| Summary: | CSP frame-src is missing | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Adam Barth <abarth> | ||||||||||
| Component: | Tools / Tests | Assignee: | Adam Barth <abarth> | ||||||||||
| Status: | RESOLVED FIXED | ||||||||||||
| Severity: | Normal | CC: | abarth, commit-queue, eric, ossy, webkit.review.bot | ||||||||||
| Priority: | P2 | ||||||||||||
| Version: | 528+ (Nightly build) | ||||||||||||
| Hardware: | All | ||||||||||||
| OS: | All | ||||||||||||
| Bug Depends on: | |||||||||||||
| Bug Blocks: | 53572 | ||||||||||||
| Attachments: |
|
||||||||||||
|
Description
Adam Barth
2011-04-15 00:23:56 PDT
Created attachment 90377 [details]
Patch
EWS failures expected because this patch depends on Bug 58646. Comment on attachment 90377 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=90377&action=review LGTM. You said you were gonna make the message reporting hotter before landing. > Source/WebCore/html/HTMLFrameElementBase.cpp:81 > + // the Content-Security-Policy of the parent frame or the requestor. requester? Created attachment 90417 [details]
Patch
Created attachment 90480 [details]
Patch for landing
The commit-queue encountered the following flaky tests while processing attachment 90480 [details]: http/tests/xmlhttprequest/remember-bad-password.html bug 51733 (author: ap@webkit.org) The commit-queue is continuing to process your patch. Comment on attachment 90480 [details] Patch for landing Clearing flags on attachment: 90480 Committed r84460: <http://trac.webkit.org/changeset/84460> All reviewed patches have been landed. Closing bug. http://trac.webkit.org/changeset/84460 might have broken Qt Linux Release (In reply to comment #9) > http://trac.webkit.org/changeset/84460 might have broken Qt Linux Release http/tests/security/contentSecurityPolicy/frame-src-blocked.html broke http/tests/security/contentSecurityPolicy/image-allowed.html on Qt bot, on Win7 release test bot and on Windows XP debug test bot --- /home/webkitbuildbot/slaves/release32bit/buildslave/qt-linux-release/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-expected.txt 2011-04-21 02:50:47.567542636 -0700 +++ /home/webkitbuildbot/slaves/release32bit/buildslave/qt-linux-release/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-actual.txt 2011-04-21 02:50:47.567542636 -0700 @@ -1,2 +1,4 @@ +CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy. + ALERT: PASS --- /home/buildbot/slave/WebKit-BuildSlave/win-release-tests/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-expected.txt 2011-04-21 03:36:29.043649200 -0700 +++ /home/buildbot/slave/WebKit-BuildSlave/win-release-tests/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-actual.txt 2011-04-21 03:36:29.041649100 -0700 @@ -1,2 +1,6 @@ +CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy. + +CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy. + ALERT: PASS --- /home/buildbot/slave/win-debug-tests/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-expected.txt 2011-04-21 19:26:48.328125000 -0700 +++ /home/buildbot/slave/win-debug-tests/build/layout-test-results/http/tests/security/contentSecurityPolicy/image-allowed-actual.txt 2011-04-21 19:26:48.328125000 -0700 @@ -1,2 +1,6 @@ +CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy. + +CONSOLE MESSAGE: line 1: Refused to load frame from 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/alert-fail.html' because of Content-Security-Policy. + ALERT: PASS I tried to rollout but unfortunately it conflicts with r84478. (In reply to comment #11) > I tried to rollout but unfortunately it conflicts with r84478. I've performed a partial rollout. Sorry for the disruption. :( Created attachment 90725 [details]
Patch
Comment on attachment 90725 [details]
Patch
We need to figure out how to unify these checks. This ends up being a bunch of copy/paste code, which someone else editing this is likely to get wrong.
Comment on attachment 90725 [details]
Patch
I think we should have contentSecurityPolicy call canDisplay, which would simply all these call sites.
(In reply to comment #15) > (From update of attachment 90725 [details]) > I think we should have contentSecurityPolicy call canDisplay, which would simply all these call sites. If you'd file the follow-up when you get the chance, that'd be fantastic. Thanks again for the patch. The commit-queue encountered the following flaky tests while processing attachment 90725 [details]: http/tests/misc/favicon-loads-with-icon-loading-override.html bug 58412 (author: alice.liu@apple.com) The commit-queue is continuing to process your patch. Comment on attachment 90725 [details] Patch Clearing flags on attachment: 90725 Committed r84681: <http://trac.webkit.org/changeset/84681> All reviewed patches have been landed. Closing bug. The commit-queue encountered the following flaky tests while processing attachment 90725 [details]: http/tests/inspector/console-websocket-error.html bug 57392 (authors: pfeldman@chromium.org and yutak@chromium.org) The commit-queue is continuing to process your patch. http://trac.webkit.org/changeset/84681 might have broken GTK Linux 64-bit Debug |