Bug 58643

Summary: CSP frame-src is missing
Product: WebKit Reporter: Adam Barth <abarth>
Component: Tools / TestsAssignee: Adam Barth <abarth>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, commit-queue, eric, ossy, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 53572    
Attachments:
Description Flags
Patch
none
Patch
none
Patch for landing
none
Patch none

Adam Barth
Reported 2011-04-15 00:23:56 PDT
CSP frame-src is missing
Attachments
Patch (10.12 KB, patch)
2011-04-20 12:03 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Patch (9.86 KB, patch)
2011-04-20 14:34 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Patch for landing (9.15 KB, patch)
2011-04-20 19:38 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Patch (8.28 KB, patch)
2011-04-22 10:59 PDT, Adam Barth 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Adam Barth
Comment 1 2011-04-20 12:03:37 PDT
Created attachment 90377 [details] Patch
Adam Barth
Comment 2 2011-04-20 12:04:04 PDT
EWS failures expected because this patch depends on Bug 58646.
Eric Seidel (no email)
Comment 3 2011-04-20 13:28:22 PDT
Comment on attachment 90377 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=90377&action=review LGTM. You said you were gonna make the message reporting hotter before landing. > Source/WebCore/html/HTMLFrameElementBase.cpp:81 > + // the Content-Security-Policy of the parent frame or the requestor. requester?
Adam Barth
Comment 4 2011-04-20 14:34:53 PDT
Created attachment 90417 [details] Patch
Adam Barth
Comment 5 2011-04-20 19:38:36 PDT
Created attachment 90480 [details] Patch for landing
WebKit Commit Bot
Comment 6 2011-04-20 20:18:32 PDT
The commit-queue encountered the following flaky tests while processing attachment 90480 [details]: http/tests/xmlhttprequest/remember-bad-password.html bug 51733 (author: ap@webkit.org) The commit-queue is continuing to process your patch.
WebKit Commit Bot
Comment 7 2011-04-20 20:21:42 PDT
Comment on attachment 90480 [details] Patch for landing Clearing flags on attachment: 90480 Committed r84460: <http://trac.webkit.org/changeset/84460>
WebKit Commit Bot
Comment 8 2011-04-20 20:21:47 PDT
All reviewed patches have been landed. Closing bug.
WebKit Review Bot
Comment 9 2011-04-21 02:08:41 PDT
http://trac.webkit.org/changeset/84460 might have broken Qt Linux Release
Csaba Osztrogonác
Comment 10 2011-04-21 04:38:21 PDT
(In reply to comment #9) > http://trac.webkit.org/changeset/84460 might have broken Qt Linux Release http/tests/security/contentSecurityPolicy/frame-src-blocked.html broke http/tests/security/contentSecurityPolicy/image-allowed.html on Qt bot, on Win7 release test bot and on Windows XP debug test bot --- /home/webkitbuildbot/slaves/release32bit/buildslave/qt-linux-release/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-expected.txt 2011-04-21 02:50:47.567542636 -0700 +++ /home/webkitbuildbot/slaves/release32bit/buildslave/qt-linux-release/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-actual.txt 2011-04-21 02:50:47.567542636 -0700 @@ -1,2 +1,4 @@ +CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy. + ALERT: PASS --- /home/buildbot/slave/WebKit-BuildSlave/win-release-tests/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-expected.txt 2011-04-21 03:36:29.043649200 -0700 +++ /home/buildbot/slave/WebKit-BuildSlave/win-release-tests/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-actual.txt 2011-04-21 03:36:29.041649100 -0700 @@ -1,2 +1,6 @@ +CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy. + +CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy. + ALERT: PASS --- /home/buildbot/slave/win-debug-tests/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-expected.txt 2011-04-21 19:26:48.328125000 -0700 +++ /home/buildbot/slave/win-debug-tests/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-actual.txt 2011-04-21 19:26:48.328125000 -0700 @@ -1,2 +1,6 @@ +CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy. + +CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy. + ALERT: PASS
Csaba Osztrogonác
Comment 11 2011-04-21 04:42:38 PDT
I tried to rollout but unfortunately it conflicts with r84478.
Adam Barth
Comment 12 2011-04-21 09:59:22 PDT
(In reply to comment #11) > I tried to rollout but unfortunately it conflicts with r84478. I've performed a partial rollout. Sorry for the disruption. :(
Adam Barth
Comment 13 2011-04-22 10:59:56 PDT
Created attachment 90725 [details] Patch
Eric Seidel (no email)
Comment 14 2011-04-22 11:19:24 PDT
Comment on attachment 90725 [details] Patch We need to figure out how to unify these checks. This ends up being a bunch of copy/paste code, which someone else editing this is likely to get wrong.
Adam Barth
Comment 15 2011-04-22 11:22:37 PDT
Comment on attachment 90725 [details] Patch I think we should have contentSecurityPolicy call canDisplay, which would simply all these call sites.
Eric Seidel (no email)
Comment 16 2011-04-22 11:26:07 PDT
(In reply to comment #15) > (From update of attachment 90725 [details]) > I think we should have contentSecurityPolicy call canDisplay, which would simply all these call sites. If you'd file the follow-up when you get the chance, that'd be fantastic. Thanks again for the patch.
WebKit Commit Bot
Comment 17 2011-04-22 14:18:10 PDT
The commit-queue encountered the following flaky tests while processing attachment 90725 [details]: http/tests/misc/favicon-loads-with-icon-loading-override.html bug 58412 (author: alice.liu@apple.com) The commit-queue is continuing to process your patch.
WebKit Commit Bot
Comment 18 2011-04-22 14:20:29 PDT
Comment on attachment 90725 [details] Patch Clearing flags on attachment: 90725 Committed r84681: <http://trac.webkit.org/changeset/84681>
WebKit Commit Bot
Comment 19 2011-04-22 14:20:34 PDT
All reviewed patches have been landed. Closing bug.
WebKit Commit Bot
Comment 20 2011-04-22 15:58:30 PDT
The commit-queue encountered the following flaky tests while processing attachment 90725 [details]: http/tests/inspector/console-websocket-error.html bug 57392 (authors: pfeldman@chromium.org and yutak@chromium.org) The commit-queue is continuing to process your patch.
WebKit Review Bot
Comment 21 2011-04-22 16:18:55 PDT
http://trac.webkit.org/changeset/84681 might have broken GTK Linux 64-bit Debug
Note You need to log in before you can comment on or make changes to this bug.