154520 2016-02-21 15:32:16 -0800 CSP: Enable form-action directive by default 2016-11-17 11:48:58 -0800 1 1 1 Unclassified WebKit WebCore Misc. WebKit Local Build All All RESOLVED FIXED InRadar, WebExposed P2 Normal --- 154555 154563 1 dbates dbates aestes bfulgham commit-queue mkwst webkit-bug-importer webkit.bugzilla oldest_to_newest 1166870 0 dbates 2016-02-21 15:32:16 -0800 Currently the Content Security Policy form-action directive is guarded by ENABLE(CSP_NEXT) and a runtime flag, both are disabled by default. This directive has been part of the Content Security Policy spec. since version 1.1 and other browsers, Google Chrome, have enabled it by default for some time. We should enable it by default. 1166871 1 webkit-bug-importer 2016-02-21 15:33:00 -0800 <rdar://problem/24762029> 1166874 2 271889 dbates 2016-02-21 15:35:42 -0800 Created attachment 271889 Patch 1166936 3 dbates 2016-02-21 21:26:12 -0800 Committed r196892: <http://trac.webkit.org/changeset/196892> 1252381 4 dbates 2016-11-17 11:48:58 -0800 *** Bug 157355 has been marked as a duplicate of this bug. *** 271889 2016-02-21 15:35:42 -0800 2016-02-21 19:04:00 -0800 Patch bug-154520-20160221153523.patch text/plain 5402 dbates U3VidmVyc2lvbiBSZXZpc2lvbjogMTk2ODc5CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZmY5ZWM4ZWZkZTdjYTUw OGZjYjdmYjhmZDk0Y2FiMTQ2YzI0ZGU2Ny4uMzliYmU5NDc4MWYwZDE4YzE4MzI5MWI5NmZkMDc0 ZTU3ODcxNGNiYyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSw1ICsxLDE5IEBACiAyMDE2LTAyLTIxICBEYW5p ZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KIAorICAgICAgICBDU1A6IEVuYWJsZSBmb3Jt LWFjdGlvbiBkaXJlY3RpdmUgYnkgZGVmYXVsdAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0 Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTU0NTIwCisgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8yNDc2 MjAyOT4KKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICAq IHBhZ2UvY3NwL0NvbnRlbnRTZWN1cml0eVBvbGljeURpcmVjdGl2ZUxpc3QuY3BwOgorICAgICAg ICAoV2ViQ29yZTo6Q29udGVudFNlY3VyaXR5UG9saWN5RGlyZWN0aXZlTGlzdDo6YWRkRGlyZWN0 aXZlKTogQ29tcGlsZSBjb2RlIHRvIHBhcnNlIHRoZQorICAgICAgICBmb3JtLWFjdGlvbiBkaXJl Y3RpdmUgYnkgZGVmYXVsdC4KKyAgICAgICAgKFdlYkNvcmU6OmlzRXhwZXJpbWVudGFsRGlyZWN0 