ContentSecurityPolicy::didCreateWindowShell(JSDOMWindowShell& windowShell) const
 {
     JSDOMWindow* window = windowShell.window();
@@ -166,12 +191,7 @@ void ContentSecurityPolicy::didReceiveHeader(const String& header, ContentSecuri
 
         // header1,header2 OR header1
         //        ^                  ^
-        std::unique_ptr<ContentSecurityPolicyDirectiveList> policy = ContentSecurityPolicyDirectiveList::create(*this, String(begin, position - begin), type, policyFrom);
-        const ContentSecurityPolicyDirective* violatedDirective = policy->violatedDirectiveForUnsafeEval();
-        if (violatedDirective && !violatedDirective->directiveList().isReportOnly())
-            m_lastPolicyEvalDisabledErrorMessage = policy->evalDisabledErrorMessage();
-
-        m_policies.append(policy.release());
+        m_policies.append(ContentSecurityPolicyDirectiveList::create(*this, String(begin, position - begin), type, policyFrom));
 
         // Skip the comma, and begin the next header from the current position.
         ASSERT(position == end || *position == ',');
@@ -199,10 +219,21 @@ void ContentSecurityPolicy::applyPolicyToScriptExecutionContext()
     ASSERT(m_scriptExecutionContext->securityOrigin());
     updateSourceSelf(*m_scriptExecutionContext->securityOrigin());
 
+    bool enableStrictMixedContentMode = false;
+    for (auto& policy : m_policies) {
+        const ContentSecurityPolicyDirective* violatedDirective = policy->violatedDirectiveForUnsafeEval();
+        if (violatedDirective && !violatedDirective->directiveList().isReportOnly())
+            m_lastPolicyEvalDisabledErrorMessage = policy->evalDisabledErrorMessage();
+        if (policy->hasBlockAllMixedContentDirective() && !policy->isReportOnly())
+            enableStrictMixedContentMode = true;
+    }
+
     if (!m_lastPolicyEvalDisabledErrorMessage.isNull())
         m_scriptExecutionContext->disableEval(m_lastPolicyEvalDisabledErrorMessage);
     if (m_sandboxFlags != SandboxNone && is<Document>(m_scriptExecutionContext))
         m_scriptExecutionContext->enforceSandboxFlags(m_sandboxFlags);
+    if (enableStrictMixedContentMode)
+        m_scriptExecutionContext->setStrictMixedContentMode(true);
 }
 
 void ContentSecurityPolicy::setOverrideAllowInlineStyle(bool value)
@@ -569,11 +600,22 @@ static String stripURLForUseInReport(Document& document, const URL& url)
 void ContentSecurityPolicy::reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirective& effectiveViolatedDirective, const URL& blockedURL, const String& consoleMessage, JSC::ExecState* state) const
 {
     // FIXME: Extract source file and source position from JSC::ExecState.
-    return reportViolation(violatedDirective, effectiveViolatedDirective, blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
+    return reportViolation(violatedDirective, effectiveViolatedDirective.text(), effectiveViolatedDirective.directiveList(), blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
+}
+
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, JSC::ExecState* state) const
+{
+    // FIXME: Extract source file and source position from JSC::ExecState.
+    return reportViolation(effectiveViolatedDirective, violatedDirective, violatedDirectiveList, blockedURL, consoleMessage, String(), TextPosition(WTF::OrdinalNumber::beforeFirst(), WTF::OrdinalNumber::beforeFirst()), state);
 }
 
 void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::ExecState* state) const
 {
+    return reportViolation(effectiveViolatedDirective, violatedDirective.text(), violatedDirective.directiveList(), blockedURL, consoleMessage, sourceURL, sourcePosition, state);
+}
+
+void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::ExecState* state) const
+{
     logToConsole(consoleMessage, sourceURL, sourcePosition.m_line, state);
 
     if (!m_isReportingEnabled)
@@ -602,8 +644,8 @@ void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirec
         documentURI = blockedURL;
         blockedURI = blockedURL;
     }
-    String violatedDirectiveText = violatedDirective.text();
-    String originalPolicy = violatedDirective.directiveList().header();
+    String violatedDirectiveText = violatedDirective;
+    String originalPolicy = violatedDirectiveList.header();
     String referrer = document.referrer();
     ASSERT(document.loader());
     unsigned short statusCode = document.url().protocolIs("http") && document.loader() ? document.loader()->response().httpStatusCode() : 0;
@@ -625,7 +667,7 @@ void ContentSecurityPolicy::reportViolation(const String& effectiveViolatedDirec
     document.enqueueDocumentEvent(SecurityPolicyViolationEvent::create(eventNames().securitypolicyviolationEvent, canBubble, cancelable, documentURI, referrer, blockedURI, violatedDirectiveText, effectiveViolatedDirective, originalPolicy, sourceFile, statusCode, lineNumber, columnNumber));
 
     // 2. Send violation report (if applicable).
-    const Vector<String>& reportURIs = violatedDirective.directiveList().reportURIs();
+    const Vector<String>& reportURIs = violatedDirectiveList.reportURIs();
     if (reportURIs.isEmpty())
         return;
 
index e335c42..f6718a0 100644 (file)
@@ -118,6 +118,8 @@ public:
 
     bool experimentalFeaturesEnabled() const;
 
