Isolated worlds should respect Content Security Policy; User Agent Shadow DOM
should be exempt from Content Security Policy
https://bugs.webkit.org/show_bug.cgi?id=144830
<rdar://problem/18860261>
Reviewed by Geoffrey Garen.
Source/WebCore:
Make scripts that run in an isolated world be subject to the Content Security Policy (CSP) of the page
and exempt features implemented using a user agent shadow DOM. As a side effect of this change,
Safari Content Extensions will respect the CSP policy of the page when loading subresources (e.g. an image).
Tests: http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-background.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-cursor.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-filter-on-image.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-webkit-image-set.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-embed-plugin.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-external-script.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-iframe.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image-after-redirect.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-style.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-stylesheet.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object-plugin.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-feimage-element.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-use-element.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-track.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/block-loading-user-agent-image-from-non-user-agent-content.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-allowed.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked2.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked3.html
http/tests/security/contentSecurityPolicy/userAgentShadowDOM/video-controls-allowed.html
http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp.html
* Modules/websockets/WebSocket.cpp:
(WebCore::WebSocket::connect): Pass shouldBypassMainWorldContentSecurityPolicy to ContentSecurityPolicy::allowConnectToSource().
* css/CSSCanvasValue.h:
(WebCore::CSSCanvasValue::loadSubimages): Modified to take argument ResourceLoaderOptions (unused).
* css/CSSCrossfadeValue.cpp:
(WebCore::CSSCrossfadeValue::fixedSize): Explicitly instantiate default ResourceLoaderOptions and pass
pass it when requesting a cached image. Added FIXME comment to skip Content Security Policy check when
the cross fade is applied to an element in a user agent shadow tree.
(WebCore::CSSCrossfadeValue::loadSubimages): Take a ResourceLoaderOptions as an argument and passes it
as appropriate.
(WebCore::CSSCrossfadeValue::image): Explicitly instantiate default ResourceLoaderOptions and pass it
when requesting a cached image. Added FIXME comment to skip Content Security Policy check when the cross
fade is applied to an element in a user agent shadow tree.
* css/CSSCrossfadeValue.h:
* css/CSSCursorImageValue.cpp:
(WebCore::CSSCursorImageValue::cachedImage): Take a ResourceLoaderOptions as an argument and passes it
as appropriate.
* css/CSSCursorImageValue.h:
* css/CSSFilterImageValue.cpp:
(WebCore::CSSFilterImageValue::fixedSize): Explicitly instantiate default ResourceLoaderOptions and pass
pass it when requesting a cached image. Added FIXME comment to skip Content Security Policy check when
the cross fade is applied to an element in a user agent shadow tree.
(WebCore::CSSFilterImageValue::loadSubimages): Take a ResourceLoaderOptions as an argument and passes it
as appropriate.
(WebCore::CSSFilterImageValue::loadSubimages): Explicitly instantiate default ResourceLoaderOptions and pass
pass it when requesting a cached image. Added FIXME comment to skip Content Security Policy check when
the cross fade is applied to an element in a user agent shadow tree.
(WebCore::CSSFilterImageValue::image):
* css/CSSFilterImageValue.h:
* css/CSSFontFaceSrcValue.cpp:
(WebCore::CSSFontFaceSrcValue::cachedFont): Take a boolean, isInitiatingElementInUserAgentShadowTree,
so as to determine the appropriate CSP imposition. In particular, we skip the CSP check when the initiating element
(e.g. SVG font-face element) is in a user agent shadow tree.
* css/CSSFontFaceSrcValue.h:
* css/CSSFontSelector.cpp:
(WebCore::CSSFontSelector::addFontFaceRule): Take a boolean, isInitiatingElementInUserAgentShadowTree, and passes
it as appropriate.
* css/CSSFontSelector.h:
* css/CSSGradientValue.h:
(WebCore::CSSGradientValue::loadSubimages): Take a ResourceLoaderOptions as an argument and passes it
as appropriate.
