[webkit-changes] [99329] trunk

[abarth]

Title: [99329] trunk

Revision

99329

Author

aba...@webkit.org

Date

2011-11-04 15:32:13 -0700 (Fri, 04 Nov 2011)

Log Message

When CSP blocks mixed content, we shouldn't also warn about mixed content
https://bugs.webkit.org/show_bug.cgi?id=71588

Reviewed by Eric Seidel.

Source/WebCore:

Getting both warnings confused some early adopters.  They thought the
insecure loads were happening even though they blocked them with CSP.
This patch restricts the mixed content warnings to show only when the
load isn't already blocked by CSP or by the embedder.

Test: http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning.html

* loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::canRequest):

LayoutTests:

These tests check what kinds of warnings we generate when blocking insecure scripts with CSP.

* http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt: Added.
* http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning.html: Added.
* http/tests/security/contentSecurityPolicy/resources/alert-fail.js: Added.
* http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html: Added.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

Added Paths

• trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt
• trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning.html
• trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.js
• trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html

Diff

Modified: trunk/LayoutTests/ChangeLog (99328 => 99329)

--- trunk/LayoutTests/ChangeLog	2011-11-04 22:24:17 UTC (rev 99328)
+++ trunk/LayoutTests/ChangeLog	2011-11-04 22:32:13 UTC (rev 99329)
@@ -1,3 +1,17 @@
+2011-11-04  Adam Barth  <aba...@webkit.org>
+
+        When CSP blocks mixed content, we shouldn't also warn about mixed content
+        https://bugs.webkit.org/show_bug.cgi?id=71588
+
+        Reviewed by Eric Seidel.
+
+        These tests check what kinds of warnings we generate when blocking insecure scripts with CSP.
+
+        * http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning.html: Added.
+        * http/tests/security/contentSecurityPolicy/resources/alert-fail.js: Added.
+        * http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html: Added.
+
 2011-11-04  Sheriff Bot  <webkit.review....@gmail.com>
 
         Unreviewed, rolling out r99315.

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt (0 => 99329)

--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning-expected.txt	2011-11-04 22:32:13 UTC (rev 99329)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Refused to load script from 'http://127.0.0.1:8080/security/contentSecurityPolicy/resources/alert-fail.js' because of Content-Security-Policy.
+
+This page should neither alert "FAIL" nor generate any mixed content warnings in the console. 

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning.html (0 => 99329)

--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning.html	2011-11-04 22:32:13 UTC (rev 99329)
@@ -0,0 +1,6 @@
+<script>
+if (window.layoutTestController)
+    layoutTestController.dumpAsText();
+</script>
+This page should neither alert "FAIL" nor generate any mixed content warnings in the console.
+<iframe src=""

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.js (0 => 99329)

--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.js	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/alert-fail.js	2011-11-04 22:32:13 UTC (rev 99329)
@@ -0,0 +1 @@
+alert('FAIL');

Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html (0 => 99329)

--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/resources/mixed-content-with-csp.html	2011-11-04 22:32:13 UTC (rev 99329)
@@ -0,0 +1,3 @@
+<meta http-equiv="X-WebKit-CSP" content="default-src 'self'">
+This page includes an insecure script that alerts "FAIL", but that script is blocked by CSP.
+<script src=""

Modified: trunk/Source/WebCore/ChangeLog (99328 => 99329)

--- trunk/Source/WebCore/ChangeLog	2011-11-04 22:24:17 UTC (rev 99328)
+++ trunk/Source/WebCore/ChangeLog	2011-11-04 22:32:13 UTC (rev 99329)
@@ -1,3 +1,20 @@
+2011-11-04  Adam Barth  <aba...@webkit.org>
+
+        When CSP blocks mixed content, we shouldn't also warn about mixed content
+        https://bugs.webkit.org/show_bug.cgi?id=71588
+
+        Reviewed by Eric Seidel.
+
+        Getting both warnings confused some early adopters.  They thought the
+        insecure loads were happening even though they blocked them with CSP.
+        This patch restricts the mixed content warnings to show only when the
+        load isn't already blocked by CSP or by the embedder.
+
+        Test: http/tests/security/contentSecurityPolicy/block-mixed-content-hides-warning.html
+
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::canRequest):
+
 2011-11-04  Michael Nordman  <micha...@google.coom>
 
         Allow ScriptExecutionContext::addMessage to be called from background threads.

Modified: trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp (99328 => 99329)

--- trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2011-11-04 22:24:17 UTC (rev 99328)
+++ trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp	2011-11-04 22:32:13 UTC (rev 99329)
@@ -303,13 +303,6 @@
 #endif
     }
 
-    // Given that the load is allowed by the same-origin policy, we should
-    // check whether the load passes the mixed-content policy.
-    //
-    // FIXME: Should we consider forPreload here?
-    if (!checkInsecureContent(type, url))
-        return false;
-
     switch (type) {
 #if ENABLE(XSLT)
     case CachedResource::XSLStyleSheet:
@@ -362,6 +355,14 @@
 #endif
     }
 
+    // Last of all, check for insecure content. We do this last so that when
+    // folks block insecure content with a CSP policy, they don't get a warning.
+    // They'll still get a warning in the console about CSP blocking the load.
+
+    // FIXME: Should we consider forPreload here?
+    if (!checkInsecureContent(type, url))
+        return false;
+
     return true;
 }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes