157275 2016-05-02 13:14:03 -0700 CSP: Perform case sensitive match against path portion of source expression URL that ends in '/' 2016-05-04 17:33:20 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Local Build All All RESOLVED FIXED BlinkMergeCandidate, InRadar P2 Normal --- 1 dbates dbates aestes bfulgham commit-queue mkwst webkit-bug-importer oldest_to_newest 1189486 0 dbates 2016-05-02 13:14:03 -0700 I came across <https://chromium.googlesource.com/chromium/src/+/7bd0a75e3f71a10e71ded31ea5905d5ee3d992eb> today (05/02). We should consider merging it. As per step 8.5.4 of section Does url match expression in origin with redirect count of the Content Security Policy Level 3 spec., we should perform a case-sensitive match of the path portion of the request URL against the path of the source expression regardless of whether the source expression ends in a '/'. The following is a re-publishing of the relevant section: [[ ... 8. If expression contains a non-empty path-part, and redirect count is 0, then: 1. Let exact match be false if the final character of expression’s path-part is the U+002F SOLIDUS character (/), and true otherwise. 2. Let path list be the result of strictly splitting expression’s path-part on the U+002F SOLIDUS character (/). 3. If path list has more items than url’s path, return "Does Not Match". 4. If exact match is true, and path list does not have the same number of items as url’s path, return "Does Not Match". 5. For each expression piece in path list: 1. Let url piece be the next item in url’s path. 2. Percent decode expression piece. 3. Percent decode url piece. 4. If expression piece is not a case-sensitive match for url piece, return "Does Not Match". ]] <https://w3c.github.io/webappsec-csp/#match-url-to-source-expression> (Editor's Draft, 27 April 2016) For example, suppose the Content Security Policy of a page is "script-src http://www.example.com/A/" and it contains <script src="http://www.example.com/a/b.js">. Then the <script> should be blocked by the Content Security Policy of the page because "http://www.example.com/a/b.js" does not start with "http://www.example.com/A/". 1189490 1 277927 dbates 2016-05-02 13:18:09 -0700 Created attachment 277927 Patch and Layout Test 1190285 2 277927 dbates 2016-05-04 17:31:57 -0700 Comment on attachment 277927 Patch and Layout Test Clearing flags on attachment: 277927 Committed r200445: <http://trac.webkit.org/changeset/200445> 1190286 3 dbates 2016-05-04 17:32:01 -0700 All reviewed patches have been landed. Closing bug. 1190287 4 webkit-bug-importer 2016-05-04 17:33:20 -0700 <rdar://problem/26103603> 