Diff
Modified: trunk/LayoutTests/ChangeLog (122740 => 122741)
--- trunk/LayoutTests/ChangeLog 2012-07-16 18:14:02 UTC (rev 122740)
+++ trunk/LayoutTests/ChangeLog 2012-07-16 18:16:42 UTC (rev 122741)
@@ -1,3 +1,19 @@
+2012-07-16 Mike West <[email protected]>
+
+ Invalid `script-nonce` directives should block script execution.
+ https://bugs.webkit.org/show_bug.cgi?id=91353
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce.html: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce-expected.txt: Removed.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce.html: Removed.
+ Replaced these two tests with the following.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt: Added.
+ * http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html: Added.
+ This tests variously invalid nonces to ensure they block execution.
+
2012-07-16 W. James MacLean <[email protected]>
[chromium] Unreviewed gardening. Layout Test storage/indexeddb/cursor-update-value-argument-required.html is flaky
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce-expected.txt (122740 => 122741)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce-expected.txt 2012-07-16 18:14:02 UTC (rev 122740)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce-expected.txt 2012-07-16 18:16:42 UTC (rev 122741)
@@ -1,4 +0,0 @@
-CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: 'this is a bad nonce'.
-
-ALERT: PASS (1/1)
-This tests the effect of an invalid script-nonce value. It passes if a console warning is visible, and the alert() is executed.
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce.html (122740 => 122741)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce.html 2012-07-16 18:14:02 UTC (rev 122740)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-badnonce.html 2012-07-16 18:16:42 UTC (rev 122741)
@@ -1,19 +0,0 @@
-<!DOCTYPE html>
-<html>
- <head>
- <meta http-equiv="X-WebKit-CSP" content="script-nonce this is a bad nonce;">
- <script>
- if (window.layoutTestController)
- layoutTestController.dumpAsText();
- </script>
- <script>
- alert('PASS (1/1)');
- </script>
- </head>
- <body>
- <p>
- This tests the effect of an invalid script-nonce value. It passes if
- a console warning is visible, and the alert() is executed.
- </p>
- </body>
-</html>
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce-expected.txt (122740 => 122741)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce-expected.txt 2012-07-16 18:14:02 UTC (rev 122740)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce-expected.txt 2012-07-16 18:16:42 UTC (rev 122741)
@@ -1,4 +0,0 @@
-CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: ''.
-
-ALERT: PASS (1/1)
-This tests the effect of an empty script-nonce value. It passes if a console warning is visible, and the alert() is executed.
Deleted: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce.html (122740 => 122741)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce.html 2012-07-16 18:14:02 UTC (rev 122740)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-emptynonce.html 2012-07-16 18:16:42 UTC (rev 122741)
@@ -1,19 +0,0 @@
-<!DOCTYPE html>
-<html>
- <head>
- <meta http-equiv="X-WebKit-CSP" content="script-nonce;">
- <script>
- if (window.layoutTestController)
- layoutTestController.dumpAsText();
- </script>
- <script>
- alert('PASS (1/1)');
- </script>
- </head>
- <body>
- <p>
- This tests the effect of an empty script-nonce value. It passes if
- a console warning is visible, and the alert() is executed.
- </p>
- </body>
-</html>
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt (0 => 122741)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt 2012-07-16 18:16:42 UTC (rev 122741)
@@ -0,0 +1,39 @@
+CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: ''.
+
+CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce ".
+
+CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: ''.
+
+CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce ".
+
+CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: ''.
+
+CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce ".
+
+CONSOLE MESSAGE: Ignoring invalid Content Security Policy script nonce: 'nonces have no spaces'.
+
+CONSOLE MESSAGE: line 7: Refused to load 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-nonce ".
+
+None of these scripts should execute, as all the nonces are invalid.
+
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame1-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame2-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame3-->-->'
+--------
+PASS
Added: trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html (0 => 122741)
--- trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html 2012-07-16 18:16:42 UTC (rev 122741)
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=''></script>
+<script>
+var tests = [
+ ['no', 'script-src 127.0.0.1:8000; script-nonce;', 'resources/script.js', ''],
+ ['no', 'script-src 127.0.0.1:8000; script-nonce ;', 'resources/script.js', ''],
+ ['no', 'script-src 127.0.0.1:8000; script-nonce ;', 'resources/script.js', ''],
+ ['no', 'script-src 127.0.0.1:8000; script-nonce nonces have no spaces;', 'resources/script.js', ''],
+];
+</script>
+</head>
+<body _onload_="test()">
+ <p>
+ None of these scripts should execute, as all the nonces are invalid.
+ </p>
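Review bot: Every row in `tests` passes `''` as its last element, which presumably is the nonce placed on the injected script, so no case covers a script that presents a non-empty nonce while the directive is invalid. A row such as `['no', 'script-src 127.0.0.1:8000; script-nonce nonces have no spaces;', 'resources/script.js', 'nonces'],` would pin that an invalid directive blocks script even when the element carries a nonce. The second and third rows read identically as rendered here; if they differ only in whitespace, a short `//` comment per row naming the variant would make that visible. The helper that consumes `tests` is not in this hunk, so the meaning of the columns is inferred.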
Modified: trunk/Source/WebCore/ChangeLog (122740 => 122741)
--- trunk/Source/WebCore/ChangeLog 2012-07-16 18:14:02 UTC (rev 122740)
+++ trunk/Source/WebCore/ChangeLog 2012-07-16 18:16:42 UTC (rev 122741)
@@ -1,3 +1,26 @@
+2012-07-16 Mike West <[email protected]>
+
+ Invalid `script-nonce` directives should block script execution.
+ https://bugs.webkit.org/show_bug.cgi?id=91353
+
+ Reviewed by Adam Barth.
+
+ If the `script-nonce` Content Security Policy directive contains an
+ invalid value, we should fail loudly, throwing a warning to the console
+ and denying execution of script on the page. The is in line with the
+ current state of the experimental CSP 1.1 Editors Draft[1].
+
+ [1]: https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html#script-nonce--experimental
+
+ Test: http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html
+
+ * page/ContentSecurityPolicy.cpp:
+ (WebCore::CSPDirectiveList::checkNonceAndReportViolation):
+ Check against null rather than empty for early exit, otherwise
+ only compare nonces if the stored nonce isn't empty.
+ (WebCore::CSPDirectiveList::parseScriptNonce):
+ Assign the empty string if nonce is invalid.
+
2012-07-16 Min Qin <[email protected]>
[Android] remove RenderThemeChromiumAndroid::paintMediaFullscreenButton()
Modified: trunk/Source/WebCore/page/ContentSecurityPolicy.cpp (122740 => 122741)
--- trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-07-16 18:14:02 UTC (rev 122740)
+++ trunk/Source/WebCore/page/ContentSecurityPolicy.cpp 2012-07-16 18:16:42 UTC (rev 122741)
@@ -722,7 +722,7 @@
bool CSPDirectiveList::checkNonceAndReportViolation(const String& nonce, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine) const
{
- if (m_scriptNonce.isEmpty() || nonce.stripWhiteSpace() == m_scriptNonce)
+ if (m_scriptNonce.isNull() || (!m_scriptNonce.isEmpty() && nonce.stripWhiteSpace() == m_scriptNonce))
return true;
reportViolation(m_scriptNonce, consoleMessage + "\"script-nonce " + m_scriptNonce + "\".\n", KURL(), contextURL, contextLine);
return denyIfEnforcingPolicy();
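Review bot: The new condition in checkNonceAndReportViolation makes `m_scriptNonce` a three-state value (null means no directive, empty means the directive was present but invalid, non-empty is the nonce to match), and nothing at the check says so. A later edit that folds `isNull()` back into `isEmpty()` would silently turn the invalid-directive case from deny-all into allow-all, so I would put a comment above the `if`: `// Null: no script-nonce directive, allow. Empty: directive was invalid, deny all script. Otherwise the element's nonce must match.` For the invalid case the report on the following line prints `"script-nonce "` with no value, as the new expected output shows, so it may be worth saying there that the directive was invalid. The function's closing brace is outside the hunk.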
@@ -930,7 +930,7 @@
void CSPDirectiveList::parseScriptNonce(const String& name, const String& value)
{
- if (!m_scriptNonce.isEmpty()) {
+ if (!m_scriptNonce.isNull()) {
logDuplicateDirective(name);
return;
}
@@ -943,6 +943,7 @@
const UChar* nonceBegin = position;
if (position == end) {
logInvalidNonce(String());
+ m_scriptNonce = "";
return;
}
skipWhile<isNotASCIISpace>(position, end);
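Review bot: `m_scriptNonce = "";` here, and again in the `position < end` branch of the last hunk, is the only thing that makes an invalid directive fail closed, and it relies on a String built from `""` being empty but not null. I would spell that out at both assignments, for example `m_scriptNonce = emptyString(); // Non-null sentinel: directive present but invalid, deny all script.`, assuming WTF's `emptyString()` is available in this tree. The lines between this hunk and the next are not shown; if any path there returns without assigning the member after the directive was seen, it stays null and the check allows script, so it is worth confirming there is none. parseScriptNonce starts and ends outside this hunk.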
@@ -952,9 +953,10 @@
// Trim off trailing whitespace: If we're not at the end of the string, log
// an error.
skipWhile<isASCIISpace>(position, end);
- if (position < end)
+ if (position < end) {
logInvalidNonce(value);
- else
+ m_scriptNonce = "";
+ } else
m_scriptNonce = nonce;
}