154177 2016-02-12 11:26:07 -0800 CSP: Allow schemeless source expressions to match an HTTP or HTTPS resource 2017-09-10 05:56:47 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Nightly Build All All RESOLVED FIXED InRadar, WebExposed P2 Normal --- 1 dbates dbates aestes bfulgham commit-queue czirkos.zoltan dbates ksajxai mkwst sam webkit-bug-importer oldest_to_newest 1164226 0 dbates 2016-02-12 11:26:07 -0800 Following up from bug #112573 and bug #153748, we should remove the ENABLE(CSP_NEXT)-guard around the code in ContentSecurityPolicy::protocolMatchesSelf() so that we allow a schemeless source expression to match against a HTTP or HTTPS resource. For example, assume the page http://www.example.com has Content Security Policy script-src example.com. If the page loads an external JavaScript script https://example.com/script.js then the load will be blocked by the Content Security Policy of the page because the scheme of the page (http) differs from the scheme of the requested script (https). But the load should be allowed by <https://www.w3.org/TR/CSP2/#match-source-expression> (21 July 2015). 1164228 1 dbates 2016-02-12 11:26:39 -0800 <rdar://problem/22708772> 1164238 2 271196 dbates 2016-02-12 11:47:12 -0800 Created attachment 271196 Patch and Layout Tests 1164766 3 271196 bfulgham 2016-02-15 09:54:05 -0800 Comment on attachment 271196 Patch and Layout Tests r=me. 1164777 4 271196 dbates 2016-02-15 10:53:56 -0800 Comment on attachment 271196 Patch and Layout Tests Clearing flags on attachment: 271196 Committed r196581: <http://trac.webkit.org/changeset/196581> 1164778 5 dbates 2016-02-15 10:53:59 -0800 All reviewed patches have been landed. Closing bug. 1165022 6 dbates 2016-02-15 20:28:29 -0800 *** Bug 146723 has been marked as a duplicate of this bug. *** 1347249 7 czirkos.zoltan 2017-09-10 05:56:47 -0700 Is this patch supposed to be in iOS 9.3.5? The bug still exists on an iPhone 4 which is claiming to be up to date, although the date of closing the bug is February 2016. 271196 2016-02-12 11:47:12 -0800 2016-02-15 10:53:56 -0800 Patch and Layout Tests bug-154177-20160212114651.patch text/plain 5013 dbates U3VidmVyc2lvbiBSZXZpc2lvbjogMTk2NDc2CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZmU0ZWJkNTdjZTc1ZmNi ODgwNmUwMGU5ZjcwZDU1ZTEzMjE1NGM0ZS4uM2IyYzIwMDVjM2ZmZGZlNjQ0OWFmNTAyMWJjOTgw MWI5Zjc0MDc3MiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDIzIEBACisyMDE2LTAyLTEyICBEYW5p ZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KKworICAgICAgICBDU1A6IEFsbG93IHNjaGVt ZWxlc3Mgc291cmNlIGV4cHJlc3Npb25zIHRvIG1hdGNoIGFuIEhUVFAgb3IgSFRUUFMgcmVzb3Vy Y2UKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1NDE3 NworICAgICAgICA8cmRhcjovL3Byb2JsZW0vMjI3MDg3NzI+CisKKyAgICAgICAgUmV2aWV3ZWQg YnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgQWxsb3cgYSBzY2hlbWVsZXNzIHNvdXJjZSBl eHByZXNzaW9uIHRvIG1hdGNoIGFuIEhUVFAgb3IgSFRUUFMgc3VicmVzb3VyY2Ugd2hlbiB0aGUg cGFnZSBpcworICAgICAgICBkZWxpdmVyZWQgb3ZlciBIVFRQIGFzIHBlciBzZWN0aW9uIE1hdGNo