* css/CSSImageGeneratorValue.cpp:
(WebCore::CSSImageGeneratorValue::loadSubimages): Ditto.
(WebCore::CSSImageGeneratorValue::cachedImageForCSSValue): Ditto.
* css/CSSImageGeneratorValue.h:
* css/CSSImageSetValue.cpp:
(WebCore::CSSImageSetValue::cachedImageSet): Deleted.
* css/CSSImageSetValue.h:
* css/CSSImageValue.cpp:
(WebCore::CSSImageValue::cachedImage): Deleted.
* css/CSSImageValue.h:
* css/RuleSet.cpp:
(WebCore::RuleSet::addChildRules): Take a boolean, isInitiatingElementInUserAgentShadowTree, and passes
it as appropriate.
(WebCore::RuleSet::addRulesFromSheet): Added FIXME comment to skip Content Security Policy check when
when stylesheet is in a user agent shadow tree.
* css/RuleSet.h:
* css/StyleResolver.cpp:
(WebCore::StyleResolver::StyleResolver): Determine whether the SVG font-face element is in a user agent shadow tree
and pass the appropriate value when calling CSSFontSelector::addFontFaceRule(). Also, modernized code; used C++11 range
-based for-loop instead of const_iterator idiom.
(WebCore::StyleResolver::loadPendingSVGDocuments): Skip CSP check when requesting subresources as a byproduct of
resolving style for an element in a user agent shadow tree.
(WebCore::StyleResolver::loadPendingImage): Ditto.
(WebCore::StyleResolver::loadPendingShapeImage): Ditto.
* css/StyleRuleImport.cpp:
(WebCore::StyleRuleImport::requestStyleSheet): Added FIXME comment to skip Content Security Policy check when
when stylesheet is in a user agent shadow tree.
* dom/Element.h:
* dom/InlineStyleSheetOwner.cpp:
(WebCore::InlineStyleSheetOwner::createSheet): Skip CSP check for an inline <style> that is in a user agent shadow tree.
* dom/Node.cpp:
(WebCore::Node::isInUserAgentShadowTree): Added.
* dom/Node.h:
* dom/ScriptElement.cpp:
(WebCore::ScriptElement::requestScript): Skip CSP check for an external JavaScript script in a user agent shadow tree.
(WebCore::ScriptElement::executeScript): Skip CSP check for an inline JavaScript script that is in a user agent shadow tree.
* dom/StyledElement.cpp:
(WebCore::StyledElement::styleAttributeChanged): Skip CSP check when modifying the inline style of an element in a user
agent shadow tree.
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::isSafeToLoadURL): Skip CSP check for a <audio>, <video> in a user agent shadow tree.
(WebCore::HTMLMediaElement::outOfBandTrackSources): Ditto.
* html/HTMLTrackElement.cpp:
(WebCore::HTMLTrackElement::canLoadURL): Ditto.
* html/track/LoadableTextTrack.cpp:
(WebCore::LoadableTextTrack::loadTimerFired): Determine whether the <track> is in a user agent shadow tree
and pass the appropriate value when calling TextTrackLoader::load().
* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::startLoadingMainResource): Do CSP check when loading a resource by default.
* loader/ImageLoader.cpp:
(WebCore::ImageLoader::updateFromElement): Skip CSP check for an image that is in a user agent shadow tree.
* loader/MediaResourceLoader.cpp:
(WebCore::MediaResourceLoader::start): Instantiate ResourceLoaderOptions passing placeholder value ContentSecurityPolicyImposition::DoPolicyCheck.
This value does not affect the request because we do not check the Content Security Policy for raw resource requests.
* loader/NetscapePlugInStreamLoader.cpp:
(WebCore::NetscapePlugInStreamLoader::NetscapePlugInStreamLoader): Added FIXME comment to skip Content Security Policy check
when when associated plugin element is in a user agent shadow tree.