277927 2016-05-02 13:18:09 -0700 2016-05-04 17:31:57 -0700 Patch and Layout Test bug-157275-20160502131845.patch text/plain 5672 dbates U3VidmVyc2lvbiBSZXZpc2lvbjogMjAwMzIzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNzA0ZmY5MDkxMDk3ZDk0 NzE2NDJhYzBkYzMzMGQzZDJiN2Q1NTM0MC4uNDBiMjRlODkzMGFjNjI5YjdhMTc5OTRkYjhiZmU4 YmFhZGZmOTQ3NSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSw1ICsxLDIzIEBACiAyMDE2LTA1LTAyICBEYW5p ZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KIAorICAgICAgICBDU1A6IFBlcmZvcm0gY2Fz ZSBzZW5zaXRpdmUgbWF0Y2ggYWdhaW5zdCBwYXRoIHBvcnRpb24gb2Ygc291cmNlIGV4cHJlc3Np b24gVVJMIHRoYXQgZW5kcyBpbiAnLycKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcv c2hvd19idWcuY2dpP2lkPTE1NzI3NQorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09Q UyEpLgorCisgICAgICAgIE1lcmdlZCBmcm9tIEJsaW5rOgorICAgICAgICA8aHR0cHM6Ly9jaHJv bWl1bS5nb29nbGVzb3VyY2UuY29tL2Nocm9taXVtL3NyYy8rLzdiZDBhNzVlM2Y3MWExMGU3MWRl ZDMxZWE1OTA1ZDVlZTNkOTkyZWI+CisKKyAgICAgICAgUGVyZm9ybSBhIGNhc2Utc2Vuc2l0aXZl IHByZWZpeCBtYXRjaCBvZiB0aGUgcGF0aCBwb3J0aW9uIGEgc291cmNlIGV4cHJlc3Npb24gdGhh dCBlbmRzIGluICcvJworICAgICAgICBhZ2FpbnN0IHRoZSBwYXRoIHBvcnRpb24gb2YgYSByZXF1 ZXN0IFVSTCBhcyBwZXIgc3RlcCA4LjUuNCBvZiBzZWN0aW9uIERvZXMgdXJsIG1hdGNoIGV4cHJl c3Npb24KKyAgICAgICAgaW4gb3JpZ2luIHdpdGggcmVkaXJlY3QgY291bnQgb2YgdGhlIENvbnRl bnQgU2VjdXJpdHkgUG9saWN5IExldmVsIDMgc3BlYy4sIDxodHRwczovL3czYy5naXRodWIuaW8v d2ViYXBwc2VjLWNzcD4KKyAgICAgICAgKEVkaXRvcidzIERyYWZ0LCAyNyBBcHJpbCAyMDE2KS4K KworICAgICAgICAqIHBhZ2UvY3NwL0NvbnRlbnRTZWN1cml0eVBvbGljeVNvdXJjZS5jcHA6Cisg ICAgICAgIChXZWJDb3JlOjpDb250ZW50U2VjdXJpdHlQb2xpY3lTb3VyY2U6OnBhdGhNYXRjaGVz KToKKworMjAxNi0wNS0wMiAgRGFuaWVsIEJhdGVzICA8ZGFiYXRlc0BhcHBsZS5jb20+CisKICAg ICAgICAgQ1NQOiBBZGQgd29ya2Fyb3VuZCBmb3IgWHRyYU1hdGgKICAgICAgICAgaHR0cHM6Ly9i dWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1NzI1MgogCmRpZmYgLS1naXQgYS9Tb3Vy Y2UvV2ViQ29yZS9wYWdlL2NzcC9Db250ZW50U2VjdXJpdHlQb2xpY3lTb3VyY2UuY3BwIGIvU291 cmNlL1dlYkNvcmUvcGFnZS9jc3AvQ29udGVudFNlY3VyaXR5UG9saWN5U291cmNlLmNwcAppbmRl eCA1ZDViMTY2MGU3M2UwZDkwYzY1NTYwY2JkYTQ2ZDk0NTU1MDM0YjA0Li5lZjkxYjI2OGJjNjQ2 ZmVjYmIxZWNhOGNjYzI0NTRhMmUwMWZjMDk2IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9w YWdlL2NzcC9Db250ZW50U2VjdXJpdHlQb2xpY3lTb3VyY2UuY3BwCisrKyBiL1NvdXJjZS9XZWJD b3JlL3BhZ2UvY3NwL0NvbnRlbnRTZWN1cml0eVBvbGljeVNvdXJjZS5jcHAKQEAgLTc2LDcgKzc2 LDcgQEAgYm9vbCBDb250ZW50U2VjdXJpdHlQb2xpY3lTb3VyY2U6OnBhdGhNYXRjaGVzKGNvbnN0 IFVSTCYgdXJsKSBjb25zdAogICAgIFN0cmluZyBwYXRoID0gZGVjb2RlVVJMRXNjYXBlU2VxdWVu Y2VzKHVybC5wYXRoKCkpOwogCiAgICAgaWYgKG1fcGF0aC5lbmRzV2l0aCgiLyIpKQotICAgICAg ICByZXR1cm4gcGF0aC5zdGFydHNXaXRoKG1fcGF0aCwgZmFsc2UpOworICAgICAgICByZXR1cm4g