106084 2013-01-04 04:35:18 -0800 CSP: 'frame-src' should block redirects to invalid sources. 2013-01-04 11:14:45 -0800 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 103582 1 mkwst mkwst abarth japhet mkwst+watchlist webkit.review.bot oldest_to_newest 800145 0 mkwst 2013-01-04 04:35:18 -0800 WebKit currently fails test 95 and 101 on http://csptesting.herokuapp.com/. These test variations on whitelisting a source via a 'frame-src' directive, and then loading a whitelisted frame from that source which redirects to a non-whitelisted source. This redirection should be blocked, but currently isn't. 800146 1 181289 mkwst 2013-01-04 04:38:22 -0800 Created attachment 181289 Patch 800147 2 mkwst 2013-01-04 04:40:03 -0800 Hi Adam! This patch moves the CSP check for 'frame-src' out of SubframeLoader and into PolicyChecker, which allows us to validate the whole redirect chain, and also seems like a better location semantically. FrameLoader is pretty complex, however, so I'm not actually sure I'm doing the right thing here. Would you mind taking a look? Thanks! 800305 3 181289 abarth 2013-01-04 09:57:50 -0800 Comment on attachment 181289 Patch Yeah, putting this in policy checker is much better. 800385 4 181289 mkwst 2013-01-04 10:51:41 -0800 Comment on attachment 181289 Patch Glad I interpreted things correctly. Thanks for the review! 800413 5 181289 webkit.review.bot 2013-01-04 11:14:42 -0800 Comment on attachment 181289 Patch Clearing flags on attachment: 181289 Committed r138818: <http://trac.webkit.org/changeset/138818> 800414 6 webkit.review.bot 2013-01-04 11:14:45 -0800 All reviewed patches have been landed. Closing bug. 181289 2013-01-04 04:38:22 -0800 2013-01-04 11:14:42 -0800 Patch bug-106084-20130104133527.patch text/plain 6144 mkwst U3VidmVyc2lvbiBSZXZpc2lvbjogMTM4NzI4CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNDYzYzcxYWRlYTUxZTYy ZmZjZTYwYWIzMjRkNzA5ZGJhMGZhOTEyOS4uNGRiODA0NDljYjQ0YTg2ODBmOWU4NjcyODQwNDMw MjM2YzQ1YzU5MiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDI2IEBACisyMDEzLTAxLTA0ICBNaWtl IFdlc3QgIDxta3dzdEBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgQ1NQOiAnZnJhbWUtc3JjJyBz aG91bGQgYmxvY2sgcmVkaXJlY3RzIHRvIGludmFsaWQgc291cmNlcy4KKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTEwNjA4NAorCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFRoZSAnZnJhbWUtc3JjJyBDU1AgZGly ZWN0aXZlIHdoaXRlbGlzdHMgdmFsaWQgaWZyYW1lIHRhcmdldHMsIGJ1dAorICAgICAgICBjdXJy ZW50bHkgZmFpbHMgdG8gY29ycmVjdGx5IGRlYWwgd2l0aCByZWRpcmVjdGlvbi4gQXMgbG9uZyBh