+    bool allowRunningOrDisplayingInsecureContent(const URL&);
+
     // The following functions are used by internal data structures to call back into this object when parsing, validating,
     // and applying a Content Security Policy.
     // FIXME: We should make the various directives serve only as state stores for the parsed policy and remove these functions.
@@ -193,8 +195,10 @@ private:
     using HashInEnforcedAndReportOnlyPoliciesPair = std::pair<bool, bool>;
     template<typename Predicate> HashInEnforcedAndReportOnlyPoliciesPair findHashOfContentInPolicies(Predicate&&, const String& content, OptionSet<ContentSecurityPolicyHashAlgorithm>) const WARN_UNUSED_RETURN;
 
-    void reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirective& effectiveViolatedDirective, const URL& blockedURL, const String& consoleMessage, JSC::ExecState*) const;
-    void reportViolation(const String& violatedDirective, const ContentSecurityPolicyDirective& effectiveViolatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::ExecState* = nullptr) const;
+    void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, JSC::ExecState*) const;
+    void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList&, const URL& blockedURL, const String& consoleMessage, JSC::ExecState* = nullptr) const;
+    void reportViolation(const String& effectiveViolatedDirective, const ContentSecurityPolicyDirective& violatedDirective, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::ExecState* = nullptr) const;
+    void reportViolation(const String& effectiveViolatedDirective, const String& violatedDirective, const ContentSecurityPolicyDirectiveList& violatedDirectiveList, const URL& blockedURL, const String& consoleMessage, const String& sourceURL, const TextPosition& sourcePosition, JSC::ExecState*) const;
     void reportBlockedScriptExecutionToInspector(const String& directiveText) const;
 
     // We can never have both a script execution context and a frame.
index 9777f83..79db7c2 100644 (file)
@@ -446,6 +446,15 @@ void ContentSecurityPolicyDirectiveList::setUpgradeInsecureRequests(const String
     m_policy.setUpgradeInsecureRequests(true);
 }
 
+void ContentSecurityPolicyDirectiveList::setBlockAllMixedContentEnabled(const String& name)
+{
+    if (m_hasBlockAllMixedContentDirective) {
+        m_policy.reportDuplicateDirective(name);
+        return;
+    }
+    m_hasBlockAllMixedContentDirective = true;
+}
+
 void ContentSecurityPolicyDirectiveList::addDirective(const String& name, const String& value)
 {
     ASSERT(!name.isEmpty());
@@ -494,6 +503,8 @@ void ContentSecurityPolicyDirectiveList::addDirective(const String& name, const
         parseReportURI(name, value);
     else if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::upgradeInsecureRequests))
         setUpgradeInsecureRequests(name);
+    else if (equalIgnoringASCIICase(name, ContentSecurityPolicyDirectiveNames::blockAllMixedContent))
+        setBlockAllMixedContentEnabled(name);
     else
         m_policy.reportUnsupportedDirective(name);
 }
index abfcca6..3adb22f 100644 (file)
@@ -71,6 +71,8 @@ public:
 
     const ContentSecurityPolicyDirective* defaultSrc() const { return m_defaultSrc.get(); }
 
+    bool hasBlockAllMixedContentDirective() const { return m_hasBlockAllMixedContentDirective; }
+
     const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
     bool isReportOnly() const { return m_reportOnly; }
     const Vector<String>& reportURIs() const { return m_reportURIs; }
@@ -87,6 +89,7 @@ private:
     void addDirective(const String& name, const String& value);
     void applySandboxPolicy(const String& name, const String& sandboxPolicy);
     void setUpgradeInsecureRequests(const String& name);
+    void setBlockAllMixedContentEnabled(const String& name);
 
     template <class CSPDirectiveType>
     void setCSPDirective(const String& name, const String& value, std::unique_ptr<CSPDirectiveType>&);
@@ -104,6 +107,7 @@ private:
     bool m_reportOnly { false };
     bool m_haveSandboxPolicy { false };
     bool m_upgradeInsecureRequests { false };
+    bool m_hasBlockAllMixedContentDirective { false };
 
     std::unique_ptr<ContentSecurityPolicyMediaListDirective> m_pluginTypes;
     std::unique_ptr<ContentSecurityPolicySourceListDirective> m_baseURI;
index d05864f..261f741 100644 (file)
@@ -47,6 +47,7 @@ const char* const sandbox = "sandbox";
 const char* const scriptSrc = "script-src";
 const char* const styleSrc = "style-src";
 const char* const upgradeInsecureRequests = "upgrade-insecure-requests";
+const char* const blockAllMixedContent = "block-all-mixed-content";
     
 } // namespace ContentSecurityPolicyDirectiveNames
 
index fc58795..f13f04a 100644 (file)
@@ -46,6 +46,7 @@ extern const char* const sandbox;
 extern const char* const scriptSrc;
 extern const char* const styleSrc;
 extern const char* const upgradeInsecureRequests;
+extern const char* const blockAllMixedContent;
 
 } // namespace ContentSecurityPolicyDirectiveNames
 
index f1c5b60..53aaccd 100644 (file)
@@ -92,6 +92,7 @@ Ref<Document> XSLTProcessor::createDocumentFromSource(const String& sourceString
             result->setSecurityOriginPolicy(oldDocument->securityOriginPolicy());
             result->setCookieURL(oldDocument->cookieURL());
             result->setFirstPartyForCookies(oldDocument->firstPartyForCookies());
+            result->setStrictMixedContentMode(oldDocument->isStrictMixedContentMode());
             result->contentSecurityPolicy()->copyStateFrom(oldDocument->contentSecurityPolicy());
         }