CSP: Perform case sensitive match against path portion of source expression URL that ends in '/'
https://bugs.webkit.org/show_bug.cgi?id=157275

Reviewed by Darin Adler.

Source/WebCore:

Merged from Blink:
<https://chromium.googlesource.com/chromium/src/+/7bd0a75e3f71a10e71ded31ea5905d5ee3d992eb>

Perform a case-sensitive prefix match of the path portion of a source expression that ends in '/'
against the path portion of a request URL as per step 8.5.4 of section Does url match expression
in origin with redirect count of the Content Security Policy Level 3 spec, <https://w3c.github.io/webappsec-csp>
(Editor's Draft, 27 April 2016).

* page/csp/ContentSecurityPolicySource.cpp:
(WebCore::ContentSecurityPolicySource::pathMatches):

LayoutTests:

Add test to ensure that the path portion of a request URL is case-sensitively
matched against the path portion of a source expression that ends in '/'.

* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt:
* http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@200445 268f45cc-cd09-0410-ab3c-d52691b4dbfc
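The path-matching rule the change log describes, written out as an added example (not WebKit's code) so the rows of source-list-parsing-paths-01.html can be replayed outside the browser. It assumes the test document lives at http://127.0.0.1:8000/security/contentSecurityPolicy/source-list-parsing-paths-01.html when resolving the relative request URLs, and it percent-decodes the source-expression path as well as the request path (the hunk only shows the request path being decoded). The `caseSensitive: false` option exists only to reproduce the pre-fix behaviour for comparison; the rows that use the test's `security`/`resources` variables are replaced by one explicit lower-case row, labelled constructed.

```javascript
// Added example, not WebKit code: CSP source-expression path matching as
// described in the change log, plus a replay of the layout-test table.

// Path portion of a source expression such as "127.0.0.1:*/sec/" or
// "https://example.com/js/". Empty string when the expression has no path.
function sourceExpressionPath(expr) {
  const hostStart = expr.includes('://') ? expr.indexOf('://') + 3 : 0;
  const slash = expr.indexOf('/', hostStart);
  return slash === -1 ? '' : expr.slice(slash);
}

// Does the path of requestUrl match sourcePath?  A source path ending in '/'
// is a prefix match, anything else an exact match, both case-sensitive after
// percent-decoding.  caseSensitive=false models the pre-fix startsWith(m_path, false).
function pathMatches(sourcePath, requestUrl, { caseSensitive = true } = {}) {
  if (sourcePath === '') return true;              // no path in the expression: any path matches
  let requestPath, expected;
  try {
    requestPath = decodeURIComponent(new URL(requestUrl).pathname);
    expected = decodeURIComponent(sourcePath);     // assumption: source path is decoded too
  } catch (e) {
    return false;                                  // malformed URL or escape: fail closed
  }
  if (!caseSensitive) {
    requestPath = requestPath.toLowerCase();
    expected = expected.toLowerCase();
  }
  return expected.endsWith('/') ? requestPath.startsWith(expected) : requestPath === expected;
}

// Constructed replay of the layout test's rows. Relative request URLs are
// resolved against the assumed location of the test document.
const DOCUMENT_URL =
  'http://127.0.0.1:8000/security/contentSecurityPolicy/source-list-parsing-paths-01.html';
const CASES = [
  ['no',  'script-src 127.0.0.1:*/sec/', 'resources/script.js'],
  ['no',  'script-src 127.0.0.1:8000/not-security', 'resources/script.js'],
  ['no',  'script-src 127.0.0.1:8000/security%3bnot-contentSecurityPolicy', 'resources/script.js'],
  ['no',  'script-src 127.0.0.1:8000/security/contentSecurityPolicy/resources/',
          'http://127.0.0.1:8000/security/contentSecurityPolicy/RESOURCES/script.js'],
  // Constructed positive control: same directive, request path in matching case.
  ['yes', 'script-src 127.0.0.1:8000/security/contentSecurityPolicy/resources/', 'resources/script.js'],
];

// Rows whose outcome disagrees with the expected column; [] when every row agrees.
function disagreements(options = {}) {
  return CASES.filter(([expected, directive, url]) => {
    const expr = directive.split(/\s+/)[1];        // drop the directive name
    const absolute = new URL(url, DOCUMENT_URL).href;
    const allowed = pathMatches(sourceExpressionPath(expr), absolute, options);
    return allowed !== (expected === 'yes');
  });
}
```

With case-sensitive matching every row agrees with the test's expectation; with the pre-fix case-insensitive comparison the `RESOURCES` row is wrongly allowed, which is exactly the row this change adds.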
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index ce7f368..10584e5 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2016-05-04  Daniel Bates  <dabates@apple.com>
+
+        CSP: Perform case sensitive match against path portion of source expression URL that ends in '/'
+        https://bugs.webkit.org/show_bug.cgi?id=157275
+
+        Reviewed by Darin Adler.
+
+        Add test to ensure that the path portion of a request URL is case-sensitively
+        matched against the path portion of a source expression that ends in '/'.
+
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt:
+        * http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html:
+
 2016-05-04  Aaron Chu  <aaron_chu@apple.com>
 
         AX: Nonfunctional controls appear before every HTML5 video when using VoiceOver
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt b/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt
index b04d8cf..7f3bfc0 100644
--- a/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt
+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01-expected.txt
@@ -2,6 +2,7 @@
 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
 CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js because it does not appear in the script-src directive of the Content Security Policy.
+CONSOLE MESSAGE: Refused to load http://127.0.0.1:8000/security/contentSecurityPolicy/RESOURCES/script.js because it does not appear in the script-src directive of the Content Security Policy.
 Resources should be rejected unless they match a whitelisted path.
 
 
@@ -40,3 +41,8 @@
 Frame: '<!--framePath //<!--frame6-->-->'
 --------
 PASS
+
+--------
+Frame: '<!--framePath //<!--frame7-->-->'
+--------
+PASS
diff --git a/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html b/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html
index a8459d3c..a3b6bbe 100644
--- a/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html
+++ b/LayoutTests/http/tests/security/contentSecurityPolicy/source-list-parsing-paths-01.html
@@ -10,6 +10,7 @@
     ['no', 'script-src 127.0.0.1:*/sec/', 'resources/script.js'],
     ['no', 'script-src 127.0.0.1:8000/not-security', 'resources/script.js'],
     ['no', 'script-src 127.0.0.1:8000/security%3bnot-contentSecurityPolicy', 'resources/script.js'],
+    ['no', 'script-src 127.0.0.1:8000/security/contentSecurityPolicy/resources/', 'http://127.0.0.1:8000/security/contentSecurityPolicy/RESOURCES/script.js'],
     ['yes', 'script-src 127.0.0.1:*/' + security + '/', 'resources/script.js'],
     ['yes', 'script-src 127.0.0.1:*/security/', resources + '/script.js'],
     ['yes', 'script-src 127.0.0.1:*/' + security + '/', resources + '/script.js'],
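Review bot: the new row at the fourth line of this hunk is the only one in the table that passes an absolute request URL and hard-codes port 8000 in the source expression, while its neighbours use 127.0.0.1:* and relative paths; consider a companion 'yes' row with the identical directive and a lower-case request URL, so the table shows the refusal is caused by the case difference rather than by the absolute URL or the port. The case variation is also confined to the directory segment (RESOURCES); a row that upper-cases only the file name (script.js vs SCRIPT.JS) would cover the exact-match branch of pathMatches as well.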
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 2e604c1..ae90247 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2016-05-04  Daniel Bates  <dabates@apple.com>
+
+        CSP: Perform case sensitive match against path portion of source expression URL that ends in '/'
+        https://bugs.webkit.org/show_bug.cgi?id=157275
+
+        Reviewed by Darin Adler.
+
+        Merged from Blink:
+        <https://chromium.googlesource.com/chromium/src/+/7bd0a75e3f71a10e71ded31ea5905d5ee3d992eb>
+
+        Perform a case-sensitive prefix match of the path portion a source expression that ends in '/'
+        against the path portion of a request URL as per step 8.5.4 of section Does url match expression
+        in origin with redirect count of the Content Security Policy Level 3 spec., <https://w3c.github.io/webappsec-csp>
+        (Editor's Draft, 27 April 2016).
+
+        * page/csp/ContentSecurityPolicySource.cpp:
+        (WebCore::ContentSecurityPolicySource::pathMatches):
+
 2016-05-04  Aaron Chu  <aaron_chu@apple.com>
 
         AX: Nonfunctional controls appear before every HTML5 video when using VoiceOver
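Review bot: the ChangeLog entry reads "the path portion a source expression that ends in '/'" and is missing the word "of"; suggest "the path portion of a source expression that ends in '/'" so it matches the wording of the bug title.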
diff --git a/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp b/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp
index 5d5b166..ef91b26 100644
--- a/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp
+++ b/Source/WebCore/page/csp/ContentSecurityPolicySource.cpp
@@ -76,7 +76,7 @@
     String path = decodeURLEscapeSequences(url.path());
 
     if (m_path.endsWith("/"))
-        return path.startsWith(m_path, false);
+        return path.startsWith(m_path);
 
     return path == m_path;
 }
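Review bot: dropping the `false` (case-insensitive) argument from `path.startsWith(m_path)` makes the prefix branch consistent with the exact-match branch `return path == m_path;`, which was already case-sensitive, so the two branches now apply the same comparison. Two things worth confirming: the request path is percent-decoded by `decodeURLEscapeSequences(url.path())` just above, but nothing in this hunk shows whether m_path is stored decoded, so an escaped character in the source expression would never match its decoded counterpart unless the parser decodes it too; and a one-line comment citing the spec step named in the ChangeLog (8.5.4 of "Does url match expression in origin with redirect count") next to the `endsWith("/")` test would tell the next reader why the trailing slash selects prefix matching.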