cyB0aGUKKyAgICAgICAgaW5pdGlhbCB0YXJnZXQgaXMgdmFsaWQsIGFueSByZWRpcmVjdGlvbiBn b2VzIHRocm91Z2ggd2l0aG91dAorICAgICAgICBxdWVzdGlvbi4gVGhpcyBwYXRjaCBtb3ZlcyB0 aGUgQ1NQIGNoZWNrIG91dCBvZgorICAgICAgICBTdWJmcmFtZUxvYWRlcjo6bG9hZFN1YmZyYW1l LCBhbmQgaW50bworICAgICAgICBQb2xpY3lDaGVja2VyOjpjaGVja05hdmlnYXRpb25Qb2xpY3ku IEluIHRoZSBuZXcgbG9jYXRpb24sIHRoZSBjaGVjaworICAgICAgICBpcyB3ZWxsLXBvc2l0aW9u ZWQgdG8gY2hlY2sgZWFjaCBVUkwgaW4gYSByZWRpcmVjdCBjaGFpbiwgYXMgb3Bwb3NlZAorICAg ICAgICB0byBjaGVja2luZyBvbmx5IHRoZSBpbml0aWFsIHRhcmdldC4KKworICAgICAgICBUZXN0 OiBodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9mcmFtZS1zcmMtcmVk aXJlY3QtYmxvY2tlZC5odG1sCisKKyAgICAgICAgKiBsb2FkZXIvUG9saWN5Q2hlY2tlci5jcHA6 CisgICAgICAgIChXZWJDb3JlOjpQb2xpY3lDaGVja2VyOjpjaGVja05hdmlnYXRpb25Qb2xpY3kp OgorICAgICAgICAqIGxvYWRlci9TdWJmcmFtZUxvYWRlci5jcHA6CisgICAgICAgIChXZWJDb3Jl OjpTdWJmcmFtZUxvYWRlcjo6bG9hZFN1YmZyYW1lKToKKwogMjAxMy0wMS0wMyAgQWxleGlzIE1l bmFyZCAgPGFsZXhpc0B3ZWJraXQub3JnPgogCiAgICAgICAgIFF1ZXJ5aW5nIHRyYW5zaXRpb24t dGltaW5nLWZ1bmN0aW9uIHZhbHVlIG9uIHRoZSBjb21wdXRlZCBzdHlsZSBkb2VzIG5vdCByZXR1 cm4ga2V5d29yZHMgd2hlbiBpdCBzaG91bGQuCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9s b2FkZXIvUG9saWN5Q2hlY2tlci5jcHAgYi9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvUG9saWN5Q2hl Y2tlci5jcHAKaW5kZXggZGI1MjBhNGEwZGQ1NTkyMzFhN2JhZTU0YzJiZGEyMzBlM2NhZTAxYy4u ZTk0YTVlNzRjNjJjNDFhZWNjYWI5OGIyNWJkMDE3ODhjMDRlZDNmNiAxMDA2NDQKLS0tIGEvU291 cmNlL1dlYkNvcmUvbG9hZGVyL1BvbGljeUNoZWNrZXIuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3Jl L2xvYWRlci9Qb2xpY3lDaGVja2VyLmNwcApAQCAtMzEsMTIgKzMxLDE0IEBACiAjaW5jbHVkZSAi Y29uZmlnLmgiCiAjaW5jbHVkZSAiUG9saWN5Q2hlY2tlci5oIgogCisjaW5jbHVkZSAiQ29udGVu dFNlY3VyaXR5UG9saWN5LmgiCiAjaW5jbHVkZSAiRG9jdW1lbnRMb2FkZXIuaCIKICNpbmNsdWRl ICJGb3JtU3RhdGUuaCIKICNpbmNsdWRlICJGcmFtZS5oIgogI2luY2x1ZGUgIkZyYW1lTG9hZGVy LmgiCiAjaW5jbHVkZSAiRnJhbWVMb2FkZXJDbGllbnQuaCIKICNpbmNsdWRlICJIVE1MRm9ybUVs ZW1lbnQuaCIKKyNpbmNsdWRlICJIVE1MRnJhbWVPd25lckVsZW1lbnQuaCIKICNpbmNsdWRlICJT ZWN1cml0eU9yaWdpbi5oIgogCiBuYW1lc3BhY2UgV2ViQ29yZSB7CkBAIC03MCw3ICs3Miw3IEBA IHZvaWQgUG9saWN5Q2hlY2tlcjo6Y2hlY2tOYXZpZ2F0aW9uUG9saWN5KGNvbnN0IFJlc291cmNl UmVxdWVzdCYgcmVxdWVzdCwgRG9jdW1lCiAgICAgICAgIGxvYWRlci0+c2V0TGFzdENoZWNrZWRS ZXF1ZXN0KHJlcXVlc3QpOwogICAgICAgICByZXR1cm47CiAgICAgfQotICAgIAorCiAgICAgLy8g V2UgYXJlIGFsd2F5cyB3aWxsaW5nIHRvIHNob3cgYWx0ZXJuYXRlIGNvbnRlbnQgZm9yIHVucmVh Y2hhYmxlIFVSTHM7CiAgICAgLy8gdHJlYXQgaXQgbGlrZSBhIHJlbG9hZCBzbyBpdCBtYWludGFp bnMgdGhlIHJpZ2h0IHN0YXRlIGZvciBiL2YgbGlzdC4KICAgICBpZiAobG9hZGVyLT5zdWJzdGl0 