aXZlTmFtZSk6IFJlbW92ZSBmb3JtLWFjdGlvbiBmcm9tIHRoZSBkaXJlY3RpdmVzIGNvbnNpZGVy ZWQKKyAgICAgICAgZXhwZXJpbWVudGFsLgorCisyMDE2LTAyLTIxICBEYW5pZWwgQmF0ZXMgIDxk YWJhdGVzQGFwcGxlLmNvbT4KKwogICAgICAgICBDU1A6IFZpb2xhdGlvbiByZXBvcnQgc2hvdWxk IGluY2x1ZGUgY29sdW1uIG51bWJlcgogICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9z aG93X2J1Zy5jZ2k/aWQ9MTU0NDE4CiAgICAgICAgIDxyZGFyOi8vcHJvYmxlbS8yNDcyOTUyNT4K ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BhZ2UvY3NwL0NvbnRlbnRTZWN1cml0eVBvbGlj eURpcmVjdGl2ZUxpc3QuY3BwIGIvU291cmNlL1dlYkNvcmUvcGFnZS9jc3AvQ29udGVudFNlY3Vy aXR5UG9saWN5RGlyZWN0aXZlTGlzdC5jcHAKaW5kZXggYmFmZmZhYzU0YTNhZTJjNWNiODMyNDZh YWQxZjllNDA1YWE0ZjBkNi4uYjNiOTk2YzQ3MWI5NDg2NDFhMDgxY2Y1OGM1MDY3YTNlNTUxM2Fh NSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvcGFnZS9jc3AvQ29udGVudFNlY3VyaXR5UG9s aWN5RGlyZWN0aXZlTGlzdC5jcHAKKysrIGIvU291cmNlL1dlYkNvcmUvcGFnZS9jc3AvQ29udGVu dFNlY3VyaXR5UG9saWN5RGlyZWN0aXZlTGlzdC5jcHAKQEAgLTYwLDcgKzYwLDYgQEAgc3RhdGlj IGNvbnN0IGNoYXIgcmVmbGVjdGVkWFNTW10gPSAicmVmbGVjdGVkLXhzcyI7CiBzdGF0aWMgaW5s aW5lIGJvb2wgaXNFeHBlcmltZW50YWxEaXJlY3RpdmVOYW1lKGNvbnN0IFN0cmluZyYgbmFtZSkK IHsKICAgICByZXR1cm4gZXF1YWxMZXR0ZXJzSWdub3JpbmdBU0NJSUNhc2UobmFtZSwgYmFzZVVS SSkKLSAgICAgICAgfHwgZXF1YWxMZXR0ZXJzSWdub3JpbmdBU0NJSUNhc2UobmFtZSwgZm9ybUFj dGlvbikKICAgICAgICAgfHwgZXF1YWxMZXR0ZXJzSWdub3JpbmdBU0NJSUNhc2UobmFtZSwgcGx1 Z2luVHlwZXMpCiAgICAgICAgIHx8IGVxdWFsTGV0dGVyc0lnbm9yaW5nQVNDSUlDYXNlKG5hbWUs IHJlZmxlY3RlZFhTUyk7CiB9CkBAIC01OTksNiArNTk4LDggQEAgdm9pZCBDb250ZW50U2VjdXJp dHlQb2xpY3lEaXJlY3RpdmVMaXN0OjphZGREaXJlY3RpdmUoY29uc3QgU3RyaW5nJiBuYW1lLCBj b25zdAogICAgICAgICBzZXRDU1BEaXJlY3RpdmU8Q29udGVudFNlY3VyaXR5UG9saWN5U291cmNl TGlzdERpcmVjdGl2ZT4obmFtZSwgdmFsdWUsIG1fY29ubmVjdFNyYyk7CiAgICAgZWxzZSBpZiAo ZXF1YWxMZXR0ZXJzSWdub3JpbmdBU0NJSUNhc2UobmFtZSwgY2hpbGRTcmMpKQogICAgICAgICBz ZXRDU1BEaXJlY3RpdmU8Q29udGVudFNlY3VyaXR5UG9saWN5U291cmNlTGlzdERpcmVjdGl2ZT4o bmFtZSwgdmFsdWUsIG1fY2hpbGRTcmMpOworICAgIGVsc2UgaWYgKGVxdWFsTGV0dGVyc0lnbm9y aW5nQVNDSUlDYXNlKG5hbWUsIGZvcm1BY3Rpb24pKQorICAgICAgICBzZXRDU1BEaXJlY3RpdmU8 Q29udGVudFNlY3VyaXR5UG9saWN5U291cmNlTGlzdERpcmVjdGl2ZT4obmFtZSwgdmFsdWUsIG1f Zm9ybUFjdGlvbik7CiAgICAgZWxzZSBpZiAoZXF1YWxMZXR0ZXJzSWdub3JpbmdBU0NJSUNhc2Uo