Implement the canonical "Content-Security-Policy" header.
https://bugs.webkit.org/show_bug.cgi?id=96765
Reviewed by Adam Barth.
Source/WebCore:
The CSP 1.0 specification defines the "Content-Security-Policy" header
as the canonical mechanism of defining a resource's security policy. Up
through this patch, we've implemented the functionality behind a prefix
in order to ensure compatibility with the standard once it's released as
a recommendation. Both the specification and WebKit's implementation are
far enough along in that process that it makes sense to support the
unprefixed header for sites that wish to opt-in to CSP 1.0.
As discussed on public-webappsec[1], we'll keep the experimental 1.1
features behind the prefixed header ('X-WebKit-CSP') until that standard
is far enough along to justify moving them out to the canonical header.
This patch defines the 'Content-Security-Policy' header for all ports,
just as the 'X-WebKit-CSP' header is currently supported on all ports.
Ports that have not opted-in to the CSP_NEXT flag will see exactly the
same behavior with both headers. Ports that have opted-in will see much
of CSP 1.1's current definition on the prefixed header, and CSP 1.0 on
the canonical header.
The functionality in this change is covered by the changes made to
existing tests. No expectations changed, only the headers that are sent.
* dom/Document.cpp:
(WebCore::Document::processHttpEquiv):
Add canonical header support to 'meta' element definitions.
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::didBeginDocument):
Add canonical header support to FrameLoader.
* page/ContentSecurityPolicy.cpp:
(WebCore::CSPDirectiveList::headerType):
The ContentSecurityPolicy::HeaderType enum now has four values:
prefixed/report-only, unprefixed/report-only, prefixed/enforce, and
unprefixed/enforce. Instead of creating logic to output the proper
type based on internal flags, CSPDirectiveList now saves the value
provided at creation time, and returns it via this method.
(CSPDirectiveList):
(WebCore::CSPDirectiveList::CSPDirectiveList):
The constructor now accepts a type, which is stored on the object.
It also stores a new internal variable, 'm_experimental', which
defines whether or not experimental features ought to be available.
These features are still locked behind the CSP_NEXT flag, but that
might not be the case forever.
(WebCore::CSPDirectiveList::create):
The static constructor wrapper now passes the type into the real
constructor, which also now handles setting its internal variables.
(WebCore::CSPDirectiveList::parse):
'parse()' is given the header, so it makes sense to store it here as
well, rather than in the create wrapper.
(WebCore::CSPDirectiveList::addDirective):
1.1 directives remain locked behind CSP_NEXT, but now also require
that 'm_experimental' is set, signaling usage of the prefixed header
and an implicit opt-in to 1.1.
* page/ContentSecurityPolicy.h:
Added two new types to the HeaderTypes enum: PrefixedReportOnly, and
PrefixedEnforcePolicy. These map to 'X-WebKit-CSP-Report-Only' and
'X-WebKit-CSP', respectively.
LayoutTests:
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-invalid.html:
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-01.html:
* http/tests/security/contentSecurityPolicy/1.1/plugintypes-url-02.html:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-scriptsrc-blocked.html:
* http/tests/security/contentSecurityPolicy/1.1/scriptnonce-separators-allowed.html:
Updating these 1.1 tests along with the multiple-iframe-*.js test
"framework" to ensure that the experimental prefixed header is sent.
* http/tests/security/contentSecurityPolicy/blob-urls-match-self.html:
* http/tests/security/contentSecurityPolicy/combine-multiple-policies.html:
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-allowed.html:
* http/tests/security/contentSecurityPolicy/connect-src-eventsource-blocked.html:
* http/tests/security/contentSecurityPolicy/connect-src-websocket-allowed.html:
* http/tests/security/contentSecurityPolicy/connect-src-websocket-blocked.html:
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-allowed.html:
* http/tests/security/contentSecurityPolicy/connect-src-xmlhttprequest-blocked.html:
* http/tests/security/contentSecurityPolicy/default-src-inline-allowed.html:
* http/tests/security/contentSecurityPolicy/default-src-inline-blocked.html:
* http/tests/security/contentSecurityPolicy/duplicate-directive.html:
* http/tests/security/contentSecurityPolicy/eval-allowed.html:
* http/tests/security/contentSecurityPolicy/eval-blocked-in-about-blank-iframe.html:
* http/tests/security/contentSecurityPolicy/eval-blocked.html:
* http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-allowed.html:
* http/tests/security/contentSecurityPolicy/eval-scripts-setInterval-blocked.html:
* http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-allowed.html:
* http/tests/security/contentSecurityPolicy/eval-scripts-setTimeout-blocked.html:
* http/tests/security/contentSecurityPolicy/filesystem-urls-match-self.html:
* http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-default.html:
* http/tests/security/contentSecurityPolicy/frame-src-about-blank-allowed-by-scheme.html:
* http/tests/security/contentSecurityPolicy/frame-src-allowed.html:
* http/tests/security/contentSecurityPolicy/frame-src-blocked.html:
* http/tests/security/contentSecurityPolicy/function-constructor-allowed.html:
* http/tests/security/contentSecurityPolicy/function-constructor-blocked.html:
* http/tests/security/contentSecurityPolicy/iframe-inside-csp.html:
* http/tests/security/contentSecurityPolicy/image-allowed.html:
* http/tests/security/contentSecurityPolicy/image-blocked.html:
* http/tests/security/contentSecurityPolicy/image-full-host-wildcard-allowed.html:
* http/tests/security/contentSecurityPolicy/image-host-wildcard-allowed.html:
* http/tests/security/contentSecurityPolicy/injected-inline-script-allowed.html:
* http/tests/security/contentSecurityPolicy/injected-inline-script-blocked.html:
* http/tests/security/contentSecurityPolicy/injected-inline-style-allowed.html:
* http/tests/security/contentSecurityPolicy/injected-inline-style-blocked.html:
* http/tests/security/contentSecurityPolicy/inline-script-allowed.html:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-goofy.html:
* http/tests/security/contentSecurityPolicy/inline-script-blocked-javascript-url.html:
* http/tests/security/contentSecurityPolicy/inline-script-blocked.html:
* http/tests/security/contentSecurityPolicy/inline-style-allowed.html:
* http/tests/security/contentSecurityPolicy/inline-style-attribute-allowed.html:
* http/tests/security/contentSecurityPolicy/inline-style-attribute-blocked.html:
* http/tests/security/contentSecurityPolicy/inline-style-attribute-on-html.html:
* http/tests/security/contentSecurityPolicy/inline-style-blocked.html:
* http/tests/security/contentSecurityPolicy/media-src-allowed.html:
* http/tests/security/contentSecurityPolicy/media-src-blocked.html:
* http/tests/security/contentSecurityPolicy/object-src-no-url-allowed.html:
* http/tests/security/contentSecurityPolicy/object-src-no-url-blocked.html:
* http/tests/security/contentSecurityPolicy/object-src-url-allowed.html:
* http/tests/security/contentSecurityPolicy/object-src-url-blocked.html:
* http/tests/security/contentSecurityPolicy/policy-does-not-affect-child.html:
* http/tests/security/contentSecurityPolicy/register-bypassing-scheme.html:
* http/tests/security/contentSecurityPolicy/report-and-enforce.html:
* http/tests/security/contentSecurityPolicy/report-blocked-uri-cross-origin.html:
* http/tests/security/contentSecurityPolicy/report-blocked-uri.html:
* http/tests/security/contentSecurityPolicy/report-only-from-header.php:
* http/tests/security/contentSecurityPolicy/report-only.html:
* http/tests/security/contentSecurityPolicy/report-uri.html:
* http/tests/security/contentSecurityPolicy/resources/echo-iframe.pl:
* http/tests/security/contentSecurityPolicy/resources/echo-multiple-headers.pl:
s/X-WebKit-CSP/Content-Security-Policy/g
* http/tests/security/contentSecurityPolicy/resources/echo-object-data.pl:
* http/tests/security/contentSecurityPolicy/resources/echo-script-src.pl:
Reworking these two scripts in order to support sending both
the experimental header and the canonical header, as required.
* http/tests/security/contentSecurityPolicy/resources/event-handler.pl:
* http/tests/security/contentSecurityPolicy/resources/generate-csp-report.html:
* http/tests/security/contentSecurityPolicy/resources/javascript-url.pl:
* http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html:
s/X-WebKit-CSP/Content-Security-Policy/g
* http/tests/security/contentSecurityPolicy/resources/multiple-iframe-plugin-test.js:
(testExperimentalPolicy):
(test):
(testImpl.iframe.onload):
(testImpl):
* http/tests/security/contentSecurityPolicy/resources/multiple-iframe-test.js:
(testPreescapedPolicy):
(testExperimentalPolicy):
(test):
(testImpl.iframe.onload):
(testImpl):
Reworking these two "frameworks" in order to support sending both
the experimental header and the canonical header, as required.
* http/tests/security/contentSecurityPolicy/resources/sandbox.php:
* http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php:
* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-subframe.html:
* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts.html:
* http/tests/security/contentSecurityPolicy/sandbox-empty-subframe.html:
* http/tests/security/contentSecurityPolicy/sandbox-empty.html:
* http/tests/security/contentSecurityPolicy/script-src-overrides-default-src.html:
* http/tests/security/contentSecurityPolicy/shared-worker-connect-src-allowed.html:
* http/tests/security/contentSecurityPolicy/shared-worker-connect-src-blocked.html:
* http/tests/security/contentSecurityPolicy/source-list-parsing-malformed-meta.html:
* http/tests/security/contentSecurityPolicy/srcdoc-doesnt-bypass-script-src.html:
* http/tests/security/contentSecurityPolicy/style-allowed.html:
* http/tests/security/contentSecurityPolicy/style-blocked.html:
* http/tests/security/contentSecurityPolicy/worker-connect-src-allowed.html:
* http/tests/security/contentSecurityPolicy/worker-connect-src-blocked.html:
* http/tests/security/contentSecurityPolicy/worker-eval-blocked.html:
* http/tests/security/contentSecurityPolicy/worker-function-function-blocked.html:
* http/tests/security/contentSecurityPolicy/worker-script-src.html:
* http/tests/security/contentSecurityPolicy/worker-set-timeout-blocked.html:
* http/tests/security/contentSecurityPolicy/xsl-allowed.php:
* http/tests/security/contentSecurityPolicy/xsl-blocked.php:
* http/tests/security/contentSecurityPolicy/xsl-img-blocked.php:
* http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-1.php:
* http/tests/security/contentSecurityPolicy/xsl-unaffected-by-style-src-2.php:
s/X-WebKit-CSP/Content-Security-Policy/g
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@133095 268f45cc-cd09-0410-ab3c-d52691b4dbfc
105 files changed
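The header-type split described above (canonical vs. prefixed, report-only vs. enforce, with the 1.1 directives honoured only on the prefixed header) can be modelled in a few dozen lines. The following is an added example, not WebKit's CSPDirectiveList or any code from this commit: the enum names follow the commit message, but the directive sets, the parsing details and the function names (headerTypeFromName, parsePolicy, DirectiveList) are this example's own assumptions, chosen to show why the same policy string yields different behaviour depending on which header carried it.

```cpp
#include <algorithm>
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <set>
#include <sstream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Illustrative model only: not WebKit's CSPDirectiveList. The enum mirrors the
// four header types named in the commit; everything else is assumed here.
enum class HeaderType { ReportOnly, EnforcePolicy, PrefixedReportOnly, PrefixedEnforcePolicy };

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    size_t b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Header names are case-insensitive; returns false for anything that is not
// one of the four CSP headers.
bool headerTypeFromName(const std::string& name, HeaderType& out) {
    std::string n = toLower(name);
    if (n == "content-security-policy")             { out = HeaderType::EnforcePolicy;         return true; }
    if (n == "content-security-policy-report-only") { out = HeaderType::ReportOnly;            return true; }
    if (n == "x-webkit-csp")                        { out = HeaderType::PrefixedEnforcePolicy; return true; }
    if (n == "x-webkit-csp-report-only")            { out = HeaderType::PrefixedReportOnly;    return true; }
    return false;
}

bool isReportOnly(HeaderType t) {
    return t == HeaderType::ReportOnly || t == HeaderType::PrefixedReportOnly;
}

bool isPrefixed(HeaderType t) {
    return t == HeaderType::PrefixedReportOnly || t == HeaderType::PrefixedEnforcePolicy;
}

// Directive sets assumed for this example: the CSP 1.0 directives, and the two
// 1.1 directives the commit's layout tests exercise (script-nonce, plugin-types).
static const std::set<std::string> kCsp10Directives = {
    "default-src", "script-src", "object-src", "style-src", "img-src", "media-src",
    "frame-src", "font-src", "connect-src", "sandbox", "report-uri" };
static const std::set<std::string> kCsp11Directives = { "script-nonce", "plugin-types" };

struct DirectiveList {
    HeaderType type;
    bool experimental;     // set only for the prefixed headers (the commit's m_experimental)
    std::string header;    // raw policy text, kept for reporting
    std::vector<std::pair<std::string, std::string>> directives; // accepted (name, value)
    std::vector<std::string> rejected;                           // 1.1-only or unknown names dropped
};

// Parse one policy delivered on the named header. A 1.1 directive is accepted
// only when the policy arrived on a prefixed header; on the canonical header it
// is dropped, which is what "CSP 1.0 on the canonical header" amounts to.
DirectiveList parsePolicy(const std::string& headerName, const std::string& value) {
    DirectiveList list;
    if (!headerTypeFromName(headerName, list.type))
        throw std::invalid_argument("not a CSP header: " + headerName);
    list.experimental = isPrefixed(list.type);
    list.header = value;

    std::istringstream in(value);
    std::string token;
    while (std::getline(in, token, ';')) {          // directives are ';'-separated
        token = trim(token);
        if (token.empty()) continue;
        size_t sp = token.find_first_of(" \t");
        std::string name = toLower(token.substr(0, sp));
        std::string val = (sp == std::string::npos) ? "" : trim(token.substr(sp));
        if (kCsp10Directives.count(name) || (list.experimental && kCsp11Directives.count(name)))
            list.directives.emplace_back(name, val);
        else
            list.rejected.push_back(name);
    }
    return list;
}

int main() {
    // Constructed sample policy mixing a 1.0 directive with two 1.1 directives.
    const std::string policy = "script-src 'self'; script-nonce abc123; plugin-types application/pdf";
    for (const char* h : {"Content-Security-Policy", "X-WebKit-CSP", "X-WebKit-CSP-Report-Only"}) {
        DirectiveList l = parsePolicy(h, policy);
        std::cout << h << ": accepted=" << l.directives.size()
                  << " rejected=" << l.rejected.size()
                  << (isReportOnly(l.type) ? " (report-only)" : " (enforce)") << '\n';
    }
    return 0;
}
```

Run stand-alone, the same policy string is reduced to the single CSP 1.0 directive on Content-Security-Policy, while X-WebKit-CSP keeps all three; a site that wants the 1.1 features on this WebKit build therefore has to send the prefixed header alongside the canonical one, exactly the dual-header arrangement the reworked test scripts above produce.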