WebKit Bugzilla
Bug 153562: CSP: Implement child-src directive
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=153562
Daniel Bates
Reported
2016-01-27 14:54:54 PST
We should implement the CSP child-src directive. Together with the fix for bug #153157, the test LayoutTests/http/tests/security/contentSecurityPolicy/worker-script-src.html will pass.
Attachments
Patch and Layout Tests (65.58 KB, patch), 2016-02-11 10:03 PST, Daniel Bates (bfulgham: review+, bfulgham: commit-queue-)
Daniel Bates
Comment 1
2016-02-11 10:03:46 PST
Created attachment 271061: Patch and Layout Tests
Radar WebKit Bug Importer
Comment 2
2016-02-11 10:07:08 PST
<rdar://problem/24610087>
Brent Fulgham
Comment 3
2016-02-12 08:54:00 PST
Comment on attachment 271061: Patch and Layout Tests
View in context: https://bugs.webkit.org/attachment.cgi?id=271061&action=review
Nice work! I had a question about the test skips you added with the comment "Needs expected file". Otherwise this looks good. r=me.
> LayoutTests/TestExpectations:799 > +http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html # Needs expected file.
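Review bot: The skip entry added at LayoutTests/TestExpectations:799 is annotated only with "# Needs expected file." and cites no tracking bug, so nothing records when the test should be re-enabled. Consider referencing a bug on this line so the skip is revisited once the expected result can be generated.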
Why can't we generate these three test expectations? Do we need later patches to complete these tests?
Daniel Bates
Comment 4
2016-02-12 11:02:47 PST
(In reply to comment #3)
> [...]
> > LayoutTests/TestExpectations:799
> > +http/tests/security/contentSecurityPolicy/1.1/stylehash-default-src.html # Needs expected file.
> >
> > Why can't we generate these three test expectations?
Notice that we neither support resource hashes nor directive frame-ancestors at the time of writing and Blink did not commit expected results for these tests (*). We can generate them though it will require that we reason about the expected result of the test and may require understanding how results are formatted by the scripts LayoutTests/resources/testharness.js/LayoutTests/resources/testharnessreport.js so as to predict how the expected result will look on success once we implement these features. I hope you do not mind that I defer landing expected results for these tests until we implement resource hashes and the directive frame-ancestors as it will be straightforward to reason about the expected result (since we will already be in the mindset to reason about these features given we are implementing them).
> Do we need later patches to complete these tests?
As aforementioned above, I would prefer to land expected results for these tests when we implement support for resource hashes and the directive frame-ancestors.

(*) I suspect Blink's test driver machinery knows how to determine success/failure for these tests (I haven't read the code, yet).
Daniel Bates
Comment 5
2016-02-12 16:15:33 PST
Filed bug #154203 to add expected results for tests http/tests/security/contentSecurityPolicy/1.1/frame-ancestors/frame-ancestors-overrides-xfo.html, http/tests/security/contentSecurityPolicy/1.1/{script, style}hash-default-src.html. Will update patch so that LayoutTests/TestExpectations references this bug for these tests before landing.
Daniel Bates
Comment 6
2016-02-12 16:18:43 PST
Committed r196526: <http://trac.webkit.org/changeset/196526>