bmFtZSwgc2FuZGJveCkpCiAgICAgICAgIGFwcGx5U2FuZGJveFBvbGljeShuYW1lLCB2YWx1ZSk7 CiAgICAgZWxzZSBpZiAoZXF1YWxMZXR0ZXJzSWdub3JpbmdBU0NJSUNhc2UobmFtZSwgcmVwb3J0 VVJJKSkKQEAgLTYwNyw4ICs2MDgsNiBAQCB2b2lkIENvbnRlbnRTZWN1cml0eVBvbGljeURpcmVj dGl2ZUxpc3Q6OmFkZERpcmVjdGl2ZShjb25zdCBTdHJpbmcmIG5hbWUsIGNvbnN0CiAgICAgZWxz ZSBpZiAobV9wb2xpY3kuZXhwZXJpbWVudGFsRmVhdHVyZXNFbmFibGVkKCkpIHsKICAgICAgICAg aWYgKGVxdWFsTGV0dGVyc0lnbm9yaW5nQVNDSUlDYXNlKG5hbWUsIGJhc2VVUkkpKQogICAgICAg ICAgICAgc2V0Q1NQRGlyZWN0aXZlPENvbnRlbnRTZWN1cml0eVBvbGljeVNvdXJjZUxpc3REaXJl Y3RpdmU+KG5hbWUsIHZhbHVlLCBtX2Jhc2VVUkkpOwotICAgICAgICBlbHNlIGlmIChlcXVhbExl dHRlcnNJZ25vcmluZ0FTQ0lJQ2FzZShuYW1lLCBmb3JtQWN0aW9uKSkKLSAgICAgICAgICAgIHNl dENTUERpcmVjdGl2ZTxDb250ZW50U2VjdXJpdHlQb2xpY3lTb3VyY2VMaXN0RGlyZWN0aXZlPihu YW1lLCB2YWx1ZSwgbV9mb3JtQWN0aW9uKTsKICAgICAgICAgZWxzZSBpZiAoZXF1YWxMZXR0ZXJz SWdub3JpbmdBU0NJSUNhc2UobmFtZSwgcGx1Z2luVHlwZXMpKQogICAgICAgICAgICAgc2V0Q1NQ RGlyZWN0aXZlPENvbnRlbnRTZWN1cml0eVBvbGljeU1lZGlhTGlzdERpcmVjdGl2ZT4obmFtZSwg dmFsdWUsIG1fcGx1Z2luVHlwZXMpOwogICAgICAgICBlbHNlIGlmIChlcXVhbExldHRlcnNJZ25v cmluZ0FTQ0lJQ2FzZShuYW1lLCByZWZsZWN0ZWRYU1MpKQpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVz dHMvQ2hhbmdlTG9nIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCmluZGV4IDRkZjE4MmQ5NzFlMDNm MDZmY2YyOTE0YjM5ODkwMGY1OTk5ZDdmZTguLjZiZmMxMDNjZmI1YjhmNTU1YmJlM2NhODk4ZTA4 ZmNjZGNlNmVmNzUgMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL0NoYW5nZUxvZworKysgYi9MYXlv dXRUZXN0cy9DaGFuZ2VMb2cKQEAgLTEsNSArMSwxNyBAQAogMjAxNi0wMi0yMSAgRGFuaWVsIEJh dGVzICA8ZGFiYXRlc0BhcHBsZS5jb20+CiAKKyAgICAgICAgQ1NQOiBFbmFibGUgZm9ybS1hY3Rp b24gZGlyZWN0aXZlIGJ5IGRlZmF1bHQKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcv c2hvd19idWcuY2dpP2lkPTE1NDUyMAorICAgICAgICA8cmRhcjovL3Byb2JsZW0vMjQ3NjIwMjk+ CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgTWFyayBm b3JtLWFjdGlvbiB0ZXN0cyBhcyBQYXNzIHNvIHRoYXQgd2UgcnVuIHRoZW0uCisKKyAgICAgICAg KiBUZXN0RXhwZWN0YXRpb25zOgorCisyMDE2LTAyLTIxICBEYW5pZWwgQmF0ZXMgIDxkYWJhdGVz QGFwcGxlLmNvbT4KKwogICAgICAgICBBbm90aGVyIGF0dGVtcHQgdG8gZml4IHRoZSBDb250ZW50 IEV4dGVuc2lvbiB0ZXN0IGZhaWx1cmVzIGZvbGxvd2luZyA8aHR0cHM6Ly90cmFjLndlYmtpdC5v