Bug 235260

Summary: "Unrecognized Content-Security-Policy directive 'worker-src'."
Product: WebKit Reporter: Kate Cheney <katherine_cheney>
Component: New BugsAssignee: Kate Cheney <katherine_cheney>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, eric.carlson, ews-watchlist, glenn, japhet, jer.noble, mkwst, pgriffis, philipj, sergio, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=229875
Attachments:
Description Flags
WIP patch
none
WIP patch
none
WIP patch
none
Patch
none
Patch for landing
none
Patch ews-feeder: commit-queue-

Description Kate Cheney 2022-01-14 17:56:51 PST 
"Unrecognized Content-Security-Policy directive 'worker-src'."
Comment 1 Kate Cheney 2022-01-14 17:59:02 PST 
Created attachment 449238 [details]
WIP patch
Comment 2 Kate Cheney 2022-01-18 20:27:08 PST 
Created attachment 449460 [details]
WIP patch
Comment 3 Kate Cheney 2022-01-19 13:17:42 PST 
Created attachment 449511 [details]
WIP patch
Comment 4 Patrick Griffis 2022-01-19 13:38:02 PST 
Overall patch looks really good.

Was one regression: script-src-strict_dynamic_worker-importScripts.https.html

Looks like when it falls back to the `script-src` directive it expects all of its rules to pass including 'strict-dynamic'. I wonder if we match that behavior with all other directives that can fallback to `script-src`.
Comment 5 Patrick Griffis 2022-01-19 13:40:47 PST 
And fixed, looks great.
Comment 6 Kate Cheney 2022-01-19 13:42:07 PST 
Yes! I found https://github.com/w3c/webappsec-csp/issues/200 which pretty much outlines exactly what you suggested. Hopefully that fixes all the regressions.
Comment 7 Kate Cheney 2022-01-20 08:47:34 PST 
Created attachment 449581 [details]
Patch
Comment 8 Kate Cheney 2022-01-21 09:50:39 PST 
Something I could probably clarify in the Changelog is that some worker-src tests are still skipped because they log seemingly random URL paths that change with each test run, making them impossible to write expectations for.
Comment 9 Radar WebKit Bug Importer 2022-01-21 17:57:18 PST 
<rdar://problem/87912445>
Comment 10 Brent Fulgham 2022-01-27 09:11:06 PST 
Comment on attachment 449581 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=449581&action=review

Awesome work, Kate! r=me

> Source/WebCore/page/csp/ContentSecurityPolicy.cpp:619
> +        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::workerSrc, violatedDirective, blockedURL, "Refused to load");

Nit: consoleMessage could be auto.

> Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:155
> +{

I found this ChangeLog comment to be helpful. I wonder if it might be useful to reference here (perhaps with a spec reference):

// worker-src defers to child-src, then script-src, then default-src.

> LayoutTests/imported/w3c/ChangeLog:90
> +        * web-platform-tests/content-security-policy/gen/top.meta/worker-src-self/worker-import-data.https-expected.txt:

So exciting to see! :-)

> LayoutTests/TestExpectations:-489
> -imported/w3c/web-platform-tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.https.html [ Skip ]

Yes!!!

> LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/self-doesnt-match-blob.sub-expected.txt:4
> +PASS Expecting logs: ["violated-directive=worker-src","TEST COMPLETE"]

:-)
Comment 11 Kate Cheney 2022-01-27 09:58:18 PST 
Created attachment 450150 [details]
Patch for landing
Comment 12 Kate Cheney 2022-01-27 10:16:08 PST 
(In reply to Brent Fulgham from comment #10)
> Comment on attachment 449581 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=449581&action=review
> 
> Awesome work, Kate! r=me
> 

thanks for the review! 

> > Source/WebCore/page/csp/ContentSecurityPolicy.cpp:619
> > +        String consoleMessage = consoleMessageForViolation(ContentSecurityPolicyDirectiveNames::workerSrc, violatedDirective, blockedURL, "Refused to load");
> 
> Nit: consoleMessage could be auto.
> 

Fixed!

> > Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:155
> > +{
> 
> I found this ChangeLog comment to be helpful. I wonder if it might be useful
> to reference here (perhaps with a spec reference):
> 
> // worker-src defers to child-src, then script-src, then default-src.
> 

Ditto, added this in PFL.

> > LayoutTests/imported/w3c/ChangeLog:90
> > +        * web-platform-tests/content-security-policy/gen/top.meta/worker-src-self/worker-import-data.https-expected.txt:
> 
> So exciting to see! :-)
> 
> > LayoutTests/TestExpectations:-489
> > -imported/w3c/web-platform-tests/content-security-policy/gen/top.http-rp/script-src-self/worker-import-data.https.html [ Skip ]
> 
> Yes!!!
> 
> > LayoutTests/imported/w3c/web-platform-tests/content-security-policy/blob/self-doesnt-match-blob.sub-expected.txt:4
> > +PASS Expecting logs: ["violated-directive=worker-src","TEST COMPLETE"]
> 
> :-)

!!! :) !!
Comment 13 Patrick Griffis 2022-01-27 10:19:26 PST 
Will need a simple rebase over r288678
Comment 14 EWS 2022-01-27 10:39:53 PST 
Tools/Scripts/svn-apply failed to apply attachment 450150 [details] to trunk.
Please resolve the conflicts and upload a new patch.
Comment 15 Kate Cheney 2022-01-27 11:25:10 PST 
Created attachment 450160 [details]
Patch
Comment 16 EWS 2022-01-27 14:12:46 PST 
Committed r288701 (246499@main): <https://commits.webkit.org/246499@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 450160 [details].