aW5nIFNvdXJjZSBFeHByZXNzaW9ucyBvZiB0aGUgQ29udGVudCBTZWN1cml0eSBQb2xpY3kKKyAg ICAgICAgMi4wIHNwZWMuLCA8aHR0cHM6Ly93d3cudzMub3JnL1RSLzIwMTUvQ1ItQ1NQMi0yMDE1 MDcyMS8+ICgyMSBKdWx5IDIwMTUpLgorCisgICAgICAgIEN1cnJlbnRseSB3ZSBoYXZlIGxvZ2lj IHRoYXQgaW1wbGVtZW50cyB0aGlzIGZ1bmN0aW9uYWxpdHksIGJ1dCBpdCBpcyBndWFyZGVkIGJl aGluZCB0aGUgY29tcGlsZS0KKyAgICAgICAgdGltZSBtYWNybyBFTkFCTEUoQ1NQX05FWFQpIHRo YXQgaXMgZGlzYWJsZWQgYnkgZGVmYXVsdC4gSW5zdGVhZCB3ZSBzaG91bGQgYWx3YXlzIGNvbXBp bGUgc3VjaAorICAgICAgICBjb2RlLiBJbiBzdWJzZXF1ZW50IGNvbW1pdHMgd2Ugd2lsbCBtb3Zl IG1vcmUgY29kZSBvdXQgZnJvbSB1bmRlciB0aGUgRU5BQkxFKENTUF9ORVhUKS1ndWFyZAorICAg ICAgICB0b3dhcmRzIHJlbW92aW5nIHRoZSBFTkFCTEVfQ1NQX05FWFQgbWFjcm8gZW50aXJlbHku CisKKyAgICAgICAgKiBwYWdlL2NzcC9Db250ZW50U2VjdXJpdHlQb2xpY3kuY3BwOgorICAgICAg ICAoV2ViQ29yZTo6Q29udGVudFNlY3VyaXR5UG9saWN5Ojpwcm90b2NvbE1hdGNoZXNTZWxmKToK KwogMjAxNi0wMi0xMiAgQ2hyaXMgRHVtZXogIDxjZHVtZXpAYXBwbGUuY29tPgogCiAgICAgICAg IFVucmV2aWV3ZWQgbml0IGZpeGVzIGFmdGVyIHIxOTY0NjYuCmRpZmYgLS1naXQgYS9Tb3VyY2Uv V2ViQ29yZS9wYWdlL2NzcC9Db250ZW50U2VjdXJpdHlQb2xpY3kuY3BwIGIvU291cmNlL1dlYkNv cmUvcGFnZS9jc3AvQ29udGVudFNlY3VyaXR5UG9saWN5LmNwcAppbmRleCA2MjUyYjBiYmVhMzZk NWRlNGVkNzU5YTQ5M2Q2Y2E4NzkzZTBlNzU3Li5hZDRkZjQyNTExMDg5YjYwMGY5YTc1ODNiNDcx NTM2YjdjNDZlNjMyIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wYWdlL2NzcC9Db250ZW50 U2VjdXJpdHlQb2xpY3kuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3BhZ2UvY3NwL0NvbnRlbnRT ZWN1cml0eVBvbGljeS5jcHAKQEAgLTE0NywxMCArMTQ3LDggQEAgYm9vbCBDb250ZW50U2VjdXJp dHlQb2xpY3k6OnVybE1hdGNoZXNTZWxmKGNvbnN0IFVSTCYgdXJsKSBjb25zdAogCiBib29sIENv bnRlbnRTZWN1cml0eVBvbGljeTo6cHJvdG9jb2xNYXRjaGVzU2VsZihjb25zdCBVUkwmIHVybCkg Y29uc3QKIHsKLSNpZiBFTkFCTEUoQ1NQX05FWFQpCiAgICAgaWYgKGVxdWFsTGV0dGVyc0lnbm9y aW5nQVNDSUlDYXNlKG1fc2VsZlNvdXJjZVByb3RvY29sLCAiaHR0cCIpKQogICAgICAgICByZXR1 cm4gdXJsLnByb3RvY29sSXNJbkhUVFBGYW1pbHkoKTsKLSNlbmRpZgogICAgIHJldHVybiBlcXVh bElnbm9yaW5nQVNDSUlDYXNlKHVybC5wcm90b2NvbCgpLCBtX3NlbGZTb3VyY2VQcm90b2NvbCk7 CiB9CiAKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0NoYW5nZUxvZyBiL0xheW91dFRlc3RzL0No YW5nZUxvZwppbmRleCBkMWYzZTk2NDNiNjkzOWI2MTE1N2E0ZjI5M2MxMTZiNGVkNDNkZGU3Li43 MjEyNDRlMmNjZTlmZWU5MTAxNzFiYzY3MzM5YzAyNDE5N2RkYjk3IDEwMDY0NAotLS0gYS9MYXlv dXRUZXN0cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEs MjAgQEAKKzIwMTYtMDItMTIgIERhbmllbCBCYXRlcyAgPGRhYmF0ZXNAYXBwbGUuY29tPgorCisg ICAgICAgIENTUDogQWxsb3cgc2NoZW1lbGVzcyBzb3VyY2UgZXhwcmVzc2lvbnMgdG8gbWF0Y2gg YW4gSFRUUCBvciBIVFRQUyByZXNvdXJjZQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9y Zy9zaG93X2J1Zy5jZ2k/aWQ9MTU0MTc3CisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8yMjcwODc3 Mj4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBVcGRh dGUgdGVzdCBjYXNlIGFuZCBleHBlY3RlZCByZXN1bHQgdG8gdGVzdCB0aGF0IGEgc2NoZW1lbGVz cyBzb3VyY2UgZXhwcmVzc2lvbgorICAgICAgICBtYXRjaGVzIGFuIEhUVFBTIHN1YnJlc291cmNl IChhbmQgZG9lcyBub3QgdHJpZ2dlciBhIENvbnRlbnQgU2VjdXJpdHkgUG9saWN5IHZpb2xhdGlv bikKKyAgICAgICAgd2hlbiB0aGUgcGFnZSBpcyBzZXJ2ZWQgb3ZlciBIVFRQLgorCisgICAgICAg ICogaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvc291cmNlLWxpc3Qt cGFyc2luZy0xMC1leHBlY3RlZC50eHQ6CisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS9j b250ZW50U2VjdXJpdHlQb2xpY3kvc291cmNlLWxpc3QtcGFyc2luZy0xMC5odG1sOiBDaGFuZ2Ug Im5vIiB0byAieWVzIgorICAgICAgICBzbyB0aGF0IHdlIGNvbnNpZGVyIGl0IGEgc3VjY2VzcyAo YW5kIGNvbnRpbnVlIHByaW50aW5nICJQQVNTIikgd2hlbiB3ZSBsb2FkIGFuZCBleGVjdXRlIHRo ZQorICAgICAgICBzY3JpcHQsIDxodHRwczovLzEyNy4wLjAuMTo4NDQzL3NlY3VyaXR5L2NvbnRl bnRTZWN1cml0eVBvbGljeS9yZXNvdXJjZXMvc2NyaXB0LmpzPi4KKwogMjAxNi0wMi0xMSAgQ2hy aXMgRHVtZXogIDxjZHVtZXpAYXBwbGUuY29tPgogCiAgICAgICAgIFtXZWIgSURMXSBpbnRlcmZh Y2VzIHNob3VsZCBpbmhlcml0IEV2ZW50VGFyZ2V0IGluc3RlYWQgb2YgZHVwbGljYXRpbmcgdGhl IEV2ZW50VGFyZ2V0IEFQSQpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1 cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvc291cmNlLWxpc3QtcGFyc2luZy0xMC1leHBlY3Rl ZC50eHQgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBv bGljeS9zb3VyY2UtbGlzdC1wYXJzaW5nLTEwLWV4cGVjdGVkLnR4dAppbmRleCA5ZjVhZjlmZjRk Y2I2ZmVhNGNhYjk0M2U3NjYxMzlhZDY1NzE5YjRjLi4zZGExMjViMzg5Y2JhZGViZmM0YzRjMjEz Yzc5MmMxMDQ0YWZmZDE3IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3Vy aXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9zb3VyY2UtbGlzdC1wYXJzaW5nLTEwLWV4cGVjdGVk LnR4dAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0 eVBvbGljeS9zb3VyY2UtbGlzdC1wYXJzaW5nLTEwLWV4cGVjdGVkLnR4dApAQCAtMSw1ICsxLDMg QEAKLUNPTlNPTEUgTUVTU0FHRTogUmVmdXNlZCB0byBsb2FkIHRoZSBzY3JpcHQgJ2h0dHBzOi8v MTI3LjAuMC4xOjg0NDMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3Jlc291cmNlcy9z Y3JpcHQuanMnIGJlY2F1c2UgaXQgdmlvbGF0ZXMgdGhlIGZvbGxvd2luZyBDb250ZW50IFNlY3Vy aXR5IFBvbGljeSBkaXJlY3RpdmU6ICJzY3JpcHQtc3JjIDEyNy4wLjAuMTo4NDQzIi4KLQogTm9u ZSBvZiB0aGVzZSBzY3JpcHRzIHNob3VsZCBleGVjdXRlIGV2ZW4gdGhvdWdoIHRoZXJlIGFyZSBw YXJzZSBlcnJvcnMgaW4gdGhlIHBvbGljeS4KIAogCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9o dHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9zb3VyY2UtbGlzdC1wYXJz aW5nLTEwLmh0bWwgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1 cml0eVBvbGljeS9zb3VyY2UtbGlzdC1wYXJzaW5nLTEwLmh0bWwKaW5kZXggOWNjNWI0MjkwYjdm MzFjOGYyN2FiZmE4ODY5MjcwMjI3ZTk4NzUzMy4uNDkxMWQ4YThmMGMwYTE5MTAzNzQ5ODc1NjZh NjIxZWZhZmE4Mjk0OSAxMDA2NDQKLS0tIGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0 eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvc291cmNlLWxpc3QtcGFyc2luZy0xMC5odG1sCisrKyBi L0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3Nv dXJjZS1saXN0LXBhcnNpbmctMTAuaHRtbApAQCAtNSw3ICs1LDcgQEAKIDxzY3JpcHQ+CiB2YXIg dGVzdHMgPSBbCiAgICAgWyd5ZXMnLCAnc2NyaXB0LXNyYyAxMjcuMC4wLjE6ODAwMCcsICdyZXNv dXJjZXMvc2NyaXB0LmpzJ10sCi0gICAgWydubycsICdzY3JpcHQtc3JjIDEyNy4wLjAuMTo4NDQz JywgJ2h0dHBzOi8vMTI3LjAuMC4xOjg0NDMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5 L3Jlc291cmNlcy9zY3JpcHQuanMnXSwKKyAgICBbJ3llcycsICdzY3JpcHQtc3JjIDEyNy4wLjAu MTo4NDQzJywgJ2h0dHBzOi8vMTI3LjAuMC4xOjg0NDMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5 UG9saWN5L3Jlc291cmNlcy9zY3JpcHQuanMnXSwKIF07CiA8L3NjcmlwdD4KIDwvaGVhZD4K