Bug 155466

<rdar://problem/25152480>

Created attachment 274031 [details]
Patch and Layout Tests

Created attachment 274032 [details]
[Screenshot] Example UI

A screenshot that illustrates the appearance of a CSP hash in the sidebar when an HTML script element (for an inline JavaScript script) is selected.

Comment on attachment 274031 [details]
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=274031&action=review

r=me! Awesome.

> Source/WebCore/inspector/InspectorDOMAgent.cpp:1284
> +    return makeString("'sha256-", base64Encode(digest.data(), digest.size()), '\'');

Are these single-quotes necessary?

> Source/WebCore/inspector/InspectorFrontendHost.h:41
> +class Element;

Is this needed? I don't see it used.

> LayoutTests/inspector/dom/csp-hash.html:1
> +<html>

We normally add a DOCTYPE. Would that affect things here?

> LayoutTests/inspector/dom/csp-hash.html:48
> +        WebInspector.domTreeManager.querySelector(documentNode.id, "#script-with-uncode-code-point-00C5", function(nodeId) {

Typo: "uncode" => "unicode". Here and a few other places.

> LayoutTests/inspector/dom/csp-hash.html:62
> +        WebInspector.domTreeManager.querySelector(documentNode.id, "#script-with-uncode-code-point-212B", function(nodeId) {
> +            let domNode = WebInspector.domTreeManager.nodeForId(nodeId);
> +            let expectedHash = "'sha256-YcKgriaBGkU6FsWZXgDLv4Wo5UZ5Qe5hNp6Psb3RJOE='"; // Same hash as for script #script-with-uncode-code-point-00C5.
> +            InspectorTest.log("");
> +            InspectorTest.expectThat(domNode, "Got DOMNode for #script-with-uncode-code-point-212B");
> +            InspectorTest.expectThat(domNode.contentSecurityPolicyHash() === expectedHash, `DOMNode has hash ${expectedHash}`);
> +        });

An easier way to write this file could be a set of test that you loop through. Since it seems the contents of all of these functions are nearly identical.

    // Nit: Style this however you wish.
    let testCases = [
        {selector: '#stylesheet-without-whitespace", hash: "'sha256-NW7+Fm6YV404pkklaopT0jgCBCmfOAn0K+NtIfyPN4A='"},
        {selector: '#stylesheet-with-whitespace", hash: "'sha256-NW7+Fm6YV404pkklaopT0jgCBCmfOAn0K+NtIfyPN4A='"},
        ...
    ];

    for (let {selector, hash} of testCases) {
        WebInspector.domTreeManager.querySelector(documentNode.id, test.selector, function(nodeId) {
            let domNode = WebInspector.domTreeManager.nodeForId(nodeId);
            InspectorTest.log("");
            InspectorTest.expectThat(domNode, `Got DOMNode for ${selector}`);
            InspectorTest.expectThat(domNode.contentSecurityPolicyHash() === hash, `DOMNode has hash ${hash}`);
        }
    }

    InspectorTest.completeTest();

> LayoutTests/inspector/dom/csp-hash.html:90
> +    <p>Test for Content Security Policy hash support.</p>

Please add " on DOM.DOMNode".

> LayoutTests/inspector/dom/csp-hash.html:113
> +     <!-- Hash of this script should be equivalent to hash of script script-with-uncode-code-point-00C5. -->

Typo: "uncode" => "unicode"

Comment on attachment 274031 [details]
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=274031&action=review

>> Source/WebCore/inspector/InspectorDOMAgent.cpp:1284
>> +    return makeString("'sha256-", base64Encode(digest.data(), digest.size()), '\'');
> 
> Are these single-quotes necessary?

They are needed when putting the hash in the CSP header, but they clutter the UI. Lets drop them. A developer will know to add them if they use this.

> Source/WebInspectorUI/UserInterface/Views/DOMNodeDetailsSidebarPanel.js:41
> +        this._identityNodeContentSecurityPolicyHashRow = new WebInspector.DetailsSectionSimpleRow(WebInspector.UIString("Content Security Policy Hash"));

This is a long label. I think we can just say "CSP Hash", most developers will know what that is if they need it.

(In reply to comment #4)
> > Source/WebCore/inspector/InspectorDOMAgent.cpp:1284
> > +    return makeString("'sha256-", base64Encode(digest.data(), digest.size()), '\'');
> 
> Are these single-quotes necessary?
> 

As mentioned in Timothy Hatcher's remark in comment #5, the single quotes are needed "when putting the hash in the CSP header". Timothy Hatcher suggested in the same comment that we omit these single quotes.