cGF0aC5zdGFydHNXaXRoKG1fcGF0aCk7CiAKICAgICByZXR1cm4gcGF0aCA9PSBtX3BhdGg7CiB9 CmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cgYi9MYXlvdXRUZXN0cy9DaGFuZ2VM b2cKaW5kZXggMzIxYzJjNGFkNjU5ZDEzYjlkNmVlZjExOWJmYTE5YmUwMzhmZmEyNi4uMDZmMzdk MmUxNGVkNDgwZmZkMTY1YTNkZGZhZTE3NzcwYjMyNzM4ZiAxMDA2NDQKLS0tIGEvTGF5b3V0VGVz dHMvQ2hhbmdlTG9nCisrKyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBA CisyMDE2LTA1LTAyICBEYW5pZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KKworICAgICAg ICBDU1A6IFBlcmZvcm0gY2FzZSBzZW5zaXRpdmUgbWF0Y2ggYWdhaW5zdCBwYXRoIHBvcnRpb24g b2Ygc291cmNlIGV4cHJlc3Npb24gVVJMIHRoYXQgZW5kcyBpbiAnLycKKyAgICAgICAgaHR0cHM6 Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1NzI3NQorCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEFkZCB0ZXN0IHRvIGVuc3VyZSB0aGF0 IHRoZSBwYXRoIHBvcnRpb24gb2YgYSByZXF1ZXN0IFVSTCBpcyBjYXNlLXNlbnNpdGl2ZWx5Cisg ICAgICAgIG1hdGNoZWQgYWdhaW5zdCB0aGUgcGF0aCBwb3J0aW9uIG9mIGEgc291cmNlIGV4cHJl c3Npb24gdGhhdCBlbmRzIGluICcvJy4KKworICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkv Y29udGVudFNlY3VyaXR5UG9saWN5L3NvdXJjZS1saXN0LXBhcnNpbmctcGF0aHMtMDEtZXhwZWN0 ZWQudHh0OgorICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9s aWN5L3NvdXJjZS1saXN0LXBhcnNpbmctcGF0aHMtMDEuaHRtbDoKKwogMjAxNi0wNS0wMSAgU2th Y2hrb3YgT2xla3NhbmRyICA8Z3NrYWNoa292QGdtYWlsLmNvbT4KIAogICAgICAgICBDbGFzcyBj b250cnVjdG9yIGFuZCBtZXRob2RzIHNob3VsZG4ndCBoYXZlICJhcmd1bWVudHMiIGFuZCAiY2Fs bGVyIgpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50 U2VjdXJpdHlQb2xpY3kvc291cmNlLWxpc3QtcGFyc2luZy1wYXRocy0wMS1leHBlY3RlZC50eHQg Yi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9z b3VyY2UtbGlzdC1wYXJzaW5nLXBhdGhzLTAxLWV4cGVjdGVkLnR4dAppbmRleCBiMDRkOGNmZjRm MjM2ZDA2ZmZmOWI3ODA4NzJiMjkyMDA5ZmE3NmUwLi43ZjNiZmMwZTljNTg3NTgxZWI5MWM3ODNm YWI0YWIzM2ZlYWU0YTQwIDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3Vy aXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9zb3VyY2UtbGlzdC1wYXJzaW5nLXBhdGhzLTAxLWV4 cGVjdGVkLnR4dAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRT ZWN1cml0eVBvbGljeS9zb3VyY2UtbGlzdC1wYXJzaW5nLXBhdGhzLTAxLWV4cGVjdGVkLnR4dApA QCAtMiw2ICsyLDcgQEAgQ09OU09MRSBNRVNTQUdFOiBSZWZ1c2VkIHRvIGxvYWQgaHR0cDovLzEy Ny4wLjAuMTo4MDAwL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVAKIENPTlNPTEUgTUVTU0FHRTog UmVmdXNlZCB0byBsb2FkIGh0dHA6Ly8xMjcuMC4wLjE6ODAwMC9zZWN1cml0eS9jb250ZW50U2Vj dXJpdHlQb2xpY3kvcmVzb3VyY2VzL3NjcmlwdC5qcyBiZWNhdXNlIGl0IGRvZXMgbm90IGFwcGVh ciBpbiB0aGUgc2NyaXB0LXNyYyBkaXJlY3RpdmUgb2YgdGhlIENvbnRlbnQgU2VjdXJpdHkgUG9s aWN5LgogQ09OU09MRSBNRVNTQUdFOiBSZWZ1c2VkIHRvIGxvYWQgaHR0cDovLzEyNy4wLjAuMTo4 