cmcvY2hhbmdlc2V0LzE5Njg3NT4KICAgICAgICAgKGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD0xNTQzMDcpIAogCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9UZXN0RXhw ZWN0YXRpb25zIGIvTGF5b3V0VGVzdHMvVGVzdEV4cGVjdGF0aW9ucwppbmRleCBlYWE5YWE0ODA0 YzRhYWViNzdlYjZhZGUxMjMyZWYxNDI1NTRiY2U0Li5hNjc5MzA3YzE3MGNiYTE5MjRiOTE3NjM4 YzkyODY3NDFmMDc0NjYwIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9UZXN0RXhwZWN0YXRpb25z CisrKyBiL0xheW91dFRlc3RzL1Rlc3RFeHBlY3RhdGlvbnMKQEAgLTgwMyw2ICs4MDMsMTMgQEAg d2Via2l0Lm9yZy9iLzUyMTg1IGZhc3QvY3NzL3ZlcnRpY2FsLWFsaWduLWJhc2VsaW5lLXJvd3Nw YW4tMDEwLmh0bWwgWyBJbWFnZU9ubHkKICMgQ29udGVudCBTZWN1cml0eSBQb2xpY3kgZmFpbHVy ZXMKIHdlYmtpdC5vcmcvYi84NTU1OCBodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0 eVBvbGljeS8xLjEKIGh0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5LzEu MS9jaGlsZC1zcmMgWyBQYXNzIF0KK2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5 UG9saWN5LzEuMS9mb3JtLWFjdGlvbi1zcmMtYWxsb3dlZC5odG1sIFsgUGFzcyBdCitodHRwL3Rl c3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS8xLjEvZm9ybS1hY3Rpb24tc3JjLWJs b2NrZWQuaHRtbCBbIFBhc3MgXQoraHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQ b2xpY3kvMS4xL2Zvcm0tYWN0aW9uLXNyYy1kZWZhdWx0LWlnbm9yZWQuaHRtbCBbIFBhc3MgXQor aHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvMS4xL2Zvcm0tYWN0aW9u LXNyYy1nZXQtYWxsb3dlZC5odG1sIFsgUGFzcyBdCitodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRl bnRTZWN1cml0eVBvbGljeS8xLjEvZm9ybS1hY3Rpb24tc3JjLWdldC1ibG9ja2VkLmh0bWwgWyBQ YXNzIF0KK2h0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5LzEuMS9mb3Jt LWFjdGlvbi1zcmMtamF2YXNjcmlwdC1ibG9ja2VkLmh0bWwgWyBQYXNzIF0KK2h0dHAvdGVzdHMv c2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5LzEuMS9mb3JtLWFjdGlvbi1zcmMtcmVkaXJl Y3QtYmxvY2tlZC5odG1sIFsgUGFzcyBdCiBodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1 cml0eVBvbGljeS8xLjEvcmVwb3J0LXVyaS1lZmZlY3RpdmUtZGlyZWN0aXZlLnBocCBbIFBhc3Mg XQogd2Via2l0Lm9yZy9iLzE1NDIwMyBodHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0 eVBvbGljeS8xLjEvZnJhbWUtYW5jZXN0b3JzL2ZyYW1lLWFuY2VzdG9ycy1vdmVycmlkZXMteGZv Lmh0bWwKIHdlYmtpdC5vcmcvYi8xNTQyMDMgaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2Vj dXJpdHlQb2xpY3kvMS4xL3NjcmlwdGhhc2gtZGVmYXVsdC1zcmMuaHRtbAo=