* loader/PolicyChecker.cpp:
(WebCore::PolicyChecker::checkNavigationPolicy): Skip CSP check for a <iframe> in a user agent shadow tree.
* loader/ResourceLoaderOptions.h: Defined enum class ContentSecurityPolicyImposition with explicit type uint8_t so
as to provide a hint to the compiler (for better packing) when it computes the memory layout for struct that
contains an instance of this class.
(WebCore::ResourceLoaderOptions::ResourceLoaderOptions): Added argument contentSecurityPolicyImposition.
(WebCore::ResourceLoaderOptions::contentSecurityPolicyImposition): Added.
(WebCore::ResourceLoaderOptions::setContentSecurityPolicyImposition): Added.
* loader/SubframeLoader.cpp:
(WebCore::SubframeLoader::pluginIsLoadable): Skip CSP check for a plugin element that is in a user agent shadow tree.
(WebCore::SubframeLoader::createJavaAppletWidget): Skip CSP check for an applet element that is in a user agent shadow tree.
* loader/TextTrackLoader.cpp:
(WebCore::TextTrackLoader::load): Take a boolean, isInitiatingElementInUserAgentShadowTree, and sets the appropriate
Content Security Policy imposition for the text track request.
* loader/TextTrackLoader.h:
* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestUserCSSStyleSheet): Skip CSP check for a user-specified stylesheet.
(WebCore::CachedResourceLoader::canRequest): Only check the CSP of the page if specified in the resource loader options for the request.
(WebCore::CachedResourceLoader::defaultCachedResourceOptions): Add ContentSecurityPolicyImposition::DoPolicyCheck to the default
resource loader options so that do check the CSP policy of the page before performing a resource request by default.
* loader/cache/CachedSVGDocumentReference.cpp:
(WebCore::CachedSVGDocumentReference::load): Take a ResourceLoaderOptions as an argument and passes it as appropriate.
* loader/cache/CachedSVGDocumentReference.h:
* loader/icon/IconLoader.cpp:
(WebCore::IconLoader::startLoading): Instantiate ResourceLoaderOptions passing placeholder value ContentSecurityPolicyImposition::DoPolicyCheck.
This value does not affect the request because we do not check the Content Security Policy for raw resource requests.
* page/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::allowJavaScriptURLs): Take an argument called overrideContentSecurityPolicy (defaults to false). When
overrideContentSecurityPolicy := true, this function unconditionally returns true.
(WebCore::ContentSecurityPolicy::allowInlineEventHandlers): Ditto.
(WebCore::ContentSecurityPolicy::allowInlineScript): Ditto.
(WebCore::ContentSecurityPolicy::allowInlineStyle): Ditto.
(WebCore::ContentSecurityPolicy::allowEval): Ditto.
(WebCore::ContentSecurityPolicy::allowPluginType): Ditto.
(WebCore::ContentSecurityPolicy::allowScriptFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowObjectFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowChildFrameFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowImageFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowStyleFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowFontFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowMediaFromSource): Ditto.
(WebCore::ContentSecurityPolicy::allowConnectToSource): Ditto.
(WebCore::ContentSecurityPolicy::allowFormAction): Ditto.
(WebCore::ContentSecurityPolicy::allowBaseURI): Ditto.
* page/ContentSecurityPolicy.h:
* page/DOMSecurityPolicy.cpp:
* page/EventSource.cpp:
(WebCore::EventSource::create): Pass shouldBypassMainWorldContentSecurityPolicy to ContentSecurityPolicy::allowConnectToSource().
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::startLoading): Instantiate ResourceLoaderOptions passing placeholder value ContentSecurityPolicyImposition::DoPolicyCheck.
This value does not affect the request because we do not check the Content Security Policy for raw resource requests.
* svg/SVGFEImageElement.cpp:
(WebCore::SVGFEImageElement::requestImageResource): Skip CSP check for a SVG FEImage element in a user agent shadow tree.