MDAwL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9yZXNvdXJjZXMvc2NyaXB0LmpzIGJl Y2F1c2UgaXQgZG9lcyBub3QgYXBwZWFyIGluIHRoZSBzY3JpcHQtc3JjIGRpcmVjdGl2ZSBvZiB0 aGUgQ29udGVudCBTZWN1cml0eSBQb2xpY3kuCiBDT05TT0xFIE1FU1NBR0U6IFJlZnVzZWQgdG8g bG9hZCBodHRwOi8vMTI3LjAuMC4xOjgwMDAvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5 L3Jlc291cmNlcy9zY3JpcHQuanMgYmVjYXVzZSBpdCBkb2VzIG5vdCBhcHBlYXIgaW4gdGhlIHNj cmlwdC1zcmMgZGlyZWN0aXZlIG9mIHRoZSBDb250ZW50IFNlY3VyaXR5IFBvbGljeS4KK0NPTlNP TEUgTUVTU0FHRTogUmVmdXNlZCB0byBsb2FkIGh0dHA6Ly8xMjcuMC4wLjE6ODAwMC9zZWN1cml0 eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvUkVTT1VSQ0VTL3NjcmlwdC5qcyBiZWNhdXNlIGl0IGRv ZXMgbm90IGFwcGVhciBpbiB0aGUgc2NyaXB0LXNyYyBkaXJlY3RpdmUgb2YgdGhlIENvbnRlbnQg U2VjdXJpdHkgUG9saWN5LgogUmVzb3VyY2VzIHNob3VsZCBiZSByZWplY3RlZCB1bmxlc3MgdGhl eSBtYXRjaCBhIHdoaXRlbGlzdGVkIHBhdGguCiAKIApAQCAtNDAsMyArNDEsOCBAQCBQQVNTCiBG cmFtZTogJzwhLS1mcmFtZVBhdGggLy88IS0tZnJhbWU2LS0+LS0+JwogLS0tLS0tLS0KIFBBU1MK KworLS0tLS0tLS0KK0ZyYW1lOiAnPCEtLWZyYW1lUGF0aCAvLzwhLS1mcmFtZTctLT4tLT4nCist LS0tLS0tLQorUEFTUwpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0 eS9jb250ZW50U2VjdXJpdHlQb2xpY3kvc291cmNlLWxpc3QtcGFyc2luZy1wYXRocy0wMS5odG1s IGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS9jb250ZW50U2VjdXJpdHlQb2xpY3kv c291cmNlLWxpc3QtcGFyc2luZy1wYXRocy0wMS5odG1sCmluZGV4IGE4NDU5ZDNjOWIxOGY3Njg3 MWFlMGZiZTA1ZWFiYjUwMzE0YWM3NzMuLmEzYjZiYmVlYjhmMWRlMGIxODcyMzMwY2IwMjY4Y2Iw ZjZlOGQwMjkgMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkvY29u dGVudFNlY3VyaXR5UG9saWN5L3NvdXJjZS1saXN0LXBhcnNpbmctcGF0aHMtMDEuaHRtbAorKysg Yi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9z b3VyY2UtbGlzdC1wYXJzaW5nLXBhdGhzLTAxLmh0bWwKQEAgLTEwLDYgKzEwLDcgQEAgdmFyIHRl c3RzID0gWwogICAgIFsnbm8nLCAnc2NyaXB0LXNyYyAxMjcuMC4wLjE6Ki9zZWMvJywgJ3Jlc291 cmNlcy9zY3JpcHQuanMnXSwKICAgICBbJ25vJywgJ3NjcmlwdC1zcmMgMTI3LjAuMC4xOjgwMDAv bm90LXNlY3VyaXR5JywgJ3Jlc291cmNlcy9zY3JpcHQuanMnXSwKICAgICBbJ25vJywgJ3Njcmlw dC1zcmMgMTI3LjAuMC4xOjgwMDAvc2VjdXJpdHklM2Jub3QtY29udGVudFNlY3VyaXR5UG9saWN5 JywgJ3Jlc291cmNlcy9zY3JpcHQuanMnXSwKKyAgICBbJ25vJywgJ3NjcmlwdC1zcmMgMTI3LjAu MC4xOjgwMDAvc2VjdXJpdHkvY29udGVudFNlY3VyaXR5UG9saWN5L3Jlc291cmNlcy8nLCAnaHR0 cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5L2NvbnRlbnRTZWN1cml0eVBvbGljeS9SRVNPVVJD RVMvc2NyaXB0LmpzJ10sCiAgICAgWyd5ZXMnLCAnc2NyaXB0LXNyYyAxMjcuMC4wLjE6Ki8nICsg c2VjdXJpdHkgKyAnLycsICdyZXNvdXJjZXMvc2NyaXB0LmpzJ10sCiAgICAgWyd5ZXMnLCAnc2Ny aXB0LXNyYyAxMjcuMC4wLjE6Ki9zZWN1cml0eS8nLCByZXNvdXJjZXMgKyAnL3NjcmlwdC5qcydd LAogICAgIFsneWVzJywgJ3NjcmlwdC1zcmMgMTI3LjAuMC4xOiovJyArIHNlY3VyaXR5ICsgJy8n LCByZXNvdXJjZXMgKyAnL3NjcmlwdC5qcyddLAo=