Summary: | CSP: 'blob:' URLs should not match 'self' in CSP source expression lists. | ||
---|---|---|---|
Product: | WebKit | Reporter: | Daniel Bates <dbates> |
Component: | WebCore Misc. | Assignee: | Daniel Bates <dbates> |
Status: | RESOLVED FIXED | ||
Severity: | Normal | CC: | bfulgham, buildbot, commit-queue, mkwst, rniwa, webkit-bug-importer |
Priority: | P2 | Keywords: | BlinkMergeCandidate, InRadar, WebExposed |
Version: | WebKit Local Build | ||
Hardware: | All | ||
OS: | All | ||
See Also: | https://bugs.webkit.org/show_bug.cgi?id=154122 | ||
Bug Depends on: | 153562 | ||
Bug Blocks: | |||
Attachments: |
Description
Daniel Bates
2016-01-15 15:10:01 PST
Created attachment 271081 [details]
Patch and Layout Tests
Comment on attachment 271081 [details]
Patch and Layout Tests
Attachment 271081 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/816263
New failing tests:
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html

Created attachment 271087 [details]
Archive of layout-test-results from ews101 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101 Port: mac-yosemite Platform: Mac OS X 10.10.5
Comment on attachment 271081 [details]
Patch and Layout Tests
Attachment 271081 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/816306
New failing tests:
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html

Created attachment 271091 [details]
Archive of layout-test-results from ews104 for mac-yosemite-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Comment on attachment 271081 [details]
Patch and Layout Tests
Attachment 271081 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/816308
New failing tests:
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html

Created attachment 271093 [details]
Archive of layout-test-results from ews113 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews113 Port: mac-yosemite Platform: Mac OS X 10.10.5
(In reply to comment #7)
> Comment on attachment 271081 [details]
> Patch and Layout Tests
>
> Attachment 271081 [details] did not pass mac-debug-ews (mac):
> Output: http://webkit-queues.webkit.org/results/816308
>
> New failing tests:
> http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-
> importScripts-redirect-cross-origin-blocked.html
> http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-
> eval.html
> http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html
> http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-
> importScripts-block-aborts-all-subsequent-imports.html

These failures are because this patch depends on the patch for bug #153562. Without the patch for bug #153562, the script URL of a Web Worker is checked against the script-src directive as opposed to the child-src directive. As a workaround for this bug (bug #153158) these tests needed to put 'self' or http://127.0.0.1:8000 to allow the load of a blob URL Web Worker script. The failure of these tests indicates that the proposed patch (attachment #271081 [details]) works as intended as a blob URL matches neither 'self' nor http://127.0.0.1:8000.

Comment on attachment 271081 [details]
Patch and Layout Tests
View in context: https://bugs.webkit.org/attachment.cgi?id=271081&action=review

> Source/WebCore/ChangeLog:16
> + (WebCore::ContentSecurityPolicySourceList::matches):

Could you add some text explaining why the SecurityOrigin::extractInnerURL is no longer appropriate here?

> Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:-105
> - if (m_allowSelf && m_policy.urlMatchesSelf(effectiveURL))

I don't understand this change. Were we wrong to be considering the SecurityOrigin rules here?
(In reply to comment #10)
> Comment on attachment 271081 [details]
> Patch and Layout Tests
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=271081&action=review
>
> > Source/WebCore/ChangeLog:16
> > + (WebCore::ContentSecurityPolicySourceList::matches):
>
> Could you add some text explaining why the SecurityOrigin::extractInnerURL
> is no longer appropriate here?
>

Will add the following text:

Do not make a distinction between URLs that contain a nested URL (e.g. blob://http://www.example.com/...) and URLs that do not contain a nested URL. The URL of the requested resource should be matched against the source list's source expressions.

> > Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:-105
> > - if (m_allowSelf && m_policy.urlMatchesSelf(effectiveURL))
>
> I don't understand this change. Were we wrong to be considering the
> SecurityOrigin rules here?

Yes, we should not have made use of SecurityOrigin to differentiate between URLs that contain a nested URL and URLs that do not.

Created attachment 271186 [details]
Patch and Layout Tests
Updated patch based on Brent Fulgham's feedback.
Comment on attachment 271186 [details]
Patch and Layout Tests
r=me
Comment on attachment 271186 [details]
Patch and Layout Tests
Attachment 271186 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/820286
New failing tests:
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html

Created attachment 271191 [details]
Archive of layout-test-results from ews103 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103 Port: mac-yosemite Platform: Mac OS X 10.10.5
Comment on attachment 271186 [details]
Patch and Layout Tests
Attachment 271186 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/820295
New failing tests:
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html

Created attachment 271192 [details]
Archive of layout-test-results from ews106 for mac-yosemite-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Comment on attachment 271186 [details]
Patch and Layout Tests
Attachment 271186 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/820426
New failing tests:
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-redirect-cross-origin-blocked.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-blocks-eval.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp.html
http/tests/security/contentSecurityPolicy/worker-blob-inherits-csp-importScripts-block-aborts-all-subsequent-imports.html

Created attachment 271195 [details]
Archive of layout-test-results from ews115 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews115 Port: mac-yosemite Platform: Mac OS X 10.10.5
Comment on attachment 271186 [details]
Patch and Layout Tests
Clearing flags on attachment: 271186
Committed r196528: <http://trac.webkit.org/changeset/196528>
All reviewed patches have been landed. Closing bug. |
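
The matching rule this bug settles, as an added example (not WebKit's code and not taken from the patch): a simplified source-list matcher with a `legacyInnerURL` switch that models the pre-fix behaviour described in the thread, where the nested URL inside a blob URL was extracted before matching. The function names, the option name and the sample blob URL are constructed for illustration; paths, wildcards and scheme-less host sources are not handled.

```javascript
// Simplified CSP source-list matching for 'self', scheme sources and
// scheme://host[:port] sources. Illustrative model only.
const DEFAULT_PORTS = { http: "80", https: "443" };

// Split a URL into the parts a source expression is compared against.
function parts(url) {
  const scheme = url.slice(0, url.indexOf(":")).toLowerCase();
  // A blob URL is matched as requested: it has no host or port of its own.
  if (scheme === "blob") return { scheme, host: "", port: "" };
  const u = new URL(url);
  return { scheme, host: u.hostname, port: u.port || DEFAULT_PORTS[scheme] || "" };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// sourceList: array of source expressions, e.g. ["'self'", "blob:"].
// selfOrigin: origin of the protected resource, e.g. "http://127.0.0.1:8000".
// legacyInnerURL (hypothetical option): strip "blob:" and match the nested
// URL instead, as the thread says the code did before the fix.
function matches(sourceList, url, selfOrigin, { legacyInnerURL = false } = {}) {
  let effective = url;
  if (legacyInnerURL && url.toLowerCase().startsWith("blob:")) {
    effective = url.slice("blob:".length);
  }
  const target = parts(effective);
  return sourceList.some((expr) => {
    if (expr === "'self'") return sameOrigin(target, parts(selfOrigin));
    if (expr.endsWith(":")) return target.scheme === expr.slice(0, -1).toLowerCase();
    return sameOrigin(target, parts(expr));
  });
}

// Constructed sample values.
const SELF = "http://127.0.0.1:8000";
const BLOB = "blob:http://127.0.0.1:8000/0f1e2d3c-0000-4000-8000-000000000000";

function demo() {
  return {
    legacySelf: matches(["'self'"], BLOB, SELF, { legacyInnerURL: true }),
    fixedSelf: matches(["'self'"], BLOB, SELF),
    fixedHost: matches(["http://127.0.0.1:8000"], BLOB, SELF),
    fixedBlobScheme: matches(["'self'", "blob:"], BLOB, SELF),
  };
}
```

With the fixed behaviour a policy that relies on blob URL workers has to list `blob:` explicitly in the relevant directive; `'self'` alone no longer covers them.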