* svg/SVGFontFaceUriElement.cpp:
(WebCore::SVGFontFaceUriElement::loadFont): Skip CSP check for a SVG font-face-uri element in a user agent shadow tree.
* svg/SVGUseElement.cpp:
(WebCore::SVGUseElement::updateExternalDocument): Skip CSP check for a SVG use element in a user agent shadow tree.
* testing/Internals.cpp:
(WebCore::Internals::ensureUserAgentShadowRoot): Added.
* testing/Internals.h:
* testing/Internals.idl: Added declaration for ensureUserAgentShadowRoot().
* xml/XMLHttpRequest.cpp:
(WebCore::XMLHttpRequest::open): Pass shouldBypassMainWorldContentSecurityPolicy to ContentSecurityPolicy::allowConnectToSource().
LayoutTests:
Add tests to ensure that we exempt nodes in a user agent shadow tree from the Content Security Policy (CSP) of the page.
Updated test LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html to ensure that
we do not bypass the CSP of the page for a script that executes in an isolated world and renamed the
file image-load-should-not-bypass-main-world-csp.html.
* http/tests/security/contentSecurityPolicy/resources/alert-pass-and-notify-done.js: Added.
* http/tests/security/contentSecurityPolicy/resources/wait-until-done.js: Added.
(alertAndDone):
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-audio.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-background-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-background.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-cursor-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-cursor.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-filter-on-image-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-filter-on-image.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-webkit-image-set-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-css-webkit-image-set.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-embed-plugin-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-embed-plugin.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-external-script-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-external-script.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-iframe-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-iframe.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image-after-redirect-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image-after-redirect.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-image.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-script.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-style-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-style.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-stylesheet-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-inline-stylesheet.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object-plugin-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object-plugin.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-object.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-feimage-element-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-feimage-element.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-font.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-use-element-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-svg-use-element.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-track-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-track.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/allow-video.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/block-loading-user-agent-image-from-non-user-agent-content-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/block-loading-user-agent-image-from-non-user-agent-content.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-allowed.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked2-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked2.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked3-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/default-src-object-data-url-blocked3.html: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/ABCFont.svg: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/allow-inline-script.js: Added.
(window.onload):
(testPassed):
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/resources/floodGreenFilter.svg: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/video-controls-allowed-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/userAgentShadowDOM/video-controls-allowed.html: Added.
* http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp-expected.txt: Renamed from LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt.
* http/tests/security/isolatedWorld/image-load-should-not-bypass-main-world-csp.html: Renamed from LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@186388 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/dom/ScriptElement.cpp b/Source/WebCore/dom/ScriptElement.cpp
index cb2690c..66bbece 100644
--- a/Source/WebCore/dom/ScriptElement.cpp
+++ b/Source/WebCore/dom/ScriptElement.cpp
@@ -255,7 +255,10 @@
ASSERT(!m_cachedScript);
if (!stripLeadingAndTrailingHTMLSpaces(sourceUrl).isEmpty()) {
- CachedResourceRequest request(ResourceRequest(m_element.document().completeURL(sourceUrl)));
+ ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
+ options.setContentSecurityPolicyImposition(m_element.isInUserAgentShadowTree() ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck);
+
+ CachedResourceRequest request(ResourceRequest(m_element.document().completeURL(sourceUrl)), options);
String crossOriginMode = m_element.fastGetAttribute(HTMLNames::crossoriginAttr);
if (!crossOriginMode.isNull()) {
@@ -285,7 +288,7 @@
if (sourceCode.isEmpty())
return;
- if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber))
+ if (!m_isExternalScript && !m_element.document().contentSecurityPolicy()->allowInlineScript(m_element.document().url(), m_startLineNumber, m_element.isInUserAgentShadowTree()))
return;
#if ENABLE(NOSNIFF)
