Bug 153562 - CSP: Implement child-src directive
Summary: CSP: Implement child-src directive
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Local Build
Hardware: All All
: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar, WebExposed
Depends on: 153157
Blocks: 85558 153158
  Show dependency treegraph
 
Reported: 2016-01-27 14:54 PST by Daniel Bates
Modified: 2016-02-12 16:18 PST (History)
9 users (show)

See Also:


Attachments
Patch and Layout Tests (65.58 KB, patch)
2016-02-11 10:03 PST, Daniel Bates
bfulgham: review+
bfulgham: commit-queue-
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Bates 2016-01-27 14:54:54 PST
We should implement the CSP child-src directive. Together with the fix for bug #153157 then the test LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src.html will pass.
Comment 1 Daniel Bates 2016-02-11 10:03:46 PST
Created attachment 271061 [details]
Patch and Layout Tests
Comment 2 Radar WebKit Bug Importer 2016-02-11 10:07:08 PST
<rdar://problem/24610087>
Comment 3 Brent Fulgham 2016-02-12 08:54:00 PST
Comment on attachment 271061 [details]
Patch and Layout Tests

View in context: https://bugs.webkit.org/attachment.cgi?id=271061&action=review

Nice work! I had a question about the test skips you added with the comment "Needs expected file". Otherwise this looks good. r=me.

> LayoutTests/TestExpectations:799
> +http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html # Needs expected file.

Why can't we generate these three test expectations? Do we need later patches to complete these tests?
Comment 4 Daniel Bates 2016-02-12 11:02:47 PST
(In reply to comment #3)
> [...]
> > LayoutTests/TestExpectations:799
> > +http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html # Needs expected file.
> 
> Why can't we generate these three test expectations? 

Notice that we neither support resources hashes nor directive frame-ancestors at the time of writing and Blink did not commit expected results for these tests (*).

We can generate them though it will require that we reason about the expected result of the test and may require understanding how results are formatted by the scripts LayoutTests/resources/testharness.js/LayoutTests/resources/testharnessreport.js so as to predict how the expected result will look on success once we implement these features. I hope you do not mind that I defer landing expected results for these tests until we implement resource hashes and the directive frame-ancestors as it will be straightforward to reason about the expected result (since we will already be in the mindset to reason about these features given we are implementing them).

> Do we need later patches to complete these tests?

As aforementioned above, I would prefer to land expected results for these tests when we implement support for resource hashes and the directive frame-ancestors.

(*) I suspect Blink's test driver machinery knows how to determine success/failure for these tests (I haven't read the code, yet).
Comment 5 Daniel Bates 2016-02-12 16:15:33 PST
Filed bug #154203 to add expected results for tests http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html, http/tests/security/contentSecurityPolicy/1.1/{script, style}hash-default-src.html. Will update patch so that LayoutTests/TestExpectations references this bug for these tests before landing.
Comment 6 Daniel Bates 2016-02-12 16:18:43 PST
Committed r196526: <http://trac.webkit.org/changeset/196526>