dXRlRGF0YSgpLmlzVmFsaWQoKSAmJiAhbG9hZGVyLT5zdWJzdGl0dXRlRGF0YSgpLmZhaWxpbmdV UkwoKS5pc0VtcHR5KCkpIHsKQEAgLTc5LDcgKzgxLDE0IEBAIHZvaWQgUG9saWN5Q2hlY2tlcjo6 Y2hlY2tOYXZpZ2F0aW9uUG9saWN5KGNvbnN0IFJlc291cmNlUmVxdWVzdCYgcmVxdWVzdCwgRG9j dW1lCiAgICAgICAgIGZ1bmN0aW9uKGFyZ3VtZW50LCByZXF1ZXN0LCAwLCB0cnVlKTsKICAgICAg ICAgcmV0dXJuOwogICAgIH0KLSAgICAKKworICAgIC8vIElmIHdlJ3JlIGxvYWRpbmcgY29udGVu dCBpbnRvIGEgc3ViZnJhbWUsIGNoZWNrIGFnYWluc3QgdGhlIHBhcmVudCdzIENvbnRlbnQgU2Vj dXJpdHkgUG9saWN5CisgICAgLy8gYW5kIGtpbGwgdGhlIGxvYWQgaWYgdGhhdCBjaGVjayBmYWls cy4KKyAgICBpZiAobV9mcmFtZS0+b3duZXJFbGVtZW50KCkgJiYgIW1fZnJhbWUtPm93bmVyRWxl bWVudCgpLT5kb2N1bWVudCgpLT5jb250ZW50U2VjdXJpdHlQb2xpY3koKS0+YWxsb3dDaGlsZEZy YW1lRnJvbVNvdXJjZShyZXF1ZXN0LnVybCgpKSkgeworICAgICAgICBmdW5jdGlvbihhcmd1bWVu dCwgcmVxdWVzdCwgMCwgZmFsc2UpOworICAgICAgICByZXR1cm47CisgICAgfQorCiAgICAgbG9h ZGVyLT5zZXRMYXN0Q2hlY2tlZFJlcXVlc3QocmVxdWVzdCk7CiAKICAgICBtX2NhbGxiYWNrLnNl dChyZXF1ZXN0LCBmb3JtU3RhdGUuZ2V0KCksIGZ1bmN0aW9uLCBhcmd1bWVudCk7CmRpZmYgLS1n aXQgYS9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvU3ViZnJhbWVMb2FkZXIuY3BwIGIvU291cmNlL1dl YkNvcmUvbG9hZGVyL1N1YmZyYW1lTG9hZGVyLmNwcAppbmRleCA3MWY4ZTJmMGE5YTgxMTUzN2Fl YWY1NTNjMTAxYjc3NzMxZGZiOTdkLi4xZjY4ZmI0YWMzN2RiZGY5MDQxNTBiNzEwZWU5YzBmZTU3 OTEzNTc3IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9sb2FkZXIvU3ViZnJhbWVMb2FkZXIu Y3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL2xvYWRlci9TdWJmcmFtZUxvYWRlci5jcHAKQEAgLTM2 Myw5ICszNjMsNiBAQCBGcmFtZSogU3ViZnJhbWVMb2FkZXI6OmxvYWRTdWJmcmFtZShIVE1MRnJh bWVPd25lckVsZW1lbnQqIG93bmVyRWxlbWVudCwgY29uc3QgSwogICAgICAgICByZXR1cm4gMDsK ICAgICB9CiAKLSAgICBpZiAoIW93bmVyRWxlbWVudC0+ZG9jdW1lbnQoKS0+Y29udGVudFNlY3Vy aXR5UG9saWN5KCktPmFsbG93Q2hpbGRGcmFtZUZyb21Tb3VyY2UodXJsKSkKLSAgICAgICAgcmV0 dXJuIDA7Ci0KICAgICBTdHJpbmcgcmVmZXJyZXJUb1VzZSA9IFNlY3VyaXR5UG9saWN5OjpnZW5l cmF0ZVJlZmVycmVySGVhZGVyKG93bmVyRWxlbWVudC0+ZG9jdW1lbnQoKS0+cmVmZXJyZXJQb2xp Y3koKSwgdXJsLCByZWZlcnJlcik7CiAgICAgUmVmUHRyPEZyYW1lPiBmcmFtZSA9IG1fZnJhbWUt PmxvYWRlcigpLT5jbGllbnQoKS0+Y3JlYXRlRnJhbWUodXJsLCBuYW1lLCBvd25lckVsZW1lbnQs IHJlZmVycmVyVG9Vc2UsIGFsbG93c1Njcm9sbGluZywgbWFyZ2luV2lkdGgsIG1hcmdpbkhlaWdo dCk7CiAKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0No YW5nZUxvZwppbmRleCBhYjE5NjNlMTNjYjM2OGQwZWQxYzg2YTM3N2YwZjRmMjZhOTY5ZGY1Li4w OGQ0YjZhMDhhMGIzZWNiYjBiYjIyOGVlZWQ5NmE4YjZmOThjMzg1IDEwMDY0NAotLS0gYS9MYXlv dXRUZXN0cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEs MTMgQEAKKzIwMTMtMDEtMDQgIE1pa2UgV2VzdCAgPG1rd3N0QGNocm9taXVtLm9yZz4KKworICAg