Source/WebCore/ChangeLog

 12013-04-09 Geoffrey Garen <ggaren@apple.com>
 2
 3 [JSC] Script run from an isolated world should bypass a page's CSP
 4 https://bugs.webkit.org/show_bug.cgi?id=100815
 5
 6 Reviewed by NOBODY (OOPS!).
 7
 8 No new tests (OOPS!).
 9
 10 * bindings/js/ScriptController.cpp:
 11 (WebCore::ScriptController::shouldBypassMainWorldContentSecurityPolicy):
 12 * bindings/js/ScriptController.h: Test the current caller's DOM wrapper
 13 world to decide whether CSP should be enforced.
 14
 15 Like most of CSP, this is a stupid policy because it doesn't address
 16 second-order effects like <script> parsing or event handler execution,
 17 which might be triggered indirectly by privileged scripts. These indirect
 18 effects are still broken. Oh well.
 19
1202013-04-09 Benjamin Poulain <bpoulain@apple.com>
221
322 Remove chromium exceptions from WebCore's gitattributes
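Review bot: the WebCore ChangeLog still carries the "Reviewed by NOBODY (OOPS!)" and "No new tests (OOPS!)" placeholders, yet the LayoutTests ChangeLog in this same patch says two tests were enabled; replace "No new tests (OOPS!)" with a pointer to http/tests/security/isolatedWorld/bypass-main-world-csp.html and bypass-main-world-csp-for-xhr.html so the WebCore entry records its coverage. The paragraph about second-order effects (script parsing and event handler execution triggered indirectly by privileged scripts still being subject to the page's CSP) is a caveat that belongs as a FIXME next to shouldBypassMainWorldContentSecurityPolicy() in the code, where the next person to touch the check will see it, not only in the ChangeLog.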
148074

Source/WebCore/bindings/js/ScriptController.cpp

@@ScriptValue ScriptController::executeScr
471471 return evaluateInWorld(sourceCode, world);
472472}
473473
 474bool ScriptController::shouldBypassMainWorldContentSecurityPolicy()
 475{
 476 CallFrame* callFrame = JSDOMWindow::commonJSGlobalData()->topCallFrame;
 477 if (!callFrame || callFrame == CallFrame::noCaller())
 478 return false;
 479 DOMWrapperWorld* domWrapperWorld = currentWorld(callFrame);
 480 if (domWrapperWorld->isNormal())
 481 return false;
 482 return true;
 483}
 484
474485} // namespace WebCore
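Review bot: shouldBypassMainWorldContentSecurityPolicy() reads JSDOMWindow::commonJSGlobalData()->topCallFrame and never touches ScriptController state, so it answers "does the JS caller currently on the stack live in an isolated world", not "does this frame's script"; either make it static or add a comment stating that the decision is about the caller on the JS stack, because when no JS is executing (the !callFrame / CallFrame::noCaller() case) it returns false and any load issued from that context is always CSP-checked. The last four lines can also collapse to a single expression: `return !currentWorld(callFrame)->isNormal();`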
147962

Source/WebCore/bindings/js/ScriptController.h

@@public:
163163 NPObject* windowScriptNPObject();
164164#endif
165165
166  // FIXME: Script run from an isolated world should bypass a page's CSP. http://webkit.org/b/100815
167  bool shouldBypassMainWorldContentSecurityPolicy() { return false; }
 166 bool shouldBypassMainWorldContentSecurityPolicy();
168167
169168private:
170169 JSDOMWindowShell* initScript(DOMWrapperWorld* world);
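Review bot: the header drops the FIXME and the inline `{ return false; }` stub but adds no documentation of the new behaviour; a one-line comment above `bool shouldBypassMainWorldContentSecurityPolicy();` saying it returns true only when the JS caller on the current call stack belongs to a non-normal DOMWrapperWorld would save readers a trip to the .cpp. If the function stays independent of instance state, declare it static here as well.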
147962

LayoutTests/ChangeLog

 12013-04-09 Geoffrey Garen <ggaren@apple.com>
 2
 3 [JSC] Script run from an isolated world should bypass a page's CSP
 4 https://bugs.webkit.org/show_bug.cgi?id=100815
 5
 6 Reviewed by NOBODY (OOPS!).
 7
 8 Enabled these tests, now that they pass.
 9
 10 I removed all the nonsense in these tests about setting an isolated world's
 11 CSP and origin manually, since we have no use for those features.
 12
 13 * http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt:
 14 * http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt:
 15 * http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html:
 16 * http/tests/security/isolatedWorld/bypass-main-world-csp.html:
 17 * platform/efl/TestExpectations:
 18 * platform/mac/TestExpectations:
 19 * platform/qt/TestExpectations:
 20 * platform/win/TestExpectations:
 21
1222013-04-09 Adam Klein <adamk@chromium.org>
223
324 Update Document's event listener type bitfield when adopting a Node
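Review bot: "Enabled these tests, now that they pass" understates the change; besides removing the setIsolatedWorldSecurityOrigin/setIsolatedWorldContentSecurityPolicy setup, the patch deletes test steps, including the final "XHR from main world is not affected by the isolated world origin or CSP" case and the trailing main-world image load in bypass-main-world-csp.html. The ChangeLog should state that those negative checks were removed, or better, the tests should keep one main-world check after the isolated-world run so a bypass that leaks back into the normal world would be caught.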

LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-expected.txt

11CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
22
33ALERT: BLOCKED in main world
4 CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
5 
6 ALERT: BLOCKED in isolated world
7 ALERT: Starting to bypass main world's CSP:
84ALERT: LOADED in isolated world
9 CONSOLE MESSAGE: Refused to load the image 'http://127.0.0.1:8000/security/resources/abe.png' because it violates the following Content Security Policy directive: "img-src 'none'".
10 
11 ALERT: BLOCKED in main world
12 This test ensures that scripts run in isolated worlds marked with their own Content Security Policy aren't affected by the page's content security policy. Extensions, for example, should be able to load any resource they like.
 5This test ensures that scripts run in isolated worlds aren't affected by the page's content security policy. Extensions, for example, should be able to load any resource they like.
136
147

LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr-expected.txt

11CONSOLE MESSAGE: Refused to connect to 'http://localhost:8000/security/isolatedWorld/resources/cross-origin-xhr.txt' because it violates the following Content Security Policy directive: "connect-src 'none'".
22
3 CONSOLE MESSAGE: Refused to connect to 'http://localhost:8000/security/isolatedWorld/resources/cross-origin-xhr.txt' because it violates the following Content Security Policy directive: "connect-src 'none'".
4 
5 CONSOLE MESSAGE: Refused to connect to 'http://localhost:8000/security/isolatedWorld/resources/cross-origin-xhr.txt' because it violates the following Content Security Policy directive: "connect-src 'none'".
6 
7 CONSOLE MESSAGE: Refused to connect to 'http://localhost:8000/security/isolatedWorld/resources/cross-origin-xhr.txt' because it violates the following Content Security Policy directive: "connect-src 'none'".
8 
93Tests that isolated worlds can have XHRs that the page's CSP wouldn't allow.
104
115On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".

@@On success, you will see a series of "PA
137
148XHR from main world
159PASS: XHR.open threw an exception.
16 XHR from isolated world with unchanged CSP
17 PASS: XHR.open threw an exception.
18 XHR from isolated world with same security origin as XHR target.
19 PASS: XHR.open threw an exception.
20 XHR from isolated world with same security origin as XHR target, and looser CSP.
 10XHR from isolated world
2111PASS: XHR.open did not throw an exception.
22 XHR from main world is not affected by the isolated world origin or CSP
23 PASS: XHR.open threw an exception.
2412PASS successfullyParsed is true
2513
2614TEST COMPLETE

LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html

@@var tests = [
1717 xhr(true);
1818 },
1919 function() {
20  debug('XHR from isolated world with unchanged CSP');
21  runTestInWorld(1, 'xhr', 'true');
 20 debug('XHR from isolated world');
 21 runTestInWorld(1, 'xhr', 'false');
2222 },
23  function() {
24  debug('XHR from isolated world with same security origin as XHR target.');
25  testRunner.setIsolatedWorldSecurityOrigin(2, 'http://localhost:8000');
26  runTestInWorld(2, 'xhr', 'true');
27  },
28  function() {
29  debug('XHR from isolated world with same security origin as XHR target, and looser CSP.');
30  testRunner.setIsolatedWorldContentSecurityPolicy(3, 'connect-src *');
31  testRunner.setIsolatedWorldSecurityOrigin(3, 'http://localhost:8000');
32  runTestInWorld(3, 'xhr', 'false');
33  },
34  function() {
35  debug('XHR from main world is not affected by the isolated world origin or CSP');
36  xhr(true);
37  }
3823];
3924var currentTest = 0;
4025
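Review bot: the rewritten tests array now ends with the isolated-world XHR, so the step that previously ran `xhr(true)` from the main world after the isolated-world run is gone; keep one main-world XHR after `runTestInWorld(1, 'xhr', 'false');` (expecting XHR.open to throw) so the test shows the bypass is scoped to the isolated world rather than sticky. The meaning of the 'false' argument (whether an exception is expected) is only inferable from the expected output; a short comment on the call would help.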

@@if (window.testRunner) {
4732 switch (message.type) {
4833 case 'test-done':
4934 currentTest++;
50  if (currentTest == tests.length) {
51  testRunner.setIsolatedWorldSecurityOrigin(1, null);
52  testRunner.setIsolatedWorldSecurityOrigin(2, null);
53  testRunner.setIsolatedWorldSecurityOrigin(3, null);
54  testRunner.setIsolatedWorldContentSecurityPolicy(1, '');
55  testRunner.setIsolatedWorldContentSecurityPolicy(2, '');
56  testRunner.setIsolatedWorldContentSecurityPolicy(3, '');
 35 if (currentTest == tests.length)
5736 finishJSTest();
58  }
5937 else
6038 tests[currentTest]();
6139 break;

LayoutTests/http/tests/security/isolatedWorld/bypass-main-world-csp.html

88 testRunner.waitUntilDone();
99 }
1010
11  tests = 4;
 11 tests = 2;
1212 window.addEventListener("message", function(message) {
1313 tests -= 1;
1414 test();

3030 }
3131
3232 switch (tests) {
33  case 4:
34  setImgSrc(false);
35  break;
36  case 3:
37  testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(true);");
38  break;
3933 case 2:
40  alert("Starting to bypass main world's CSP:");
41  testRunner.setIsolatedWorldContentSecurityPolicy(1, 'img-src *');
42  testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(true);");
 34 setImgSrc(false);
4335 break;
4436 case 1:
45  setImgSrc(false);
 37 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(true);");
4638 break;
4739 case 0:
48  testRunner.setIsolatedWorldContentSecurityPolicy(1, '');
4940 testRunner.notifyDone();
5041 break;
5142 }
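Review bot: with tests = 2 the sequence is case 2 (main world, setImgSrc(false)), case 1 (isolated world, setImgSrc(true)), then notifyDone(); the old case 1 that re-ran setImgSrc(false) in the main world after the isolated-world load is dropped, so the test no longer demonstrates that the main world stays blocked once an isolated-world script has run. Suggest tests = 3 with a final main-world setImgSrc(false) before notifyDone() and a matching "BLOCKED in main world" line in the expected file. Minor: `String(eval("setImgSrc"))` serialises a function through eval where `setImgSrc.toString()` would do.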

5445</head>
5546<body onload='test();'>
5647 <p>
57  This test ensures that scripts run in isolated worlds marked with their
58  own Content Security Policy aren't affected by the page's content
59  security policy. Extensions, for example, should be able to load any
60  resource they like.
 48 This test ensures that scripts run in isolated worlds aren't affected
 49 by the page's content security policy. Extensions, for example, should
 50 be able to load any resource they like.
6151 </p>
6252</body>
6353</html>

LayoutTests/platform/efl/TestExpectations

@@webkit.org/b/61540 http/tests/security/i
11381138webkit.org/b/61540 inspector/extensions/extensions-audits-content-script.html [ Failure ]
11391139webkit.org/b/61540 inspector/extensions/extensions-eval-content-script.html [ Failure ]
11401140
1141 # JSC also doesn't support setIsolatedWorldContentSecurityPolicy
1142 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp.html [ Failure ]
1143 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html [ Failure ]
1144 
11451141#__worldID is undefined in isolated world
11461142Bug(EFL) http/tests/security/isolatedWorld/didClearWindowObject.html
11471143
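Review bot: the removed lines were `[ Failure ]` entries keyed on webkit.org/b/100815; since the tests now pass without the testRunner CSP/origin hooks, check that no other port's TestExpectations file outside this patch still carries the same two webkit.org/b/100815 lines, otherwise that port will report unexpected passes.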

LayoutTests/platform/mac/TestExpectations

@@fast/xsl/xslt-processor-template.html
492492# JSC does not support setIsolatedWorldSecurityOrigin (http://webkit.org/b/61540)
493493http/tests/security/isolatedWorld/cross-origin-xhr.html
494494
495 # JSC also doesn't support setIsolatedWorldContentSecurityPolicy (webkit.org/b/100815)
496 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp.html [ Failure ]
497 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html [ Failure ]
498 
499495# https://bugs.webkit.org/show_bug.cgi?id=63282 layerTreeAsText doesn't work for iframes
500496compositing/rtl/rtl-iframe-absolute-overflow-scrolled.html
501497compositing/rtl/rtl-iframe-absolute-overflow.html

LayoutTests/platform/qt/TestExpectations

@@fast/js/i18n-bindings-locale.html
213213# JSC does not support setIsolatedWorldSecurityOrigin, (http://webkit.org/b/61540)
214214http/tests/security/isolatedWorld/cross-origin-xhr.html
215215
216 # JSC also doesn't support setIsolatedWorldContentSecurityPolicy (webkit.org/b/100815)
217 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp.html
218 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html
219 
220216# This test is for clients that choose to make the missing plugin indicator a button
221217
222218plugins/clicking-missing-plugin-fires-delegate.html

LayoutTests/platform/win/TestExpectations

@@loader/navigation-while-deferring-loads.
15291529# JSC does not support setIsolatedWorldSecurityOrigin (http://webkit.org/b/61540)
15301530http/tests/security/isolatedWorld/cross-origin-xhr.html
15311531
1532 # JSC also doesn't support setIsolatedWorldContentSecurityPolicy (webkit.org/b/100815)
1533 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp.html [ Failure ]
1534 webkit.org/b/100815 http/tests/security/isolatedWorld/bypass-main-world-csp-for-xhr.html [ Failure ]
1535 
15361532# ENABLE(WEBGL) is disabled
15371533compositing/backface-visibility/backface-visibility-webgl.html
15381534compositing/visibility/visibility-simple-webgl-layer.html