Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 70d6fcb9fc882b766302bdb5116a50f05414383b
https://github.com/WebKit/WebKit/commit/70d6fcb9fc882b766302bdb5116a50f05414383b
Author: Yoav Weiss <yoav.we...@shopify.com>
Date: 2025-01-06 (Mon, 06 Jan 2025)

Changed paths:
  M LayoutTests/TestExpectations
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/default-src.https.window-expected.txt
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/default-src.https.window.js.sub.headers
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/multiple-policies.https.sub-expected.txt
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/multiple-policies.https.sub.html.sub.headers
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-default-src.https.window-expected.txt
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-default-src.https.window.js.sub.headers
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-elem.https.window-expected.txt
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-elem.https.window.js.sub.headers
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-none.https.window-expected.txt
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-none.https.window.js.sub.headers
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src.https.window-expected.txt
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src.https.window.js.sub.headers
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/resources/report-hash-test-runner.sub.js
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-elem.https.window-expected.txt
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-elem.https.window.js.sub.headers
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-sha512.https.window-expected.txt
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-sha512.https.window.js.sub.headers
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src.https.window-expected.txt
  M LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src.https.window.js.sub.headers
  M LayoutTests/platform/mac-wk1/TestExpectations
  M Source/WebCore/Modules/reporting/ViolationReportType.h
  M Source/WebCore/loader/PingLoader.cpp
  M Source/WebCore/loader/SubresourceIntegrity.cpp
  M Source/WebCore/loader/SubresourceIntegrity.h
  M Source/WebCore/loader/cache/CachedResource.h
  M Source/WebCore/loader/cache/CachedResourceLoader.cpp
  M Source/WebCore/page/csp/ContentSecurityPolicy.cpp
  M Source/WebCore/page/csp/ContentSecurityPolicy.h
  M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp
  M Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h
  M Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp
  M Source/WebCore/page/csp/ContentSecurityPolicySourceList.h
  M Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h

Log Message:
-----------
Implement CSP hash reporting for scripts
https://bugs.webkit.org/show_bug.cgi?id=285292

Reviewed by Darin Adler.

CSP was recently added new `report-sha256`, `report-sha384` and `report-sha512` keywords - https://github.com/w3c/webappsec-csp/pull/693/files

These new keywords trigger a new reporting type "hash-report". It reports hashes for (same-origin or CORS enabled) scripts that are loaded in the context of the document (regardless of their "integrity" attribute), and sends reports about them.

Those reports enable developers to:
* Create inventory of the scripts running on their page. (critical for PCI-DSS v4 - context.)
* Have certainty that they can enable SRI or CSP hash-based enforcement without breaking their sites.

The current PR only covers external scripts. We may want to extend the feature in the future to cover inline scripts, evals, event handlers and javascript URLs.

This PR implements that feature.

* LayoutTests/TestExpectations: Stop skipping the relevant tests.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/default-src.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/default-src.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/multiple-policies.https.sub-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/multiple-policies.https.sub.html.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-default-src.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-default-src.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-elem.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-elem.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-none.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src-none.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/reportonly-script-src.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/resources/report-hash-test-runner.sub.js:
(report_hash_test): Avoid domains and add error handling.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-elem.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-elem.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-sha512.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src-sha512.https.window.js.sub.headers: Avoid domains.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src.https.window-expected.txt: progression.
* LayoutTests/imported/w3c/web-platform-tests/content-security-policy/report-hash/script-src.https.window.js.sub.headers: Avoid domains.
* LayoutTests/platform/mac-wk1/TestExpectations: Expect failures on wk1 - https://bugs.webkit.org/show_bug.cgi?id=285098.
* Source/WebCore/Modules/reporting/ViolationReportType.h: Add CSPHashReport type.
* Source/WebCore/bindings/js/ScriptModuleLoader.cpp:
(WebCore::ScriptModuleLoader::notifyFinished): rename matchIntegrityMetadata call.
* Source/WebCore/dom/LoadableClassicScript.cpp:
(WebCore::LoadableNonModuleScriptBase::notifyFinished): rename matchIntegrityMetadata call.
* Source/WebCore/html/HTMLLinkElement.cpp:
(WebCore::HTMLLinkElement::setCSSStyleSheet): rename matchIntegrityMetadata call.
* Source/WebCore/loader/DocumentThreadableLoader.cpp:
(WebCore::DocumentThreadableLoader::didFinishLoading): rename matchIntegrityMetadata call.
* Source/WebCore/loader/PingLoader.cpp:
(WebCore::PingLoader::sendViolationReport): Handle CSPHashReport.
* Source/WebCore/loader/SubresourceIntegrity.cpp:
(WebCore::createReportFormData): Create a report.
(WebCore::addHashPrefix): Add a prefix to the reported value, based on the algorithm enum value.
(WebCore::findStrongestAlgorithm): Get the strongest algorithm in a HashAlgorithmSet.
(WebCore::reportHashesIfNeeded): Potentially report hashes for a resource.
(WebCore::matchIntegrityMetadataSlow): implements the matchIntegrityMetadata logic.
* Source/WebCore/loader/SubresourceIntegrity.h:
(WebCore::matchIntegrityMetadata): Adjust condition and call hash reporting.
* Source/WebCore/loader/cache/CachedResource.h:
(WebCore::CachedResource::loader const): Make it a const.
(WebCore::CachedResource::setIsHashReportingNeeded): Setter for isHashReportingNeeded.
(WebCore::CachedResource::isHashReportingNeeded const): Getter for isHashReportingNeeded.
(WebCore::CachedResource::loader): Deleted.
* Source/WebCore/loader/cache/CachedResourceLoader.cpp:
(WebCore::CachedResourceLoader::requestResource): Set isHashReportingNeeded on the resource.
* Source/WebCore/page/csp/ContentSecurityPolicy.cpp:
(WebCore::ContentSecurityPolicy::hashesToReport): Get the hashes to report from the different CSP policies.
* Source/WebCore/page/csp/ContentSecurityPolicy.h: Define HashAlgorithmSet and HashAlgorithmSetCollection.
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.cpp:
(WebCore::ContentSecurityPolicyDirectiveList::hashReportDirectiveForScript const): Get the directives for script hash reporting.
(WebCore::ContentSecurityPolicyDirectiveList::reportHash const): Return the HashAlgorithmSet for the script reporting directive.
* Source/WebCore/page/csp/ContentSecurityPolicyDirectiveList.h: Add reportHash and hashReportDirectiveForScript.
* Source/WebCore/page/csp/ContentSecurityPolicySourceList.cpp:
(WebCore::ContentSecurityPolicySourceList::parseSource): Parse the hash reporting keywords and set the appropriate algorithms in the HashAlgorithmSet.
* Source/WebCore/page/csp/ContentSecurityPolicySourceList.h: Add a HashAlgorithmSet.
(WebCore::ContentSecurityPolicySourceList::reportHash const): Getter for the HashAlgorithmSet.
* Source/WebCore/page/csp/ContentSecurityPolicySourceListDirective.h:
(WebCore::ContentSecurityPolicySourceListDirective::reportHash const): Pipe the HashAlgorithmSet from the sourceList.

Canonical link: https://commits.webkit.org/288506@main

webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
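The commit message describes the pipeline in prose: parse `report-sha256`/`report-sha384`/`report-sha512` out of the governing script directive (parseSource), pick the strongest algorithm in the set (findStrongestAlgorithm), hash the script bytes only when they are same-origin or CORS-readable, and emit a hash report per policy (hashesToReport). The following Python is an added example that is not WebKit's code; it models that pipeline as a report collector would need to understand it, then does the inventory check the message says the reports are for. It assumes the script-src-elem, then script-src, then default-src fallback for external scripts, and the report body field names (documentURL, subresourceURL, hash, type, destination) are my reading of the spec draft, not taken from this page.

```python
"""Model of CSP script hash reporting plus a collector-side inventory check.
Added example, not WebKit code; report field names are an assumption."""
import base64
import hashlib
from urllib.parse import urlsplit

# Weakest to strongest. When a policy names several keywords, the strongest is reported.
ALGORITHMS = ("sha256", "sha384", "sha512")
REPORT_KEYWORDS = {f"report-{alg}": alg for alg in ALGORITHMS}


def parse_csp(header):
    """Split one CSP header value into {directive name: [source-expression tokens]}.
    As in CSP, the first occurrence of a directive name wins."""
    directives = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def script_report_algorithms(directives):
    """Algorithm set governing external scripts. Assumed fallback chain:
    script-src-elem -> script-src -> default-src; the most specific one present rules."""
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in directives:
            return {REPORT_KEYWORDS[t.lower()] for t in directives[name]
                    if t.lower() in REPORT_KEYWORDS}
    return set()


def strongest_algorithm(algorithms):
    """Equivalent of findStrongestAlgorithm: sha512 beats sha384 beats sha256."""
    for alg in reversed(ALGORITHMS):
        if alg in algorithms:
            return alg
    return None


def sri_hash(body, alg):
    """Integrity-style value '<alg>-<base64 digest>', the same shape SRI uses."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def is_hash_readable(document_url, script_url, cors_enabled):
    """Only same-origin or CORS-enabled responses expose bytes the browser may hash;
    an opaque cross-origin script produces no report."""
    d, s = urlsplit(document_url), urlsplit(script_url)
    same_origin = (d.scheme, d.hostname, d.port) == (s.scheme, s.hostname, s.port)
    return same_origin or cors_enabled


def hash_report(document_url, script_url, body, cors_enabled, policies):
    """One report per policy (enforced or report-only) that asks for hashes."""
    if not is_hash_readable(document_url, script_url, cors_enabled):
        return []
    reports = []
    for header in policies:
        alg = strongest_algorithm(script_report_algorithms(parse_csp(header)))
        if alg:
            reports.append({"documentURL": document_url, "subresourceURL": script_url,
                            "hash": sri_hash(body, alg),
                            "type": "subresource", "destination": "script"})
    return reports


def unexpected_hashes(reports, inventory):
    """Collector side: scripts whose reported hash is not in the known-good inventory.
    inventory maps script URL -> set of accepted '<alg>-<base64>' values."""
    return [(r["subresourceURL"], r["hash"]) for r in reports
            if r["hash"] not in inventory.get(r["subresourceURL"], ())]


if __name__ == "__main__":
    # Constructed sample: one document, two policies, one known script and one drifted one.
    doc = "https://app.example/checkout"
    policies = ["script-src 'self' report-sha256 report-sha512",
                "default-src 'self' report-sha384"]
    known_body = b"window.__app = {};"
    inventory = {"https://app.example/static/app.js": {sri_hash(known_body, "sha512"),
                                                        sri_hash(known_body, "sha384")}}
    reports = hash_report(doc, "https://app.example/static/app.js", known_body, False, policies)
    reports += hash_report(doc, "https://app.example/static/app.js",
                           b"window.__app = {}; /* modified */", False, policies)
    for url, h in unexpected_hashes(reports, inventory):
        print("unknown script hash reported:", url, h)
```

The cross-origin check is the caveat worth remembering when reading the reports: a third-party script fetched without `crossorigin` never shows up, so an empty inventory for a host is not evidence that nothing loads from it.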