ICAgICBDU1A6ICdmcmFtZS1zcmMnIHNob3VsZCBibG9jayByZWRpcmVjdHMgdG8gaW52YWxpZCBz b3VyY2VzLgorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9 MTA2MDg0CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAg KiBodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9mcmFtZS1zcmMtcmVk aXJlY3QtYmxvY2tlZC1leHBlY3RlZC50eHQ6IEFkZGVkLgorICAgICAgICAqIGh0dHAvdGVzdHMv c2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L2ZyYW1lLXNyYy1yZWRpcmVjdC1ibG9ja2Vk Lmh0bWw6IEFkZGVkLgorCiAyMDEzLTAxLTAzICBBbGV4aXMgTWVuYXJkICA8YWxleGlzQHdlYmtp dC5vcmc+CiAKICAgICAgICAgUXVlcnlpbmcgdHJhbnNpdGlvbi10aW1pbmctZnVuY3Rpb24gdmFs dWUgb24gdGhlIGNvbXB1dGVkIHN0eWxlIGRvZXMgbm90IHJldHVybiBrZXl3b3JkcyB3aGVuIGl0 IHNob3VsZC4KZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29u dGVudFNlY3VyaXR5UG9saWN5L2ZyYW1lLXNyYy1yZWRpcmVjdC1ibG9ja2VkLWV4cGVjdGVkLnR4 dCBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5 L2ZyYW1lLXNyYy1yZWRpcmVjdC1ibG9ja2VkLWV4cGVjdGVkLnR4dApuZXcgZmlsZSBtb2RlIDEw MDY0NAppbmRleCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwLi5lN2I5 MTljNGE2MmY5YjNiZTk3ODc3ZTUxMmIzODU3NTczZmE1Y2VkCi0tLSAvZGV2L251bGwKKysrIGIv TGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvZnJh bWUtc3JjLXJlZGlyZWN0LWJsb2NrZWQtZXhwZWN0ZWQudHh0CkBAIC0wLDAgKzEsMyBAQAorQ09O U09MRSBNRVNTQUdFOiBSZWZ1c2VkIHRvIGxvYWQgdGhlIGZyYW1lICdodHRwOi8vbG9jYWxob3N0 OjgwMDAvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3Jlc291cmNlcy9hbGVydC1mYWls Lmh0bWwnIGJlY2F1c2UgaXQgdmlvbGF0ZXMgdGhlIGZvbGxvd2luZyBDb250ZW50IFNlY3VyaXR5 IFBvbGljeSBkaXJlY3RpdmU6ICJmcmFtZS1zcmMgMTI3LjAuMC4xOjgwMDAiLgorCisKZGlmZiAt LWdpdCBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9s aWN5L2ZyYW1lLXNyYy1yZWRpcmVjdC1ibG9ja2VkLmh0bWwgYi9MYXlvdXRUZXN0cy9odHRwL3Rl c3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9mcmFtZS1zcmMtcmVkaXJlY3QtYmxv Y2tlZC5odG1sCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAuLjcxMGFhNGJiZWRjM2ZkMWNjZDM4NmUwOGE5M2FlZWViNTg2 ZTgxMzkKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5 L2NvbnRlbnRTZWN1cml0eVBvbGljeS9mcmFtZS1zcmMtcmVkaXJlY3QtYmxvY2tlZC5odG1sCkBA IC0wLDAgKzEsMyBAQAorPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1TZWN1cml0eS1Qb2xpY3ki IGNvbnRlbnQ9ImZyYW1lLXNyYyAxMjcuMC4wLjE6ODAwMCI+Cis8c2NyaXB0IHNyYz0icmVzb3Vy Y2VzL2R1bXAtYXMtdGV4dC5qcyI+PC9zY3JpcHQ+Cis8aWZyYW1lIHNyYz0icmVzb3VyY2VzL3Jl ZGlyLnBocD91cmw9aHR0cDovL2xvY2FsaG9zdDo4MDAwL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0 eVBvbGljeS9yZXNvdXJjZXMvYWxlcnQtZmFpbC5odG1sIj48L2lmcmFtZT4K