Bug 153562

Summary: CSP: Implement child-src directive
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc. Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: aestes, bfulgham, cdumez, commit-queue, japhet, mjs, mkwst, sam, webkit-bug-importer
Priority: P2 Keywords: InRadar, WebExposed
Version: WebKit Local Build   
Hardware: All   
OS: All   
Bug Depends on: 153157    
Bug Blocks: 85558, 153158    
Attachments:
Description Flags
Patch and Layout Tests bfulgham: review+, bfulgham: commit-queue-

Description Daniel Bates 2016-01-27 14:54:54 PST
We should implement the CSP child-src directive. Together with the fix for bug #153157 then the test LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src.html will pass.
Comment 1 Daniel Bates 2016-02-11 10:03:46 PST
Created attachment 271061 [details]
Patch and Layout Tests
Comment 2 Radar WebKit Bug Importer 2016-02-11 10:07:08 PST
<rdar://problem/24610087>
Comment 3 Brent Fulgham 2016-02-12 08:54:00 PST
Comment on attachment 271061 [details]
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=271061&action=review

Nice work! I had a question about the test skips you added with the comment "Needs expected file". Otherwise this looks good. r=me.

> LayoutTests/TestExpectations:799
> +http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html # Needs expected file.
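Review bot: the skip entry at TestExpectations:799 carries only the free-text comment "Needs expected file." and no bug reference, so nothing ties it to the work that will eventually unskip it; the same applies to the other two entries added with that comment. Suggest prefixing each entry with the tracking bug in WebKit's usual TestExpectations form, `webkit.org/b/<bug number> http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html`, so the entries can be located and removed once expected results land.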

Why can't we generate these three test expectations? Do we need later patches to complete these tests?
Comment 4 Daniel Bates 2016-02-12 11:02:47 PST
(In reply to comment #3)
> [...]
> > LayoutTests/TestExpectations:799
> > +http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html # Needs expected file.
> 
> Why can't we generate these three test expectations? 

Notice that we neither support resource hashes nor the directive frame-ancestors at the time of writing, and Blink did not commit expected results for these tests (*).

We can generate them though it will require that we reason about the expected result of the test and may require understanding how results are formatted by the scripts LayoutTests/resources/testharness.js/LayoutTests/resources/testharnessreport.js so as to predict how the expected result will look on success once we implement these features. I hope you do not mind that I defer landing expected results for these tests until we implement resource hashes and the directive frame-ancestors as it will be straightforward to reason about the expected result (since we will already be in the mindset to reason about these features given we are implementing them).

> Do we need later patches to complete these tests?

As aforementioned above, I would prefer to land expected results for these tests when we implement support for resource hashes and the directive frame-ancestors.

(*) I suspect Blink's test driver machinery knows how to determine success/failure for these tests (I haven't read the code, yet).
Comment 5 Daniel Bates 2016-02-12 16:15:33 PST
Filed bug #154203 to add expected results for tests http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html, http/tests/security/contentSecurityPolicy/1.1/{script, style}hash-default-src.html. Will update patch so that LayoutTests/TestExpectations references this bug for these tests before landing.
Comment 6 Daniel Bates 2016-02-12 16:18:43 PST
Committed r196526: <http://trac.webkit.org/changeset/196526>