> > Source/WebCore/inspector/InspectorFrontendHost.h:41
> > +class Element;
> 
> Is this needed? I don't see it used.
> 

No, it is not needed. Will remove.

> > LayoutTests/inspector/dom/csp-hash.html:1
> > +<html>
> 
> We normally add a DOCTYPE. 

Will add DOCTYPE tag.

> Would that affect things here?
> 

No.

> > LayoutTests/inspector/dom/csp-hash.html:48
> > +        WebInspector.domTreeManager.querySelector(documentNode.id, "#script-with-uncode-code-point-00C5", function(nodeId) {
> 
> Typo: "uncode" => "unicode". Here and a few other places.
> 

Will fix throughout this file.

> > LayoutTests/inspector/dom/csp-hash.html:62
> > +        WebInspector.domTreeManager.querySelector(documentNode.id, "#script-with-uncode-code-point-212B", function(nodeId) {
> > +            let domNode = WebInspector.domTreeManager.nodeForId(nodeId);
> > +            let expectedHash = "'sha256-YcKgriaBGkU6FsWZXgDLv4Wo5UZ5Qe5hNp6Psb3RJOE='"; // Same hash as for script #script-with-uncode-code-point-00C5.
> > +            InspectorTest.log("");
> > +            InspectorTest.expectThat(domNode, "Got DOMNode for #script-with-uncode-code-point-212B");
> > +            InspectorTest.expectThat(domNode.contentSecurityPolicyHash() === expectedHash, `DOMNode has hash ${expectedHash}`);
> > +        });
> 
> An easier way to write this file could be a set of test that you loop
> through. Since it seems the contents of all of these functions are nearly
> identical.
> 
>     // Nit: Style this however you wish.
>     let testCases = [
>         {selector: '#stylesheet-without-whitespace", hash:
> "'sha256-NW7+Fm6YV404pkklaopT0jgCBCmfOAn0K+NtIfyPN4A='"},
>         {selector: '#stylesheet-with-whitespace", hash:
> "'sha256-NW7+Fm6YV404pkklaopT0jgCBCmfOAn0K+NtIfyPN4A='"},
>         ...
>     ];
> 
>     for (let {selector, hash} of testCases) {
>         WebInspector.domTreeManager.querySelector(documentNode.id,
> test.selector, function(nodeId) {
>             let domNode = WebInspector.domTreeManager.nodeForId(nodeId);
>             InspectorTest.log("");
>             InspectorTest.expectThat(domNode, `Got DOMNode for ${selector}`);
>             InspectorTest.expectThat(domNode.contentSecurityPolicyHash() ===
> hash, `DOMNode has hash ${hash}`);
>         }
>     }
> 
>     InspectorTest.completeTest();
> 

Will use your idea to simplify the code in this file (cap-hash.html) and LayoutTests/inspector/dom/csp-big5-hash.html.

> > LayoutTests/inspector/dom/csp-hash.html:90
> > +    <p>Test for Content Security Policy hash support.</p>
> 
> Please add " on DOM.DOMNode".
> 

Will add.

> > LayoutTests/inspector/dom/csp-hash.html:113
> > +     <!-- Hash of this script should be equivalent to hash of script script-with-uncode-code-point-00C5. -->
> 
> Typo: "uncode" => "unicode"

Will fix throughout this file.

(In reply to comment #5)
> >> Source/WebCore/inspector/InspectorDOMAgent.cpp:1284
> >> +    return makeString("'sha256-", base64Encode(digest.data(), digest.size()), '\'');
> > 
> > Are these single-quotes necessary?
> 
> They are needed when putting the hash in the CSP header, but they clutter
> the UI. Lets drop them. A developer will know to add them if they use this.
> 

Will omit the single quotes.

> > Source/WebInspectorUI/UserInterface/Views/DOMNodeDetailsSidebarPanel.js:41
> > +        this._identityNodeContentSecurityPolicyHashRow = new WebInspector.DetailsSectionSimpleRow(WebInspector.UIString("Content Security Policy Hash"));
> 
> This is a long label. I think we can just say "CSP Hash", most developers
> will know what that is if they need it.

Will change label to read "CSP Hash".

Committed r198178: <http://trac.webkit.org/changeset/198178>